How To Set Up 802.1X Network Authentication on Windows

Learn how to connect your Windows device to an enterprise 802.1X network using RADIUS authentication.

Note: While you can manually configure your Windows device to connect to an enterprise 802.1X network, we highly recommend using a Mobile Device Management (MDM) solution like Microsoft Intune to push the necessary network profiles and certificates to your devices. This ensures that all devices are consistently configured and reduces the risk of misconfiguration.

What is 802.1X Network Authentication?

At home, you probably just plug your computer into an ethernet cable or connect to a Wi-Fi network using a single password. It’s easy and convenient because at home you (usually) trust everyone who can connect to your network. However, in an enterprise environment, you want to make sure that only authorized users and devices can connect to your network. This is where 802.1X network authentication comes in. 802.1X is a network protocol that provides an authentication mechanism to devices wishing to attach to a LAN or WLAN. It is commonly used in enterprise networks to provide secure access to network resources.

Why Can't My Device Just Connect to an Enterprise Network Like at Home?

Enterprise networks require a higher level of security and configuration than home networks. Instead of a single password, enterprise networks use RADIUS (Remote Authentication Dial-In User Service) servers to authenticate users and devices. To establish a secure connection, devices need to have the correct network profiles and certificates installed. These tell the device what security protocols to use (EAP-TLS, EAP-TTLS, etc.) and which RADIUS servers to trust. Without these profiles and certificates, your device won’t know how to connect securely to the network. That’s why devices will fail to connect to enterprise networks if they are not properly configured.

How to Trust Your RADIUS Server CA Certificate on Windows

For your Windows device to trust the RADIUS server during the authentication process, you need to install the RADIUS server CA certificate on your device. This tells your Windows device to trust all RADIUS servers that present a certificate signed by this CA during the authentication process.

How to Download Your Radius Server CA Certificate

If you used the EZRADIUS auto-generated certificate for your RADIUS server, you’ll just have a single CA certificate to download. Follow these steps:

Log in to your EZRADIUS portal.
Navigate to Policies.
Select the policy you are using for Entra ID Password Authentication.
Scroll down to the Server Certificate section.
Click on the Download CA Certificate button to download the certificate to your local machine. It will have a filename similar to RootCA.cer.

If you used the EZRADIUS EZCA to issue your RADIUS server certificate, you’ll need to download the the CA certificate for your EZCA CA, plus the Root CA certificate, if applicable. Follow these steps:

Log in to your EZCA portal.
Navigate to Certificate Authorities.
Select the CA that issued your RADIUS server certificate.
Click on the View Details button.
Click on the Download Certificate button to download the CA certificate to your local machine. It will have a filename similar to <CA-NAME>.cer.
If your EZCA CA is an intermediate CA, make sure to also download the Root CA certificate by repeating the above steps for the Root CA.

Refer to your PKI documentation to download the CA certificate(s) that issued your RADIUS server certificate. Ensure you have the root CA and any intermediate CA certificates if applicable.

How to Install the RADIUS Server CA Certificate on Windows

To install the RADIUS server CA certificate on your Windows device, follow these steps:

Locate the downloaded CA certificate file on your local machine (e.g., RootCA.cer).
Double-click the certificate file to open the Certificate window.
Click on the Install Certificate… button.
In the Certificate Import Wizard, choose Local Machine and click Next.
Select Place all certificates in the following store and click on Browse….
Choose Trusted Root Certification Authorities and click OK.
Click Next, then click Finish to complete the installation.
Repeat these steps for any additional CA certificates if necessary (e.g., intermediate CA certificates).

How to Set Up Your Network for RADIUS Authentication on Windows

When connecting your Windows device to an enterprise network using RADIUS authentication, you need to ensure that the correct EAP (Extensible Authentication Protocol) method is configured based on your authentication setup.

How to Configure EAP-TTLS/PAP on Windows for WiFi RADIUS Authentication

If you are using Entra ID passwords you will need to configure your Windows device to use EAP-TTLS/PAP due to Entra ID not supporting MS-CHAPv2 identity delegation. To configure EAP-TTLS/PAP on Windows follow these steps:

Go to Settings –> Network & Internet –> Wi-Fi.
Click on Manage known networks.
Click on Add Network on the top right.
Enter the SSID of your network (Case Sensitive).
Select the Security type as either WPA2-Enterprise or WPA3-Enterprise, depending on your network settings.
For EAP Method, select EAP-TTLS.
For the Authentication Method, select Unencrypted password (PAP). Don’t worry the password is encrypted by EAP-TTLS using the server certificate.
Click Save.
Now when you connect to the network you will be prompted for your Entra ID username and password.

How to Configure EAP-TTLS/PAP on Windows for Wired Ethernet RADIUS Authentication

To configure EAP-TTLS/PAP on Windows for a wired ethernet network follow these steps:

Go to Settings –> Network & Internet –> Ethernet.
Open the network details and for Authentication settings click on Edit
Enable IEEE 802.1X authentication
Click on Edit configuration
Set the EAP method to EAP-TTLS and the Authentication method to Unencrypted password (PAP) and click on Save
Click on Sign in for the wired network.
If you see a Continue connecting? prompt, verify the RADIUS server details and click on Connect.
Enter your Entra ID credentials and click OK