Skip to main content

Chromebook OS - EAP-PEAP Configuration

Configure Chromebook devices to connect to IronWifi WPA-Enterprise wireless networks using EAP-PEAP authentication. This guide covers both manual configuration for individual devices and centralized deployment through Google Workspace Admin Console.

Overview

EAP-PEAP provides secure wireless authentication using username and password credentials. Chrome OS fully supports EAP-PEAP for enterprise Wi-Fi connections.

Prerequisites

  • Chrome OS 70 or later
  • Valid IronWifi user credentials
  • Wireless network configured with WPA2-Enterprise

Configuration Steps

Manual Configuration

  1. Click the time/battery area in the bottom right corner
  2. Click the Settings gear icon
  3. Select Network > Wi-Fi
  4. Click Add connection (or select your network)
  5. Configure:
    • SSID: Your network name
    • Security: EAP
    • EAP method: PEAP
    • EAP Phase 2 authentication: MSCHAPv2
    • Server CA certificate: Default or select installed cert
    • Identity: Your username (usually email address)
    • Password: Your password
  6. Click Connect

Network Settings Detail

SettingValue
SecurityEAP
EAP methodPEAP
Phase 2 authenticationMSCHAPv2
Server CA certificateDefault / Do not check / Installed cert
Subject match(optional) Server hostname
IdentityYour username
PasswordYour password

Certificate Configuration

Using Default Certificates

Chrome OS includes common CA certificates. Select Default for Server CA certificate if your RADIUS server uses a publicly trusted certificate.

Installing Custom CA Certificate

If using a private CA:

  1. Open Settings > Security and Privacy
  2. Click Manage certificates
  3. Select Authorities tab
  4. Click Import
  5. Select your CA certificate file
  6. Check Trust this certificate for identifying websites
  7. Click OK

Then in Wi-Fi settings, select your installed certificate.

Google Admin Console Deployment

For managed Chromebooks, deploy via Google Admin Console:

Create Wi-Fi Network

  1. Sign in to admin.google.com
  2. Go to Devices > Networks > Wi-Fi
  3. Click Add Wi-Fi
  4. Configure:
    • Name: Network display name
    • SSID: Your network SSID
    • Security type: WPA2-Enterprise (802.1X)
    • EAP method: PEAP
    • Inner protocol: MSCHAPv2
    • Identity: ${LOGIN_ID} (uses user's Google account)

Apply to Organizational Unit

  1. Select Organizational units to apply the policy
  2. Click Save
  3. Networks will automatically configure on managed devices

Certificate Deployment

To deploy CA certificates:

  1. Go to Devices > Networks > Certificates
  2. Click Add certificate
  3. Upload your CA certificate
  4. Select organizational units
  5. Reference the certificate in your Wi-Fi configuration

Identity Variables

Google Admin Console supports these variables for automatic identity:

VariableDescription
${LOGIN_ID}User's Google account email
${LOGIN_EMAIL}Same as LOGIN_ID
${DEVICE_SERIAL_NUMBER}Device serial number
${DEVICE_ASSET_ID}Asset ID if configured

Troubleshooting

"Connection Failed" Error

  1. Verify username and password
  2. Check the network is within range
  3. Ensure account is active in IronWifi
  4. Try forgetting and re-adding the network

Certificate Errors

If certificate validation fails:

  1. Try setting Server CA certificate to Do not check (testing only)
  2. Install the correct CA certificate
  3. Verify the server hostname matches the certificate

Auto-Connect Not Working

  1. Check that Automatically connect is enabled
  2. Verify the network is in range
  3. Review if credentials have expired

Managed Network Override

If a managed network isn't working:

  1. Contact your Google Workspace admin
  2. Check policy in chrome://policy
  3. Review network configuration in Admin Console

Guest Mode Limitations

In Guest mode:

  • Enterprise networks may not be available
  • Installed certificates are not accessible
  • Use signed-in user session for EAP networks

Kiosk Mode

For Chromebooks in kiosk mode:

  1. Configure network in Admin Console
  2. Use device-level network policies
  3. Test connectivity before deploying