Android - EAP-TLS Configuration

Configure Android devices for secure, certificate-based authentication to IronWifi WPA-Enterprise wireless networks using EAP-TLS. This passwordless authentication method provides the highest level of WiFi security through mutual certificate verification.

Overview

EAP-TLS is one of the most secure Wi-Fi authentication methods available. It uses client and server certificates for mutual authentication, eliminating the need for passwords. Chromebooks support EAP-TLS natively.

Prerequisites

  • Android 4.0 or later
  • Client certificate installed on the device
  • Wireless network configured with WPA2-Enterprise
  • CA certificate for the RADIUS server

Certificate Installation

Option 1: MDM Deployment

For enterprise environments, deploy certificates via MDM:

  1. Configure SCEP in IronWifi console
  2. Create certificate profile in your MDM
  3. Deploy to managed devices

Option 2: Manual Installation

  1. Transfer the certificate file (.p12 or .pfx) to your device
  2. Open Settings > Security > Encryption & credentials
  3. Tap Install a certificate > VPN & app user certificate
  4. Select your certificate file
  5. Enter the certificate password
  6. Name the certificate (e.g., "IronWifi")

Installing CA Certificate

  1. Download the CA certificate
  2. Open Settings > Security > Encryption & credentials
  3. Tap Install a certificate > CA certificate
  4. Select the certificate file
  5. Confirm installation

Configuration Steps

Android 10 and Later

  1. Open Settings > Network & Internet > Wi-Fi
  2. Tap your enterprise network (or Add network)
  3. Configure:
    • EAP method: TLS
    • CA certificate: Select your installed CA certificate
    • User certificate: Select your client certificate
    • Domain: The domain name on your RADIUS server's certificate (Android uses it to validate the server certificate)
    • Identity: Your username (from certificate subject)
  4. Tap Connect

Android 9 and Earlier

  1. Open Settings > Wi-Fi
  2. Tap the enterprise network
  3. Configure:
    • EAP method: TLS
    • CA certificate: Select certificate
    • User certificate: Select your certificate
    • Identity: Your username
  4. Tap Connect

Certificate Requirements

Client Certificate

For EAP-TLS authentication, the client certificate must have:

  • Extended Key Usage: Client Authentication (1.3.6.1.5.5.7.3.2)
  • Subject or SAN: Must contain user identifier matching IronWifi username
  • Key Type: RSA 2048-bit or higher (recommended)
  • Validity: Not expired

Format Support

Android supports these certificate formats:

  • .p12 / .pfx - PKCS#12 (recommended)
  • .pem - PEM encoded
  • .crt / .cer - DER or PEM encoded

MDM Configuration

Android Enterprise

<!-- Illustrative profile fragment; SSID and certificate aliases are placeholders -->
<WifiConfig>
  <SSID>YourNetwork</SSID>
  <SecurityType>WPA2-Enterprise</SecurityType>
  <EapMethod>TLS</EapMethod>
  <ClientCertificate>user_cert</ClientCertificate>  <!-- alias of the deployed client certificate -->
  <CACertificate>ca_cert</CACertificate>            <!-- alias of the RADIUS server's CA certificate -->
</WifiConfig>

Google Workspace / Intune

  1. Create a Wi-Fi configuration profile
  2. Select EAP-TLS as the authentication type
  3. Reference the deployed certificates
  4. Assign to device groups

Troubleshooting

Certificate Not Appearing in List

  1. Verify the certificate was installed correctly
  2. Check it's installed as "VPN & app user certificate"
  3. Ensure the certificate hasn't expired
  4. Try reinstalling the certificate

Authentication Fails

  1. Check the certificate subject matches your IronWifi username
  2. Verify the certificate hasn't expired
  3. Ensure the issuing CA is trusted by IronWifi
  4. Check authentication logs in IronWifi console

"No User Certificate Available"

  1. The certificate may be corrupted
  2. Re-export from the original source with the private key
  3. Verify the .p12 file includes the private key
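The client certificate requirements listed under Certificate Requirements (Client Authentication EKU, username in the subject or SAN, RSA 2048-bit or larger, not expired, chained to a CA IronWifi trusts) and the check above that the .p12 actually carries its private key can all be verified with openssl before a certificate is pushed to a device. The script below is an added example written for this page, not IronWifi's own tooling. It assumes openssl 1.1.1 or later is on PATH, and it generates a throwaway CA and client certificate (constructed sample data, username alice@example.com, export password "export-password") only so the checks have something to inspect; on a real deployment, point the check functions at your exported .p12 and the RADIUS CA certificate instead.

```shell
#!/bin/sh
# Added example, not IronWifi tooling: builds a throwaway CA and client
# certificate with openssl purely as sample input, then runs the checks an
# administrator would run on a real .p12 before pushing it to Android.
# Assumes openssl (1.1.1 or later) is on PATH and a temp directory is writable.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
USERNAME="alice@example.com"   # constructed sample IronWifi username
P12PASS="export-password"      # constructed sample .p12 password

# Throwaway PKI so the checks below have something to inspect.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Example Test CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$USERNAME" \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
    # clientAuth EKU and a SAN carrying the username, as the requirements list asks
    printf 'extendedKeyUsage = clientAuth\nsubjectAltName = email:%s\n' "$USERNAME" \
        > "$WORK/client.ext"
    openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 90 -sha256 -extfile "$WORK/client.ext" \
        -out "$WORK/client.pem" 2>/dev/null
    # PKCS#12 bundle of key + certificate + CA, the format Android installs
    openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.pem" \
        -certfile "$WORK/ca.pem" -name "IronWifi" -passout "pass:$P12PASS" \
        -out "$WORK/client.p12"
}

# Each check is a function with a 0/1 exit status so it can gate a deployment step.

# Extended Key Usage must include Client Authentication (1.3.6.1.5.5.7.3.2).
has_client_auth_eku() {        # $1 = PEM certificate
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Client Authentication'
}

# Subject CN or SAN must carry the username the RADIUS side expects.
identity_matches() {           # $1 = PEM certificate, $2 = expected username
    openssl x509 -in "$1" -noout -subject | grep -q -- "$2" && return 0
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' | grep -q -- "$2"
}

# Prints the public key size in bits (the page recommends RSA 2048 or more).
key_bits() {                   # $1 = PEM certificate
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Succeeds only if the certificate is still valid $2 days from now.
valid_for_days() {             # $1 = PEM certificate, $2 = days
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# A .p12 without its private key is what produces "No User Certificate Available".
p12_has_private_key() {        # $1 = .p12 file, $2 = password
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY'
}

# The client certificate must chain to the CA the RADIUS server trusts.
chains_to_ca() {               # $1 = PEM certificate, $2 = CA PEM
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Human-readable report over all checks; exit status is 0 only if every check passes.
report() {                     # $1 = PEM cert, $2 = .p12, $3 = password, $4 = CA PEM, $5 = username
    ok=0
    line() { if "$@"; then echo "PASS: $1"; else echo "FAIL: $1"; ok=1; fi; }
    line has_client_auth_eku "$1"
    line identity_matches "$1" "$5"
    line chains_to_ca "$1" "$4"
    line valid_for_days "$1" 30        # flag anything expiring within a month
    line p12_has_private_key "$2" "$3"
    bits=$(key_bits "$1")
    if [ "${bits:-0}" -ge 2048 ]; then echo "PASS: key_bits ($bits)"
    else echo "FAIL: key_bits ($bits)"; ok=1; fi
    return $ok
}

make_test_pki
report "$WORK/client.pem" "$WORK/client.p12" "$P12PASS" "$WORK/ca.pem" "$USERNAME"
```

The valid_for_days check doubles as the expiry monitor the Certificate Lifecycle section asks for: run it from a scheduled job with a 30-day horizon and you get warning before a user is locked out. Because every check is a plain function with a pass/fail exit status, the same script can block an MDM upload when a freshly issued .p12 is missing its key or its clientAuth EKU.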

Server Certificate Validation Error

  1. Install the RADIUS server's CA certificate
  2. Ensure the domain name is correctly configured
  3. Check the server certificate hasn't expired

Security Considerations

Private Key Protection

  • Android stores private keys in the system keystore
  • Keys are protected by device encryption
  • Screen lock is recommended for certificate protection

Certificate Lifecycle

Monitor certificate expiration:

  1. Set calendar reminders for renewal
  2. Use MDM to automate certificate renewal via SCEP
  3. Plan for certificate revocation procedures