
Chromebook OS - EAP-TLS Configuration

Configure Chromebook devices for secure, certificate-based authentication to IronWifi WPA-Enterprise wireless networks using EAP-TLS. This passwordless authentication method leverages Chrome OS's native security features including TPM hardware protection.

Overview

EAP-TLS is a highly secure enterprise Wi-Fi authentication method that uses certificates instead of passwords. Chromebooks support EAP-TLS natively, making them ideal for certificate-based enterprise deployments.

Prerequisites

  • Chrome OS 70 or later
  • Client certificate installed on the device
  • CA certificate for the RADIUS server
  • Wireless network configured with WPA2-Enterprise

Certificate Installation

Manual Certificate Installation

  1. Open Settings > Security and Privacy
  2. Click Manage certificates
  3. To install the CA certificate:
    • Select Authorities tab
    • Click Import
    • Select your CA certificate file
  4. To install the client certificate:
    • Select Your certificates tab
    • Click Import and bind
    • Select your .p12 or .pfx file
    • Enter the certificate password

Google Admin Console (Managed Devices)

For enterprise deployment:

  1. Sign in to admin.google.com
  2. Go to Devices > Networks > Certificates
  3. Click Add certificate
  4. Select certificate type:
    • Server CA certificate for RADIUS server validation
    • User certificate for client authentication
  5. Upload the certificate
  6. Select organizational units
  7. Click Save

Configuration Steps

Manual Configuration

  1. Click the time/battery area in the bottom right
  2. Click Settings > Network > Wi-Fi
  3. Click Add connection
  4. Configure:
    • SSID: Your network name
    • Security: EAP
    • EAP method: EAP-TLS
    • Server CA certificate: Select installed CA cert
    • User certificate: Select your client certificate
    • Identity: Your username (from certificate subject)
  5. Click Connect

Configuration Settings

| Setting | Value |
|---|---|
| Security | EAP |
| EAP method | EAP-TLS |
| Server CA certificate | Your RADIUS CA cert |
| Subject match | (optional) RADIUS server hostname |
| User certificate | Your client certificate |
| Identity | Username or email |

Google Admin Console Deployment

Create Network Configuration

  1. Go to admin.google.com
  2. Navigate to Devices > Networks > Wi-Fi
  3. Click Add Wi-Fi
  4. Configure:
    • Name: Display name for the network
    • SSID: Your wireless network SSID
    • Security type: WPA2-Enterprise (802.1X)
    • EAP method: EAP-TLS
    • Server CA certificate: Select deployed cert
    • Client certificate: Reference deployed client cert

Certificate References

Reference certificates using their names:

Server CA Certificate: IronWifi-CA
User Certificate: ${USER_CERT}

Automatic Identity

Use identity variables:

  • ${LOGIN_ID} - User's Google account
  • ${CERT_SUBJECT_CN} - Certificate common name

SCEP Integration

For automatic certificate provisioning:

Configure SCEP in Google Admin

  1. Go to Devices > Networks > Certificates
  2. Click Add certificate > SCEP
  3. Configure SCEP server URL from IronWifi console
  4. Set certificate template parameters
  5. Apply to organizational units

IronWifi SCEP Setup

  1. In IronWifi console, go to Users > Connectors
  2. Create new SCEP Connector
  3. Copy the SCEP URL
  4. Configure certificate subject template

Troubleshooting

"No User Certificate Found"

  1. Verify certificate is installed in Your certificates
  2. Check the certificate has a private key
  3. Try re-importing the certificate
  4. Ensure certificate isn't expired

"Authentication Failed"

  1. Verify certificate subject matches IronWifi username
  2. Check certificate hasn't been revoked
  3. Ensure CA certificate is correctly installed
  4. Review IronWifi authentication logs

Certificate Not Appearing

  1. Check certificate format (.p12, .pfx supported)
  2. Verify password is correct
  3. The certificate file may need to include the private key
  4. Try importing via Chrome (chrome://settings/certificates)
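
The client-certificate items in the three troubleshooting lists above (file format and password, private key present, expiry, subject matching the IronWifi username) can be checked on a .p12 or .pfx file before it is imported. The script below is an added example, not IronWifi or Google tooling: it assumes the openssl command-line tool on an administrator workstation, and the function names, the P12_PASS variable, the optional days-left margin and the alice@example.com sample are constructed for illustration.

```sh
#!/bin/sh
# Pre-import checks for a client .p12/.pfx bundle. The bundle password is read
# from the P12_PASS environment variable so it never appears in the process list.
# Usage: check_p12 FILE EXPECTED_IDENTITY [MIN_DAYS_LEFT]   (returns 0 if all pass)
check_p12() {
    p12=$1; want=$2; min_days=${3:-0}; bad=0
    # 1. Bundle opens with this password and holds a certificate. The -clcerts
    #    output comes first so the client certificate is preferred over CA certs.
    cert=$( { openssl pkcs12 -in "$p12" -passin env:P12_PASS -nokeys -clcerts
              openssl pkcs12 -in "$p12" -passin env:P12_PASS -nokeys; } 2>/dev/null |
            openssl x509 2>/dev/null) || { echo "FAIL unreadable: format or password"; return 2; }
    # 2. Private key present (the "has a private key" troubleshooting item).
    if openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts -nodes 2>/dev/null |
       grep -q 'PRIVATE KEY'; then echo "OK   private key present"
    else echo "FAIL no private key in bundle"; bad=1; fi
    # 3. Not expired, and not expiring within MIN_DAYS_LEFT days.
    if printf '%s\n' "$cert" | openssl x509 -noout -checkend $((min_days * 86400)) >/dev/null
    then echo "OK   valid for more than $min_days day(s)"
    else echo "FAIL expired or expiring within $min_days day(s)"; bad=1; fi
    # 4. Subject CN equals the identity configured for the network.
    cn=$(printf '%s\n' "$cert" | openssl x509 -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= //p')
    if [ "$cn" = "$want" ]; then echo "OK   subject CN is $cn"
    else echo "FAIL subject CN is '$cn', expected '$want'"; bad=1; fi
    return $bad
}

# Constructed sample input: a throwaway self-signed certificate, not a real credential.
# Usage: make_sample_p12 OUTFILE CN DAYS [nokey]
make_sample_p12() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days "$3" -subj "/CN=$2" \
        -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null || return 1
    if [ "${4:-}" = nokey ]; then
        openssl pkcs12 -export -nokeys -in "$d/cert.pem" -out "$1" -passout env:P12_PASS
    else
        openssl pkcs12 -export -inkey "$d/key.pem" -in "$d/cert.pem" -out "$1" -passout env:P12_PASS
    fi
    s=$?; rm -rf "$d"; return $s
}

# Demo on constructed data: a one-year certificate checked with a 30-day margin.
export P12_PASS=constructed-demo-password
demo=$(mktemp -d)
make_sample_p12 "$demo/alice.p12" alice@example.com 365
check_p12 "$demo/alice.p12" alice@example.com 30
rm -rf "$demo"
```

Exit status 2 means the bundle could not be opened at all; 1 means it opened but failed at least one check.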

Server Certificate Validation Error

  1. Install the correct CA certificate
  2. Verify Subject match setting
  3. Check server certificate hasn't expired

TPM-Based Certificates

Chrome OS can store a certificate's private key in the TPM (Trusted Platform Module):

  • Provides hardware-based key protection
  • Keys cannot be exported
  • Required for some enterprise deployments

To use TPM:

  1. Select Import and bind when importing certificates
  2. Keys will be stored in hardware

Managed Guest Sessions

For shared Chromebooks using managed guest sessions:

  1. Configure network at device level (not user level)
  2. Use device certificates instead of user certificates
  3. Deploy via Admin Console organizational units