
            1. Set Up a Certificate Authority (CA):

              • To use certificate-based authentication, you need a trusted Certificate Authority (CA) that issues certificates to both the client devices and the RADIUS server.
              • This can be an external CA (e.g., VeriSign, Let’s Encrypt) or an internal enterprise CA for organizations that want to manage their own certificates.

              Steps:

              • Set up a CA that can issue both client certificates and server certificates.
              • Ensure that both the client and RADIUS server are configured with certificates signed by the CA.
              • Issue certificates to users (client devices) that will connect to the Wi-Fi network.
            2. Configure the RADIUS Server to Support EAP-TLS:

              • The RADIUS server must be configured to use EAP-TLS for authentication.
              • The server needs a server certificate signed by the CA and must be able to validate client certificates during the authentication process.

              Steps:

              • Install the RADIUS server certificate signed by the CA.
              • Configure the RADIUS server to authenticate users using EAP-TLS by validating the client's digital certificate.
              • Configure the RADIUS server to check the revocation status of client certificates, using certificate revocation lists (CRLs) or the Online Certificate Status Protocol (OCSP).
              • Example configuration for FreeRADIUS (a popular open-source RADIUS server)
                1. [draw.io diagram: certiauth]
            3. Configure the Wi-Fi Access Point for WPA2/WPA3-Enterprise:

              • The Wi-Fi AP must be configured to use WPA2-Enterprise (or WPA3-Enterprise) security mode.
              • The AP should also be configured to use the RADIUS server for authentication and EAP-TLS as the supported authentication method.

              Steps:

              • Set the Security Mode on the AP to WPA2-Enterprise or WPA3-Enterprise.
              • Specify the RADIUS server IP address and shared secret on the AP, so that the AP can forward authentication requests to the RADIUS server.
              • Enable EAP-TLS as the authentication method.
              • [draw.io diagram: apconfig]
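
The FreeRADIUS side of steps 2 and 3, written out as an added example (it is not taken from the original page or from the FreeRADIUS project's shipped files). It assumes the FreeRADIUS 3.x file layout; the certificate file names, the client name `wifi-ap`, the address `192.0.2.10` and the secret are placeholders.

```conf
# ---- mods-available/eap (FreeRADIUS 3.x layout assumed) ----
eap {
    # Offer EAP-TLS as the default method.
    default_eap_type = tls

    tls-config tls-common {
        # Server identity: key and certificate issued by the CA from step 1.
        # File names are placeholders.
        private_key_file = ${certdir}/server.key
        certificate_file = ${certdir}/server.pem

        # Trust anchor used to validate client certificates.
        # Point this at the CA that issues client certificates only;
        # every CA listed here can mint a certificate that is accepted.
        ca_file = ${cadir}/ca.pem
        ca_path = ${cadir}

        tls_min_version = "1.2"

        # Revocation via CRL. The CRL must be present in ca_path and the
        # directory re-hashed (c_rehash) each time the CRL is refreshed.
        # With check_crl on and no CRL available, client validation fails.
        check_crl = yes

        # Revocation via OCSP. Use CRL, OCSP, or both.
        ocsp {
            enable = yes
            # no = use the responder URL embedded in the client certificate
            override_cert_url = no
            # no = reject the client when the responder cannot be reached
            softfail = no
        }
    }

    # Bind the EAP-TLS method to the TLS settings above.
    tls {
        tls = tls-common
    }
}

# ---- clients.conf: the access point from step 3 ----
client wifi-ap {
    ipaddr = 192.0.2.10                       # placeholder AP address
    secret = REPLACE_WITH_LONG_RANDOM_SECRET  # must match the AP's setting
}
```

Running the server in debug mode (`radiusd -X`, or `freeradius -X` on Debian-based systems) shows whether the certificate files load and whether each client certificate passes the chain and revocation checks.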