Configure 802.1x EAP-TLS WPA-Enterprise Wi-Fi on your Access Point (2024)

For 802.1x EAP-TLS (certificate-based) Wi-Fi deployments in security-sensitive environments, you’ll generally need four things:

  • A Certificate Authority
  • A RADIUS server
  • A properly configured Access Point (AP)
  • A process for distributing the CA certificate and enrolling clients. This is usually handled via a Mobile Device Management (MDM) enrollment of client devices

Smallstep provides a Certificate Authority, a RADIUS server, and MDM integrations for the seamless deployment of certificates and network profiles to your clients.

Here’s a simplified diagram of an Apple laptop getting a client certificate and joining an 802.1x EAP-TLS authenticated network. With EAP-TLS, the RADIUS server must complete a mutual TLS handshake with the device before giving the thumbs up to the access point:
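The exchange in that diagram, reduced to its RADIUS layer, as an added example (this is illustrative code, not Smallstep's RADIUS server or any AP firmware): the AP wraps each EAP frame from the client in an Access-Request, the server answers with Access-Challenge while the EAP-TLS handshake runs inside EAP, and the final Access-Accept is what gives the AP the "thumbs up". The code shows what the RADIUS shared secret actually protects: it never authenticates the client (the client certificate does that), it authenticates the AP-to-RADIUS channel through the HMAC-MD5 Message-Authenticator (RFC 3579) on every packet and the MD5 Response Authenticator (RFC 2865) on replies, so a reply signed with the wrong secret is dropped even when it says Access-Accept. Secrets, identities and the NAS IP are constructed placeholders.

```python
# Added example, not from the page: RADIUS framing around EAP with
# Message-Authenticator and Response Authenticator checks. Secrets and
# addresses below are constructed placeholders.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS = 1, 4
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80
ZERO_MAC = b"\x00" * 16


def encode_attrs(attrs):
    """Serialize [(type, value)] as RADIUS TLVs; the length byte covers the 2-byte header."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += bytes([t, len(v) + 2]) + v
    return out


def decode_attrs(data):
    """Parse RADIUS TLVs, rejecting truncated or zero-length attributes."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def message_authenticator(secret, code, ident, authenticator, attrs):
    """HMAC-MD5 over the whole packet with the Message-Authenticator value zeroed.
    For replies, `authenticator` is the Request Authenticator of the matching request."""
    zeroed = [(t, ZERO_MAC if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    return hmac.new(secret, build_packet(code, ident, authenticator, zeroed), hashlib.md5).digest()


def build_access_request(secret, ident, request_auth, eap_frame, nas_ip):
    """AP side: wrap an EAP frame from the supplicant in an Access-Request."""
    attrs = [
        (ATTR_USER_NAME, b"anonymous"),
        (ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        (ATTR_EAP_MESSAGE, eap_frame),
        (ATTR_MESSAGE_AUTHENTICATOR, ZERO_MAC),
    ]
    attrs[-1] = (ATTR_MESSAGE_AUTHENTICATOR,
                 message_authenticator(secret, ACCESS_REQUEST, ident, request_auth, attrs))
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def verify_access_request(secret, packet):
    """RADIUS server side: accept the request only if its Message-Authenticator matches."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return False
    attrs = decode_attrs(packet[20:])
    macs = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(macs) != 1:
        return False  # EAP-Message without a Message-Authenticator is not acceptable
    return hmac.compare_digest(macs[0], message_authenticator(secret, code, ident, packet[4:20], attrs))


def build_reply(secret, code, ident, request_auth, attrs):
    """RADIUS server side: Access-Challenge/Accept/Reject cryptographically bound to the request."""
    attrs = list(attrs) + [(ATTR_MESSAGE_AUTHENTICATOR, ZERO_MAC)]
    attrs[-1] = (ATTR_MESSAGE_AUTHENTICATOR,
                 message_authenticator(secret, code, ident, request_auth, attrs))
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def verify_reply(secret, reply, request_auth, expected_ident):
    """AP side: returns (ok, code). A reply failing either check is dropped whatever its code says."""
    if len(reply) < 20:
        return False, None
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or ident != expected_ident:
        return False, code
    body = reply[20:]
    if not hmac.compare_digest(hashlib.md5(reply[:4] + request_auth + body + secret).digest(), reply[4:20]):
        return False, code
    attrs = decode_attrs(body)
    macs = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(macs) != 1:
        return False, code
    return hmac.compare_digest(macs[0], message_authenticator(secret, code, ident, request_auth, attrs)), code


def demo(secret=b"secret-goes-here", wrong_secret=b"not-the-secret"):
    """Constructed exchange: EAP identity round trip, then an Access-Accept built with the wrong secret."""
    ident, request_auth = 7, os.urandom(16)
    identity = b"anonymous"
    # EAP-Response/Identity: code 2, id 1, length, type 1 (Identity), identity string
    eap_identity = struct.pack("!BBH", 2, 1, 5 + len(identity)) + b"\x01" + identity
    request = build_access_request(secret, ident, request_auth, eap_identity, "192.0.2.10")
    # EAP-Request/EAP-TLS Start: code 1, id 2, length 6, type 13 (EAP-TLS), flags with the S bit set
    eap_tls_start = struct.pack("!BBH", 1, 2, 6) + b"\x0d\x20"
    challenge = build_reply(secret, ACCESS_CHALLENGE, ident, request_auth, [(ATTR_EAP_MESSAGE, eap_tls_start)])
    forged_accept = build_reply(wrong_secret, ACCESS_ACCEPT, ident, request_auth, [])
    return {
        "server_accepts_request": verify_access_request(secret, request),
        "server_rejects_wrong_secret": not verify_access_request(wrong_secret, request),
        "ap_accepts_challenge": verify_reply(secret, challenge, request_auth, ident),
        "ap_rejects_forged_accept": verify_reply(secret, forged_accept, request_auth, ident),
    }
```

Running `demo()` shows the server accepting the genuine Access-Request and rejecting it under the wrong secret, the AP accepting the Access-Challenge that carries the EAP-TLS Start, and the AP rejecting the forged Access-Accept. The practical point for the configurations below is that the shared secret and the RADIUS IP are the whole trust anchor between your AP and Smallstep's RADIUS server, which is why a long random secret and a per-site value matter.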

This document describes how to configure popular Wi-Fi Access Points (AP) to use 802.1x EAP-TLS with WPA-Enterprise Wi-Fi, with RADIUS provided by Smallstep. These instructions will delegate Wi-Fi authentication on your AP to your Smallstep account.

For MDM enrollment, we have integrations and tutorials for Jamf and Intune, but Smallstep can integrate with just about any MDM, and can even be deployed in environments without MDM.

Ensure test WLANs are used for initial integration testing. Do not complete these steps on a production WLAN until after testing has been validated.

On this page, you'll find:

  • Create a Wi-Fi Device Collection in Smallstep
  • Configure 802.1x EAP-TLS on any Access Point
  • Instructions for specific Access Points:
    • Ubiquiti Unifi
    • Aerohive
    • Aruba
    • Asus
    • Cisco Wireless LAN Controller
    • Extreme Networks
    • Juniper Mist
    • Meraki
    • MikroTik
    • Sophos UTM

Create a Wi-Fi Device Collection in Smallstep

Before you configure an Access Point for EAP-TLS, you need to create a Smallstep Wi-Fi Account and RADIUS server.

If you haven’t already, sign up for a Smallstep account. In your Smallstep account, you’ll want to create a Mobile Device Collection, add a Wi-Fi Account to it, and add your client devices to the collection.

  1. Create a Device Collection.

    Sign into Smallstep, go to the Mobile Devices tab, and choose + Add Collection. Select Any macOS, iPadOS, or iOS device as the platform, and give your device collection a name.

  2. Add your device(s) to the device collection.

    Use the serial number of the device as the Device Identifier when you create it. You can find the serial number for your device under Settings > General > About, or in About This Mac. Make sure you click "Register Device".

  3. Create a “Wi-Fi” account in your new Smallstep Device Collection

    You’ll need to supply the Wi-Fi SSID you’ll use for WPA3 Enterprise and your public-facing (WAN) IP address, so our RADIUS server can identify requests from your network.

  4. When you’re finished, you’ll see your RADIUS server details. Use these when you configure your Access Point.

General Instructions for Configuring 802.1x EAP-TLS on any Access Point

In case your Access Point isn’t specifically listed here, here are some general instructions. Each Access Point will have a slightly different configuration UI, but these network settings are constant no matter what AP you’re using:

  • Security Protocol: WPA2 Enterprise or WPA3 Enterprise
  • RADIUS server information (provided by Smallstep)
    • RADIUS server IP
    • RADIUS server port
    • RADIUS server shared secret
    • RADIUS accounting port
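For an AP you configure from a file rather than a UI, here is the same set of settings expressed as a hostapd.conf for a Linux-based access point. This is an added example, not configuration from the page or from Smallstep; the interface, channel, SSID, IP addresses and secret are placeholders to replace with the values from your Wi-Fi Account. Note that nothing about certificates or EAP-TLS appears here: the AP only relays EAP to the RADIUS server, which is where the client certificate is validated.

```ini
# Added example (not from the page): hostapd.conf for a Linux AP acting as the
# 802.1X authenticator. All addresses, names and the secret are placeholders.
interface=wlan0
driver=nl80211
ssid=corp-eaptls
hw_mode=a
channel=36

# Security Protocol: WPA2/WPA3 Enterprise. RSN (wpa=2) with 802.1X key
# management and CCMP only; WPA3-Enterprise additionally requires Protected
# Management Frames, hence ieee80211w=2.
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee80211w=2

# Relay EAP to the external RADIUS server instead of terminating it locally.
ieee8021x=1
eap_server=0

# RADIUS server information (provided by Smallstep). own_ip_addr is only the
# NAS-IP-Address attribute; the RADIUS server still sees your public WAN IP
# as the packet source, which is the address registered in the Wi-Fi Account.
own_ip_addr=192.0.2.1
auth_server_addr=203.0.113.10
auth_server_port=1812
auth_server_shared_secret=secret-goes-here
acct_server_addr=203.0.113.10
acct_server_port=1813
acct_server_shared_secret=secret-goes-here
```

Keep the configuration file readable only by root, since the shared secret is stored in clear text, and test on a separate SSID first, as the note at the top of this page recommends.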

Configure 802.1x EAP-TLS WPA-Enterprise Wi-Fi on Ubiquiti Unifi

First, create a RADIUS Profile in the Unifi Network app:

  1. Go to Settings > Profiles > RADIUS > Create New
  2. Give the profile a name
  3. Under Authentication servers, add the RADIUS server IP address, port, and shared secret you received from Smallstep
  4. Choose Save.

Next, create a new 802.1x EAP-TLS WPA-Enterprise authenticated Wi-Fi network and link your new Smallstep RADIUS profile to it:

  1. Go to Settings > WiFi > Create New
  2. Give your network an SSID
  3. Under Advanced Configuration, choose Manual
  4. Go to Security
    1. For Security Protocol, select WPA-3 Enterprise
    2. For RADIUS Profile, select the RADIUS profile you created above
  5. Go back and choose Save

Your new 802.1x EAP-TLS WPA-Enterprise Wi-Fi network is ready for use.

Configure 802.1x EAP-TLS WPA-Enterprise Wi-Fi on MikroTik

This section is suitable for a MikroTik AP that uses RouterOS. You can use the WebFig UI or the MikroTik Terminal to configure your AP.

  1. Add a new RADIUS client, replacing the RADIUS IP and secret with the values you received from Smallstep:

    1. Go to RADIUS -> Add New
    2. For Service, select wireless
    3. Enter the Address and Secret for the Smallstep RADIUS server
    4. Adjust the Timeout to 5000ms
    5. Choose Ok

    Or, in the terminal:

    /radius add address=123.123.123.123 secret="secret-goes-here" service=wireless timeout=5s
  2. Add a security profile:

    1. Go to Wireless -> Security Profiles -> Add New
    2. Give the profile the name EAP_AP
    3. For Mode, choose dynamic keys
    4. For Authentication Types, select WPA2 EAP
    5. For Supplicant Identity, enter Mikrotik
    6. Choose Ok

    Or, in the terminal:

    /interface wireless security-profiles add authentication-types=wpa2-eap eap-methods=passthrough mode=dynamic-keys name=EAP_AP supplicant-identity=Mikrotik
  3. Associate the security profile with the Wireless interface:

    1. Go to Wireless Interfaces and choose the interface you'd like to use with EAP-TLS
    2. Update Security Profile to EAP_AP
    3. Choose Ok

    Or, in the terminal (note that [find] with no filter matches every wireless interface; use a filter such as [find name=wlan1] to apply the profile to a single interface):

    /interface wireless set [find] security-profile=EAP_AP

Configure 802.1x EAP-TLS WPA-Enterprise Wi-Fi on Aerohive

First, create a new RADIUS profile:

  1. On the Aerohive dashboard, go to Configuration > Common Objects > Authentication > External RADIUS Servers, and click on “+” to create a new RADIUS server
  2. Provide a Name for the server
  3. Enter the RADIUS server IP address, port, and shared secret you received from Smallstep into their respective fields
  4. Click Save

Next, create a new 802.1x EAP-TLS WPA-Enterprise authenticated Wi-Fi network and link your new Smallstep RADIUS profile to it:

  1. Go to Configure > Network Policies > Add Network Policy
  2. Select Wireless, provide a Policy Name, and click Next
  3. Click “+” to add a Wireless SSID
  4. Provide SSID Name and SSID Broadcast Name for your network
  5. Under SSID Usage:
    1. For SSID Authentication, select Enterprise WPA/WPA2 802.1X
    2. For Key Management, select WPA2-(WPA2 Enterprise)-802.1X
    3. For Encryption Method, select CCMP (AES)
  6. Scroll down to Authentication Settings. Click on +, next to Default RADIUS Server Group, to add a RADIUS server
  7. Select the Smallstep RADIUS profile you created above, and click on Save

Your 802.1x EAP-TLS WPA-Enterprise Wi-Fi network is ready for use.

Configure 802.1x EAP-TLS WPA-Enterprise Wi-Fi on Aruba

Note: These instructions follow the setup for Aruba mobility controller wireless AP portals. See the Aruba reference WLAN configuration documentation for details.

First, create a new RADIUS profile:

  1. On the Aruba portal, go to Configuration → Authentication → Auth Servers
  2. Click + in the Server Group table and provide a Name for the new server group, then click Submit
  3. From the Server Group table, click the group you just created, then click + to add new RADIUS server details
  4. Select the Add new server option, and then enter the RADIUS server IP address and hostname received from Smallstep into their respective fields
  5. Select RADIUS from the Type drop-down list
  6. Click Submit

Next, create a new 802.1x EAP-TLS WPA-Enterprise authenticated Wi-Fi network and link your new Smallstep RADIUS profile to it.

  1. On the dashboard, go to Configuration > WLAN, then click the + icon to add a new WLAN
  2. On the General tab:
    1. For Name (SSID), enter a name for the SSID
    2. For Primary usage, select the Employee option
    3. For Broadcast on, click on the Select AP Groups drop-down list, then select a desired AP group
    4. For Forwarding Mode, leave the default tunnel option
    5. Click Next
  3. On the VLANs tab, select your VLAN ID, and click Next
  4. On the Security > Enterprise tab:
    1. For Key management, select WPA-3 Enterprise
    2. In the Auth servers section, click +, select the Smallstep RADIUS profile, and click OK
    3. Click Next
  5. On the Access tab:
    1. From the Default role drop-down list, select an existing user role to be assigned to an employee that successfully authenticates to the WLAN, or define a new role by clicking on Show Roles and clicking “+” in the Roles table
    2. Click Finish
  6. On the next page, click on Pending Changes, then click on Deploy Changes

Your new 802.1x EAP-TLS WPA-Enterprise Wi-Fi network is ready for use.

Configure 802.1x EAP-TLS WPA-Enterprise Wi-Fi on Meraki

  1. On your Meraki dashboard, navigate to Wireless > Configure > SSIDs
  2. Enable an Unconfigured SSID
  3. Under the newly enabled Unconfigured SSID, click on rename, name the SSID accordingly, then click Save Changes
  4. Click on edit settings. This will take you to the Access control tab for the SSID
  5. Set the Association requirements to Enterprise with my RADIUS server
  6. Scroll to RADIUS servers to add your Smallstep RADIUS server. Enter the RADIUS server IP address, port, and shared secret you received from Smallstep into their respective fields
  7. Click Save

Your new 802.1x EAP-TLS WPA-Enterprise Wi-Fi network is ready for use.

Configure 802.1x EAP-TLS WPA-Enterprise Wi-Fi on Cisco Wireless LAN Controller

First, create a new RADIUS profile:

  1. Go to Security > RADIUS > Authentication, then click New to add a new RADIUS server
  2. Provide the Server Address, Shared Secret and Port Number obtained from Smallstep
  3. Click Apply

Next, create a new 802.1x EAP-TLS WPA-Enterprise authenticated Wi-Fi network and link your new Smallstep RADIUS profile to it:

  1. Click on the WLANs tab, choose Create New and click Go
  2. Provide a name for your new WLAN, and click Apply to continue
  3. Go to the General tab, and ensure that Status is Enabled
  4. Go to the Security tab > AAA Servers. In the Server 1 dialog box, under Authentication Servers, select the RADIUS server that you just configured, and click Apply

Your new 802.1x EAP-TLS WPA-Enterprise Wi-Fi network is ready for use.

Configure 802.1x EAP-TLS WPA-Enterprise Wi-Fi on Extreme Networks

First, create a new RADIUS profile:

  1. On your Extreme Networks dashboard, navigate to ONBOARD > AAA
  2. On the Default AAA Configuration page, scroll to RADIUS Servers, and click Add
  3. Provide the RADIUS Server IP address, RADIUS Port, and Shared Secret provided by Smallstep
  4. Click Save

Next, create a new 802.1x EAP-TLS WPA-Enterprise authenticated Wi-Fi network and link your new Smallstep RADIUS profile to it:

  1. Navigate to Networks > Add:
    • For Network Name, provide a suitable name
    • For SSID, enter a name for the SSID
    • For Status, select Enable
    • For Auth Type, select WPA2 Enterprise w/ RADIUS
    • For Authentication Method, select RADIUS
    • For Primary RADIUS, select the Smallstep RADIUS IP Address added earlier
    • For Backup RADIUS, select another if any
    • For Default Auth Role, select Enterprise User
    • For Default VLAN, select a VLAN
  2. Click Save

Your new 802.1x EAP-TLS Enterprise Wi-Fi network is ready for use.

Configure 802.1x EAP-TLS WPA-Enterprise Wi-Fi on Juniper Mist

  1. Navigate to Organization>WLAN Templates
  2. Click a WLAN template (or create a template)
  3. Click on Add WLAN
  4. In the Edit/Create WLAN window, provide an SSID for your new WLAN
  5. Scroll to the Security section; under Security Type, select WPA3 or WPA2, then click Enterprise (802.1X)
  6. Scroll to the Authentication Servers section, and click Add Server
  7. Enter the Hostname (IP Address) and Shared Secret of the RADIUS server received from Smallstep
  8. Click Save

Your 802.1x EAP-TLS WPA-Enterprise Wi-Fi network is ready for use. For more, see Juniper Mist reference documentation.

Configure 802.1x EAP-TLS WPA-Enterprise Wi-Fi on Sophos UTM

First, create a new RADIUS profile:

  1. Go to Definitions & Users > Authentication Services
  2. On the Servers tab, click New Authentication Server
  3. On the Add Authentication Server dialogue box:
    1. For Backend, select RADIUS
    2. For Position, select Top
    3. For Server, click + to add a new RADIUS server IP address provided by Smallstep
    4. For Shared Secret, enter the shared RADIUS server secret provided by Smallstep
  4. Click Save

Next, configure 802.1x EAP-TLS WPA-Enterprise WLANs to use the new RADIUS profile for authentication:

  1. Go to Wireless Protection > Global Settings > Advanced.
  2. On the Enterprise Authentication box, select the created RADIUS profile from the Radius Server dropdown.
  3. Click Apply

Then, create a new 802.1x EAP-TLS WPA-Enterprise authenticated Wi-Fi network:

  1. Go to Wireless Protection > Wireless Networks
  2. Click on Add Wireless Network
  3. On the Add Wireless Network dialog:
    1. For Network name, enter a descriptive name for the network
    2. For Network SSID, provide a suitable name
    3. For Encryption mode, select WPA2/WPA Enterprise
    4. For Client traffic, see the implications of the different options on the Sophos UTM Administrator Guide.
  4. Click Save

Go ahead to associate the new SSID network with your access point, and your new 802.1x EAP-TLS WPA-Enterprise Wi-Fi network is ready for use.

Configure 802.1x EAP-TLS WPA-Enterprise Wi-Fi on Asus

These instructions follow the setup for the RT-AX1800S. However, most current ASUS routers have a similar interface.

Tip: When setting up an 802.1x EAP-TLS Enterprise WLAN on your Asus router, configure the Enterprise network on one band only and keep a WPA2 password-protected network on the other band as a break-glass connection, so you can still reach the router if the new settings lock you out of the configured band.

  1. On the Asus Router dashboard, navigate to Advanced Settings > Wireless

  2. On the General tab, configure the following parameters:

    1. For Network Name (SSID), enter a name for the WLAN
    2. For Authentication Method, select WPA2-Enterprise
    3. For Server IP Address, Server Port, and Connection String, provide the RADIUS server properties provided by Smallstep during setup
  3. Click Apply to save changes to router

Your new 802.1x EAP-TLS WPA-Enterprise Wi-Fi network is ready for use.

Can’t find configuration instructions for your access point? Create an issue for it.
