Netgate Discussion Forum

Certificates-based wifi auth
Wireless | 16 Posts 6 Posters 7.1k Views
• lookash

      Hello!

I'm trying to configure wifi authentication based on CA and RADIUS. Both (CA and RADIUS2) are packages installed on pfsense (v2.2.4). The wifi AP is a separate device.
My goal is to have authentication based on certificates (if a user doesn't have the required certificate, it will not connect to the network).

I would really appreciate guidance on how to set up such a solution (the more details the better).

      Thanks in advance!

• johnpoz (LAYER 8 Global Moderator)

CA package?  You mean the built-in pfsense CA?

So you're wanting to auth your wifi with eap-tls?  I have this running currently, guess I could throw together a how-to.  I ran into one little issue with iOS devices like iPads and iPhones and the .p12 package for the CA cert and user cert and key not having a password.  But easy enough to work around with openssl to create a .p12 and put a password on.

I have Windows 7 machines, an Android Nexus phone and iPhones and iPads all using eap-tls to auth to my wifi.  Keep in mind that not all devices support wpa/wpa2 enterprise and you will still need to maintain a psk wifi ssid for these types of devices.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

• lookash

          Hi johnpoz,

          Yes, I meant built in CA.

As for wifi auth with eap-tls - YES, it's exactly what I would like to achieve. It would be great if you could put together a how-to on this topic, especially if you have already solved the issues with client devices.

          Thanks in advance!

• conehead

Hi,
any link to an excellent how-to?

            thanks

• asutherland

              @johnpoz:

CA package?  You mean the built-in pfsense CA?

So you're wanting to auth your wifi with eap-tls?  I have this running currently, guess I could throw together a how-to.  I ran into one little issue with iOS devices like iPads and iPhones and the .p12 package for the CA cert and user cert and key not having a password.  But easy enough to work around with openssl to create a .p12 and put a password on.

I have Windows 7 machines, an Android Nexus phone and iPhones and iPads all using eap-tls to auth to my wifi.  Keep in mind that not all devices support wpa/wpa2 enterprise and you will still need to maintain a psk wifi ssid for these types of devices.

              John, this would also help me greatly. I've tried several things and I can't seem to get EAP-TLS to work without Windows prompting for a username. I followed the directions here under EAP-TLS: https://doc.pfsense.org/index.php/Using_EAP_and_PEAP_with_FreeRADIUS

              :) Andrew

• johnpoz (LAYER 8 Global Moderator)

What flavor of Windows are you using?  Did you get any other devices to work with it?  I have a couple of iPhones, an iPad, a Nexus phone and 3 laptops running Windows 7..

[attachment: windowseaptls.png]

• asutherland

                  Windows 7 Enterprise x64. I haven't tried any other OS as I don't have any handy here. I do have an Android phone but wasn't sure about how to install certs.

                  Your screenshots look exactly like mine. Freerad-ca is the CA .crt you created in the Certificates section of pfSense?

                  I created a CA there, in pfSense Cert Manager, as well as Client certificate (exported as .p12) and then imported both of them here:

Client cert.p12 --> Certificates - Current User > Personal > Certificates
CA cert.crt     --> Certificates - Current User > Trusted Root Certification Authorities > Certificates

                  I also tried adding to Local Computer cert stores as well, which didn't make a difference.

                  When you connect to your wireless, does it just... work? Or does it prompt you to select a certificate or to enter credentials? IF I select "use a different username for the connection" then I get the same prompt for certificate as in my screenshot, but with the option to type a username (no password). The certificates I can select from are either the one I created in pfSense (which I assume is what I want!) or my domain user certificate. The fact there is a checkbox for "use a different username" makes me feel like it's trying to authenticate with certificate AND credentials.

                  If I click through the certificate selection, it thinks about it for about 10 seconds and then prompts again with the same cert selection dialog.

                  Thanks for your help :)
                  Andrew

[attachment: wirelessconfig.jpg]

• johnpoz (LAYER 8 Global Moderator)

                    When I connect it just works.. I don't get prompted for anything.

                    Did you create a user in freeradius?  With eap-tls you do not need a user account.  Did you disable the other weak eap and set tls as default?

[attachment: eapsettings.png]

• asutherland

                      @johnpoz:

                      Did you create a user in freeradius?  With eap-tls you do not need a user account.  Did you disable the other weak eap and set tls as default?

                      I did, just as a test to see if it was working via EAP-PEAP. (which it was). I then deleted the user account, as I don't want any user/pass authentication, only certificate.

                      Here are my settings in the EAP tab on freeradius. (EAP settings.jpg)

                      Every time I connect, I just get prompted with this: (Certificate.jpg). Pressing OK makes the system think for a moment, then re-prompt me with the same dialog. If I remove the Communications Server (client auth - used for other things) certificate from Current User > Personal > Certificates, so I only have the 1 certificate Windows can choose from, then Windows doesn't prompt me with the dialog. It just errors out saying it cannot connect to my AP.

Viewing my AP's log, I see "Wireless system with Mac address <my laptop's wireless mac> deauthenticate reason 1"… which according to http://www.cisco.com/c/en/us/td/docs/wireless/controller/3-2/configuration/guide/ccfig32/c32err.html means "1 - unspecifiedReason - Client associated but no longer authorized."

[attachment: EAP settings.jpg]
[attachment: Certificate.jpg]

• asutherland

                        Figured it out!!!!  8) 8) 8) 8)

                        The problem was the user I created in Freeradius had a different name than the user certificate. I didn't think setting up a user was a required setting, since I didn't want any username/password auth. But it makes sense to me now.

                        I created a user with a blank password in Freeradius > Users and gave it the same name as my user cert. Immediately worked  ;D

                        Thanks for all your help John.

                        Andrew

• Derelict (LAYER 8 Netgate)
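Two points from this thread lend themselves to a worked check: johnpoz's note that iOS wants the .p12 bundle to carry a password, and Andrew's finding that a FreeRADIUS user entry, if one exists, must carry the same name as the client certificate. The script below is an added example, not code from the thread or from pfSense; it generates a throwaway CA and client cert with openssl (stand-ins for the pfSense Cert Manager objects), exports a password-protected .p12, confirms the password is enforced, and extracts the certificate CN you would compare against the FreeRADIUS user name.

```shell
#!/bin/sh
# Added example: password-protected .p12 export plus a CN check.
# Everything here is generated into a scratch directory; no real CA is used.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Throwaway CA and a client certificate signed by it (constructed test PKI).
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=andrew" \
    -keyout "$WORK/user.key" -out "$WORK/user.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/user.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/user.crt" >/dev/null 2>&1
}

# Bundle user cert + key + CA cert into one .p12 protected by a password,
# which is what iOS requires on import.   $1 = output path, $2 = password
export_p12() {
  openssl pkcs12 -export -in "$WORK/user.crt" -inkey "$WORK/user.key" \
    -certfile "$WORK/ca.crt" -name "andrew" -out "$1" -passout "pass:$2"
}

# Exit 0 if the bundle opens with the given password (MAC verifies),
# non-zero otherwise.                        $1 = .p12 path, $2 = password
p12_opens_with() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# Print the subject CN of a PEM certificate. If a FreeRADIUS user entry
# exists for this client, its name must equal this value.  $1 = PEM cert
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Stand-alone run: build the PKI, export, and show the CN to match.
if [ "${1:-}" = "run" ]; then
  make_test_pki
  export_p12 "$WORK/user.p12" "example-import-password"
  echo "bundle: $WORK/user.p12  CN to use for the FreeRADIUS user: $(cert_cn "$WORK/user.crt")"
fi
```

With OpenSSL 3 the export uses its newer default PBE and MAC algorithms; if an older device refuses the import, re-export with the `-legacy` option that OpenSSL 3's `pkcs12` command provides.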

                          You probably want those users to have a long, random password, not blank.

                          Chattanooga, Tennessee, USA
                          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                          Do Not Chat For Help! NO_WAN_EGRESS(TM)

• asutherland

                            @Derelict:

                            You probably want those users to have a long, random password, not blank.

                            Would it still allow the certificate only (TLS) authentication that way? Or would it prompt for a username/password when connecting?

• Derelict (LAYER 8 Netgate)

                              Try it and see.

• asutherland

                                No problems!

                                I added a complex password, and it doesn't seem to care. Awesome ;D

• johnpoz (LAYER 8 Global Moderator)

                                  "I didn't think setting up a user was a required setting,"

It's not - but if you have one that matches you could have problems.  I don't have any user accounts, but 7 different devices that auth with eap-tls..

[attachment: users.png]

• MatHis

                                    @johnpoz:

CA package?  You mean the built-in pfsense CA?

So you're wanting to auth your wifi with eap-tls?  I have this running currently, guess I could throw together a how-to.  I ran into one little issue with iOS devices like iPads and iPhones and the .p12 package for the CA cert and user cert and key not having a password.  But easy enough to work around with openssl to create a .p12 and put a password on.

I have Windows 7 machines, an Android Nexus phone and iPhones and iPads all using eap-tls to auth to my wifi.  Keep in mind that not all devices support wpa/wpa2 enterprise and you will still need to maintain a psk wifi ssid for these types of devices.

John, if you could put together a how-to it would be greatly appreciated. I have been trying to get the same setup as the OP.

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.