Configure EAP-TTLS/PAP on Mac & iOS for RADIUS

Use this article to configure EAP-TTLS/PAP authentication for wireless clients on macOS and iOS. Because additional configuration is required for this protocol, you'll first create a .mobileconfig profile using a tool like Apple Configurator or iMazing, and then install it on your devices or deploy it using a Mobile Device Management (MDM) solution.

Prerequisites:

• A configured JumpCloud RADIUS server. See RADIUS Configuration and Authentication to learn more.
• A wireless access point (WAP), VPN, or router configured for RADIUS. See Configure a Wireless Access Point (WAP), VPN or Router for RADIUS to learn more.
• A configuration profile editor capable of creating a .mobileconfig file, for example Apple Configurator 2 or iMazing Profile Editor. The following instructions walk step by step through this process utilizing Apple Configurator.

Creating the Profile with Apple Configurator

1. On a Mac, open Apple Configurator from your Applications folder.
2. At the top of your screen, click the Apple File Menu and choose New Profile.

Saving the Profile on Mac

1. Select Wi-Fi from the left navigation, then click Configure.
2. Once in this screen, configure the following settings as pictured:
   • Under Service Set Identifier (SSID), enter the name of your WiFi network configured to use JumpCloud RADIUS.
   • Under Security Type, select WPA/WPA2 Enterprise.
   • Under Accepted EAP Types, select TTLS.
   • Under Inner Authentication, select PAP.
     
3. On the Wi-Fi page, under Enterprise Settings, select Trust.
4. Under Trusted Server Certificate Names, click + to add and then enter radius.jumpcloud.com
   
5. After completing the profile, click Save.
6. On the profile warning, select Save Anyway.
7. Select General from the left navigation.
8. Enter in a Name for the Profile, populate the remaining settings, and Save. 
9. To distribute, click the Apple File menu at the top of your screen and click Sign Profile...
   1. Search for and open the Profiles utility on the Mac where the Profile is to be saved
   2. Select the Add Profile symbol
10. Select the Profile you saved while creating the WiFi profile per the steps above.
11. You will initially be prompted to confirm you want to install the profile. Click Continue. 
12. You may be prompted to ensure you want to continue to install the profile. Click Continue. 
13. When installing, you will be prompted for a user name which can be left blank. Click Install. 
14. When prompted, sign in to the Mac with administrator privileges. 
15. The Profile will then be successfully installed. 

Logging into the RADIUS-Integrated WAP

1. From the WiFi icon in your topbar, select the Wireless SSID you input in your Apple Configurator Profile. 
2. You will be prompted to see the certificate for the JumpCloud RADIUS server 
3. You will then be prompted to authenticate against the RADIUS 

Removing Wireless Network Profile

If you choose to utilize PEAP for authentication instead of EAP-TTLS/PAP, or are possibly looking to remove the service, you will be required to delete the existing wireless connection.  After the connection has been successfully removed you may again connect to your WAP or Router device using non-EAP-TTLS methods.  No additional configuration is required for PEAP with JumpCloud RADIUS, so with the old profile removed the user may connect to networking device normally.

1. Click on the Apple menu and choose System Settings.
2. Select Privacy & Security and scroll to Others.
3. Select Profiles.
4. Click on the wireless network that applies to your RADIUS EAP-TTLS configuration in the left pane.
5. Once selected, click the minus (-) displayed at the bottom-left of the window to delete.