Windows - TTLS + PAP Configuration

Configure Windows devices to connect to IronWifi WPA-Enterprise wireless networks using EAP-TTLS with PAP inner authentication. This method is essential for integrating with external identity providers like Azure AD (without password hash sync), LDAP directories, and legacy systems that don't support MSCHAPv2.

Overview

EAP-TTLS creates a secure TLS tunnel and uses PAP for inner authentication. This method is useful when integrating with external identity providers that don't support MSCHAPv2.

Note: Windows 7 does not natively support EAP-TTLS. Windows 8 and later include built-in EAP-TTLS support.

Prerequisites

  • Windows 8, 10, or 11 (Windows 7 requires a third-party supplicant)
  • Valid user credentials
  • Wireless network configured with WPA2-Enterprise

Configuration Steps

Windows 10/11

  1. Open Settings > Network & Internet > Wi-Fi
  2. Click Manage known networks
  3. Click Add a new network
  4. Configure:
    • Network name: Your SSID
    • Security type: WPA2-Enterprise
  5. Click Save

Advanced Configuration via Control Panel

  1. Open Control Panel > Network and Sharing Center
  2. Click Set up a new connection or network
  3. Select Manually connect to a wireless network
  4. Enter:
    • Network name: Your SSID
    • Security type: WPA2-Enterprise
    • Encryption type: AES
  5. Check Start this connection automatically
  6. Click Next, then Change connection settings
  7. Go to the Security tab
  8. Set Authentication method to Microsoft: EAP-TTLS
  9. Click Settings:
    • Check Enable Identity Privacy and enter anonymous (or leave the field blank)
    • Connect to these servers: (optional) enter the RADIUS server hostname exactly as it appears in the server certificate
    • Check Verify the server's identity by validating the certificate (with PAP the password is protected only by the TLS tunnel, so this check is what stops the client from sending it to a server it should not trust)
    • Select authentication method: PAP
  10. Click OK to save all settings

Windows 7 Configuration

Windows 7 requires a third-party 802.1X supplicant for EAP-TTLS support:

SecureW2 Client

  1. Download and install SecureW2 EAP Suite
  2. Open SecureW2 Configuration
  3. Create a new profile:
    • SSID: Your network name
    • Outer EAP: EAP-TTLS
    • Inner Protocol: PAP
  4. Configure credentials and certificate validation
  5. Connect to the network

Identity Privacy

EAP-TTLS supports identity privacy (anonymous outer identity):

  • Outer Identity: Sent in the clear, before the TLS tunnel is established (use anonymous@yourdomain.com)
  • Inner Identity: Your actual username, sent inside the encrypted TLS tunnel

To configure:

  1. In EAP-TTLS settings, enable Identity Privacy
  2. Enter an anonymous identity or leave blank
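The Control Panel steps above and the identity-privacy settings can also be applied as a WLAN profile imported with netsh, which is how the same configuration is usually pushed to many machines. The script below is an added example, not IronWifi's or Microsoft's own code: it builds a WPA2-Enterprise/AES profile with EAP-TTLS (EAP type 21), PAP inner authentication, an anonymous outer identity, and server certificate validation pinned to one CA and one server name. The SSID, RADIUS hostname and CA thumbprint are placeholders. The EapTtls element names follow Microsoft's EapTtlsConnectionPropertiesV1 schema as used in exported profiles; before relying on it, compare against a profile exported from a working machine with netsh wlan export profile.

```powershell
# Added example (not IronWifi's own code): create and install an EAP-TTLS/PAP
# WLAN profile equivalent to the Control Panel steps. Run from an elevated
# PowerShell prompt on Windows 8 or later.

$Ssid         = 'YOUR-SSID'                                  # placeholder: replace with your SSID
$RadiusServer = 'radius.example.com'                         # placeholder: CN/SAN the RADIUS certificate must carry
$CaThumbprint = '0000000000000000000000000000000000000000'   # placeholder: SHA-1 thumbprint of the RADIUS CA

# Windows stores the pinned CA hash as space-separated hex byte pairs ("aa bb cc ...").
$CaHash  = ($CaThumbprint -replace '\s', '') -replace '(..)(?!$)', '$1 '
# The SSID also has to appear hex-encoded inside the profile.
$HexSsid = ([System.Text.Encoding]::UTF8.GetBytes($Ssid) | ForEach-Object { $_.ToString('X2') }) -join ''

$ProfileXml = @"
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>$Ssid</name>
  <SSIDConfig>
    <SSID>
      <hex>$HexSsid</hex>
      <name>$Ssid</name>
    </SSID>
  </SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2</authentication>
        <encryption>AES</encryption>
        <useOneX>true</useOneX>
      </authEncryption>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <authMode>user</authMode>
        <EAPConfig>
          <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
            <EapMethod>
              <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">21</Type>
              <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
              <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
              <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">311</AuthorId>
            </EapMethod>
            <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
              <EapTtls xmlns="http://www.microsoft.com/provisioning/EapTtlsConnectionPropertiesV1">
                <!-- Server validation: only accept a certificate from the pinned CA
                     that names the expected RADIUS host, and never fall back to a
                     user prompt that lets someone click through a mismatch. -->
                <ServerValidation>
                  <ServerNames>$RadiusServer</ServerNames>
                  <TrustedRootCAHash>$CaHash</TrustedRootCAHash>
                  <DisablePrompt>true</DisablePrompt>
                </ServerValidation>
                <!-- Inner authentication: PAP, as the page describes. -->
                <Phase2Authentication>
                  <PAPAuthentication />
                </Phase2Authentication>
                <!-- Identity privacy: only "anonymous" leaves the client in the clear;
                     the real username travels inside the TLS tunnel. -->
                <Phase1Identity>
                  <IdentityPrivacy>true</IdentityPrivacy>
                  <AnonymousIdentity>anonymous</AnonymousIdentity>
                </Phase1Identity>
              </EapTtls>
            </Config>
          </EapHostConfig>
        </EAPConfig>
      </OneX>
    </security>
  </MSM>
</WLANProfile>
"@

# Write the profile to a temporary file, import it for all users, then remove the file.
$ProfilePath = Join-Path $env:TEMP 'ttls-pap-profile.xml'
$ProfileXml | Set-Content -Path $ProfilePath -Encoding UTF8
netsh wlan add profile filename="$ProfilePath" user=all
Remove-Item -Path $ProfilePath
```

The CA thumbprint can be read from the certificate file with (Get-PfxCertificate -FilePath .\radius-ca.cer).Thumbprint once the CA has been installed as described under Certificate Validation Issues. DisablePrompt is set to true deliberately: with it false, a user presented with an unexpected server certificate can accept it by hand, which defeats the purpose of validation.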

Troubleshooting

EAP-TTLS Option Not Available

  1. Ensure you're running Windows 8 or later
  2. Update wireless adapter drivers
  3. Check for Windows updates

Authentication Fails

  1. Verify credentials are correct
  2. Ensure PAP is enabled on the RADIUS server
  3. Check IronWifi console for authentication logs

Certificate Validation Issues

  1. Obtain the RADIUS server's CA certificate from your RADIUS provider
  2. Install it into the Trusted Root Certification Authorities store
  3. Select that CA under Trusted Root Certification Authorities in the EAP-TTLS settings
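The three steps above can be checked rather than assumed. The script below is an added example, not IronWifi's own code: it installs the CA certificate into the machine-wide Trusted Root store, exports the stored WLAN profile, and reports whether the profile's EAP-TTLS server validation actually pins that CA, names the server, and keeps identity privacy on. The certificate path and SSID are placeholders; the element names queried follow Microsoft's EapTtlsConnectionPropertiesV1 schema as it appears in exported profiles.

```powershell
# Added example (not IronWifi's own code): trust the RADIUS CA and audit the
# EAP-TTLS profile's validation settings. Run from an elevated PowerShell prompt.

$CaCertPath = 'C:\Temp\radius-ca.cer'   # placeholder: CA certificate supplied by your RADIUS provider
$Ssid       = 'YOUR-SSID'               # placeholder: the profile name, normally the SSID

# Step 1: install the CA into the machine Trusted Root store so it applies to every user.
$Ca = Import-Certificate -FilePath $CaCertPath -CertStoreLocation 'Cert:\LocalMachine\Root'
$Ca = @($Ca)[0]
Write-Host "Installed CA '$($Ca.Subject)' with thumbprint $($Ca.Thumbprint)"

# Step 2: export the stored profile (credentials are not exported) and load it as XML.
$ExportDir = Join-Path $env:TEMP 'wlan-audit'
if (Test-Path $ExportDir) { Remove-Item -Path $ExportDir -Recurse -Force }
New-Item -ItemType Directory -Path $ExportDir | Out-Null
netsh wlan export profile name="$Ssid" folder="$ExportDir" | Out-Null
$ProfileFile = Get-ChildItem -Path $ExportDir -Filter '*.xml' | Select-Object -First 1
if (-not $ProfileFile) { throw "No profile named '$Ssid' found on this machine." }
[xml]$Profile = Get-Content -Path $ProfileFile.FullName

$ns = New-Object System.Xml.XmlNamespaceManager($Profile.NameTable)
$ns.AddNamespace('ttls', 'http://www.microsoft.com/provisioning/EapTtlsConnectionPropertiesV1')

# Step 3: compare what the profile validates against what was just installed.
$Findings   = @()
$Validation = $Profile.SelectSingleNode('//ttls:ServerValidation', $ns)

if (-not $Validation) {
    $Findings += 'No EAP-TTLS ServerValidation block: the client would accept any RADIUS server.'
} else {
    # Pinned hashes are stored as "aa bb cc ..."; strip the spaces for comparison.
    # PowerShell string comparison is case-insensitive, so upper/lower hex both match.
    $Pinned = @($Validation.SelectNodes('ttls:TrustedRootCAHash', $ns) | ForEach-Object { $_.InnerText -replace '\s', '' })
    if (-not ($Pinned -contains $Ca.Thumbprint)) {
        $Findings += "Profile does not pin the installed CA ($($Ca.Thumbprint)); select it in the EAP-TTLS settings."
    }
    $ServerNames = $Validation.SelectSingleNode('ttls:ServerNames', $ns)
    if (-not $ServerNames -or [string]::IsNullOrWhiteSpace($ServerNames.InnerText)) {
        $Findings += 'ServerNames is empty: any certificate issued by the pinned CA is accepted, not just the RADIUS server.'
    }
    $Prompt = $Validation.SelectSingleNode('ttls:DisablePrompt', $ns)
    if ($Prompt -and $Prompt.InnerText -eq 'false') {
        $Findings += 'DisablePrompt is false: users can click through a certificate mismatch.'
    }
}

$Privacy = $Profile.SelectSingleNode('//ttls:Phase1Identity/ttls:IdentityPrivacy', $ns)
if (-not $Privacy -or $Privacy.InnerText -ne 'true') {
    $Findings += 'Identity privacy is off: the real username is sent in the clear as the outer identity.'
}

Remove-Item -Path $ExportDir -Recurse -Force

if ($Findings.Count -eq 0) {
    Write-Host "Profile '$Ssid' pins the installed CA, validates the server name, and uses identity privacy."
} else {
    Write-Warning "Profile '$Ssid' needs attention:"
    $Findings | ForEach-Object { Write-Warning "  - $_" }
}
```

If the CA was installed only into the current user's store (Cert:\CurrentUser\Root), other users on the same machine will still see certificate validation failures; the LocalMachine store used here avoids that.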

Use Cases

EAP-TTLS + PAP is particularly useful for:

  • Azure AD integration without password hash sync
  • LDAP authentication with external directories
  • Legacy systems that don't support MSCHAPv2
  • Third-party identity providers