Configure 802.1x EAP-TLS WPA-Enterprise Wi-Fi on your Access Point

For 802.1x EAP-TLS (certificate-based) Wi-Fi deployments in security-sensitive environments, you’ll generally need four things:

  • A Certificate Authority
  • A RADIUS server
  • A properly configured Access Point (AP)
  • A process for distributing the CA certificate and enrolling clients. This is usually handled via a Mobile Device Management (MDM) enrollment of client devices

Smallstep provides a Certificate Authority, a RADIUS server, and MDM integrations for the seamless deployment of certificates and network profiles to your clients.

Here’s a simplified diagram of an Apple laptop getting a client certificate and joining an 802.1x EAP-TLS authenticated network. With EAP-TLS, the RADIUS server must complete a mutual TLS handshake with the device before giving the thumbs up to the access point:

This document describes how to configure popular Wi-Fi Access Points (AP) to use 802.1x EAP-TLS with WPA-Enterprise Wi-Fi, with RADIUS provided by Smallstep. These instructions will delegate Wi-Fi authentication on your AP to your Smallstep account.

For MDM enrollment, we have integrations and tutorials for Jamf and Intune, but Smallstep can integrate with just about any MDM, and can even be deployed in environments without MDM.

On this page, you'll find:

Protect a Wi-Fi Resource in Smallstep

Before you configure an Access Point for EAP-TLS, you need create a Smallstep Wi-Fi Resource.

If you haven’t already, sign up for a Smallstep account and add some devices for testing, under the Devices tab.

  1. Sign into Smallstep. Under the Protect tab, go to Wi-Fi and Add a Wi-Fi resource.

    You’ll need to supply the Wi-Fi SSID you’ll use for WPA3 Enterprise and your public-facing (WAN) IP address, so our RADIUS server can identify requests from your network.

  2. When you’re finished, if you're using a Smallstep-managed RADIUS server, you’ll see your RADIUS server details. Use these details when you configure your Access Point.

General Instructions for Configuring 802.1x EAP-TLS on any Access Point

In case your Access Point isn’t specifically listed here, here are some general instructions. Each Access Point will have a slightly different configuration UI, but these network settings are constant no matter what AP you’re using:

  • Security Protocol: WPA2 Enterprise or WPA3 Enterprise
  • RADIUS server information (provided by Smallstep)
    • RADIUS server IP
    • RADIUS server port
    • RADIUS server shared secret
    • RADIUS accounting port

Configure 802.1x EAP-TLS WPA-Enterprise Wi-Fi on Ubiquiti Unifi

First, create a RADIUS Profile in the Unifi Network app, :

  1. Go to SettingsProfilesRADIUSCreate New
  2. Give the profile a name
  3. Under Authentication servers, add the RADIUS server IP address, port, and shared secret you received from Smallstep
  4. Choose Save.

Next, create a new 802.1x EAP-TLS WPA-Enterprise authenticated Wi-Fi network and link your new Smallstep RADIUS profile to it:

  1. Go to SettingsWiFiCreate New
  2. Give your network an SSID
  3. Under Advanced Configuration, choose Manual
  4. Go to Security
    1. For Security Protocol, select WPA-3 Enterprise
    2. For RADIUS Profile, select the RADIUS profile you created above
  5. Go back and choose Save

Your new 802.1x EAP-TLS WPA-Enterprise Wi-Fi network is ready for use.

Configure 802.1x EAP-TLS WPA-Enterprise Wi-Fi on MikroTik

This section is suitable for a MikroTik AP that uses RouterOS. You can use the WebFig UI or the MikroTik Terminal to configure your AP.

  1. Add a new RADIUS client, replacing the RADIUS IP and secret with the values you received from Smallstep:

    1. Go to RADIUS -> Add New
    2. For Service, select wireless
    3. Enter the Address and Secret for the Smalletp RADIUS server
    4. Adjust the Timeout to 5000ms
    5. Choose Ok

    Or, in the terminal:

    /radius
    add address=123.123.123.123 secret="secret-goes-here" \
    service=wireless timeout=5s
    
  2. Add a security profile:

    1. Go to Wireless -> Security Profiles -> Add New
    2. Give the profile the name EAP_AP
    3. For Mode, choose dynamic keys
    4. For Authentication Types, select WPA2 EAP
    5. For Supplicant Identity, enter Mikrotik
    6. Choose Ok

    Or, in the terminal:

    /interface wireless security-profiles
    add authentication-types=wpa2-eap eap-method=passthrough mode=dynamic-keys name=EAP_AP supplicant-identity=Mikrotik
    
  3. Associate the security profile with the Wireless interface:

    1. Go to Wireless Interfaces and choose the interface you'd like to use with EAP-TLS
    2. Update Security Profile to EAP_AP
    3. Choose Ok

    Or, in the terminal:

    /interface/wireless
    set [find] security-profile=EAP_AP
    

For more information, see MicroTik Documentation.

