            1. Set Up a Certificate Authority (CA):

              • To use certificate-based authentication you need a Certificate Authority (CA) that both sides trust: it issues a server certificate to the RADIUS server and a client certificate to every device (or user) that will connect. EAP-TLS is mutual authentication, so each side validates the other's certificate against that CA.
              • This can be a public CA (e.g., DigiCert, formerly VeriSign; Let's Encrypt) or an internal enterprise CA (e.g., Active Directory Certificate Services) for organizations that manage their own certificates. In practice the client certificates almost always come from an internal CA: public CAs issue server certificates for public host names and generally do not issue per-device client certificates. Using a public root for the RADIUS server certificate also means clients trust every certificate that CA has ever issued, so the client profile must additionally pin the expected server name.

              Steps:

              • Set up a CA that can issue both client certificates (Extended Key Usage clientAuth) and server certificates (Extended Key Usage serverAuth); supplicants reject a RADIUS server certificate that lacks serverAuth.
              • Ensure that both the client and the RADIUS server are configured with certificates signed by the CA and that each side has the CA certificate to validate the other.
              • Issue one certificate per user or client device that will connect to the Wi-Fi network, so that a single lost or decommissioned device can be revoked without affecting the others.
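              The following is an added example, not part of the original page or of any vendor's tooling: a minimal EAP-TLS PKI built with the OpenSSL command line. It creates a private CA, issues a serverAuth certificate for the RADIUS server and a clientAuth certificate for one device, exports the client key and certificate as a PKCS#12 bundle (the format imported in step 5), and shows a revocation published as a CRL. The names (Example Wi-Fi CA, radius.example.com, alice@example.com), the PKCS#12 password and the output directory are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example (not from the original page): an EAP-TLS PKI with OpenSSL.
# All names, paths and the PKCS#12 password below are placeholders.
set -eu

# Build the CA, one RADIUS server certificate and one client certificate in "$1".
build_pki() (
    mkdir -p "$1/newcerts"
    dir=$(cd "$1" && pwd)          # absolute path, used inside ca.cnf
    cd "$dir"
    touch index.txt                # 'openssl ca' database of issued/revoked certs
    echo 1000 > crlnumber

    # One config serves 'openssl req -x509' (CA certificate) and 'openssl ca' (CRL).
    cat > ca.cnf <<EOF
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
CN = Example Wi-Fi CA
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = wifi_ca
[ wifi_ca ]
dir = $dir
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/ca.pem
private_key = $dir/ca.key
serial = $dir/ca.srl
crlnumber = $dir/crlnumber
default_md = sha256
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
EOF

    # Root CA key and self-signed certificate (keep the key offline in production).
    openssl req -x509 -config ca.cnf -newkey rsa:3072 -nodes -days 3650 \
        -keyout ca.key -out ca.pem 2>/dev/null

    # Leaf extensions: the RADIUS server needs EKU serverAuth (supplicants check it),
    # the device certificate EKU clientAuth. Swapping them is a classic EAP-TLS failure.
    printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth' 'subjectAltName=DNS:radius.example.com' > server.ext
    printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=digitalSignature' \
        'extendedKeyUsage=clientAuth' 'subjectAltName=email:alice@example.com' > client.ext

    # RADIUS server certificate.
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -subj '/CN=radius.example.com' \
        -keyout server.key -out server.csr 2>/dev/null
    openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -days 825 -sha256 -extfile server.ext -out server.pem 2>/dev/null

    # Client (device) certificate.
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -subj '/CN=alice@example.com' \
        -keyout client.key -out client.csr 2>/dev/null
    openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -days 365 -sha256 -extfile client.ext -out client.pem 2>/dev/null

    # PKCS#12 bundle (key + certificate + CA) for import into the device keystore.
    openssl pkcs12 -export -inkey client.key -in client.pem -certfile ca.pem \
        -name alice@example.com -passout pass:changeit -out client.p12
)

# 0 when both leaf certificates chain to the CA for their intended purpose and the
# server certificate matches the name supplicants will be told to expect.
verify_chains() (
    cd "$1"
    openssl verify -CAfile ca.pem -purpose sslserver \
        -verify_hostname radius.example.com server.pem >/dev/null &&
    openssl verify -CAfile ca.pem -purpose sslclient client.pem >/dev/null
)

# Revoke the device certificate (lost device) and publish a fresh CRL.
revoke_client() (
    cd "$1"
    openssl ca -config ca.cnf -revoke client.pem 2>/dev/null &&
    openssl ca -config ca.cnf -gencrl -crldays 30 -out crl.pem 2>/dev/null
)

# 0 when CRL checking rejects the client certificate, which is the check the
# RADIUS server must perform on every authentication (step 2).
client_is_revoked() (
    cd "$1"
    ! openssl verify -crl_check -CAfile ca.pem -CRLfile crl.pem client.pem >/dev/null 2>&1
)
```

              Run build_pki on an empty directory, copy ca.pem, server.key and server.pem to the RADIUS server, and hand client.p12 to the device owner over a trusted channel. After revoke_client, copy crl.pem to wherever the RADIUS server reads CRLs from; until it does, the revoked device still authenticates. Very old devices may need the PKCS#12 written with OpenSSL's -legacy option, because OpenSSL 3 defaults to AES and PBKDF2 for the bundle.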
            2. Configure the RADIUS Server to Support EAP-TLS:

              • The RADIUS server must be configured to use EAP-TLS for authentication.
              • The server needs a server certificate signed by the CA and must be able to validate client certificates during the authentication process.

              Steps:

              • Install the RADIUS server certificate and its private key, together with the CA certificate, on the RADIUS server.
              • Configure the RADIUS server to authenticate users with EAP-TLS by validating the client's certificate chain up to the trusted CA; optionally map certificate fields (subject or subjectAltName) to an authorization policy such as a VLAN.
              • Configure the RADIUS server to consult a Certificate Revocation List (CRL) or an Online Certificate Status Protocol (OCSP) responder on every authentication. Without revocation checking, the certificate of a lost or stolen device remains usable until it expires.
              • Example configuration for FreeRADIUS (a popular open-source RADIUS server)
                • [draw.io diagram: certiauth]
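                As an added example, not configuration from the original page: the EAP module of FreeRADIUS 3.x (mods-available/eap) limited to EAP-TLS with CRL and OCSP checking. ${certdir} and ${cadir} are variables radiusd.conf already defines; the file names under them and the OCSP URL are assumptions for this example.

```text
eap {
        # Offer only EAP-TLS; requests for other methods are rejected.
        default_eap_type = tls
        timer_expire = 60
        ignore_unknown_eap_types = no

        tls-config tls-common {
                private_key_file = ${certdir}/server.key
                certificate_file = ${certdir}/server.pem
                ca_file = ${cadir}/ca.pem
                # check_crl needs the CRL in ca_path, in the hashed layout
                # produced by c_rehash/openssl rehash.
                ca_path = ${cadir}
                check_crl = yes
                tls_min_version = "1.2"
                cipher_list = "HIGH:!aNULL:!MD5"
                cipher_server_preference = yes
                ecdh_curve = "prime256v1"
                # Also ask the CA's OCSP responder (assumed URL). softfail = no
                # treats an unreachable responder as a failed authentication.
                ocsp {
                        enable = yes
                        override_cert_url = yes
                        url = "http://ocsp.example.com/"
                        softfail = no
                }
        }

        tls {
                tls = tls-common
                # Optional extra checks on the presented certificate
                # (TLS-Client-Cert-* attributes) in sites-available/check-eap-tls.
                virtual_server = "check-eap-tls"
        }
}
```

                The eap module must also be listed in the authorize and authenticate sections of the virtual server (sites-enabled/default), and each access point has to be declared with its shared secret in clients.conf. Start the server once with radiusd -X to see certificate loading errors before pointing real clients at it.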
            3. Configure the Wi-Fi Access Point for WPA2/WPA3-Enterprise:

              • The Wi-Fi AP must be configured to use WPA2-Enterprise (or WPA3-Enterprise) security mode, i.e. 802.1X with RADIUS rather than a pre-shared key.
              • The AP (the 802.1X authenticator) forwards EAP messages to the RADIUS server inside RADIUS packets. It does not select the EAP method itself; EAP-TLS is negotiated between the client and the RADIUS server. For Passpoint, the AP additionally advertises that EAP-TLS is offered for the realm via ANQP (step 4).

              Steps:

              • Set the Security Mode on the AP to WPA2-Enterprise or WPA3-Enterprise (WPA3-Enterprise requires Protected Management Frames).
              • Specify the RADIUS server IP address, port (1812) and shared secret on the AP so that it can forward authentication requests. Use a long random secret, unique per AP; the secret is the only protection on the AP-to-RADIUS leg, so use RadSec (RADIUS over TLS, RFC 6614) if that traffic crosses an untrusted network.
              • Verify that EAP-TLS works end to end: the method is enabled on the RADIUS server, and for Passpoint clients it is advertised in the AP's ANQP NAI Realm list.
              • [draw.io diagram: apconfig]
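              As an added example (not from the original page): a hostapd configuration for a WPA2/WPA3-Enterprise SSID that forwards 802.1X to the RADIUS server and advertises Passpoint with EAP-TLS. Interface, SSID, RADIUS address, the roaming consortium OI and the realm are placeholders.

```text
# hostapd.conf (added example). Interface, addresses and names are placeholders.
interface=wlan0
driver=nl80211
ssid=Example-Passpoint
hw_mode=g
channel=6

# 802.1X / WPA2-Enterprise. For WPA3-Enterprise keep WPA-EAP and require PMF;
# WPA-EAP-SUITE-B-192 would select the 192-bit mode instead.
ieee8021x=1
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee80211w=2

# RADIUS server the AP relays EAP to; the secret must match clients.conf.
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=replace-with-a-long-random-secret
nas_identifier=ap1.example.com

# Passpoint (Hotspot 2.0) / ANQP
interworking=1
hs20=1
access_network_type=2
internet=1
domain_name=example.com
roaming_consortium=001bc50460
# NAI Realm list: realm example.com offers EAP-TLS (method 13) with
# credential type certificate (auth parameter 5, value 6).
nai_realm=0,example.com,13[5:6]
```

              The nai_realm line is what lets a Passpoint device with a certificate credential for example.com pick this network without any SSID configuration. Note that the AP never sees the TLS session or the certificates; it only relays EAP and receives the session key from the RADIUS server after a successful authentication.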
            4. Configure the Passpoint Profile for Certificate-Based Authentication:

              • Passpoint profiles on client devices include settings that define how the device should connect to the Wi-Fi network. For EAP-TLS, the profile should specify that certificate-based authentication is required.
              • The profile will also contain the identity provider (IDP) information, allowing the device to automatically connect to networks using the correct certificates.

              Steps:

              • The AP's ANQP (Access Network Query Protocol) NAI Realm list should advertise the organization's realm with EAP-TLS (EAP method 13) and credential type "certificate" (authentication parameter 5, value 6), so that clients know a certificate credential for that realm will be accepted.
              • The Passpoint profile on the client device must include:
                • The CA certificate (for server verification), together with the expected server name (domain or suffix match). Trusting the CA alone would accept any certificate that CA has issued, including one presented by a rogue AP.
                • The client certificate (issued by the network or organization).
                • The private key associated with the client certificate.
                • [draw.io diagram: passpointconfig]
            5. Install Certificates on Client Devices:

              • The client device (laptop, smartphone, tablet, etc.) must have a client certificate and private key installed. This certificate is typically issued by the organization or service provider offering the Wi-Fi network.

              Steps:

              • Install the client certificate and its private key, normally as a PKCS#12 bundle, on the client device. Mark the key non-exportable or store it in the platform's hardware-backed keystore where one is available, so the credential cannot be copied to another device.
              • Ensure that the device trusts the CA certificate of the RADIUS server and is configured with the expected server name, so it can validate the server's identity during authentication.
              • Example on Windows/macOS/Linux:

                • Use the system's certificate manager (Windows certificate store, macOS Keychain, or the supplicant's certificate paths on Linux) to install the certificates, then configure the Wi-Fi connection to use EAP-TLS with that certificate and the CA.
                • For Android and iOS devices, profiles can be pushed by the network provider (through an MDM or the Passpoint online sign-up flow) or installed manually via the settings menu.
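              As an added example covering the Passpoint profile of step 4 and the Linux installation of step 5 (not from the original page): a wpa_supplicant.conf with a Passpoint credential block and, for comparison, a conventional WPA2/WPA3-Enterprise network block that uses the same certificate. Realm, SSID, OI and certificate paths are placeholders.

```text
# wpa_supplicant.conf (added example). Paths and names are placeholders.
ctrl_interface=/var/run/wpa_supplicant
interworking=1
hs20=1
# Select a network from ANQP data using the credentials below.
auto_interworking=1

# Passpoint credential, used when an AP advertises the realm (or the roaming
# consortium) with EAP-TLS + certificate credential in its NAI Realm list.
cred={
    priority=1
    realm="example.com"
    domain="example.com"
    roaming_consortium=001bc50460
    eap=TLS
    ca_cert="/etc/wpa_supplicant/certs/ca.pem"
    client_cert="/etc/wpa_supplicant/certs/client.pem"
    private_key="/etc/wpa_supplicant/certs/client.key"
    # Pin the RADIUS server name; the CA alone is not enough.
    domain_suffix_match="radius.example.com"
}

# The same certificate for a non-Passpoint enterprise SSID, e.g. on a laptop.
network={
    ssid="Example-Passpoint"
    key_mgmt=WPA-EAP
    ieee80211w=2
    eap=TLS
    identity="anonymous@example.com"
    ca_cert="/etc/wpa_supplicant/certs/ca.pem"
    client_cert="/etc/wpa_supplicant/certs/client.pem"
    private_key="/etc/wpa_supplicant/certs/client.key"
    domain_suffix_match="radius.example.com"
}
```

              The identity in the network block is only the outer EAP identity used for realm routing; the user is identified by the certificate. With TLS 1.2 the client certificate is sent before the TLS session is encrypted and is visible to anyone capturing the air, while EAP-TLS with TLS 1.3 (RFC 9190) encrypts it.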
            6. EAP-TLS Authentication Workflow: When a client with a Passpoint profile and a client certificate connects to a Passpoint-enabled network that supports EAP-TLS, the following occurs:

              Steps:

              1. After 802.11 association, the AP (authenticator) sends an EAP-Request/Identity; the client answers with its outer identity (for Passpoint typically an anonymous identity such as anonymous@realm, which is used only to route the request to the right RADIUS server).
              2. The AP encapsulates the EAP messages in RADIUS Access-Request packets to the RADIUS server. The AP relays EAP only; it never terminates the TLS session.
              3. The RADIUS server starts EAP-TLS, the client sends a TLS ClientHello, and the server replies with its certificate chain and a CertificateRequest.
              4. The client validates the server's certificate against the CA certificate it trusts and checks the server name configured in its profile.
              5. The client sends its own certificate and proves possession of the matching private key (TLS CertificateVerify), then the handshake completes.
              6. The RADIUS server validates the client's certificate chain up to the issuing CA and checks its revocation status (CRL or OCSP).
              7. Upon successful mutual authentication, the RADIUS server returns a RADIUS Access-Accept carrying EAP-Success and the key material derived from the TLS session (the EAP MSK, sent in the MS-MPPE-Recv-Key and MS-MPPE-Send-Key attributes); the AP forwards EAP-Success to the client and grants access.
              8. The client and the AP run the WPA 4-way handshake, deriving the session keys for the wireless link from that key material. The TLS session itself ends at the RADIUS server; the air link is protected by 802.11 encryption keyed from the EAP exchange.