Switching from PEAP to EAP-TLS … How do I bind certs to users?



  • Hey guys, I am stuck on something here and could use some help.  Right now I have a PEAP setup for wifi at home where users are authenticated by individual names and passwords in the user section of FreeRADIUS.  Next I want to switch to EAP-TLS, which will require client certs to enter the picture.  The thing I can't figure out is how to associate the client certs with the users I have entered into FreeRADIUS.  Is there something I am missing here?

    To give some background here, I should say that the CA cert and server cert I have were generated by the pfSense Cert Manager (which to my understanding is the preferred method).  In the following tutorial I see how the client cert binding is done when the users are entered into pfSense user management.  While this tut is meant for setting up OpenVPN, I think this overlaps enough with what I am trying to do with wifi:

    https://www.highlnk.com/2013/12/configuring-openvpn-on-pfsense/

    Does anyone have some ideas?



  • I never could figure that one out myself. I also noticed that revocation lists didn't seem to have any effect (even after restarting RADIUS per the instructions; keep in mind this was with 2.1.5, and I have since reverted back to just using PEAP).

    Also, you might wanna ask a mod to move this thread to the Packages forum, as RADIUS is a package and wireless isn't the only use.



  • I think it just goes off the Common Name in the certificate.

    So, make sure you generate the certificates such that the CN field matches the name of the user, and then enable the "Check Client Certificate CN" setting in the FreeRADIUS EAP tab.


  • Rebel Alliance Global Moderator

    I have been playing with this myself. From my initial testing I was not able to get it working. Been on the road this week; will play again maybe this weekend.

    I got EAP-TLS working. The client was able to connect, but then I wanted to test with a client that did not have a machine cert installed, to confirm access was restricted, and that didn't seem to be working.  As long as it trusted the CA cert, it was able to connect with no client cert installed.


  • Rebel Alliance Global Moderator

  • Ok, finally got back to this. I want to use just EAP-TLS, so there really is no reason to create a user in FreeRADIUS; just create the user cert in the CA.  If there is no user, there is no way to auth without the cert.  So this solves my problem. Now that I figured out how to install the certs on Apple iOS devices, I can play with this more and switch over to WPA2 Enterprise only for my normal WLAN and just leave PSK for guests to use.
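For reference, this is what the CN binding from the third reply and the "EAP-TLS only, no FreeRADIUS user" approach from the last reply look like in the FreeRADIUS configuration itself. It is an added example in FreeRADIUS 2.x eap.conf style, not the file the pfSense package generates or anything posted in this thread; the certificate file names under the certs directory are assumptions.

```conf
# eap.conf (FreeRADIUS 2.x layout). Added example, not the file written by the
# pfSense package; the file names under ${confdir}/certs are assumptions.
eap {
    # Only EAP-TLS is offered: there is no peap { } or ttls { } sub-block, so a
    # supplicant without a client certificate has no username/password path
    # to fall back to, which is why no FreeRADIUS user entry is needed.
    default_eap_type = tls

    tls {
        certdir = ${confdir}/certs
        cadir   = ${confdir}/certs

        # Server identity plus the CA that issued the client certificates
        private_key_file = ${certdir}/server.key
        certificate_file = ${certdir}/server.crt
        CA_file          = ${cadir}/ca.crt

        # Bind the presented certificate to the RADIUS user: the client cert's
        # CN must equal the User-Name the supplicant sends, or the session is
        # rejected. This is the setting behind "Check Client Certificate CN".
        check_cert_cn = %{User-Name}

        # Honour the CA's CRL. FreeRADIUS reads it only from ca_path, and that
        # directory must be hashed (run c_rehash on it) and radiusd restarted
        # after each new CRL is dropped in, otherwise revocation has no effect.
        check_crl = yes
        ca_path   = ${cadir}
    }
}
```

A user whose certificate has been revoked keeps working until the refreshed CRL is in the hashed ca_path directory and radiusd has been restarted, so check both when testing revocation.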