Configure 802.1x EAP-TLS WPA-Enterprise Wi-Fi on Aerohive

First, create a new RADIUS profile:

  1. On the Aerohive dashboard, go to ConfigurationCommon ObjectsAuthenticationExternal RADIUS Servers, and click on “+” to create a new RADIUS server
  2. Provide a Name for the server
  3. Enter the RADIUS server IP address, port, and shared secret you received from Smallstep into their respective fields
  4. Click Save

Next, create a new 802.1x EAP-TLS WPA-Enterprise authenticated Wi-Fi network and link your new Smallstep RADIUS profile to it:

  1. Go to ConfigureNetwork PoliciesAdd Network Policy
  2. Select Wireless, provide a Policy Name, and click Next
  3. Click “+” to add a Wireless SSID.

Aerohive EAP-TLS setup

  1. Provide SSID Name and SSID Broadcast Name for your network
  2. Under SSID Usage:
    1. For SSID Authentication, select Enterprise WPA/WPA2 802.1X
    2. For Key Management, select WPA2-(WPA2 Enterprise)-802.1X
    3. For Encryption Method, select CCMP (AES)
  3. Scroll down to Authentication Settings. Click on +, next to Default RADIUS Server Group, to add a RADIUS server
  4. Select the Smallstep RADIUS profile you created above, and click on Save

Your 802.1x EAP-TLS WPA-Enterprise Wi-Fi network is ready for use.

Configure 802.1x EAP-TLS WPA-Enterprise Wi-Fi on Aruba

Note: These instructions follow setup for Aruba mobility controllers wireless AP portals. See Aruba reference WLAN configuration documentation

First, create a new RADIUS profile:

  1. On the Aruba portal, go to Configuration → Authentication → Auth Servers
  2. Click + in the Server Group table and provide a Name for the new server group, then click Submit
  3. From the Server Group table, click the group you just created, then click + to add new RADIUS server details
  4. Select the Add new server option, and then enter the RADIUS server IP address and hostname received from Smallstep into their respective fields
  5. Select RADIUS from the Type drop-down list
  6. Click Submit

Next, create a new 802.1x EAP-TLS WPA-Enterprise authenticated Wi-Fi network and link your new Smallstep RADIUS profile to it.

  1. On the dashboard, go to Configuration → WLAN, then click the + icon to add a new WLAN
  2. On the General tab:
    1. For Name (SSID), enter a name for the SSID
    2. For Primary usage, select the Employee option
    3. For Broadcast on, click on the Select AP Groups drop-down list, then select a desired AP group
    4. For Forwarding Mode, leave the default tunnel option
    5. Click Next
  3. On the VLANs tab, select your VLAN ID, and click Next
  4. On the Security > Enterprise tab:
    1. For Key management, select WPA-3 Enterprise
    2. For Auth servers section, click +, select the Smallstep RADIUS profile, and click OK
    3. Click Next
  5. On the Access tab:
    1. For the Default role drop-down list, select an existing user role to be assigned to an employee that successfully authenticates to the WLAN, or define a new role by clicking on Show Roles and clicking ”+” in the Roles table
    2. Click Finish
  6. On the next page, click on Pending Changes, then click on Deploy Changes

Your new 802.1x EAP-TLS WPA-Enterprise Wi-Fi network is ready for use.

Configure 802.1x EAP-TLS WPA-Enterprise Wi-Fi on Meraki

  1. On your Meraki dashboard, navigate to Wireless > Configure > SSIDs
  2. Enable an Unconfigured SSID
  3. Under the newly Unconfigured SSID, click on rename, name the SSID accordingly, then click Save Changes
  4. Click on edit settings. This will will take you to the Access control tab for the SSID

Meraki EAP-TLS Wi-Fi setup

  1. Set the Association requirements to Enterprise with my RADIUS server
  2. Scroll to RADIUS servers to add your Smallstep RADIUS server. Enter the RADIUS server IP address, port, and shared secret, you received from Smallstep into their respective fields
  3. Click Save

Your new 802.1x EAP-TLS WPA-Enterprise Wi-Fi network is ready for use.

Configure 802.1x EAP-TLS WPA-Enterprise Wi-Fi on Cisco Wireless LAN Controller

First, create a new RADIUS profile:

  1. Go to Security > RADIUS > Authentication, then click New to add a new RADIUS server
  2. Provide the Server Address, Shared Secret and Port Number obtained from Smallstep
  3. Click Apply

Next, create a new 802.1x EAP-TLS WPA-Enterprise authenticated Wi-Fi network and link your new Smallstep RADIUS profile to it:

  1. Click on the WLANs tab, choose Create New and click Go
  2. Provide a name for your new WLAN, and click Apply to continue
  3. Go to the General tab, ensure that Status is Enabled
  4. Go to the Security tab > AAA Servers. In the Server 1 dialog box, under Authentication Servers, select the RADIUS server that you just configured, and click Apply

Your new 802.1x EAP-TLS WPA-Enterprise Wi-Fi network is ready for use.

