EAP-TTLS/PAP is a widely deployed authentication protocol that provides enhanced network security through digital authentication, ensuring that the appropriate users and devices have access to JumpCloud RADIUS. Learn to configure EAP-TTLS/PAP for your JumpCloud RADIUS clients that run Android.
- The two use cases that require EAP-TTLS/PAP in JumpCloud are:
  - Delegated Auth with Entra ID. See Authenticate to RADIUS with Entra ID.
  - 6-digit time-based one-time password (TOTP) multi-factor authentication (MFA) for RADIUS-based VPN authentication.
- We do not recommend using PAP without EAP-TTLS, because the configuration will be insecure.
- If neither of these two use cases applies, JumpCloud recommends using PEAPv0 (also referred to as EAP-PEAP or PEAP-MSCHAPv2) for authentication. It requires no additional configuration because it is the default used by all operating systems.
- For more information, see Configure Your WiFi Clients to Use RADIUS.
Prerequisites:
- JumpCloud RADIUS configuration. See Get Started: RADIUS to learn more.
Configuring a WiFi Profile on Android Devices
These steps may vary slightly depending on the make and model of your Android device.
To configure a WiFi profile with EAP-TTLS/PAP on Android devices:
- On an Android device, go to Settings > Network & internet and tap on Internet.
- Either select the WiFi SSID from the list, or select + Add network and create a new wireless profile.
- (Optional) Enter the Network SSID.
- Configure the following settings:
  - EAP method: TTLS
  - Phase 2 authentication: PAP
  - CA certificate: Select Use system certificates or Trust on first use. Jump to Understanding CA Certificate Options to learn more.
  - Domain: radius.jumpcloud.com
  - Identity: Enter the user’s JumpCloud email address (or Entra ID username if using delegated authentication).
  - Password: Enter the user’s JumpCloud password (or Entra ID password if using delegated authentication).
  - Anonymous identity: Leave this field blank.
- Tap Save.
- Tap Connect.
- When prompted with "Is this network trusted?", tap Yes, connect.
Understanding CA Certificate Options
When a user connects an Android device to a WiFi network secured by JumpCloud RADIUS, the operating system requires you to configure how the server's identity is validated. The recommended approach is to use the most secure method that validates the server's identity.
- Use system certificates (Recommended): This method instructs the Android device to validate that it is connecting to the legitimate JumpCloud RADIUS server by checking the server's certificate against the public, trusted Certificate Authorities (CAs) already built into the Android operating system. After the initial setup, users won't be prompted again for this setting on subsequent connections.
  The Domain field must be set to radius.jumpcloud.com for this option to work.
- Trust on first use (Acceptable): The first time a user connects, their device saves or "pins" the JumpCloud RADIUS server's certificate. On all future connections, the device will only connect if the server presents that exact same certificate.
  This option is simpler for users because they don't have to enter a domain. However, users are prompted to trust the certificate again after routine JumpCloud RADIUS server certificate updates, which can cause confusion.
- Don't validate (Not Recommended): This option is highly insecure as it completely disables a key security feature of RADIUS. It tells the device to connect without verifying the server's identity at all, which exposes your users to potential Man-in-the-Middle (MitM) attacks where a malicious actor could impersonate your Wi-Fi network to intercept traffic or capture credentials.
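The following added example (not JumpCloud or Android code) models how the three CA certificate options described above respond to the current server certificate, a routinely renewed one, and a publicly trusted certificate issued for a different name. The WifiProfile class, the mode names, the certificate contents and the wifi.example.net host are constructed assumptions, and the domain check is simplified to a suffix match.

```python
import hashlib
from dataclasses import dataclass

SYSTEM_CAS = {"Constructed Public CA"}  # stand-in for Android's built-in trust store

@dataclass(frozen=True)
class ServerCert:  # simplified, constructed model of the RADIUS server certificate
    subject: str
    issuer: str
    der: bytes

    def fingerprint(self) -> str:
        return hashlib.sha256(self.der).hexdigest()

class WifiProfile:
    """Hypothetical model of one saved profile; mode mirrors the CA certificate field."""
    def __init__(self, mode: str, domain: str = ""):
        self.mode, self.domain, self.pin = mode, domain, None

    def connect(self, cert: ServerCert) -> str:
        if self.mode == "dont-validate":      # server identity is never checked
            return "send-credentials"
        if self.mode == "system-certs":       # public CA chain plus Domain match
            name_ok = cert.subject == self.domain or cert.subject.endswith("." + self.domain)
            return "send-credentials" if cert.issuer in SYSTEM_CAS and name_ok else "reject"
        # trust on first use: compare against the pinned certificate, if any
        return "send-credentials" if self.pin == cert.fingerprint() else "prompt-user"

    def user_accepts(self, cert: ServerCert) -> None:
        self.pin = cert.fingerprint()         # "Yes, connect" pins this exact certificate

def outcomes(mode: str) -> dict:
    current = ServerCert("radius.jumpcloud.com", "Constructed Public CA", b"constructed-cert-1")
    renewed = ServerCert("radius.jumpcloud.com", "Constructed Public CA", b"constructed-cert-2")
    other = ServerCert("wifi.example.net", "Constructed Public CA", b"constructed-cert-3")
    profile = WifiProfile(mode, "radius.jumpcloud.com")
    result = {"first": profile.connect(current)}
    if result["first"] == "prompt-user":
        profile.user_accepts(current)
    result["again"] = profile.connect(current)
    result["renewed"] = profile.connect(renewed)      # routine certificate update
    result["other-server"] = profile.connect(other)   # valid public cert, wrong name
    return result

if __name__ == "__main__":
    for mode in ("system-certs", "tofu", "dont-validate"):
        print(mode, outcomes(mode))
```

In this model, Trust on first use returns the same prompt for a renewed certificate as for a different server's certificate, while Use system certificates with the Domain set accepts the renewal silently and rejects the other server.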