This guide applies to Mac computers
Your network infrastructure must support the chosen EAP types and be configured correctly to allow authentication. If you do not know how your network is configured, work with your network administrators to determine how they want network clients to connect.
Configure EAP-TLS
EAP-TLS uses Transport Layer Security and an identity certificate to authenticate devices to the network.You must provide an identity certificate to use EAP-TLS.
1
Select EAP Type
Select TLS under Accepted EAP Types.
2
Configure TLS Version Settings
To prevent using older and weaker TLS versions, select the TLS minimum version you would like to allow. If your infrastructure does not support the latest versions of TLS, select the TLS maximum version you want to use.
3
Configure Identity Certificate
Select a method to provide an identity certificate and configure applicable settings. See Configure the Wi-Fi Library Item to learn more.
Configure EAP-TTLS
Tunneled Transport Layer Security uses a TLS tunnel to encrypt another authentication protocol. It does not require an identity certificate. Devices can use a username and password or device-based directory credentials to authenticate. Username and password authentication:1
Select Authentication Method
Choose Username and password for Authentication.
2
Configure Username
Optionally, provide the Username. You can use a static value or one of Iru Endpoint’s global variables, such as $EMAIL. If you do not enter a username, the device prompts the user to enter one when connecting to the network.
3
Set Password Prompt Frequency
Select how often to prompt the user for their password. If you choose Once and don’t provide a password, the device will prompt the user once for their password and remember it. If you select, Every time the user connects to the network, the device will not remember the password.
4
Configure Password
If devices use a shared username and password, enter the password in the Password field. If you do not enter a password, the device prompts the user to enter a password when connecting to the network..png?fit=max&auto=format&n=TTV4GXkIHgRpdDZ5&q=85&s=67480d44c947ee458a01e5d3926ca780)
1
Choose authentication method
Choose either Computer AD system authentication to use the Active Directory computer account or Computer OD system authentication to use the Open Directory computer account.
1
Configure TTLS authentication
When you select TTLS, your device will use a username and password or device directory credentials for authentication. If your network requires an identity certificate as a second authentication factor, select Require Two-Factor Authentication.
2
Set inner authentication
For Inner authentication, choose the authentication protocol to use inside the TLS tunnel.
3
Specify outer identity (optional)
Optionally specify Outer identity. It is different from the identity used inside the tunnel and is specified to prevent exposing the inner identity.
4
Set TLS minimum version
To prevent using older and weaker TLS versions, select the TLS minimum version you would like to allow
5
Set TLS maximum version
If your infrastructure does not support the latest versions of TLS, select the TLS maximum version you want to use.
Configure EAP-LEAP
Lightweight Extensible Authentication Protocol is an older authentication method based onMS-CHAP and Dynamic WEP. It does not use an identity certificate. Devices can use a username and password or device-based directory credentials to authenticate. Username and password authentication:1
Choose authentication method
Choose Username and password for Authentication.
2
Configure username (optional)
Optionally, provide the Username. You can use a static value or one of Kandji’s global variables, such as $EMAIL. If you do not enter a username, the device prompts the user to enter one when connecting to the network.
3
Set password prompt frequency
Select how often to prompt the user for their password. If you choose Once and don’t provide a password, the device will prompt the user once for their password and remember it. If you select Every time the user connects to the network, the device will not remember the password.
4
Configure password (optional)
If devices use a shared username and password, enter the password in the Password field. If you do not enter a password, the device prompts the user to enter a password when connecting to the network.
1
Choose directory authentication
For Authentication, choose Computer AD system authentication to use the Active Directory computer account or Computer OD system authentication to use the Open Directory computer account.
Configure EAP-PEAP
Protected Extensible Authentication Protocol addresses shortcomings of previous Extensible Authentication Protocols such as LEAP. Like EAP-TTLS, PEAP uses a TLS tunnel to encrypt another authentication protocol. It does not require an identity certificate. Devices can use a username and password or device-based directory credentials to authenticate. Username and password authentication:1
Choose authentication method
Choose Username and password for Authentication.
2
Configure username (optional)
Optionally, provide the Username. You can use a static value or one of Kandji’s global variables. For example, $EMAIL. If you do not enter a username, the device prompts the user to enter one when connecting to the network.
3
Set password prompt frequency
Select how often to prompt the user for their password. If you choose Once and don’t provide a password, the device will prompt the user once for their password and remember it. If you select, Every time the user connects to the network, the device will not remember the password.
4
Configure password (optional)
If devices use a shared username and password, enter the password in the Password field. If you do not enter a password, the device prompts the user to enter a password when connecting to the network.
1
Choose directory authentication
For Authentication, choose Computer AD system authentication to use the Active Directory computer account or Computer OD system authentication to use the Open Directory computer account.
1
Configure PEAP authentication
When you select PEAP, your device will use a username and password or device directory credentials for authentication. If your network requires an identity certificate as a second authentication factor, select Require Two-Factor Authentication.
2
Set TLS minimum version
To prevent using older and weaker TLS versions, select the TLS minimum version you would like to allow.
3
Set TLS maximum version
If your infrastructure does not support the latest versions of TLS, select the TLS maximum version you want to use.
4
Specify outer identity (optional)
Optionally, specify Outer identity. It is different from the identity used inside the tunnel and is specified to prevent exposing the inner identity.
Configure EAP-FAST
Flexible Authentication via Secure Tunneling (FAST) uses a TLS tunnel to encrypt additional authentication information. FAST also supports fast re-establishment of the tunnel through Protected Access Credentials (PAC). It does not require an identity certificate. A username and password or device-based directory credentials can provide authentication. Username and password authentication:1
Choose authentication method
Choose Username and password for Authentication.
2
Configure username (optional)
Optionally, provide the Username. You can use a static value or one of Kandji’s global variables. For example, $EMAIL. If you do not enter a username, the device prompts the user to enter one when connecting to the network.
3
Set password prompt frequency
Select how often to prompt the user for their password. If you choose Once and don’t provide a password, the device will prompt the user once for their password and remember it. If you select, Every time the user connects to the network, the device will not remember the password.
4
Configure password (optional)
If devices use a shared username and password, enter the password in the Password field. If you do not enter a password, the device prompts the user to enter a password when connecting to the network.
1
Choose directory authentication
For Authentication, choose Computer AD system authentication to use the Active Directory computer account or Computer OD system authentication to use the Open Directory computer account.
1
Configure EAP-FAST authentication
When you select EAP-FAST, your device will use a username and password or device directory credentials for authentication. If your network requires an identity certificate as a second authentication factor, select Require Two-Factor Authentication.
2
Specify outer identity (optional)
Optionally specify Outer identity. It is different from the identity used inside the tunnel and is specified to prevent exposing the inner identity.
3
Enable PAC usage
To use Protected Access Credentials, select Use PAC.
4
Enable PAC provisioning
To use Protected Access Credentials, select Provision PAC.
5
Enable anonymous PAC provisioning
If you would like to provision the PAC anonymously, select Provision PAC anonymously.
Configure EAP-SIM
This authentication method is compatible with the Wi-Fi Library Item only.
1
Configure RAND values
Choose the Minimum number of RAND valuesthe devices requires from the server. The available options are 3 (default), 2, or Don’t specify. More RAND challenges result in stronger keying material.
Configure EAP-AKA
This authentication method is compatible with the Wi-Fi Library Item only.
