Configuration Guide on EAP-TLS authentication for WPA-Enterprise (with FreeRADIUS)
User’s Application Scenario
Extensible Authentication Protocol (EAP) is an authentication framework frequently used in network and Internet connections. WPA-Enterprise standards have adopted IEEE 802.1X (with various EAP types) as the canonical authentication mechanism. There are many EAP methods defined by IETF RFCs, such as EAP-MD5, EAP-POTP, EAP-GTC, EAP-TLS, EAP-IKEv2, etc. In this article, we will deploy a RADIUS (Remote Authentication Dial In User Service) server to achieve WPA-Enterprise authentication with EAP-TLS method.
Note:
This tutorial is for verification and testing purpose. If you want to use RADIUS services for enterprise or commercial scenarios, please consult to professional organizations.
FreeRADIUS is an open-source RADIUS server under GPLv2 license. Project website: github.com.
Configuration
Step 1. Install FreeRADIUS on Linux
For FreeRADIUS’s package installation guide, please refer to FreeRADIUS Packages | NetworkRADIUS. You can also build it from source code by following: github.com. Make sure you install it correctly. If you find your RADIUS service runs into errors during the following procedures, for example, can’t start up or process any request, check if you have installed that correctly.
Environment of this Guide: Ubuntu 22.04 LTS with FreeRADIUS 3.2 (apt-installed)
Step 2. Edit the FreeRADIUS clients configuration
By default, FreeRADIUS 3.2 is installed under /etc/freeradius/.
Firstly, add your AP to the configuration file so that FreeRADIUS will process the authenticate request sent from the AP. Open the terminal and run the following command:
$ sudo nano /etc/freeradius/clients.conf
Add the following contents to the file:
client AP1 { #’AP1’ is the alias of your access point
ipaddr = 192.168.0.100/24 #The IP address of AP1
secret = testing123
#The ’secret’ will be the ‘Authentication Password’
#in Omada Controller’s RADIUS profile settings
}
Note: For WPA-Enterprise encryption, EAPs themselves rather than the Controller will be the clients of RADIUS, so please make sure IPs of all the EAPs are enclosed in the clients.conf.
Then press Ctrl+X and save the file.
Step 3. Edit the FreeRADIUS EAP configuration to enable TLS
Edit the EAP configuration:
$ sudo nano /etc/freeradius/mods-enabled/eap
Find the eap field, Change the default_eap_type to tls. Like:
eap{
default_eap_type = tls
…
…
…
Then press Ctrl+X and save the file.
Step 4. Make the certificates
FreeRADIUS makes certificates by using OpenSSL. The configuration files and CAs are located at /etc/freeradius/certs. First, switch to that folder:
$ sudo -s
$ cd /etc/freeradius/certs
Note that you need to clean up all the CAs each time before you recreate them, or openssl will output ‘Nothing to be done’ and it won’t regenerate new CAs. Delete the existing files by the following command:
$ rm -f *csr *key *p12 *pem *crl *crt *der *mk *txt *attr *old serial dh
You can edit those *.cnf files to meet your requirements. Here we just leave them all to default for testing purpose. After cleaning up the CAs, run make command to generate new CAs.
$ make
Step 5. Start the FreeRADIUS server
You can run the FreeRADIUS server in debug mode with log by using the following command:
$ sudo freeradius -X
The output should be as follows. Once there is ‘Ready to process requests’ means FreeRADIUS server has started correctly.
Step 6. Config the wireless network authentication settings
In this step, you will config the wireless network security to WPA-Enterprise and set the RADIUS profile. The Authentication Password of the RADIUS server is ‘testing123’, as we just set in /etc/freeradius/clients.conf. Authentication Server IP is your RADIUS server’s IP. Authentication port is 1812 by default for RADIUS services.
If you are using Omada Controller, refer to Omada SDN Controller User Guide | TP-Link Chapter 4.4.1--> WPA-Enterprise.
If you are using standalone mode of EAP, refer to configuring_eap_standalone_eap (tp-link.com) Chapter 2.2 Config SSIDs--> WPA-Enterprise.
Step 7. Install the certificates on Clients and verify the authentication
Copy the generated ca.der and client.p12 file (in Step 4.) to the Client such as a laptop or a desktop with a wireless adapter. Note that some smartphones have poor compatibility and may occur errors while installing the CAs. You are supposed to use a Windows PC to do the following test.
To install the CAs on Windows 10/11, just double-click them and follow the steps. If you are using Windows7, you may not be able to install the CAs due to compatibility issues.
Install ca.der:
Then, install client.p12. Note that the password of the private key is ‘whatever’ by default (if you haven’t changed the configurations by editing /etc/freeradius/certs/*.cnf).
Step 8. Connect to the SSID using a certificate
For Windows11:
Go to WLAN settings --> Find your SSID --> Click Connect --> Connect using a certificate. Then you will connect to the wireless network by EAP-TLS method. You can check the terminal outputs on the RADIUS server to see the logs.
For Windows10:
Go to Control Panel-->Network and Internet-->Network and Sharing Center-->Set up a new connection or network
Select Manually connect to a wireless network, and click Next.
Fill in your Network name (SSID), choose the Security type to WPA2-Enterprise, and click Next.
Click Change connection settings.
Under Security label --> Choose a network authentication method, select Microsoft: Smart card or other certificate, and then click settings.
Uncheck the box ‘Verify the server’s identity by validating the certificate’, and click OK on all the pop-ups.
Now, in WLAN Settings, you can connect the SSID using a certificate.
Get to know more details of each function and configuration please go to Download Center to download the manual of your product.