Configure EAP-TTLS/PAP on Windows for RADIUS

Additional configuration is necessary if opting to use EAP-TTLS/PAP authentication for wireless clients. JumpCloud recommends when possible to utilize PEAP for authentication, as no additional configuration is necessary with rare exceptions.  Please refer to Configure your WiFi Clients to use RADIUS for additional information.

EAP-TTLS/PAP is a widely deployed authentication protocol. Learn to configure EAP-TTLS/PAP on JumpCloud RADIUS clients that run Windows.


For supported Windows versions, this protocol is natively supported. Other operating systems may also have native support or may require a third party supplicant.

Download the JumpCloud RADIUS Certificate

In order for Windows to trust JumpCloud's RADIUS servers, a certificate must be installed on each client system being configured for access.  Download the JumpCloud RADIUS certificate here.

Import the JumpCloud RADIUS Certificate

  1. Select Start, type mmc, and then press ENTER.
  2. On the File menu, select Add/Remove Snap-in.
  3. Under Available snap-ins, select Certificates, and then select Add.
  4. Select Local computer, and select Finish.
  5. Select OK.
  6. In the console tree, double-click Certificates.
  7. Right-click the Trusted Root Certification Authorities store.
  8. Select All Tasks, select Import to import the certificate.
  9. Within the Certificate Import Wizard, select the file download above and select Next.
  10. Choose to Place all certificates in the following store with a value of Trusted Root Certification Authorities.
  11. Select Finish.


The 2023 cert is valid until July 10, 2024. For more information, see Update RADIUS Certificates.

Alternatively, you can download and import the new certificate manually from the command line, as shown in the following examples:

Import-Certificate -FilePath "C:\Windows\Temp\" -CertStoreLocation Cert:\LocalMachine\Root 


Import-Certificate -FilePath "C:\Windows\Temp\" -CertStoreLocation Cert:\LocalMachine\Root

Wireless Network Configuration

  1. Right-click the wireless icon in your task bar, and click Open Network and Sharing Center.
  2. Click Set up a new connection or network.
  3. Click Manually connect to a wireless network and click the Next button.
  4. Populate the following:
    • Network name: SSID name configured on the WAP/Router device
    • Security Type: WPA2-Enterprise
    • Encryption Type: AES
    • Security Key: <blank>


Check Connect even if the network is not broadcasting if not broadcasting the RADIUS SSID.

  1. Click the Next button.
  2. On the Successfully added screen, click Change connection settings.
  3. Click the Security tab.
  4. Click the Choose a network authentication method: dropdown and select Microsoft: EAP-TTLS.
  5. Click the Settings button next to authentication method.
  6. Ensure that Unencrypted password (PAP) is chosen for Select a non-EAP method for authentication.
  7. From the Trusted Root Certification Authorities, choose
  8. Click the OK button.
  9. (Optional for not having to supply credentials) Back on the Windows Properties window, click the Advanced settings button.
  10. Choose User authentication from the authentication mode drop-down.
  11. Click Save credentials which will allow you to input username and password.

Removing Wireless Network Configuration

If you choose to utilize PEAP for authentication instead of EAP-TTLS/PAP, or are possibly looking to remove the service, you will be required to delete the existing wireless connection.  After the connection has been successfully removed you may again connect to your WAP or Router device using non-EAP-TTLS methods.  No additional configuration is required for PEAP with JumpCloud RADIUS, so with the old profile removed the user may connect to networking device normally.

  1. Click the Network icon on the lower right corner of your screen.
  2. Click Network settings.
  3. Click Manage Wi-Fi settings.
  4. Under Manage known networks, click the network you want to delete.
  5. Click Forget. The wireless network profile is deleted.

Back to Top

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case