Set Up a Certificate Authority (CA):
- To use certificate-based authentication, you need a trusted Certificate Authority (CA) that issues certificates to both the client devices and the RADIUS server.
- This can be an external CA (e.g., VeriSign, Let’s Encrypt) or an internal enterprise CA for organizations that want to manage their own certificates.
Steps:
- Set up a CA that can issue both client certificates and server certificates.
- Ensure that both the client and RADIUS server are configured with certificates signed by the CA.
- Issue certificates to users (client devices) that will connect to the Wi-Fi network.
Configure the RADIUS Server to Support EAP-TLS:
- The RADIUS server must be configured to use EAP-TLS for authentication.
- The server needs a server certificate signed by the CA and must be able to validate client certificates during the authentication process.
Steps:
- Install the RADIUS server certificate signed by the CA.
- Configure the RADIUS server to authenticate users using EAP-TLS by validating the client's digital certificate.
- Configure the RADIUS server to check the revocation status of client certificates, either against a certificate revocation list (CRL) or via the Online Certificate Status Protocol (OCSP).
- Example configuration for FreeRADIUS (a popular open-source RADIUS server)
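The CA steps above (issue server and client certificates) together with the checks the RADIUS server applies to a client certificate in EAP-TLS (chain to the trusted CA, client usage, CRL lookup), as an added shell example built on the openssl command line; it is not part of the original page and is not FreeRADIUS configuration. The working directory, the CA name lab-ca, the server name radius.example.test and the client name alice are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the page and not FreeRADIUS config): a lab CA that
# issues a server certificate for the RADIUS server and a client certificate
# for a Wi-Fi device, then applies the checks a RADIUS server applies to a
# client certificate in EAP-TLS: chain to the trusted CA, client EKU, and CRL.
# Names (lab-ca, radius.example.test, alice) are constructed for this example.
set -e

setup_ca() {  # $1 = working directory
  mkdir -p "$1" && ( cd "$1"
    # Self-signed root CA that signs both server and client certificates
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
      -subj "/CN=lab-ca" -keyout ca.key -out ca.pem 2>/dev/null
    # Minimal "openssl ca" configuration: only what -revoke and -gencrl need
    { printf '[ca]\ndefault_ca=lab\n[lab]\ndatabase=index.txt\ncrlnumber=crlnumber\n'
      printf 'certificate=ca.pem\nprivate_key=ca.key\ndefault_md=sha256\ndefault_crl_days=30\n'
    } > ca.cnf
    : > index.txt; echo 1000 > crlnumber
    # Publish an (empty) CRL from day one so a CRL-checking server never fails open
    openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null )
}

issue_cert() {  # $1 = dir, $2 = CN, $3 = extendedKeyUsage (serverAuth|clientAuth)
  ( cd "$1"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
      -keyout "$2.key" -out "$2.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$3" > "$2.ext"
    openssl x509 -req -in "$2.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
      -sha256 -days 365 -extfile "$2.ext" -out "$2.pem" 2>/dev/null )
}

revoke_cert() {  # $1 = dir, $2 = CN: mark the certificate revoked and re-issue the CRL
  ( cd "$1"
    openssl ca -config ca.cnf -revoke "$2.pem" >/dev/null 2>&1
    openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null )
}

check_client() {  # $1 = dir, $2 = CN; exit 0 only if a RADIUS server should accept it
  ( cd "$1"
    # The three decisions EAP-TLS rests on: chains to the CA, usable for client
    # authentication (a serverAuth-only certificate must not pass), not on the CRL
    openssl verify -purpose sslclient -crl_check -CAfile ca.pem -CRLfile ca.crl \
      "$2.pem" >/dev/null 2>&1 )
}
```

Run setup_ca, issue_cert once with serverAuth and once with clientAuth, then check_client: it passes for the client certificate, fails for the server certificate, and fails for the client certificate again after revoke_cert has placed it on the CRL.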
[draw.io diagram: certiauth]
Configure the Wi-Fi Access Point for WPA2/WPA3-Enterprise:
- The Wi-Fi AP must be configured to use WPA2-Enterprise (or WPA3-Enterprise) security mode.
- The AP should also be configured to use the RADIUS server for authentication and EAP-TLS as the supported authentication method.
Steps:
- Set the Security Mode on the AP to WPA2-Enterprise or WPA3-Enterprise.
- Specify the RADIUS server IP address and shared secret on the AP, so that the AP can forward authentication requests to the RADIUS server.
- Enable EAP-TLS as the authentication method.
[draw.io diagram: apconfig]
Configure the Passpoint Profile for Certificate-Based Authentication:
- Passpoint profiles on client devices include settings that define how the device should connect to the Wi-Fi network. For EAP-TLS, the profile should specify that certificate-based authentication is required.
- The profile will also contain the identity provider (IDP) information, allowing the device to automatically connect to networks using the correct certificates.
Steps:
- The ANQP (Access Network Query Protocol) settings should be configured on the AP to inform clients that EAP-TLS is available.
- The Passpoint profile on the client device must include:
  - The CA certificate (for server verification).
  - The client certificate (issued by the network or organization).
  - The private key associated with the client certificate.
[draw.io diagram: passpointconfig]
Install Certificates on Client Devices:
- The client device (laptop, smartphone, tablet, etc.) must have a client certificate and private key installed. This certificate is typically issued by the organization or service provider offering the Wi-Fi network.
Steps:
- Install the client certificate and corresponding private key on the client device.
- Ensure that the device trusts the CA certificate of the RADIUS server to validate the server's identity during the authentication process.