Mobile security

How to connect to enterprise Wi-Fi security on Android devices

enterprise security
flickr/Danny Oosterveer

Mobile security

Show More

Connecting to wireless networks using the enterprise or 802.1X mode of Wi-Fi security is a bit different compared to using the personal or pre-shared key (PSK) mode. Though connecting to enterprise networks with your laptop may have been straightforward, Android presents you with additional settings you may not understand.

Here's what those settings mean and what you need to know to connect to enterprise Wi-Fi with your Android device:

Download and install any digital certificate files

Start by getting any digital certificate files that are required, for instance if using the EAP-TLS method of 802.1X, from your network administrator. Also, get any recommended certificates, such as the CA certificate so the device can perform server verification.

In newer versions of Android, the certificate import process automatically begins after downloading the file. You just need to input a name for the certificate and select Wi-Fi for the credential use. If lock screen security isn’t enabled on your device, you may be prompted to enable it.

android certificate ITworld/Eric Geier

Installation screen shown after downloading a digital certificate in Android.

In older Android versions, you may have to initiate the certificate import by accessing the Security or Location & Security settings and choosing Install from SD card. If not already set, it will prompt you to create a password for credential storage.

Connecting to the enterprise network

Just like with any other Wi-Fi network, tap the network name from the list of nearby wireless networks in order to connect. The first time you connect, you’ll be prompted for the authentication settings.

android 8021x settings ITworld/Eric Geier

If the correct EAP method isn’t already selected, choose the method supported by the network. If you have just a username and password for the Wi-Fi, the method is likely PEAP. If you must install a digital certificate, it may be TLS.

For most EAP methods, you can optionally specify the CA certificate, which you must first install as discussed in the previous section. For TLS, you must also specify the user certificate.

Here are the settings shown when using the PEAP or TTLS methods:

    • Phase 2 authentication: Optionally select the outer authentication method, such as MS-CHAPv2 or GTC, supported by the network. MS-CHAPv2 is the most popular, but if you aren’t sure try selecting None.

    • Identity: Technical name for your username, which may include a domain name, such as jsmith@company.com, depending upon the network.

    • Anonymous identity: In many cases, you can leave this field blank, although when able to I recommend using a random username, such as “anonymous”.

By default, the username is sent to the authentication server twice. First it’s sent unencrypted, called the outer or anonymous identity, and then secondly inside an encrypted tunnel, called the inner identity. In most cases, the real username on the outer identity is not required for successful authentication. This is why you should avoid using the real username to prevent any eavesdroppers from discovering it.

However, some networks require the full username or at least the correct domain or realm in the outer identity, such as “anonymous@domain.com”.

  • Enter password: Obviously, this is where you enter the password associated with the account you’re logging into.

Remember, you can always modify these authentication settings in the future. Simply long tap the network name and select Modify network config.

This story, "How to connect to enterprise Wi-Fi security on Android devices" was originally published by ITworld.

Copyright © 2015 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)