How to Configure WPA2-Enterprise on Each Operating System

Samuel Metzler Education

Automation is key for a positive user experience; the faster a monotonous task can be finished, the more time users can focus on important activities. Network authentication works the same way. Manually configuring operating systems can be a daunting task, even with guides that walk the user through the process. The problem is that guides cannot prevent user errors caused by misunderstanding high-level technical concepts. An error in configuring just one device can pose a serious security risk to the entire network. It opens a door for over-the-air credential theft and can threaten the organization’s data, not just the end user’s personal data.

That’s where EAP-TLS, WPA2-Enterprise using certificate-based authentication, stands above the rest. Certificate-based authentication ensures that only approved network users have access to the network. A certificate-based network not only eliminates over-the-air credential theft; certificates also offer a better user experience by eliminating credentials and burdensome password-change policies. The user only needs to enter their credentials once to authenticate their identity and be assigned a certificate. After this process, they’re automatically connected for the life of the certificate.

SecureW2’s JoinNow Suite works with every operating system so end users can easily self-service for WPA2-Enterprise. Below we’ve detailed the difference between manually configuring your device for WPA2-Enterprise on different operating systems and using onboarding software like SecureW2.

Configuring WPA2-Enterprise for Windows OS

Manual Configuration

Manually configuring a Windows device requires the user to set up a new wireless network, enter a network name, set the security type, adjust network settings, set the authentication method, and many more steps. While it’s certainly possible to complete this process accurately, it is highly complex and much more difficult than using onboarding software designed for efficiency.

  1. Setting Up a New Network
    • Go to the control panel, then under setup network go to manual configuration.
    • Make sure the security type is set to WPA2-Enterprise and the encryption type is set to AES.
  2. Modify the Wi-Fi Connection
    • Go to change connection settings.
  3. Configuring Certificate Authentication
    • Under security, go to choose authentication method.
    • Pick the setting that refers to certificates.
      • Choose the setting ‘Microsoft: smart cards or other certificates’
  4. Authentication with EAP-TLS
    • Install the certificate authority (CA) certificate so the device can verify which server it is connecting to.
      • Make sure it is a trusted root CA.
    • EAP-TLS is the authentication method that authenticates with certificates.
  5. Enable certificate enrollment
    • Be sure to enable both the certificate option and simple certificate selection.
    • Select the option that allows the device to use the certificate. After clicking OK, the process is complete.

Configuring with SecureW2

The process for configuring Windows OS with SecureW2 requires the user to connect to the onboarding SSID and open an internet browser. The user is sent to SecureW2’s JoinNow onboarding software. After clicking JoinNow, a graphic will indicate the progress of the configuration. The user will then be prompted to enter their credentials and the device will be authenticated and equipped with a certificate.

Configuring WPA2-Enterprise for macOS

Manual Configuration

In order to manually configure macOS, the end user needs to know how to create an enterprise profile, install a client security certificate, verify the certificate, and adjust the network settings. The process isn’t too difficult for someone with a background in IT, but it is risky for the average network user because of the high-level technical information involved with each step.

  1. Setting Up EAP-TLS Authentication
    • EAP-TLS requires client and server certificates.
    • Be sure to verify that server certificate validation is enabled to ensure your device always authenticates to the correct RADIUS server.
  2. Creating the Network Profile
    • Apple devices include a network location feature that allows end users to configure networks based on location.
    • Under System Preferences, go to Network, Edit Location, and then Add Location.
  3. Creating 802.1x Profiles – User Profile
    • Since we’re using EAP-TLS authentication, the client-side certificate is required first.
    • Open Network Preferences and select 802.1x under Advanced.
    • Select the secure wireless network.
      • For authentication, be sure to choose EAP-TLS.
    • After hitting Apply, the certificate will be distributed to the device.

Configuring with SecureW2

Downloading the SecureW2 JoinNow Suite for macOS lets automation take over the reins so end users are not required to complete the process. The setup is similar to Windows OS; the end user starts by connecting to the onboarding SSID and opens a browser. After downloading the .DMG file and entering their credentials, the configuration process begins. The entire configuration and authentication requires only a few steps, allowing the end user to sit back while the device configures.

Configuring WPA2-Enterprise for iOS

Manual Configuration

Just like every other manual OS configuration, the task of configuring the device is left to the end user. Because the process is much longer, the odds of device misconfiguration increase greatly with each additional step. Automating the onboarding process eliminates these extra steps and streamlines the user’s configuration experience.

  1. Set Up the Infrastructure
    • Set up EAP-TLS authentication; EAP-TLS requires client and server certificates.
      • We are going with EAP-TLS because it’s the most secure authentication method.
    • Be sure that server certificate validation is enabled so the device connects to the correct RADIUS server.
  2. Configure Network Settings
    • Open the Settings app and find Networks.
      • Go to Other Networks.
    • Enter the name of the network in the appropriate field.
    • Go to Security and adjust the settings.
      • Make sure to choose WPA2-Enterprise and EAP-TLS authentication.
    • Go back to Other Networks and enter the password.
      • Enter the username as well if necessary.
    • You can now join the network after clicking Join.

Configuring with SecureW2

Installing certificates onto Apple smartphones is a simple process since the configuration software does almost all of the work. Similar to macOS configuration, the end user is required to connect to the onboarding SSID and open their browser app. After entering their login credentials, the JoinNow option becomes available. Once clicked, the device will automatically install a profile and enroll a certificate. The end user is automatically connected to the correct Wi-Fi and doesn’t have to worry about misconfiguration or password-change policies.
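
On macOS and iOS, Wi-Fi settings delivered as a profile can be checked before distribution for the same points the manual steps call for: EAP-TLS only, a client certificate, and server certificate validation. The following is an added example, not SecureW2's code or a description of the profile it installs: it assumes an unsigned Apple configuration profile (.mobileconfig) carrying a standard `com.apple.wifi.managed` payload, and the SSID, server name and UUIDs in the sample are constructed placeholders.

```python
import plistlib

# Constructed sample profile; SSID, server name and UUIDs are placeholders.
SAMPLE_MOBILECONFIG = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [{
        "PayloadType": "com.apple.wifi.managed",
        "SSID_STR": "ExampleCorp",
        "EncryptionType": "WPA2",
        "PayloadCertificateUUID": "00000000-0000-0000-0000-000000000001",
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [13],                      # 13 = EAP-TLS
            "TLSTrustedServerNames": ["radius.example.com"],
            "PayloadCertificateAnchorUUID": ["00000000-0000-0000-0000-000000000002"],
        },
    }],
})

def audit_wifi_payloads(profile_bytes):
    """Map each Wi-Fi payload's SSID to a list of findings (empty list = OK)."""
    report = {}
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.wifi.managed":
            continue
        eap = payload.get("EAPClientConfiguration")
        if eap is None:
            report[payload.get("SSID_STR", "")] = ["no 802.1X settings: not an enterprise network"]
            continue
        findings = []
        if payload.get("EncryptionType") != "WPA2":
            findings.append("encryption type is not WPA2")
        if eap.get("AcceptEAPTypes") != [13]:
            findings.append("EAP methods other than EAP-TLS are accepted")
        if not payload.get("PayloadCertificateUUID"):
            findings.append("no client certificate payload referenced")
        if not eap.get("PayloadCertificateAnchorUUID"):
            findings.append("no trusted CA anchor for the RADIUS server certificate")
        if not eap.get("TLSTrustedServerNames"):
            findings.append("no RADIUS server name pinned")
        if eap.get("TLSAllowTrustExceptions"):
            findings.append("users may accept an untrusted server certificate")
        report[payload.get("SSID_STR", "")] = findings
    return report
```
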

Configuring WPA2-Enterprise for Android OS

Manual Configuration

Android devices are the most difficult to manually configure. Before installing, the end user will need a RADIUS server and trusted CA to get a certificate onto the device. Certificates need to be generated by a computer in order to be exported to the Android device. EAP-TLS needs two certificates, one for the end user and one for the server, so two certificates need to be exported from the computer to the smartphone. EAP-TLS is widely regarded as the most secure form of authentication because it eliminates over-the-air credential theft. Luckily, there is a faster option for enrolling certificates onto Android devices with EAP-TLS authentication.

  1. Setting Up EAP-TLS Authentication
    • EAP-TLS requires client and server certificates.
    • Be sure that server certificate validation is enabled so the device connects to the correct RADIUS server.
  2. General User Certificate
    • With the infrastructure in place, it’s time to generate a user certificate using another OS.
    • Access the certificate server to request a certificate.
      • Select user certificate and allow it to go through.
    • Install the certificate.
  3. Export the Certificate onto the device
    • The device requires the user certificate and the root CA certificate since we are using EAP-TLS.
    • Export the user certificate.
      • Find the certificate in the certificate manager.
      • Right click and export.
      • The Certificate Export Wizard will pop up.
        1. Export private key.
        2. Select the option to include all certificate paths.
        3. Enter a password and create a file name.
    • Repeat the process for the root CA certificate.
  4. Import Certificates onto the Android device
    • Copy both certificate files onto the device’s storage.
    • Go to Settings.
    • Under Security, install certificates from storage.
      • Enter the password to install both.
    • You can check whether the certificates installed by looking under Trusted Certificates.
  5. Authentication with EAP-TLS
    • Once the certificates are trusted and installed, connect to the right Wi-Fi SSID.
    • A security details prompt will appear.
      • Make sure the EAP method is TLS and both user and root CA certificates are in place.
    • Connect to the Wi-Fi.

Configuring with SecureW2

The process for enrolling certificates on Android devices is incredibly quick with SecureW2. All the end user needs to do is open their browser and they will be required to download the SecureW2 app. After entering the device lock code, the certificate will be installed and the end user can input their credentials. Then the device will automatically configure and authenticate. SecureW2 can shorten the onboarding process dramatically.

Device Onboarding Is Easy with SecureW2

Manually configuring new devices creates too much risk in the device onboarding process, both for the organization and the end user. Most end users are not properly trained to do manual configuration, so automating the configuration and authentication process saves time and money and avoids significant risk.

SecureW2’s JoinNow app relieves the end user of configuration and uses EAP-TLS authentication for device enrollment because of its superior security measures. It’s a cost-effective solution because enrollment only takes a few minutes. Automated device onboarding gives the IT department more time for important tasks by cutting down on meaningless support tickets.