Setting up WPA2 Enterprise - EAP-TLS



  • Steps I have taken:

    • Installed FreeRadius 2

    • Setup FreeRadius 2

    • Created a CA in pfSense cert manager

    • Created a server cert in pfSense cert manager

    • Created a user cert in pfSense cert manager

    • Setup FreeRadius to use CA + server cert

    • Exported the CA cert and imported it on my iPhone

    • Exported the user cert as p12 and added a password with OpenSSL (on my Mac) and imported it on my iPhone (p12 certs without a password cannot be imported on iOS)

    I can now connect to my network.
    But is it correct that you do not need a username/password with the above configuration?
    Do I just create a user cert for all users that want to connect to my wifi network?



  • Hi Panja,

    I think I have the same question as you. I don't want to make a whole new thread, as I believe if your question is answered, mine will be too. Can you do machine-only authentication with TLS? The location this server is going to will NOT have access to our internal network (and therefore no LDAP, AD, etc.).

    The only difference in setup steps I did was I didn't create a server cert in pfSense cert manager… and I exported both the CA.crt and client .p12 from pfSense cert manager into my Windows 7 client. Basically I followed the steps outlined in EAP-TLS in https://doc.pfsense.org/index.php/Using_EAP_and_PEAP_with_FreeRADIUS

    However, on connecting in Windows, I either receive an error (if "use a different username for connection" is not checked, as it tries to use my LDAP Windows credentials) or, if I do check that box, it then prompts me for a username (for which nothing seems to work).

    I can successfully connect the Windows host via PEAP and an arbitrary username/password created in FreeRADIUS though, so I know my FreeRADIUS, pfSense and AP are working correctly and talking.

    thanks,
    Andrew


  • LAYER 8 Global Moderator

    I have multiple iPhones and iPads using EAP-TLS; you do not need an actual user account, just a cert for that device. See you ran into the need-password issue. As you found, easy enough to get around with openssl.

    You need to install the key as well, which should have been in your .p12 package for the user cert you created. You should see your certs installed under General, Profiles & Devices.




  • Thanks mate, I have it running now.  8)


  • LAYER 8 Global Moderator

    Nice. Now if we could get enterprise support on devices like Nest, Harmony Hub, game consoles, etc., could completely get rid of WPA2-PSK… Well, still might need it for guests, since it would be a bit difficult to explain installation of certs to most users. But guess could just run open with a captive portal for them as well, and not even need a PSK SSID.

