Setting up EAP-TLS for 802.1X Wireless
Currently, I have already installed and properly set up my FreeRadius on my pfSense box.
The following is what I did:
- Set up an account/password in the user section
- Set up an authentication interface for FreeRadius to listen on
- Create a CA, server and client certificate in Cert Manager
- Set FreeRadius to use certificates created in pfSense Cert Manager
- Install CA cert on my wireless clients
- Set up my wireless clients to establish a wireless connection using either 802.1X EAP-TLS/TTLS/PEAP with the CA Certs and the account/password created in Step 1
OK, everything works fine. My wireless clients are able to authenticate properly with FreeRadius, however, WITHOUT the client cert.
I may be wrong, but isn't RADIUS supposed to check my wireless client for its client server and verify its validity before accepting the authentication? Did I misunderstand how EAP-TLS works?
If I'm right, how do I set up FreeRadius to check for a client cert before accepting a wireless client into the network?
Thanks in advance.
P.S. I have enabled the 'Check Cert Issuer' and 'Check Client Certificate CN' options found in the 'EAP' tab.