Implementing the Solution with BastionXP CA
Let’s walk through the practical steps and components involved in setting up this robust solution in your environment.
1. BastionXP CA Deployment
BastionXP CA is your private Certificate Authority. It’s deployed within your network (on-premises or in your private cloud) and acts as the central hub for issuing and managing certificates.
- Private CA Root/Intermediate: BastionXP CA will become your trusted private root or intermediate CA. This means your devices and RADIUS server will need to trust this CA. This is typically done by distributing the BastionXP CA root certificate to all devices via MDM or Group Policy.
- ACME Server: The BastionXP CA includes a fully functional ACME server. This is the endpoint that devices (via the BastionXP client or ACME client) will communicate with for certificate enrollment and renewal.
2. RADIUS Server Configuration
Your existing RADIUS server (e.g., Microsoft NPS, FreeRADIUS, Cisco ISE) is a critical component for authentication.
- Trust BastionXP CA: Configure your RADIUS server to trust the BastionXP CA root certificate. This allows it to validate client certificates issued by BastionXP CA. Keep that EAP-TLS trust list to the private CA alone: any other CA the RADIUS server trusts could issue a certificate that passes the chain check without the device ever having been attested.
- EAP-TLS Configuration: Ensure your RADIUS server is configured for EAP-TLS authentication.
- Certificate-Based Authorization: Configure authorization rules on the RADIUS server. You can define policies based on:
- Subject Alternative Name (SAN): Extract the User Principal Name (UPN) or email address from the certificate’s SAN to authorize users against your identity provider.
- Device ID: If the BastionXP CA includes a unique device ID in the certificate, you can use this for device-specific authorization.
- Group Membership: Link certificate attributes to group memberships in your identity provider to control access based on roles (e.g., “Finance group devices can access VPN X, but not VPN Y”).
3. Client Device Configuration (Apple Devices)
This is largely automated by BastionXP CA, minimizing manual effort.
- BastionXP Client/Agent: For the initial enrollment and ongoing ACME renewal, Apple devices will use either a dedicated BastionXP client application (for user-driven enrollment) or system-level ACME client functionality (potentially managed by an MDM solution that integrates with ACME).
- Configuration Profiles: BastionXP CA can generate and deploy configuration profiles (via MDM or manually) to automatically configure:
  - Trust for BastionXP CA: Install the BastionXP CA root certificate.
  - VPN Settings: Configure VPN client settings to use EAP-TLS with the automatically installed client certificate.
  - Wi-Fi Settings: Configure WPA2/WPA3-Enterprise Wi-Fi settings to use EAP-TLS with the automatically installed client certificate.
- Secure Enclave Interaction: The device’s operating system and the BastionXP client will interact with the Secure Enclave for key generation, private key storage, and cryptographic signing during attestation and EAP-TLS handshakes.
Use Cases: VPN and Wi-Fi Authentication with Device Attestation
Secure Corporate VPN Access
With BastionXP CA, your corporate VPN becomes a fortress.
- Onboarding: An employee’s new corporate iPhone enrolls with BastionXP CA. The device performs attestation, proving it’s a genuine, un-jailbroken Apple device running approved software.
- Certificate Issuance: BastionXP CA issues a 4-hour client certificate, with the private key locked in the Secure Enclave. A VPN configuration profile is pushed.
- VPN Connection: When the employee connects to the VPN, their device presents the certificate to the RADIUS server via EAP-TLS.
- RADIUS Verification: The RADIUS server verifies the certificate chain (trusting BastionXP CA) and extracts the user’s identity from the certificate. It checks this against Active Directory.
- Access Granted: If the certificate chains to BastionXP CA, is within its validity window, and names an authorized user, VPN access is granted. The RADIUS server does not repeat the attestation check: because BastionXP CA issues only to attested devices, a certificate that chains to it is the evidence of attestation.
- Automated Renewal: Before each 4-hour certificate expires, the device automatically renews it with BastionXP CA (potentially with re-attestation), ensuring continuous, secure VPN access without user intervention.
- Policy Enforcement: If the device is later jailbroken, its next attestation during renewal will fail and BastionXP CA will refuse to issue a new certificate. VPN access then lapses when the current certificate expires, at most 4 hours later, with no CRL or OCSP lookup involved; a session that is already established stays up until the VPN gateway re-authenticates it or the certificate expires, so set the gateway’s re-authentication interval no longer than the certificate lifetime.
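As an added example (not BastionXP code, and not code from the page), the following Go program models the RADIUS-side half of the VPN procedure above together with the certificate-based authorization rules from the RADIUS Server Configuration section: a private root, a 4-hour client certificate carrying a UPN in its SAN, and an Authorize function that performs the chain, client-auth EKU, validity, UPN and group-policy checks in that order. Everything named here is an illustrative assumption: NewCA, Enroll, UPNFromCert, Authorize, the user alice@corp.example, the finance group and the vpn-x/vpn-y services. Attestation itself is not modelled; the CA is simply assumed to issue only to attested devices, and the device key is an in-memory P-256 key standing in for the Secure Enclave key. The UPN is encoded as the Microsoft otherName (OID 1.3.6.1.4.1.311.20.2.3), which Go's x509 parser does not surface, so the example walks the SAN extension itself.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var oidUPN = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 3} // id-on-UPN: the Microsoft UPN otherName
var oidSAN = asn1.ObjectIdentifier{2, 5, 29, 17}                   // subjectAltName

// otherName GeneralName: [0] IMPLICIT SEQUENCE { type-id OID, value [0] EXPLICIT ANY }.
type otherName struct {
	TypeID asn1.ObjectIdentifier
	Value  asn1.RawValue
}

// NewCA creates a self-signed private root: the CA certificate both the devices and the RADIUS server trust.
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // a real CA key would sit in an HSM
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Private Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// sanExtension encodes a subjectAltName carrying a UPN otherName and an rfc822Name.
func sanExtension(upn, email string) (pkix.Extension, error) {
	utf8UPN, err := asn1.MarshalWithParams(upn, "utf8")
	if err != nil { return pkix.Extension{}, err }
	on, err := asn1.MarshalWithParams(otherName{TypeID: oidUPN, Value: asn1.RawValue{
		Class: asn1.ClassContextSpecific, Tag: 0, IsCompound: true, Bytes: utf8UPN}}, "tag:0")
	if err != nil { return pkix.Extension{}, err }
	names, err := asn1.Marshal([]asn1.RawValue{{FullBytes: on}, // GeneralNames ::= SEQUENCE OF GeneralName
		{Class: asn1.ClassContextSpecific, Tag: 1, Bytes: []byte(email)}}) // rfc822Name [1] IA5String
	return pkix.Extension{Id: oidSAN, Value: names}, err
}

// Enroll models one enrollment: the device generates a P-256 key pair (inside the Secure Enclave on real
// hardware) and the CA signs a short-lived EAP-TLS client certificate over the public half only.
func Enroll(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, upn, email string,
	notBefore time.Time, ttl time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	devKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	san, err := sanExtension(upn, email)
	if err != nil { return nil, nil, err }
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: upn},
		NotBefore: notBefore, NotAfter: notBefore.Add(ttl), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		ExtraExtensions: []pkix.Extension{san}} // our SAN replaces the one Go would otherwise generate
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, &devKey.PublicKey, caKey)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, devKey, err
}

// UPNFromCert returns the UPN otherName from the SAN; Go's own parser skips otherName entries.
func UPNFromCert(cert *x509.Certificate) (string, error) {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidSAN) { continue }
		var names []asn1.RawValue
		if _, err := asn1.Unmarshal(ext.Value, &names); err != nil { return "", err }
		for _, gn := range names { // skip anything that is not a [0] otherName carrying id-on-UPN
			var on otherName
			if _, err := asn1.UnmarshalWithParams(gn.FullBytes, &on, "tag:0"); err != nil || !on.TypeID.Equal(oidUPN) { continue }
			var upn string
			_, err := asn1.Unmarshal(on.Value.Bytes, &upn) // inside the [0] EXPLICIT wrapper sits a UTF8String
			return upn, err
		}
	}
	return "", fmt.Errorf("no UPN otherName in subjectAltName")
}

// Authorize is the RADIUS-side decision for one EAP-TLS attempt at time now: chain, EKU, validity, UPN, group policy.
func Authorize(root, leaf *x509.Certificate, now time.Time, groupOf map[string]string, allowed map[string][]string, service string) (bool, string) {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil { return false, "reject: " + err.Error() } // an expired short-lived cert fails here, no CRL needed
	upn, err := UPNFromCert(leaf)
	if err != nil { return false, "reject: " + err.Error() }
	group, ok := groupOf[upn]
	for _, s := range allowed[group] {
		if ok && s == service { return true, fmt.Sprintf("accept: %s (%s) -> %s", upn, group, service) }
	}
	return false, fmt.Sprintf("reject: %s (group %q) not permitted on %s", upn, group, service)
}

func main() {
	caCert, caKey, err := NewCA()
	if err != nil { panic(err) }
	t0 := time.Now()
	leaf, _, err := Enroll(caCert, caKey, "alice@corp.example", "alice@corp.example", t0, 4*time.Hour)
	if err != nil { panic(err) }
	groupOf, allowed := map[string]string{"alice@corp.example": "finance"}, map[string][]string{"finance": {"vpn-x"}}
	fmt.Println(Authorize(caCert, leaf, t0.Add(time.Hour), groupOf, allowed, "vpn-x"))   // accept
	fmt.Println(Authorize(caCert, leaf, t0.Add(time.Hour), groupOf, allowed, "vpn-y"))   // reject: group policy
	fmt.Println(Authorize(caCert, leaf, t0.Add(5*time.Hour), groupOf, allowed, "vpn-x")) // reject: expired
}
```

The third call is the whole revocation story for short-lived certificates: at t0+5h the chain check fails on the validity window before any identity or policy logic runs, and no CRL or OCSP responder was consulted. The same function serves the Wi-Fi case; only the service name and the lifetime passed to Enroll change.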
Robust Enterprise Wi-Fi Authentication
Similarly, your Wi-Fi network gains an unprecedented layer of trust.
- Onboarding: An employee’s Mac enrolls with BastionXP CA. Device attestation confirms its integrity.
- Certificate Issuance: A client certificate (e.g., 8-hour lifespan) is issued, private key in the Secure Enclave. A Wi-Fi configuration profile is pushed.
- Wi-Fi Connection: The Mac attempts to connect to the corporate WPA2/WPA3-Enterprise SSID. It performs EAP-TLS with the RADIUS server, presenting its certificate.
- RADIUS Verification: The RADIUS server validates the certificate and the user’s identity.
- Access Granted: Secure Wi-Fi access is granted.
- Automated Renewal: The certificate is renewed before each 8-hour lifetime ends, ensuring seamless, continuous Wi-Fi connectivity.
- Compromise Detection: If a personal iPad, previously enrolled, is found to have an outdated OS version that no longer meets policy, its next attestation check during renewal will fail. No new certificate is issued, so Wi-Fi access ends when the current 8-hour certificate expires and stays off until the device is updated and re-attests.