WPA Enterprise Settings for Apple and Android Enterprise
Overview
With Silverback, you can create profiles with specific Wi-Fi settings for the WPA, WPA2, and WPA3 Enterprise security standards and deploy these profiles to your managed devices. Silverback offers many features, including protocol-level configuration, authentication options, and proxy and trust settings. Before you start with the configuration, we recommend contacting your network or IT administrator to obtain the requirements for your network configuration. This Knowledge Base article provides an overview of all Enterprise settings for Android Enterprise and Apple devices. If you use non-certificate-based authentication for your Wi-Fi network on Samsung Knox devices, you can also configure the Wi-Fi profiles with the Knox Service Plugin.
Protocols
After selecting a Security Type for the Enterprise security standards within the Wi-Fi configuration, you can select the required protocol and configure additional settings based on the selected protocol.
Protocols
In the Protocols settings, you enable the authentication framework used in your network. As there are many methods defined by RFCs as well as vendor-specific methods, Silverback supports the Extensible Authentication Protocol (EAP) configurations shown below. The TTLS and PEAP protocols offer additional configuration for the inner authentication (phase 2 authentication), and these options vary by operating system.
Option | Apple | Android | Samsung Knox
---|---|---|---
Protocols | | |
Inner Authentication / Phase 2 Authentication | | |
Protected Access Credentials
EAP-FAST uses the TLS extension defined in RFC 4507 to support fast re-establishment of a secure tunnel without the server having to maintain per-session state. EAP-FAST-based mechanisms are defined to provision the credentials for this TLS extension; these credentials are called Protected Access Credentials (PACs). The following options apply to the EAP-FAST configuration for Apple devices.
Option | Description | Supported Platforms
---|---|---
Use PAC | |
Provision PAC | |
Provision PAC Anonymously | Note that there are known machine-in-the-middle attacks for anonymous provisioning. |
Authentication
Depending on which authentication method your network requires, Silverback offers the following settings for both user-based and certificate-based authentication.
Username, Password, and Identity
In this section you can pre-configure usernames (identities) and passwords for the authentication process. The Username and Password configuration applies to the following protocols: LEAP, TTLS, PEAP, EAP-FAST, PWD, and partly TLS on Android and Samsung Knox. Some settings, such as Use Per-connection Password, apply only to Apple devices.
Option | Description | Supported Platforms
---|---|---
Use Individual Username | |
Username | |
Use Per-connection Password | |
Use User Password | |
Password | |
Outer Identity / Anonymous Identity | |
Certificate-based authentication
Silverback offers three different levels of certificate-based authentication for your Wi-Fi networks. You can use basic certificate distribution, which only distributes certificates from your Certification Authority to your devices, or you can use the extended methods, which require additional templates and configuration. With the extended methods, you can populate certificates into either Active Directory user objects or device objects.
Option | Description | Supported Platforms
---|---|---
Basic options for certificate-based authentication | |
Certificate Type | |
Individual Client Certificates | |
Individual Client Certificate Subject | |
Upload Enterprise Certificate | |
TLS Minimum Version | |
TLS Maximum Version | |
Extended options for certificate-based authentication | |
Populate into Active Directory | |
Use Computer Object | |
Certificate Template Name | |
Requester Name LDAP Attribute | |
Agent Certificate | |
Trust
In addition to the Authentication options, the Trust section lets you build the certificate chain of trust that ensures both the client and the RADIUS server are legitimate. Here you can configure accepted server certificate common names or upload certificates for the chain of trust. As the settings differ between platforms, the configuration is divided into two sections.
For Android Enterprise Devices
Option | Description
---|---
Trust Configuration |
Upload Certificate |
Certificates |
Domain |
For Apple Devices
Option | Description
---|---
Allow Trust Exceptions | As of iOS 8, Apple no longer supports this key.
Server |
Upload Certificate |
Certificates |
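The Authentication and Trust options above map closely onto the keys of Apple's Wi-Fi configuration payload (`com.apple.wifi.managed` with an `EAPClientConfiguration` dictionary). The following added example, which is not Silverback's code and not taken from this article, builds such a payload with Python's standard `plistlib` and then audits it for the caveats this article raises: anonymous PAC provisioning, the unsupported Allow Trust Exceptions key, a missing RADIUS server trust anchor, and a TLS minimum version below 1.2. The Apple key names are the documented payload keys; the mapping from Silverback's option names onto those keys, the sample SSID, user name, server name and anchor UUID are assumptions constructed for the example.

```python
import plistlib
import uuid

# EAP method numbers that Apple's AcceptEAPTypes key expects (IANA EAP type numbers).
EAP_TLS, EAP_TTLS, EAP_PEAP, EAP_FAST = 13, 21, 25, 43


def build_wifi_payload(ssid, eap_types, *, username=None, per_connection_password=False,
                       outer_identity=None, inner_auth=None, use_pac=False,
                       provision_pac=False, provision_pac_anonymously=False,
                       trusted_server_names=(), anchor_cert_uuid=None,
                       allow_trust_exceptions=False, tls_min="1.2", tls_max="1.2"):
    """Assemble one com.apple.wifi.managed payload from the article's option names.

    The comment after each key names the article option it is assumed to correspond to.
    """
    eap = {
        "AcceptEAPTypes": list(eap_types),                    # Protocols
        "TLSMinimumVersion": tls_min,                         # TLS Minimum Version
        "TLSMaximumVersion": tls_max,                         # TLS Maximum Version
        "TLSTrustedServerNames": list(trusted_server_names),  # Trust > Server
        "TLSAllowTrustExceptions": allow_trust_exceptions,    # Allow Trust Exceptions
    }
    if username:
        eap["UserName"] = username                            # Username
    if per_connection_password:
        eap["OneTimeUserPassword"] = True                     # Use Per-connection Password
    if outer_identity:
        eap["OuterIdentity"] = outer_identity                 # Outer Identity / Anonymous Identity
    if inner_auth:
        eap["TTLSInnerAuthentication"] = inner_auth           # Inner Authentication (TTLS)
    if EAP_FAST in eap_types:                                 # Protected Access Credentials
        eap["EAPFASTUsePAC"] = use_pac
        eap["EAPFASTProvisionPAC"] = provision_pac
        eap["EAPFASTProvisionPACAnonymously"] = provision_pac_anonymously
    if anchor_cert_uuid:                                      # Trust > Certificates
        eap["PayloadCertificateAnchorUUID"] = [anchor_cert_uuid]
    return {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"example.wifi.{ssid}",
        "PayloadUUID": str(uuid.uuid4()),
        "SSID_STR": ssid,
        "EncryptionType": "WPA2",
        "AutoJoin": True,
        "EAPClientConfiguration": eap,
    }


def audit_wifi_payload(payload):
    """Return a list of findings for the trust and PAC caveats the article raises."""
    eap = payload.get("EAPClientConfiguration", {})
    findings = []
    if eap.get("EAPFASTProvisionPACAnonymously"):
        findings.append("anonymous PAC provisioning: known machine-in-the-middle attacks")
    if eap.get("TLSAllowTrustExceptions"):
        findings.append("TLSAllowTrustExceptions set: no longer supported as of iOS 8")
    if not eap.get("TLSTrustedServerNames") and not eap.get("PayloadCertificateAnchorUUID"):
        findings.append("no trusted server names and no anchor certificate: RADIUS server not pinned")
    if eap.get("TLSMinimumVersion", "1.0") in ("1.0", "1.1"):  # absent key treated as 1.0
        findings.append("TLS minimum version below 1.2")
    return findings


def to_mobileconfig(*payloads):
    """Wrap payloads in a top-level profile and serialise them as an XML plist (bytes)."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.wifi.profile",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Example WPA2 Enterprise Wi-Fi",
        "PayloadContent": list(payloads),
    }
    return plistlib.dumps(profile)


# Constructed sample profiles: WEAK sets every option the article cautions about,
# HARDENED pins the RADIUS server by name and anchor certificate.
WEAK = build_wifi_payload("corp-wifi", [EAP_FAST], username="jdoe",
                          use_pac=True, provision_pac=True, provision_pac_anonymously=True,
                          allow_trust_exceptions=True, tls_min="1.0")
HARDENED = build_wifi_payload("corp-wifi", [EAP_TTLS], username="jdoe",
                              per_connection_password=True, outer_identity="anonymous",
                              inner_auth="MSCHAPv2",
                              trusted_server_names=["radius.example.com"],
                              anchor_cert_uuid="00000000-0000-0000-0000-000000000001")

if __name__ == "__main__":
    for name, payload in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_wifi_payload(payload) or "OK")
    print(to_mobileconfig(HARDENED).decode()[:300])
```

Running the script prints four findings for the weak profile and `OK` for the hardened one, then the start of the serialised `.mobileconfig`. The audit only covers what the article itself flags; a real review would also check the inner authentication method and how the anchor certificate payload referenced by `PayloadCertificateAnchorUUID` is delivered.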
Proxy
If your organization uses a proxy server as a gateway between your devices and the internet, you can configure the following proxy options. As the settings differ between platforms, the configuration is divided into two sections.
For Android Enterprise Devices
Option | Description
---|---
Enable Proxy |
Server |
Port |
Exclusion List |
For Apple Devices
Option | Description
---|---
Proxy Type |
Server |
Port |
Individual Usernames |
Username |
Individual Passwords |
Password |
PAC URL |
Allow Direct Connection if PAC is Unreachable |