# Setup LDAP Profile on Client Devices
{% hint style="success" %}
By following these steps, you can configure the **LDAP profile** on client devices to ensure proper authentication with the Entra ID (Azure AD) LDAP Server.
{% endhint %}
To allow client devices to authenticate with the Entra ID (Azure AD) LDAP Server, some devices, such as Android phones, require the installation of the **Client’s Authentication (CA) Certificate** (**`ca.pem`**). This certificate is needed for secure communication between the Access Point and client devices and can be exported via the EnGenius Cloud GUI.
Export CA Certificate
### **To get started:**
1. Client devices scan for the **EnGenius WiFi SSID** and connect to it.
2. The **802.1X page** pops up and requests the Username and Password. (e.g., **`account@example.edu`**).
3. If the Certificate page pops up, click **Trust**.
4. For Android phones, it is required to specify the EAP method and Phase 2 authentication. Please refer to the following settings:
* **EAP method:** Select **EAP-TTLS**.
* **Phase 2 authentication:** Select **PAP**.
* (Note: If PAP is not supported on client devices, GTC is an alternative option but may have compatibility issues on specific devices, e.g., Chromebook.)
* **Domain (Optional):** Enter the corresponding domain shown on Cloud GUI, e.g., **`engenius.ai`** (by default)
Enter the Corresponding Domain Shown on Cloud GUI
* **Online Certificate Status:** Choose **Do not validate**.
* (Note: For Google Nexus devices, this option is not available. The certificate (**`ca.pem`**) must be installed.)
