...

      • Install the server certificate and its private key on the RADIUS server; the server presents this certificate to clients to establish the TLS tunnel that carries the inner credentials.
      • Configure the RADIUS server to offer EAP-TTLS or EAP-PEAP and to verify the username and password that arrive inside the tunnel.
      • [draw.io diagram: freeradiconfig-unpd]
      • Ensure that the CA certificate (used to sign the server certificate) is trusted by client devices. A private CA is preferable to a public one: with a public CA, any certificate that CA has issued would validate unless the client also pins the expected server name.

4. Configure the Wi-Fi Access Point:

The Wi-Fi AP must be configured to use WPA2-Enterprise (or WPA3-Enterprise), which makes it an 802.1X authenticator. The AP itself does not run EAP-TTLS or EAP-PEAP: it passes EAP through to the RADIUS server, and the method is negotiated between the client and that server.

...

      • Set the Security Mode on the AP to WPA2-Enterprise or WPA3-Enterprise (802.1X).
      • Specify the RADIUS server IP address, port and shared secret on the AP so it can forward authentication requests to the RADIUS server. Use a long random secret per AP: RADIUS protects its packets only with MD5-based authenticators keyed by this secret, so the AP-to-server traffic should also stay on a management VLAN or go through a RadSec (RADIUS over TLS) tunnel rather than crossing the client network.
      • No separate EAP-method setting is needed on the AP: it only relays EAP between the client and the RADIUS server (as EAP-Message attributes), and EAP-TTLS or EAP-PEAP is agreed between those two ends. If the AP offers a local EAP server, leave it disabled so that authentication goes to the RADIUS server.

5. Configure the Passpoint Profile for Username and Password Authentication:

      • The Passpoint profile on the client device specifies the EAP method (EAP-TTLS or EAP-PEAP, with its inner method), the credentials (username and password) and the realm the client authenticates under.
      • The profile also carries the identity provider (IdP) information, such as the home operator's FQDN and NAI realm, that lets the device match ANQP advertisements and connect to Passpoint-enabled networks automatically.

...

        • Configure the ANQP (Access Network Query Protocol) settings on the Wi-Fi AP so that the NAI Realm element advertises the realm and the EAP method(s) it supports (EAP-TTLS or EAP-PEAP, with inner method and credential type); this is what the client compares against its profile before it associates.
        • On the client device, create a Passpoint configuration profile that specifies the username, password and realm, the EAP type (EAP-TTLS or EAP-PEAP) with its inner method, and the CA certificate (and, where supported, the expected server name) the device must use to validate the RADIUS server.
        • [draw.io diagram: expp]
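The ANQP advertisement and the client-side matching described in this step, as an added worked example (not configuration or code from the original page): it encodes and decodes the IEEE 802.11u NAI Realm element an AP advertises, using the same EAP method and authentication parameter numbers that hostapd takes in its nai_realm= lines, and then applies a simplified version of the check a Passpoint client makes before joining: is my credential's realm advertised, and does it offer a method a username/password credential can use? The realms example.org and example.net, the methods offered, and the exact matching rules (case-insensitive realm equality, the inner methods accepted) are constructed assumptions for the example; real clients apply further Passpoint policy on top of this. Standard library only.

```python
import struct

# EAP method type numbers (IANA EAP registry)
EAP_TLS, EAP_TTLS, EAP_PEAP, EAP_MSCHAPV2 = 13, 21, 25, 26

# Authentication parameter IDs/values (IEEE 802.11-2012 Table 8-188); these are
# the numbers hostapd takes in its nai_realm= lines, e.g. 21[2:4][5:7]
AUTH_NON_EAP_INNER = 2      # value: 1 PAP, 2 CHAP, 3 MSCHAP, 4 MSCHAPV2
AUTH_INNER_EAP = 3          # value: inner EAP method type
AUTH_CRED_TYPE = 5          # value: 6 certificate, 7 username/password
NONEAP_PAP, NONEAP_CHAP, NONEAP_MSCHAP, NONEAP_MSCHAPV2 = 1, 2, 3, 4
CRED_CERT, CRED_USERPASS = 6, 7


def encode_nai_realm(realms):
    """Build the element the AP advertises.
    realms: [(realm, [(eap_method, [(param_id, value), ...]), ...]), ...];
    every parameter value used here is one octet."""
    out = struct.pack("<H", len(realms))                        # NAI Realm Count
    for realm, methods in realms:
        rb = realm.encode("ascii")
        body = bytes([0, len(rb)]) + rb + bytes([len(methods)])  # encoding 0 = RFC 4282
        for method, params in methods:
            auth = b"".join(bytes([pid, 1, val]) for pid, val in params)
            sub = bytes([method, len(params)]) + auth
            body += bytes([len(sub)]) + sub                     # EAP Method subfield
        out += struct.pack("<H", len(body)) + body               # NAI Realm Data Field Length
    return out


def decode_nai_realm(data):
    """Parse what the client received over ANQP. ANQP is unauthenticated, so
    every length is checked and malformed input raises ValueError."""
    try:
        (count,) = struct.unpack_from("<H", data, 0)
        pos, realms = 2, []
        for _ in range(count):
            (flen,) = struct.unpack_from("<H", data, pos)
            pos += 2
            end = pos + flen
            if end > len(data):
                raise ValueError("NAI Realm Data runs past the element")
            rlen = data[pos + 1]
            realm = data[pos + 2:pos + 2 + rlen].decode("ascii")
            pos += 2 + rlen
            nmeth, pos = data[pos], pos + 1
            methods = []
            for _ in range(nmeth):
                mend = pos + 1 + data[pos]
                method, nauth, pos = data[pos + 1], data[pos + 2], pos + 3
                params = []
                for _ in range(nauth):
                    if data[pos + 1] != 1:
                        raise ValueError("only one-octet auth params handled")
                    params.append((data[pos], data[pos + 2]))
                    pos += 3
                if pos != mend:
                    raise ValueError("EAP Method subfield length mismatch")
                methods.append((method, params))
            if pos != end:
                raise ValueError("NAI Realm Data Field Length mismatch")
            realms.append((realm, methods))
    except (IndexError, struct.error, UnicodeDecodeError) as exc:
        raise ValueError("malformed NAI Realm element") from exc
    return realms


def select_eap_method(advertised, home_realm):
    """Simplified version of the check a Passpoint client makes before joining:
    does an advertised realm match the credential's realm and offer a method a
    username/password credential can use? Returns (eap_method, inner) or None."""
    for realm_field, methods in advertised:
        names = [r.lower() for r in realm_field.split(";")]   # hostapd allows a;b lists
        if home_realm.lower() not in names:
            continue
        for method, params in methods:
            p = dict(params)
            if p.get(AUTH_CRED_TYPE, CRED_USERPASS) != CRED_USERPASS:
                continue                                    # e.g. EAP-TLS needs a certificate
            if method == EAP_TTLS and p.get(AUTH_NON_EAP_INNER) in (
                    NONEAP_PAP, NONEAP_CHAP, NONEAP_MSCHAP, NONEAP_MSCHAPV2):
                return method, ("non-eap", p[AUTH_NON_EAP_INNER])
            if method in (EAP_TTLS, EAP_PEAP) and p.get(AUTH_INNER_EAP) == EAP_MSCHAPV2:
                return method, ("eap", EAP_MSCHAPV2)
    return None


# Constructed sample; the equivalent hostapd lines would be
#   nai_realm=0,example.org,13[5:6],21[2:4][5:7]
#   nai_realm=0,example.net,25[3:26][5:7]
SAMPLE_REALMS = [
    ("example.org", [(EAP_TLS, [(AUTH_CRED_TYPE, CRED_CERT)]),
                     (EAP_TTLS, [(AUTH_NON_EAP_INNER, NONEAP_MSCHAPV2),
                                 (AUTH_CRED_TYPE, CRED_USERPASS)])]),
    ("example.net", [(EAP_PEAP, [(AUTH_INNER_EAP, EAP_MSCHAPV2),
                                 (AUTH_CRED_TYPE, CRED_USERPASS)])]),
]

if __name__ == "__main__":
    wire = encode_nai_realm(SAMPLE_REALMS)
    print(wire.hex())
    for realm in ("example.org", "example.net", "example.com"):
        print(realm, "->", select_eap_method(decode_nai_realm(wire), realm))
```

A client with a username/password credential for example.org picks EAP-TTLS with MSCHAPv2 inside and ignores the EAP-TLS entry, one for example.net picks PEAP, and one for a realm that is not advertised does not try to join at all. That last point is the reason to advertise the realm precisely: a device will not associate to a Passpoint network whose NAI Realm element does not match its profile, and it will not fall back to typing in credentials.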

6. Install the Passpoint Profile on Client Devices:

      • The Passpoint profile containing the username, password, and EAP method needs to be installed on the client device.
      • The client device must also trust the CA that signed the RADIUS server's certificate (installed with the profile or already present in the device trust store); without it the device cannot tell the operator's server from a rogue one.

...

        • For Windows/macOS/Linux: Use the system’s network manager or profile manager to install the profile.
        • For Android and iOS devices: The Passpoint profile can be pushed via Mobile Device Management (MDM), or users can install it manually.

7. EAP-TTLS or EAP-PEAP Authentication Workflow:

When the client with a Passpoint profile containing the username and password tries to connect to a Passpoint-enabled Wi-Fi network, the following occurs:

...

        1. The AP starts 802.1X and requests an EAP identity; the client answers with its outer identity, ideally an anonymous one such as anonymous@realm so that the real username is never sent in the clear.
        2. The AP wraps the EAP exchange in RADIUS Access-Request packets and forwards them to the RADIUS server, which replies with Access-Challenge packets carrying the next EAP message.
        3. The RADIUS server proposes EAP-TTLS or EAP-PEAP and sends its certificate as part of the TLS handshake that establishes the tunnel.
        4. The client validates the server certificate against the CA certificate installed with the profile (and, where configured, the expected server name). If this check is skipped, or the user can click through a warning, an attacker's AP and RADIUS server can present any certificate and capture the inner credentials.
        5. The client sends the username and password inside the TLS tunnel (for example PAP or MSCHAPv2 under EAP-TTLS, EAP-MSCHAPv2 under PEAP).
        6. The RADIUS server verifies the username and password against its backend (LDAP, Active Directory, SQL, a local users file, etc.).
        7. Upon successful authentication the server returns Access-Accept with an EAP-Success, and the AP grants the client access to the Wi-Fi network.
        8. The TLS tunnel ends with the EAP exchange; the key material derived from it (the MSK, which the RADIUS server delivers to the AP) seeds the WPA2/WPA3 4-way handshake, and that handshake produces the per-client keys that encrypt the client's traffic over the air.
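Steps 1 and 2 of this workflow, the hop between the AP and the RADIUS server, as an added example that is not part of the original page: both sides build and verify RFC 2865 packets with the shared secret, the AP wrapping the client's EAP-Response/Identity (with an anonymous outer identity) in an Access-Request, and the server answering with an Access-Challenge that carries EAP-Request/TTLS-Start. The shared secret, the client MAC address, the identities and the Request Authenticator are constructed sample values; the Message-Authenticator and Response Authenticator computations follow RFC 3579 and RFC 2865. Standard library only.

```python
import hashlib, hmac, os, struct

# RADIUS codes and attribute types (RFC 2865, RFC 3579)
ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11
USER_NAME, CALLING_STATION_ID, NAS_PORT_TYPE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 31, 61, 79, 80
NAS_PORT_WIRELESS_80211 = 19
# EAP codes and types (RFC 3748, RFC 5281)
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY, EAP_TYPE_TTLS = 1, 21
TTLS_FLAG_START = 0x20
SECRET = b"constructed-shared-secret"   # constructed sample value, not a real secret


def attr(t, value):
    """One RADIUS attribute: Type, Length (header included), Value."""
    return bytes([t, 2 + len(value)]) + value


def eap_packet(code, ident, eap_type, data=b""):
    """EAP packet: Code, Identifier, Length, Type, Type-Data."""
    return struct.pack("!BBH", code, ident, 5 + len(data)) + bytes([eap_type]) + data


def parse_attrs(pkt):
    """(type, value, offset) for each attribute after the 20-byte header."""
    out, pos = [], 20
    while pos < len(pkt):
        if pos + 2 > len(pkt) or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > len(pkt):
            raise ValueError("malformed attribute")
        out.append((pkt[pos], pkt[pos + 2:pos + pkt[pos + 1]], pos))
        pos += pkt[pos + 1]
    return out


def message_authenticator(secret, pkt, request_auth, off):
    """HMAC-MD5 over pkt with the Request Authenticator in the Authenticator
    field and the 16-byte Message-Authenticator value at off zeroed."""
    zeroed = pkt[:4] + request_auth + pkt[20:off + 2] + bytes(16) + pkt[off + 18:]
    return hmac.new(secret, zeroed, hashlib.md5).digest()


def find_mac(pkt):
    """Offset of the single 16-byte Message-Authenticator attribute, else None."""
    try:
        macs = [off for t, v, off in parse_attrs(pkt) if t == MESSAGE_AUTHENTICATOR and len(v) == 16]
    except ValueError:
        return None
    return macs[0] if len(macs) == 1 else None


def build_request(secret, ident, attrs, request_auth=None):
    """AP side: Access-Request. Message-Authenticator is mandatory whenever
    EAP-Message is carried; it goes last and is filled in after hashing."""
    request_auth = request_auth or os.urandom(16)
    body = b"".join(attrs) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body
    off = len(pkt) - 18
    return pkt[:off] + attr(MESSAGE_AUTHENTICATOR, message_authenticator(secret, pkt, request_auth, off))


def verify_request(secret, pkt):
    """RADIUS server side. An Access-Request carrying EAP-Message without a
    valid Message-Authenticator must be silently discarded (RFC 3579 3.2)."""
    off = find_mac(pkt)
    return off is not None and hmac.compare_digest(
        message_authenticator(secret, pkt, pkt[4:20], off), pkt[off + 2:off + 18])


def build_response(secret, code, request, attrs):
    """Server side: Message-Authenticator keyed with the Request Authenticator,
    then Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    req_auth = request[4:20]
    body = b"".join(attrs) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    hdr = struct.pack("!BBH", code, request[1], 20 + len(body))
    mac = message_authenticator(secret, hdr + req_auth + body, req_auth, 20 + len(body) - 18)
    body = body[:-18] + attr(MESSAGE_AUTHENTICATOR, mac)
    return hdr + hashlib.md5(hdr + req_auth + body + secret).digest() + body


def verify_response(secret, request, response):
    """AP side: both authenticators bind the reply to our request and the
    shared secret, so a reply forged without the secret fails."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return False
    off = find_mac(response)
    return off is not None and hmac.compare_digest(
        message_authenticator(secret, response, request[4:20], off), response[off + 2:off + 18])


def exchange(secret=SECRET, request_auth=bytes(range(16))):
    """Client EAP-Response/Identity (anonymous outer identity) relayed by the AP,
    answered by an Access-Challenge with EAP-Request/TTLS-Start: (req, resp, ok)."""
    outer_identity = b"anonymous@example.org"      # the real username stays inside TLS
    identity = eap_packet(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, outer_identity)
    req = build_request(secret, 7, [
        attr(USER_NAME, outer_identity),
        attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_WIRELESS_80211)),
        attr(CALLING_STATION_ID, b"02-00-00-00-00-01"),   # constructed client MAC
        attr(EAP_MESSAGE, identity),
    ], request_auth)
    if not verify_request(secret, req):                  # a server would drop silently
        return req, b"", False
    start = eap_packet(EAP_REQUEST, 2, EAP_TYPE_TTLS, bytes([TTLS_FLAG_START]))
    resp = build_response(secret, ACCESS_CHALLENGE, req, [attr(EAP_MESSAGE, start)])
    return req, resp, verify_response(secret, req, resp)


if __name__ == "__main__":
    req, resp, ok = exchange()
    print(req.hex(), resp.hex(), "verified" if ok else "FAILED", sep="\n")
```

The verify_request check is why an EAP-capable RADIUS server must reject Access-Requests that lack a Message-Authenticator: the Request Authenticator alone is random and unkeyed, so without the HMAC anything between AP and server could alter the EAP-Message attributes undetected. The same shared secret is what lets the AP check the Access-Challenge it gets back, which is why the secret's strength and the path it travels over (step 4 above) matter.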

8. User Experience:

Once the Passpoint profile with the username and password is configured, the client device can automatically connect to Passpoint-enabled networks that support EAP-TTLS or EAP-PEAP without needing to re-enter the credentials.

...