
Windows - EAP-TLS Configuration

Configure Windows devices for certificate-based EAP-TLS authentication against IronWifi WPA2-Enterprise networks. EAP-TLS is passwordless: the client and the RADIUS server authenticate each other with X.509 certificates, which makes it the strongest Wi-Fi authentication method Windows supports and the natural choice for enterprises that already operate a PKI.

Overview

EAP-TLS is the most secure Wi-Fi authentication method available. Client and server certificates are used for mutual authentication, so no password is ever typed or sent. Its security depends on both directions of that check: the RADIUS server verifies the client certificate, and the client must verify the server certificate (CA and server name) so that a rogue access point with its own RADIUS server cannot impersonate the network. The Configuration Steps below include that server validation. This method is ideal for enterprise environments with Public Key Infrastructure (PKI).

Prerequisites

  • Windows 7, 8, 10, or 11 (the Settings and PowerShell steps below assume Windows 10/11; the Control Panel steps also apply to older versions)
  • Client certificate with private key installed on the device
  • The CA certificate that issued the IronWifi RADIUS server certificate, so the client can validate the server
  • Wireless network configured with WPA2-Enterprise
  • IronWifi SCEP connector (for automatic certificate provisioning)

Certificate Installation

Option 1: SCEP with Microsoft Intune

For managed devices, use Microsoft Intune to automatically provision certificates:

  1. Configure SCEP with Intune in IronWifi
  2. Deploy the certificate profile to devices via Intune
  3. Certificates will be automatically installed

Option 2: Manual Installation

  1. Obtain your client certificate with its private key (.pfx or .p12 file)
  2. Double-click the certificate file to start the Certificate Import Wizard
  3. Select Current User (certificate usable only by that Windows account, for user authentication) or Local Machine (requires administrator rights; needed for computer authentication or for all users on the device)
  4. Click Next and enter the certificate password. Leave Mark this key as exportable unchecked so the private key cannot later be copied off the device
  5. Select Automatically select the certificate store (the certificate lands in the Personal store)
  6. Click Finish
  7. Install the CA certificate that issued the IronWifi RADIUS server certificate the same way, into Trusted Root Certification Authorities, if it is not already trusted
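The same installation as a script, added here as an example and not taken from the IronWifi page. It assumes placeholder paths C:\certs\user.pfx and C:\certs\ironwifi-ca.cer, needs the PKI module (Windows 8 / Server 2012 or later), and must run in an elevated PowerShell because the CA goes into the machine-wide Trusted Root store.

```powershell
# Added example (not from the IronWifi page): import an EAP-TLS client certificate
# and the RADIUS CA from PowerShell instead of the GUI wizard.
# Assumed paths (placeholders): C:\certs\user.pfx and C:\certs\ironwifi-ca.cer.

$pfxPath = 'C:\certs\user.pfx'          # assumed: client certificate + private key
$caPath  = 'C:\certs\ironwifi-ca.cer'   # assumed: CA that signed the RADIUS server cert

# Read the PFX password interactively so it never lands in shell history or a script.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Cert:\CurrentUser\My is the "Current User" Personal store the wizard uses.
# Leaving out -Exportable keeps the private key non-exportable, the equivalent of
# leaving "Mark this key as exportable" unchecked in the wizard.
$imported = Import-PfxCertificate -FilePath $pfxPath `
                                  -CertStoreLocation 'Cert:\CurrentUser\My' `
                                  -Password $pfxPassword

# A PFX may carry intermediates as well; the EAP-TLS identity is the one with a key.
$client = @($imported | Where-Object HasPrivateKey) | Select-Object -First 1
if (-not $client) {
    throw "No certificate with a private key was imported from $pfxPath; EAP-TLS cannot use it."
}

# The RADIUS server certificate must chain to a root this machine trusts.
# Trusted Root is machine-wide, hence the elevated shell.
$ca = Import-Certificate -FilePath $caPath -CertStoreLocation 'Cert:\LocalMachine\Root'

# Show what was installed; the CA thumbprint is what a scripted Wi-Fi profile pins to.
'Client : {0} (expires {1:yyyy-MM-dd}) thumbprint {2}' -f $client.Subject, $client.NotAfter, $client.Thumbprint
'CA     : {0} thumbprint {1}' -f $ca.Subject, $ca.Thumbprint
```

Run it once per user for user authentication; for computer authentication change the store to Cert:\LocalMachine\My, which is what the wizard's Local Machine choice does.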

Configuration Steps

Windows 10/11

  1. Open Settings > Network & Internet > Wi-Fi
  2. Click Manage known networks > Add a new network
  3. Configure:
    • Network name: Your SSID
    • Security type: WPA2-Enterprise
  4. Click Save
  5. Click on the network and select Properties
  6. Under EAP method, select Microsoft: Smart Card or other certificate
  7. Use the Detailed Configuration steps below to enable server certificate validation; the Settings page alone does not expose those options

Detailed Configuration

  1. Open Control Panel > Network and Sharing Center
  2. Click Set up a new connection or network
  3. Select Manually connect to a wireless network
  4. Enter network details:
    • Network name: Your SSID
    • Security type: WPA2-Enterprise
    • Encryption type: AES
  5. Click Next, then Change connection settings
  6. Go to the Security tab:
    • Authentication method: Microsoft: Smart Card or other certificate
  7. Click Settings:
    • Select Use a certificate on this computer
    • Check Use simple certificate selection (Windows picks the valid Client Authentication certificate automatically)
    • Check Verify the server's identity by validating the certificate
    • Check Connect to these servers and enter the name from the IronWifi RADIUS server certificate, so the client rejects a server certificate issued for another name by the same CA
    • Under Trusted Root Certification Authorities, tick only the CA that issued the RADIUS server certificate
    • Check Don't prompt user to authorize new servers or trusted certification authorities, so a user cannot click through an unexpected server certificate
  8. Click OK to save

Group Policy Deployment

Deploy EAP-TLS configuration enterprise-wide:

Computer Configuration > Policies > Windows Settings > Security Settings > Wireless Network (IEEE 802.11) Policies

Configure:

  • Create a policy for Windows Vista and Later Releases and add a profile with your SSID
  • Authentication: WPA2-Enterprise, Encryption: AES
  • EAP type: Microsoft: Smart Card or other certificate
  • In the EAP properties, enable Use a certificate on this computer and the same server validation settings as in Detailed Configuration (verify server identity, server name, the issuing CA only, no prompt for new servers)

Certificate Requirements

For EAP-TLS to work properly, certificates must meet these requirements:

Client Certificate

  • Enhanced Key Usage: Client Authentication (1.3.6.1.5.5.7.3.2)
  • Subject CN or a SAN entry (typically the UPN or e-mail) must contain the identifier IronWifi maps to the user
  • Private key must be present in the same store as the certificate (non-exportable is preferred)
  • Must chain to a CA that IronWifi is configured to trust

Server Certificate (IronWifi RADIUS)

  • Enhanced Key Usage: Server Authentication (1.3.6.1.5.5.7.3.1)
  • Must be signed by a CA present in the client's Trusted Root Certification Authorities store and selected in the EAP-TLS settings
  • Subject CN or SAN DNS name must match the name entered under Connect to these servers on the client

Troubleshooting

Certificate Not Found

  1. Open certmgr.msc (Certificate Manager) for the Current User store, or certlm.msc for the Local Machine store, depending on where the certificate was imported
  2. Navigate to Personal > Certificates
  3. Verify your certificate is listed
  4. Check the certificate has a private key (key icon on the certificate, and "You have a private key that corresponds to this certificate" on the General tab)
  5. Check the Enhanced Key Usage extension on the Details tab includes Client Authentication; Simple certificate selection ignores certificates without it

Authentication Fails

  1. Verify the certificate hasn't expired
  2. Check the certificate subject matches your IronWifi username
  3. Ensure the issuing CA is trusted by IronWifi

Server Certificate Validation Error

  1. Obtain the CA certificate that issued the IronWifi RADIUS server certificate (the root, plus any intermediate the server does not send itself)
  2. Install the root into Trusted Root Certification Authorities (Local Machine, so it applies to all users)
  3. Select that CA in the EAP-TLS settings and confirm the name under Connect to these servers matches the server certificate's subject or SAN
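One pass over the troubleshooting checklist above, added here as an example and not taken from the IronWifi page. It checks each certificate in a store for a private key, the Client Authentication EKU, validity dates, and whether Windows can build a trusted chain for it, then pulls recent WLAN failures from the event log. It assumes the client certificate lives in Cert:\CurrentUser\My; the event IDs used (8002 failed connection, 12013 802.1X security failure) come from the WLAN-AutoConfig operational log and are worth confirming on your build.

```powershell
# Added example (not from the IronWifi page): verify EAP-TLS client certificate
# requirements and list recent WLAN authentication failures.

function Test-EapTlsClientCertificate {
    param([string]$StoreLocation = 'Cert:\CurrentUser\My')   # assumed default store

    $clientAuthOid = '1.3.6.1.5.5.7.3.2'
    $now = Get-Date

    foreach ($cert in Get-ChildItem $StoreLocation) {
        # Read the EKU extension directly rather than relying on friendly names.
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $ekuOids = @()
        if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object Value) }

        # Subject Alternative Name (OID 2.5.29.17) usually carries the UPN IronWifi matches on.
        $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }

        # Build the chain the way Windows does when picking a certificate for EAP-TLS.
        $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk = $chain.Build($cert)

        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            SAN           = $sanText
            HasPrivateKey = $cert.HasPrivateKey
            ClientAuthEKU = ($ekuOids -contains $clientAuthOid)
            NotExpired    = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
            ChainBuilds   = $chainOk
            ChainStatus   = (@($chain.ChainStatus | ForEach-Object Status) -join ',')
        }
    }
}

# Only certificates passing every column are candidates for simple certificate selection.
$all = Test-EapTlsClientCertificate
$all | Format-Table Thumbprint, Subject, HasPrivateKey, ClientAuthEKU, NotExpired, ChainBuilds, ChainStatus -AutoSize
$usable = $all | Where-Object { $_.HasPrivateKey -and $_.ClientAuthEKU -and $_.NotExpired -and $_.ChainBuilds }
if (-not $usable) { Write-Warning 'No certificate in the store satisfies the EAP-TLS client requirements.' }

# Recent WLAN failures: 8002 = connection failed, 12013 = 802.1X security failed.
# The message text names the reason (server certificate rejected, no client certificate, etc.).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WLAN-AutoConfig/Operational'; Id = 8002, 12013 } `
             -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

A certificate that shows HasPrivateKey False is the "Certificate Not Found" case; NotExpired False or ChainBuilds False with a status such as UntrustedRoot corresponds to "Authentication Fails"; and a 12013 event mentioning the server certificate points at the server-validation settings rather than the client certificate.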