
Mac OS & iOS - TTLS + PAP Configuration

Configure Mac and iOS devices to connect to IronWifi WPA-Enterprise wireless networks using EAP-TTLS with PAP inner authentication. This method is ideal for integrating with external identity providers like Azure AD, LDAP directories, and systems that don't support MSCHAPv2.

Overview

EAP-TTLS (Tunneled Transport Layer Security) with PAP provides a secure authentication method that's particularly useful for:

  • Integration with external identity providers
  • Azure AD authentication without password hash sync
  • LDAP directory authentication
  • Systems that don't support MSCHAPv2

Prerequisites

  • iOS 10+ or macOS 10.12+
  • Valid user credentials
  • Wireless network configured with WPA2-Enterprise

iOS Configuration

Manual Setup

iOS requires a configuration profile for EAP-TTLS - it cannot be configured manually through the Settings app.

Configuration Profile Method

  1. Create a .mobileconfig profile (see template below)
  2. Deliver the profile to the device, either by emailing it or by hosting it on a web server and downloading it in Safari
  3. Install the profile in Settings > General > VPN & Device Management

Profile Template

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>AutoJoin</key>
      <true/>
      <key>EAPClientConfiguration</key>
      <dict>
        <key>AcceptEAPTypes</key>
        <array>
          <integer>21</integer> <!-- 21 = EAP-TTLS -->
        </array>
        <key>TTLSInnerAuthentication</key>
        <string>PAP</string>
        <key>OuterIdentity</key>
        <string>anonymous</string> <!-- sent in the clear; the real username travels inside the TLS tunnel -->
      </dict>
      <key>EncryptionType</key>
      <string>WPA2</string>
      <key>HIDDEN_NETWORK</key>
      <false/>
      <key>PayloadDescription</key>
      <string>Wi-Fi settings for EAP-TTLS</string>
      <key>PayloadDisplayName</key>
      <string>Wi-Fi (YourNetwork)</string>
      <key>PayloadIdentifier</key>
      <string>com.yourcompany.wifi.ttls</string>
      <key>PayloadType</key>
      <string>com.apple.wifi.managed</string>
      <key>PayloadUUID</key>
      <string>YOUR-UUID-HERE</string> <!-- must differ from the profile-level PayloadUUID below -->
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>SSID_STR</key>
      <string>YourNetworkSSID</string>
    </dict>
  </array>
  <key>PayloadDisplayName</key>
  <string>IronWifi Network</string>
  <key>PayloadIdentifier</key>
  <string>com.yourcompany.wifi</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>YOUR-PROFILE-UUID</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>
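The template above leaves server certificate validation to the user at first connection. The following added example (not IronWifi's or Apple's code) builds the same kind of profile with plistlib, generates fresh UUIDs, and adds the CA certificate payload together with PayloadCertificateAnchorUUID and TLSTrustedServerNames, which are the documented Apple keys for pinning the RADIUS server; the SSID, identities, server name and CA bytes are placeholders.

```python
# Added example (not IronWifi's or Apple's code): build an EAP-TTLS/PAP
# .mobileconfig that pins the RADIUS CA. Key names are Apple's documented
# profile keys; SSID, identities, server name and CA bytes are placeholders.
import plistlib
import uuid

EAP_TTLS = 21  # AcceptEAPTypes value for EAP-TTLS, as in the template above

def build_ttls_profile(ssid, outer_identity, ca_der, trusted_server_names):
    """Return the profile as a dict; to_mobileconfig() gives the XML form.

    The CA certificate rides in a com.apple.security.root payload that the
    Wi-Fi payload anchors on, so the PAP password only leaves the device
    inside a tunnel to a RADIUS server that chains to that CA and name."""
    ca_uuid, wifi_uuid = str(uuid.uuid4()).upper(), str(uuid.uuid4()).upper()
    ca_payload = {
        "PayloadType": "com.apple.security.root",
        "PayloadIdentifier": f"com.example.wifi.ca.{ca_uuid}",
        "PayloadUUID": ca_uuid,
        "PayloadVersion": 1,
        "PayloadContent": ca_der,  # bytes are written as a <data> element
    }
    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadIdentifier": f"com.example.wifi.ttls.{wifi_uuid}",
        "PayloadUUID": wifi_uuid,
        "PayloadVersion": 1,
        "PayloadDisplayName": f"Wi-Fi ({ssid})",
        "SSID_STR": ssid,
        "HIDDEN_NETWORK": False,
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [EAP_TTLS],
            "TTLSInnerAuthentication": "PAP",
            "OuterIdentity": outer_identity,  # the only identity sent in the clear
            "PayloadCertificateAnchorUUID": [ca_uuid],
            "TLSTrustedServerNames": list(trusted_server_names),
        },
    }
    return {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.wifi",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "IronWifi Network",
        "PayloadContent": [ca_payload, wifi_payload],
    }

def to_mobileconfig(profile):
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)  # XML plist for Settings/MDM
```

Write the bytes from to_mobileconfig() to a .mobileconfig file and deliver it as described in the steps above; the CA bytes must be the DER-encoded certificate that issued the RADIUS server certificate.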

macOS Configuration

Using System Preferences

  1. Click the Wi-Fi icon in the menu bar
  2. Select Network Preferences (or Wi-Fi Settings)
  3. Click Advanced
  4. Click the + button to add a network
  5. Enter the SSID and select WPA2 Enterprise
  6. Click OK
  7. Connect to the network
  8. In the authentication dialog:
    • Mode: TTLS
    • Inner Authentication: PAP
    • Username: Your username
    • Password: Your password

Terminal Configuration (Advanced)

# Add the SSID as a preferred WPA2-Enterprise network on the Wi-Fi interface (en0 here)
networksetup -addpreferredwirelessnetworkatindex en0 "YourNetwork" 0 WPA2E

# networksetup cannot set the EAP method or inner authentication:
# the TTLS/PAP settings still have to come from an installed configuration profile

MDM Deployment

Microsoft Intune

  1. Create a Device configuration profile
  2. Platform: iOS/iPadOS or macOS
  3. Profile type: Wi-Fi
  4. Configure:
    • Wi-Fi type: Enterprise
    • EAP type: EAP-TTLS
    • Inner authentication method: PAP
    • Non-EAP method for authentication: Unencrypted password (PAP)
  5. Deploy to device groups

Jamf Pro

  1. Create a Configuration Profile
  2. Add Network payload
  3. Configure:
    • Security Type: WPA2 Enterprise
    • Protocols: TTLS
    • Inner Authentication: PAP
    • Outer Identity: anonymous (optional)
  4. Scope to appropriate devices

Apple Configurator 2

  1. File > New Profile
  2. Add Wi-Fi payload
  3. Security Type: WPA2 Enterprise
  4. Protocols: Check TTLS
  5. Inner Authentication: PAP
  6. Export and deploy

Identity Privacy

EAP-TTLS supports anonymous outer identity:

  • Outer Identity: sent in the clear before the TLS tunnel exists, so use anonymous@domain.com and expose only the realm
  • Inner Identity: your real username, protected by the TLS tunnel

Configure in profile:

<key>OuterIdentity</key>
<string>anonymous@company.com</string>

Troubleshooting

Profile Won't Install

  1. Check the profile isn't corrupted
  2. Verify XML syntax is valid
  3. Ensure UUIDs are unique
  4. Check device isn't supervised with restrictions
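As an added example (not IronWifi's code), the following linter applies the first three checks above to a profile before it is deployed, and also confirms the TTLS/PAP keys and whether the profile pins the RADIUS server certificate; the embedded sample profile is constructed to mirror the template on this page.

```python
# Added example (not IronWifi's code): lint a .mobileconfig before deployment.
# It checks the points listed above (well-formed plist, unique UUIDs) plus the
# TTLS/PAP keys and server-certificate pinning. The sample profile is constructed.
import plistlib

EAP_TTLS = 21

def lint_profile(data: bytes) -> list[str]:
    """Return findings for an EAP-TTLS/PAP profile; an empty list is clean."""
    try:
        profile = plistlib.loads(data)
    except Exception as exc:  # malformed XML or non-plist content
        return [f"profile is not a valid plist: {exc}"]
    findings = []
    payloads = profile.get("PayloadContent", [])
    uuids = [profile.get("PayloadUUID")] + [p.get("PayloadUUID") for p in payloads]
    if len(set(uuids)) != len(uuids) or None in uuids:
        findings.append("PayloadUUID values must be present and unique")
    wifi = [p for p in payloads if p.get("PayloadType") == "com.apple.wifi.managed"]
    if not wifi:
        findings.append("no com.apple.wifi.managed payload")
    for p in wifi:
        eap = p.get("EAPClientConfiguration", {})
        if EAP_TTLS not in eap.get("AcceptEAPTypes", []):
            findings.append(f"{p.get('SSID_STR')}: AcceptEAPTypes lacks 21 (EAP-TTLS)")
        if eap.get("TTLSInnerAuthentication") != "PAP":
            findings.append(f"{p.get('SSID_STR')}: TTLSInnerAuthentication is not PAP")
        if not eap.get("PayloadCertificateAnchorUUID") and not eap.get("TLSTrustedServerNames"):
            findings.append(f"{p.get('SSID_STR')}: no server certificate pinning; "
                            "the PAP password would be tunneled to any RADIUS server")
    return findings

# Constructed sample mirroring the template above (no certificate pinning)
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration", "PayloadIdentifier": "com.yourcompany.wifi",
    "PayloadUUID": "11111111-1111-1111-1111-111111111111", "PayloadVersion": 1,
    "PayloadContent": [{
        "PayloadType": "com.apple.wifi.managed", "PayloadVersion": 1,
        "PayloadIdentifier": "com.yourcompany.wifi.ttls",
        "PayloadUUID": "22222222-2222-2222-2222-222222222222",
        "SSID_STR": "YourNetworkSSID", "EncryptionType": "WPA2",
        "EAPClientConfiguration": {"AcceptEAPTypes": [EAP_TTLS],
                                   "TTLSInnerAuthentication": "PAP",
                                   "OuterIdentity": "anonymous"},
    }],
})

if __name__ == "__main__":
    print("\n".join(lint_profile(SAMPLE) or ["no findings"]))
```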

Authentication Fails

  1. Verify PAP is enabled on IronWifi
  2. Check username format matches IronWifi configuration
  3. Review authentication logs in IronWifi console

Cannot Select TTLS in Settings

iOS doesn't allow manual TTLS configuration - you must use a profile.

Certificate Trust Required

If server certificate validation is enabled:

  1. Include the CA certificate in the profile
  2. Or install CA certificate separately
  3. Trust the certificate in Settings

Use Cases

Azure AD Integration

TTLS + PAP works well with Azure AD when:

  • Password hash sync isn't available
  • Using pass-through authentication
  • Federated authentication is configured

External Identity Providers

Suitable for:

  • Okta
  • Google Workspace
  • Custom LDAP directories
  • SAML-based authentication