Configure Client Device for EAP-TTLS Authentication

This topic provides details on how to configure a client device for Extensible Authentication Protocol–Tunneled TLS (EAP-TTLS) authentication. The procedure uses an Apple client device as an example.

When you use Juniper Mist Access Assurance with EAP-TTLS/PAP (credentials-based) authentication, Apple devices need additional configuration. For this task, you must create a profile using the free Apple Configurator tool.

Note:
Providing a username and password at the login prompt by clicking the SSID does not work for Apple devices. Apple devices use PEAP-MSCHAPv2 or EAP-TTLS/MSCHAPv2 authentication methods, which use a password hashing algorithm that is not supported by any cloud-based Identity Provider.

To create a Wi-Fi profile:
  1. Download the Juniper Mist server certificate.

    In order for the client devices to trust the Mist Access Assurance server certificates, the Mist Certificate must be included in the Wi-Fi profile.

    1. On the Juniper Mist portal, go to Organization > Access > Certificates.
      The Certificate Authorities page appears.
      Figure 1: View and Save Mist Server Certificate
    2. Click View Mist Certificate and copy the certificate details.
      Save the certificate locally as a file with the .crt extension. For example: mist-cert.crt.

      If you are using your own custom server certificate, download your Certificate Authority (CA) certificate for this step instead of downloading a Juniper Mist Certificate.

  2. Create a new profile on your Apple client device.
    1. On your Mac computer, open your Apple Configurator tool, and click File > New Profile.
      Figure 2: Wi-Fi Profile Configuration for Apple Client

      A new configuration profile document opens.

    2. On the left-navigation bar of the Apple Configurator tool, click Certificates > Configure.
      Figure 3: Upload Juniper Mist Server Certificate in Wi-Fi Profile Configuration for Apple Client
      Select and upload the Mist certificate that you downloaded in the previous procedure.
    3. From the left-navigation bar of the Apple Configurator tool, select Wi-Fi and click Configure.
      Figure 4: Wi-Fi Profile Configuration for Apple Client

      Enter the following options for the Wi-Fi settings:

      Figure 5: Settings in Wi-Fi Profile Configuration for Apple Client
      • SSID: Your network's SSID. Ensure that you enter the correct SSID including capital letters.
      • Security Type: WPA2/WPA3 Enterprise
      • Accepted EAP Types: TTLS. Also select Per-connection Password.
      • Inner Authentication: PAP
    4. On the same page, under Enterprise Settings, click Trust. The page displays a list of uploaded certificates.
      Figure 6: Trust Juniper Mist Server Certificate in Wi-Fi Profile Configuration for Apple Client
      Select the Juniper Mist certificate. This step enables the client devices to trust the Juniper Mist server certificate.

      Now you can distribute it to your Apple clients.

    5. Save your configuration.
      Figure 7: Save Wi-Fi Profile Configuration
      To sign the profile, you need an Apple-trusted certificate. This step is required for production use.
    Now you can distribute the certificate to your Apple clients.
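
The Wi-Fi settings from the procedure above can be checked in the saved profile before it is distributed. The following Python script is an added example, not part of the original Juniper documentation: it audits an unsigned .mobileconfig for EAP-TTLS with PAP, Per-connection Password, and a trusted server certificate that is actually present in the profile. It assumes the key names of Apple's documented Wi-Fi payload (com.apple.wifi.managed); the sample profile, SSID, and UUIDs are constructed placeholders.

```python
import plistlib

# Key names and values follow Apple's documented Wi-Fi payload (assumed here,
# not taken from the Juniper page). EAP method type 21 is EAP-TTLS.
EAP_TTLS = 21
CERT_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1",
              "com.apple.security.pem"}

def audit_profile(data: bytes) -> dict:
    """Return {ssid: [findings]} for each Wi-Fi payload in an unsigned profile."""
    payloads = plistlib.loads(data).get("PayloadContent", [])
    cert_uuids = {p.get("PayloadUUID") for p in payloads
                  if p.get("PayloadType") in CERT_TYPES}
    report = {}
    for p in payloads:
        if p.get("PayloadType") != "com.apple.wifi.managed":
            continue
        eap = p.get("EAPClientConfiguration", {})
        findings = []
        if EAP_TTLS not in eap.get("AcceptEAPTypes", []):
            findings.append("EAP-TTLS (21) not in AcceptEAPTypes")
        if eap.get("TTLSInnerAuthentication") != "PAP":
            findings.append("inner authentication is not PAP")
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        if not anchors:
            findings.append("no trusted server certificate selected")
        elif not set(anchors) <= cert_uuids:
            findings.append("trust anchor UUID has no certificate payload in profile")
        if not eap.get("OneTimeUserPassword", False):
            findings.append("Per-connection Password not enabled")
        report[p.get("SSID_STR", "<no SSID>")] = findings
    return report

def build_sample(with_trust: bool) -> bytes:
    """Constructed sample profile; SSID, UUIDs and certificate bytes are placeholders."""
    cert = {"PayloadType": "com.apple.security.root",
            "PayloadUUID": "CERT-UUID-PLACEHOLDER",
            "PayloadContent": b"placeholder, not a real certificate"}
    eap = {"AcceptEAPTypes": [EAP_TTLS], "TTLSInnerAuthentication": "PAP",
           "OneTimeUserPassword": True}
    if with_trust:  # corresponds to selecting the certificate under Trust
        eap["PayloadCertificateAnchorUUID"] = ["CERT-UUID-PLACEHOLDER"]
    wifi = {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "example-ssid",
            "EncryptionType": "WPA2", "EAPClientConfiguration": eap}
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadContent": [cert, wifi]})

if __name__ == "__main__":
    for label in (True, False):
        print("trust selected:", label, audit_profile(build_sample(label)))
```

A signed profile is wrapped in a signature envelope, so run the check on the unsigned file saved from Apple Configurator.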

Watch the following video to learn how to create a network profile for EAP-TLS for testing or lab use:

But how do you configure your client devices based on different operating systems? So you use certificates to authenticate to a Wi-Fi network.

Note that this video is only useful if you're doing lab testing, if you're actually using your test certificates. And this is not designed for production environments. But in production environments, clients are typically configured by MDMs or group policies or any other onboarding solutions. And none of these steps are required in production. We are just talking about simple lab tests so you could repeat these steps in your testing environment.

So first platform we'll talk about is iOS, or actually iOS, macOS, and iPadOS. The steps are identical for all the three platforms. So what we will need to do to configure test clients that are running Apple operating systems is the Apple Configurator utility that you can download from Apple directly. It only works on macOS, obviously. But that's how you configure profiles manually.

So go to Apple Configurator. You'll create a new profile. And we'll just say this is our mist secure net profile. What we are interested in here is Certificate section. We'll need to import the client certificate we've generated in the previous step. So we're going to click Configure. I have my test lab client PFX that we've exported from a different video.

We'll need to provide a password that we used during the export. I think it's "1234." Great. So our client certificate has been imported. The other certificate we will need is actually the server certificate that we will display from Mist Access Assurance when client will try to connect. This server certificate is actually available here. So we'll copy this. Save it as a text file. And then save it in the same folder. And we'll call it mist-certificate.crt. So now we'll go back to our profile. We'll import one more cert. And we'll import the Mist certificate in here. Now, the next step is to configure the Wi-Fi profile. So we'll configure Wi-Fi profile. This is where we'll put our SSID name. And our SSID name was mist-securenet. Just make sure you're using the one you've configured. Under Security Type, we'll use WPA3 Enterprise. Unless you're using an older device, WPA3 is supported on all the Apple - recent Apple products, I should say.

Under Protocols, we'll select TLS because we want to use certificates to authenticate. We'll then select the client certificate that we've imported in the previous step. We'll then go to Trust section. And this is where we are saying client will trust the Mist certificate when it will try to authenticate to the network. So we are doing this mutual trust in here. So in this phase, the client trusts the server. The server, in this case, is Mist Access Assurance. In this section, client presents its client certificate. And Mist Access Assurance will have to trust the client cert. We'll then go ahead and save this profile. And this will be saved as .mobileconfig file. And now, how do we distribute this? Obviously, if you're on a Mac, you could go and double-click and install it. But we can also distribute this to our clients using AirDrop, for instance. Now, I will distribute this to my iPad through AirDrop.