How to configure a Wi-Fi network with EAP-PEAP authentication using an external certificate in Knox Manage
Last updated August 10th, 2023
Categories:
Environment
Knox Manage (KM)
Overview
This knowledge base article teaches you how to configure Wi-Fi networks with EAP-PEAP authentication, using corporate certificates with Knox Manage. It also provides an overview on why you might want to use a secure network to protect your company data.
Why should I secure my enterprise Wi-Fi network?
If you leave your wireless network unsecure, your corporate data is vulnerable to external attacks and could be accessed by other devices. To protect your network, consider configuring one of the following security methods:
- Authentication: Identify and approve a request from a device or software (also knowns as a supplicant) to access a network. Once the request is approved, the device can access the network.
- Cryptography: Data sent over the network is encrypted, and only devices equipped with pre-shared keys can encrypt or decrypt transmitted data.
- Certificate: Encryption generates a public and private key. The public key, found in the digital certificate, encrypts data that is sent to the certificate owner. The private key is held only by the certificate owner, and decrypts the information encrypted by the public key.
802.1X authentication is the security protocol most commonly used by large companies. With 802.1X, an authentication method is used between the client and a server connected to the access point, after which a secure connection is established between the two. This process can use identity credentials, with per-user and/or per-session keys to increase security.
This guide shows you how to set up Extensible Authentication Protocol (EAP) with certificates on KM, which enhances 802.1X authentication.
How does Knox Manage secure my enterprise Wi-Fi network?
KM uses external certificates to handle network services like Wi-Fi, VPN, and APNs. It supports three types of EAPs:
- EAP-TLS (Transport Layer Security): Relies on client-side and server-side certificates for authentication. The certificates must be managed on both sides, which can be time-consuming for a large WLAN installation.
- EAP-TTLS (Tunneled Transport Layer Security): Mutually authenticates the client and network through an encrypted channel. This security method requires only server-side certificates.
- PEAP (Protected Extensible Authentication Protocol): Transports securely authenticated data, including legacy password-based protocols. PEAP uses only server-side certificates to authenticate Wi-Fi LAN clients.
The chart below compares the different 802.1X EAP types and their features:
Feature | TLS | TTLS | PEAP |
---|---|---|---|
Serve-side certificate |
Required |
Required |
Required |
Device-side certificate |
Required |
Not required |
Not required |
Deployment difficulty |
Very difficult (due to client certificate deployment) |
Difficult |
Difficult |
Wi-Fi security |
Very high |
High |
High |
How do I configure and deploy a Wi-Fi network with EAP-PEAP authentication using a Knox Manage certificate?
Before you configure Wi-Fi EAP authentication for your network, you need to register both a user certificate and root certificate on the KM server. The user certificate must be in P12 or PFX format, and the root certificate must be in CER, DER, PFX, or P12 format.
For the user certificate:
- In your KM console, go to Advanced > Certificate > External Certificate.
- Click Add.
- Enter a name for your user certificate.
- Under Purpose, select Wifi.
- Under Type, select User.
- Under File Name, upload a certificate file in PFX or P12 format.
- Enter a password and description.
For the root certificate:
- In your KM console, go to Advanced > Certificate > External Certificate.
- Click Add.
- Enter a name for your user certificate.
- Under Purpose, select Wifi.
- Under Type, select Root.
- Under File Name, upload a certificate file in CER, DER, PFX or P12 format.
- Enter a password and description.
You can then configure a Wi-Fi policy with EAP-PEAP authentication using your newly-added certificates. Below are the steps to configure the network in Android Legacy:
- In your KM console, go to Profile > Wi-Fi.
- Under Security type, select 802.1xEAP.
- Under EAP Method, select PEAP.
- Under User information input method, select User Information to allow users to access the network with their KM credentials.
- Under User Certificate, select the user certificate you added. Note that all users share this certificate.
- Under CA certificate, select the root certificate you added.
- Click Save & Assign, then assign the profile to a group or organization.
For Wi-Fi policies with the security type 802.1xEAP, the configuration process has been updated for the following:
- Samsung devices running Android 13 or higher, with an Android security patch version from June 2023 or later
- Google devices running Android 13 or higher, with a Google Play system update version from April 2023 or later
When configuring the Wi-Fi policy, the following fields are required:
- CA certificate
- Domain or Alternate Subject
If the required fields are not completed, the configuration will fail.
Additional information
- To learn how to configure a Wi-Fi policy in an Android Enterprise deployment, see Android Enterprise policies in the KM admin guide.
- For more about configuring a Wi-Fi policy in Android Legacy, see Android Legacy policies in the KM admin guide.
On this page
Is this page helpful?