Configuration Guide on EAP-TLS authentication for WPA-Enterprise (with FreeRADIUS)

Knowledgebase
Configuration Guide
Authentication
09-27-2022
80

User’s Application Scenario

Extensible Authentication Protocol (EAP) is an authentication framework frequently used in network and Internet connections. WPA-Enterprise standards have adopted IEEE 802.1X (with various EAP types) as the canonical authentication mechanism. There are many EAP methods defined by IETF RFCs, such as EAP-MD5, EAP-POTP, EAP-GTC, EAP-TLS, EAP-IKEv2, etc. In this article, we will deploy a RADIUS (Remote Authentication Dial In User Service) server to achieve WPA-Enterprise authentication with EAP-TLS method.

Note:

This tutorial is for verification and testing purpose. If you want to use RADIUS services for enterprise or commercial scenarios, please consult to professional organizations.

FreeRADIUS is an open-source RADIUS server under GPLv2 license. Project website: github.com.

Configuration

Step 1. Install FreeRADIUS on Linux

For FreeRADIUS’s package installation guide, please refer to FreeRADIUS Packages | NetworkRADIUS. You can also build it from source code by following: github.com. Make sure you install it correctly. If you find your RADIUS service runs into errors during the following procedures, for example, can’t start up or process any request, check if you have installed that correctly.

Environment of this Guide: Ubuntu 22.04 LTS with FreeRADIUS 3.2 (apt-installed)

Step 2. Edit the FreeRADIUS clients configuration

By default, FreeRADIUS 3.2 is installed under /etc/freeradius/.

Firstly, add your AP to the configuration file so that FreeRADIUS will process the authenticate request sent from the AP. Open the terminal and run the following command:

$ sudo nano /etc/freeradius/clients.conf

Add the following contents to the file:

client AP1 { #’AP1’ is the alias of your access point

ipaddr = 192.168.0.100/24 #The IP address of AP1

secret = testing123

#The ’secret’ will be the ‘Authentication Password’

#in Omada Controller’s RADIUS profile settings

}

Note: For WPA-Enterprise encryption, EAPs themselves rather than the Controller will be the clients of RADIUS, so please make sure IPs of all the EAPs are enclosed in the clients.conf.

Then press Ctrl+X and save the file.

Step 3. Edit the FreeRADIUS EAP configuration to enable TLS

Edit the EAP configuration:

$ sudo nano /etc/freeradius/mods-enabled/eap

Find the eap field, Change the default_eap_type to tls. Like:

eap{

default_eap_type = tls

Then press Ctrl+X and save the file.

Step 4. Make the certificates

FreeRADIUS makes certificates by using OpenSSL. The configuration files and CAs are located at /etc/freeradius/certs. First, switch to that folder:

$ sudo -s

$ cd /etc/freeradius/certs

Note that you need to clean up all the CAs each time before you recreate them, or openssl will output ‘Nothing to be done’ and it won’t regenerate new CAs. Delete the existing files by the following command:

$ rm -f *csr *key *p12 *pem *crl *crt *der *mk *txt *attr *old serial dh

You can edit those *.cnf files to meet your requirements. Here we just leave them all to default for testing purpose. After cleaning up the CAs, run make command to generate new CAs.

$ make

Step 5. Start the FreeRADIUS server

You can run the FreeRADIUS server in debug mode with log by using the following command:

$ sudo freeradius -X

The output should be as follows. Once there is ‘Ready to process requests’ means FreeRADIUS server has started correctly.

Step 6. Config the wireless network authentication settings

In this step, you will config the wireless network security to WPA-Enterprise and set the RADIUS profile. The Authentication Password of the RADIUS server is ‘testing123’, as we just set in /etc/freeradius/clients.conf. Authentication Server IP is your RADIUS server’s IP. Authentication port is 1812 by default for RADIUS services.

If you are using Omada Controller, refer to Omada SDN Controller User Guide | TP-Link Chapter 4.4.1--> WPA-Enterprise.

If you are using standalone mode of EAP, refer to configuring_eap_standalone_eap (tp-link.com) Chapter 2.2 Config SSIDs--> WPA-Enterprise.

Step 7. Install the certificates on Clients and verify the authentication

Copy the generated ca.der and client.p12 file (in Step 4.) to the Client such as a laptop or a desktop with a wireless adapter. Note that some smartphones have poor compatibility and may occur errors while installing the CAs. You are supposed to use a Windows PC to do the following test.

To install the CAs on Windows 10/11, just double-click them and follow the steps. If you are using Windows7, you may not be able to install the CAs due to compatibility issues.

Install ca.der:

Then, install client.p12. Note that the password of the private key is ‘whatever’ by default (if you haven’t changed the configurations by editing /etc/freeradius/certs/*.cnf).

Step 8. Connect to the SSID using a certificate

For Windows11:

Go to WLAN settings --> Find your SSID --> Click Connect --> Connect using a certificate. Then you will connect to the wireless network by EAP-TLS method. You can check the terminal outputs on the RADIUS server to see the logs.

For Windows10:

Go to Control Panel-->Network and Internet-->Network and Sharing Center-->Set up a new connection or network

Select Manually connect to a wireless network, and click Next.

Fill in your Network name (SSID), choose the Security type to WPA2-Enterprise, and click Next.

Click Change connection settings.

Under Security label --> Choose a network authentication method, select Microsoft: Smart card or other certificate, and then click settings.

Uncheck the box ‘Verify the server’s identity by validating the certificate’, and click OK on all the pop-ups.

Now, in WLAN Settings, you can connect the SSID using a certificate.

Get to know more details of each function and configuration please go to Download Center to download the manual of your product.

Please Rate this Document

Related Documents