WPA2 / WPA3 Enterprise authentication

WPA-Enterprise uses TKIP with RC4 encryption, while WPA2-Enterprise adds AES encryption. WPA3 uses Simultaneous Authentication of Equals (SAE) to provide stronger defenses against password guessing. SAE is a secure key establishment protocol. WPA3-Enterprise provides additional protections for networks transmitting sensitive data by offering the equivalent of 192-bit cryptographic strength.

Use the following guidelines to configure WPA2 or WPA3 Enterprise authentication.

Except for Apple TV, WPA2 Enterprise is applicable to iOS 8.0 or supported newer versions.

WPA3 Enterprise is applicable to iOS 13.0 or supported newer versions.

**Table 50.** Wi-Fi WPA2 / WPA3 enterprise authentication Field description
Item	Description
Network Name (SSID)	Enter the name (i.e., service set identifier) of the Wi-Fi network these settings apply to. This field is case sensitive.
Description	Enter additional text to clarify the purpose of this group of Wi-Fi settings.
Hidden Network	Select this option if the SSID is not broadcast.
Authentication	Select one: •WPA2 Enterprise •WPA2 Enterprise (iOS 8 or later except Apple TV) •WPA3 Enterprise (iOS 13 or later)
Data Encryption	Select the data encryption method associated with the selected authentication type. For WPA2 Enterprise authentication, the following encryption options are available: • AES • TKIP
User Name	Specify the variable to use as the user name when establishing the Wi-Fi connection. See WPA2 / WPA3 Enterprise authentication.
Password	Specify the variable to use and any necessary custom formatting for the Wi-Fi password. The default variable selected is $PASSWORD$. Enter additional variables or text in the text box adjacent to the Password field. Entries in this text box are kept hidden and will not be visible to any Ivanti EPMM administrator. If you specify $PASSWORD$, also enable Save User Password under Settings > System Settings > Users & Devices > Registration. All variables and text up to the last valid variable will be visible. Anything after the last valid variable will not be visible. The valid variable may appear in either of the password fields. Valid variables are variables in the drop-down list.
Apply to Certificates	Configure this field with the CA certificate needed to validate the Identity Certificate presented by the Wi-Fi Access Point. It is not the CA certificate needed to validate the Identity Certificate sent to the device in the Wi-Fi configuration. If you configure multiple certificates, either as root certificates in separate files, or chain certificates in a single file, they appear in the CA cert drop-down on the client, however, “unspecified” is the selected value for the certificate.
Trusted Certificate Names	This feature is not supported on Android devices.
Allow Trust Exceptions	This feature is not supported on Android devices.
Use Per-connection Password	This feature is not supported on Android devices.
EAP Type	Select the authentication protocol used: •PEAP •TLS •TTLS You must select only one protocol. If you select EAP-FAST, then you also need to specify the Protected Access Credential (PAC). If you select TLS, then you must specify an Identity Certificate. If you select TTLS, then you must also specify the Inner Identity Authentication Protocol. You may optionally specify an Outer Identity, which on Android devices is propagated to the Anonymous Identity field in the Android system Wi-Fi settings.
Connects To	Select Internet or Work.
Apple Settings	These features are not supported on Android devices.
Android Settings	See Wi-Fi network priority for Android devices.
Windows Settings	These settings apply only to Windows devices.