
Extensible Authentication Protocol (EAP) device management settings for Apple devices
You can configure the various EAP protocols for Apple devices that enrol in a device management service. Device management services can support the following 802.1X authentication methods for WPA Enterprise and WPA2 Enterprise networks. You can select multiple EAP methods.
- TLS
- TTLS (MSCHAPv2)
- EAP-FAST
- EAP-SIM
- PEAP (EAP-MSCHAPv2, the most common form of PEAP)
- PEAP (EAP-GTC, less common and created by Cisco)
- EAP-AKA (requires no additional configuration)

The tables that follow describe the settings for each EAP method.

TLS

| Setting | Description | Required |
|---|---|---|
| Account username | The user’s name. | Yes |
| Identity certificate | The Certificates payload used to authorise connections to the network. | Yes |
| TLS version support | Select the minimum and maximum TLS versions: | No |

TTLS

| Setting | Description | Required |
|---|---|---|
| Account username | The user name for the connection to the network. | Yes |
| Account password | The password associated with the username. | Yes |
| Identity certificate | The certificate payload used to authorise connections to the network. | Yes |
| Two-Factor Authentication (2FA) | Requires Two-Factor Authentication to connect to the network. | No |
| Use directory authentication | Select to allow the credentials for the directory login to be used for authentication. | No |
| Inner authentication | The authentication protocol to be used: | Yes |
| Outer identity | Add the externally visible identification. | No |
| TLS version support | Select the minimum and maximum TLS versions: | No |

EAP-FAST

| Setting | Description | Required |
|---|---|---|
| Account username | The user name for the connection to the network. | Yes |
| Account password | The password associated with the username. | Yes |
| Identity certificate | The Certificates payload used to authorise connections to the network. | Yes |
| Two-Factor Authentication (2FA) | Requires Two-Factor Authentication to connect to the network. | No |
| Use directory authentication | Select to allow the credentials for the directory login to be used for authentication. | No |
| Outer identity | Add the externally visible identification. | No |
| TLS version support | Select the minimum and maximum TLS versions: | No |
| Protected Access Credential (PAC) support | Specify whether to use PAC. If selected, the other options are: | No |

EAP-SIM

| Setting | Description | Required |
|---|---|---|
| Two RANDs | Select to allow authentication to the network server by providing only two 128-bit random values. | No |

PEAP

| Setting | Description | Required |
|---|---|---|
| Account username | The user name for the connection to the network. | Yes |
| Account password | The password associated with the username. | Yes |
| Identity certificate | The Certificates payload used to authorise connections to the network. | Yes |
| Two-Factor Authentication (2FA) | Requires Two-Factor Authentication to connect to the network. | No |
| Use directory authentication | Select to allow the credentials for the directory login to be used for authentication. | No |
| Outer identity | Add the externally visible identification. | No |
| TLS version support | Select the minimum and maximum TLS versions: | No |

Note: Each device management service developer implements these settings differently. To learn how various TLS, TTLS, EAP-FAST, EAP-SIM and PEAP protocol settings are applied to your devices, consult your developer’s device management service documentation.
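
An added example, not part of the original page or of any device management service's own code: a Python check of a Wi-Fi payload's `EAPClientConfiguration` against the Required column of the tables above, which also reports a low TLS minimum and the Two RANDs setting. It assumes the settings map to the Apple configuration profile keys `AcceptEAPTypes`, `UserName`, `UserPassword`, `PayloadCertificateUUID`, `TTLSInnerAuthentication`, `TLSMinimumVersion` and `EAPSIMNumberOfRANDs`; the TLS 1.2 threshold and the sample payload are constructed for the example.

```python
import plistlib
# EAP method numbers (IANA registry) as listed in AcceptEAPTypes.
EAP_TYPES = {13: "TLS", 18: "EAP-SIM", 21: "TTLS", 23: "EAP-AKA", 25: "PEAP", 43: "EAP-FAST"}
# Settings the tables mark "Required: Yes", mapped to profile keys (assumed mapping).
CREDS = ["UserName", "UserPassword", "PayloadCertificateUUID"]
REQUIRED = {
    "TLS": ["UserName", "PayloadCertificateUUID"],
    "TTLS": CREDS + ["TTLSInnerAuthentication"],
    "EAP-FAST": CREDS, "PEAP": CREDS, "EAP-SIM": [], "EAP-AKA": [],
}
MIN_TLS = (1, 2)  # review threshold chosen for this example, not a value from the page

def audit_wifi_payload(payload):
    """Return sorted findings for one Wi-Fi payload dictionary."""
    eap = payload.get("EAPClientConfiguration", {})
    # The identity certificate reference sits on the Wi-Fi payload, not in the EAP dict.
    merged = {**eap, "PayloadCertificateUUID": payload.get("PayloadCertificateUUID")}
    findings = []
    for number in eap.get("AcceptEAPTypes", []):
        method = EAP_TYPES.get(number)
        if method is None:
            findings.append(f"unknown EAP type {number}")
            continue
        findings += [f"{method}: missing {k}" for k in REQUIRED[method] if not merged.get(k)]
        if method == "EAP-SIM" and eap.get("EAPSIMNumberOfRANDs") == 2:
            findings.append("EAP-SIM: two RANDs allowed")
        if method in ("TLS", "TTLS", "PEAP", "EAP-FAST"):
            tls_min = eap.get("TLSMinimumVersion", "1.0")  # absent treated as 1.0 (assumption)
            if tuple(int(p) for p in tls_min.split(".")) < MIN_TLS:
                findings.append(f"{method}: TLS minimum {tls_min} below 1.2")
    return sorted(findings)

def audit_profile_bytes(data):
    return audit_wifi_payload(plistlib.loads(data))

# Constructed sample payload, serialized the way a profile would carry it.
SAMPLE = plistlib.dumps({
    "PayloadType": "com.apple.wifi.managed",
    "EAPClientConfiguration": {
        "AcceptEAPTypes": [21, 18],
        "UserName": "alice",
        "TTLSInnerAuthentication": "MSCHAPv2",
        "TLSMinimumVersion": "1.0",
        "EAPSIMNumberOfRANDs": 2,
    },
})

if __name__ == "__main__":
    print("\n".join(audit_profile_bytes(SAMPLE)))
```

Because each device management service exposes these settings differently, run a check like this on the profile the service actually exports rather than on its console view.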