Configure EAP-TTLS/PAP on Mac & iOS for RADIUS

Additional configuration is necessary if opting to use EAP-TTLS/PAP authentication for wireless clients. JumpCloud recommends when possible to utilize PEAP for authentication, as no additional configuration is necessary with rare exceptions.  Please refer to Configure your WiFi Clients to use RADIUS for additional information.


For Apple products, administrators can can leverage the free Apple Configurator. The instructions below walk step by step through this process utilizing Apple Configurator.


If administrators had previously purchased Mac Server, it can still be used, but Apple no longer sells this application.

Creating the Profile with Apple Configurator

  1. Download the RADIUS server certificate to your local system
  2. Open Apple Configurator from your Applications Folder.
  3. Click on Apple File Menu at the top of your screen and choose New Profile.

Saving the Profile on Mac

  1. Select Certificates from the left navigation and choose Configure.
  2. Browse to downloaded certificate, select the file, and Open.
  3. Select Wi-Fi from the left navigation and choose Configure.
  4. Once in this screen, you should apply these settings as seen below:
  5. On the Wi-Fi page, under Enterprise Settings, select Trust.
  6. Check the certificate box and Save.
  7. On the profile warning, select Save Anyway.
  8. Select General from the left navigation.
  9. Enter in a Name for the Profile, populate the remaining settings, and Save
  10. To distribute, click the Apple File menu at the top of your screen and click Sign Profile…
  1. Search for and open the Profiles utility on the Mac where the Profile is to be saved
  2. Select the Add Profile symbol
  1. Select the Profile you saved while creating the WiFi profile per the steps above.
  2. You will initially be prompted to confirm you want to install the profile. Click Continue
  3. You may be prompted to ensure you want to continue to install the profile. Click Continue
  4. When installing, you will be prompted for a user name which can be left blank. Click Install
  5. When prompted, sign in to the Mac with administrator privileges. 
  6. The Profile will then be successfully installed.


It is recommended to remove other profiles to ensure there are no conflicts.

Logging into the RADIUS-Integrated WAP

  1. From the WiFi icon in your topbar, select the Wireless SSID you input in your Apple Configurator Profile. 
  1. You will be prompted to see the certificate for the JumpCloud RADIUS server 
  2. You will then be prompted to authenticate against the RADIUS 

Removing Wireless Network Profile

If you choose to utilize PEAP for authentication instead of EAP-TTLS/PAP, or are possibly looking to remove the service, you will be required to delete the existing wireless connection.  After the connection has been successfully removed you may again connect to your WAP or Router device using non-EAP-TTLS methods.  No additional configuration is required for PEAP with JumpCloud RADIUS, so with the old profile removed the user may connect to networking device normally.

  1. Click on the Apple menu and choose System Settings.
  2. Select Privacy & Security and scroll to Others.
  3. Select Profiles.
  4. Click on the wireless network that applies to your RADIUS EAP-TTLS configuration in the left pane.
  5. Once selected, click the – (minus) displayed at the bottom-left of the window to delete.
Back to Top

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case