Configure 802.1x EAP-TLS WPA-Enterprise Wi-Fi on Extreme

First, create a new RADIUS profile:

  1. On your Extreme Networks dashboard, navigate to ONBOARD > AAA
  2. On the Default AAA Configuration page, scroll to RADIUS Servers, and click Add 
  3. Provide the RADIUS Server IP address, RADIUS Port, and Shared Secret provided by Smallstep
  4. Click Save

Extreme EAP-TLS setup

Next, create a new 802.1x EAP-TLS WPA-Enterprise authenticated Wi-Fi network and link your new Smallstep RADIUS profile to it:

  1. Navigate to Networks > Add:
    • For Network Name, provide a suitable name
    • For SSID, enter a name for the SSID
    • For Status, select Enable
    • For Auth Type, select WPA2 Enterprise w/ RADIUS
    • For Authentication Method, select RADIUS
    • For Primary RADIUS, select the Smallstep RADIUS IP Address added earlier
    • For Backup RADIUS, select another if any
    • For Default Auth Role, select Enterprise User
    • For Default VLAN, select a VLAN
  2. Click Save

Your new 802.1x EAP-TLS Enterprise Wi-Fi network is ready for use.

Configure 802.1x EAP-TLS WPA-Enterprise Wi-Fi on Juniper Mist

  1. Navigate to Organization > WLAN Templates
  2. Click a WLAN template (or create a template)
  3. Click on Add WLAN
  4. In the Edit/Create WLAN window, provide an SSID for your new WLAN
  5. Scroll to the Security section, under Security Type, select WPA3 or WPA2, then click Enterprise (802.1X)
  6. Scroll to the Authentication Servers section, and click Add Server
  7. Enter the Hostname (IP Address) and Shared Secret of the RADIUS server received from Smallstep
  8. Click Save

Your 802.1x EAP-TLS WPA-Enterprise Wi-Fi network is ready for use. For more, see Juniper Mist reference documentation.

Configure 802.1x EAP-TLS WPA-Enterprise Wi-Fi on Sophos UTM

First, create a new RADIUS profile:

  1. Go to Definitions & Users > Authentication Services
  2. On the Servers tab, click New Authentication Server
  3. On the Add Authentication Server dialogue box:
    1. For Backend, select RADIUS
    2. For Position, select Top
    3. For Server, click + to add a new RADIUS server IP address provided by Smallstep
    4. For Shared Secret, enter the shared RADIUS server secret provided by Smallstep
  4. Click Save

Next, configure 802.1x EAP-TLS WPA-Enterprise WLANs to use the new RADIUS profile for authentication:

  1. Go to Wireless Protection > Global Settings > Advanced.
  2. On the Enterprise Authentication box, select the created RADIUS profile from the Radius Server dropdown.
  3. Click Apply

Then, create a new 802.1x EAP-TLS WPA-Enterprise authenticated Wi-Fi network:

  1. Go to Wireless Protection > Wireless Networks
  2. Click on Add Wireless Network
  3. On the Add Wireless Network dialog:
    1. For Network name, enter a descriptive name for the network
    2. For Network SSID, provide a suitable name
    3. For Encryption mode, select WPA2/WPA Enterprise
    4. For Client traffic, see the implications of the different options on the Sophos UTM Administrator Guide.
  4. Click Save

Go ahead to associate the new SSID network with your access point, and your new 802.1x EAP-TLS WPA-Enterprise Wi-Fi network is ready for use.

Configure 802.1x EAP-TLS WPA-Enterprise Wi-Fi on Asus

These instructions follow setup for RT-AX1800S. However you should find most current ASUS routers have a similar interface.

Tip: To set up an 802.1x EAP-TLS Enterprise Wi-Fi WLAN on your Asus router, start with a separate dual band setup so that you have a break-glass connection to a WPA2 Password connection in the event that your settings are not allowing access to the configured band.

  1. On the Asus Router dashboard, navigate to Advanced Settings > Wireless

    ASUS EAP-TLS setup

  2. On the General tab, configure the following parameters:

    1. For Network Name (SSID), enter a name for the WLAN
    2. For Authentication Method, select WPA2-Enterprise
    3. For Server IP Address, Server Port, and Connection String, provide the RADIUS server properties provided by Smallstep during setup
  3. Click Apply to save changes to router

Your new 802.1x EAP-TLS WPA-Enterprise Wi-Fi network is ready for use.

Last updated on March 11, 2024