  1. General
  2. Linux (Network Manager)
  3. Android 10 & 11
  4. Raspberry Pi OS (buster)

These are some instructions for connecting various clients to a WPA2/WPA3 Enterprise network using EAP-TLS authentication. "user@example.com" is used as the client identity in some of the examples; replace it with your actual client identity. There are also some notes on Management Frame Protection (802.11w) compatibility. It is a setting on the router that authenticates management frames such as deauthentication and disassociation, so a third party can no longer forge them to knock clients off the network, but not every client supports it.


General


These are the fields that you will see on most clients when attempting to connect to the wireless network. They might have slightly different names or be in a different order.


Security -> WPA2 Enterprise or WPA3 Enterprise - sometimes WPA & WPA2 Enterprise or WPA/WPA2/WPA3 Enterprise
Authentication -> TLS
Identity -> user@example.com - the value of emailAddress when you created the client certificate
CA Certificate -> ca.pem - the full path to the file
Domain -> radius.example.com - the value of DNS.1 in the xpextensions file
CA Certificate Password -> empty
User Certificate -> user@example.com.pem - the full path to the file
Private Key -> user@example.com.pem - it's in the same file
Private Key Password -> enter the password that you added to client.cnf when you created the certificate


It's important to note that if a client does not fill in the CA Certificate and Domain fields, the identity of the RADIUS server will not be verified: the client will complete the EAP-TLS handshake with whatever server answers, so a rogue access point broadcasting the same SSID can get it to associate. With the CA Certificate set but no Domain, the client accepts any server certificate that CA has issued, regardless of the name in it. This is critical to the overall security of EAP-TLS, so I strongly recommend that those two fields are always filled in.
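Before typing the fields into any client it is worth confirming that the files fit together. The script below is an added example, not code from the original page: it builds a throwaway CA, RADIUS server certificate and client certificate with openssl purely so the checks can run offline, then verifies that the client certificate chains to ca.pem and has not expired, that the Private Key Password unlocks a key matching that certificate, that the RADIUS certificate is valid for the Domain value under the same CA (the check the CA Certificate and Domain fields make a client perform), and prints the emailAddress to use as Identity. It assumes openssl 1.1.1 or newer on PATH; the file names, the CLIENT_PASS value and the make_demo_pki function are constructed for this example and are not part of the original setup.

```shell
#!/bin/sh
# Added example, not code from the original page: sanity-check EAP-TLS client
# material with openssl before typing it into a client. Assumes openssl 1.1.1+.
# make_demo_pki() and CLIENT_PASS are constructed here so the checks run offline.

CLIENT_PASS=${CLIENT_PASS:-demo-key-password}

# pem_block <file> <label pattern>: extract one PEM object from a combined file
pem_block() {
    sed -n "/^-----BEGIN $2-----/,/^-----END $2-----/p" "$1"
}

fail() { echo "FAIL: $*" >&2; rm -rf "$tmp"; }

# eap_tls_preflight <ca.pem> <client.pem> <key password> <domain> <radius cert>
# Prints the Identity value (emailAddress of the client cert); non-zero on failure.
eap_tls_preflight() {
    ca=$1 client=$2 pass=$3 domain=$4 server=$5
    tmp=$(mktemp -d) || return 1
    # the client file holds certificate then key; give openssl one object per file
    pem_block "$client" 'CERTIFICATE' > "$tmp/cert.pem"
    pem_block "$client" '.*PRIVATE KEY' > "$tmp/key.pem"

    # 1. the client certificate chains to ca.pem (the RADIUS server's check of us)
    openssl verify -CAfile "$ca" "$tmp/cert.pem" >/dev/null 2>&1 \
        || { fail "client certificate is not issued by $ca"; return 1; }
    # 2. and it has not expired
    openssl x509 -in "$tmp/cert.pem" -noout -checkend 0 >/dev/null 2>&1 \
        || { fail "client certificate has expired"; return 1; }
    # 3. the Private Key Password decrypts the key, and the key matches the certificate
    cert_pub=$(openssl x509 -in "$tmp/cert.pem" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$tmp/key.pem" -passin "pass:$pass" -pubout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { fail "wrong key password, or key does not belong to the certificate"; return 1; }
    # 4. the RADIUS server certificate is issued by ca.pem AND names the Domain value:
    #    this is what filling in CA Certificate + Domain makes the client enforce
    openssl verify -CAfile "$ca" -verify_hostname "$domain" "$server" >/dev/null 2>&1 \
        || { fail "$server is not valid for $domain under $ca"; return 1; }

    openssl x509 -in "$tmp/cert.pem" -noout -email   # Identity field
    rm -rf "$tmp"
}

# make_demo_pki <dir>: throwaway CA, RADIUS server cert and client cert+key file,
# constructed only so the checks above can be exercised offline
make_demo_pki() {
    d=$1
    cat > "$d/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl req -x509 -config "$d/req.cnf" -newkey rsa:2048 -nodes -keyout "$d/ca.key" \
        -out "$d/ca.pem" -days 30 -subj "/CN=Example Home CA" 2>/dev/null
    # RADIUS server: the DNS SAN is what the Domain field / domain_match is compared to
    openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes -keyout "$d/radius.key" \
        -out "$d/radius.csr" -subj "/CN=radius.example.com" 2>/dev/null
    printf 'subjectAltName = DNS:radius.example.com\nextendedKeyUsage = serverAuth\n' > "$d/radius.ext"
    openssl x509 -req -in "$d/radius.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -days 30 -extfile "$d/radius.ext" -out "$d/radius.pem" 2>/dev/null
    # client: certificate followed by its password-protected key in one file, as on the page
    openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -keyout "$d/user.key" \
        -passout "pass:$CLIENT_PASS" -out "$d/user.csr" \
        -subj "/CN=user@example.com/emailAddress=user@example.com" 2>/dev/null
    printf 'extendedKeyUsage = clientAuth\n' > "$d/user.ext"
    openssl x509 -req -in "$d/user.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -days 30 -extfile "$d/user.ext" -out "$d/user.crt" 2>/dev/null
    cat "$d/user.crt" "$d/user.key" > "$d/user@example.com.pem"
}
```

Use make_demo_pki only for a dry run. With real material, point eap_tls_preflight at ca.pem, user@example.com.pem, the key password and a copy of the RADIUS server's certificate obtained from whoever runs it; a failure on step 4 with a correct CA usually means the Domain value does not match the DNS.1 name the server certificate was issued with.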


Linux (Network Manager)


  • Update the permissions for the pem files
    chmod 600 ca.pem  # not necessary, but doesn't hurt
    chmod 600 "user@example.com.pem"
    
  • Fill in the fields in Network Manager as specified under General
  • There's a checkbox in the settings for the network (Under "Identity") to allow/disallow this connection for other users
  • Management Frame Protection can likely be required for the wireless network, but this depends on the wireless driver and the wpa_supplicant build; NetworkManager exposes the client side as the pmf property of the connection's wireless security settings (default, disable, optional or required)

Android 10 & 11


  • The Client p12 file is installed by tapping it - you'll be prompted for the key password and to give it a name
  • You can put the client p12 file in the safe folder after it is installed
  • The CA Certificate is installed through "WiFi Preferences" -> "Advanced" -> "Install certificates" - you will have to name it
  • Once these certificates are installed they should show up in the drop downs when you attempt to connect to the network
    • EAP method -> TLS
    • CA certificate -> select the name you gave to the certificate earlier
    • Online Certificate Status -> "Do not validate" - It's not clear to me what this does exactly, but I believe it attempts to validate something on the internet after the connection is established. Since the CA Certificate we created only exists locally, it will fail if you choose something other than "Do not validate".
    • Domain -> radius.example.com
    • User certificate -> select the name you gave to the p12 file earlier
    • Identity -> user@example.com - the value of emailAddress when you created the client certificate
  • Management Frame Protection can be required for the wireless network

Raspberry Pi OS (buster)


  • Change the owner of the pem files to root and update the permissions
    sudo chown root:root ca.pem
    sudo chown root:root "user@example.com.pem"
    sudo chmod 600 ca.pem  # not necessary, but doesn't hurt
    sudo chmod 600 "user@example.com.pem"
    
  • Edit /etc/wpa_supplicant/wpa_supplicant.conf and add the following lines - fill in the empty values
    network={
           ssid=""
           key_mgmt=WPA-EAP
           pairwise=CCMP
           group=CCMP
           eap=TLS
           identity=""
           ca_cert=""
           client_cert=""
           private_key=""
           private_key_passwd=""
           domain_match="radius.example.com"
    }
    
  • Make sure the permissions are set correctly on wpa_supplicant.conf so non-root users can't read it - they aren't secure by default and I haven't found a way to encrypt private_key_passwd
    sudo chmod 600 /etc/wpa_supplicant/wpa_supplicant.conf
    
  • Add the following to /etc/dhcpcd.conf
    ###
    # Added for WPA2 Enterprise support
    ###
    interface wlan0
    env ifwireless=1
    env wpa_supplicant_driver=wext,nl80211
    ###
    
  • Restart dhcpcd
    sudo systemctl restart dhcpcd
    
    # to switch between multiple wireless networks: the network id is its position
    # in wpa_supplicant.conf counting from 0; list them with wpa_cli -i wlan0 list_networks
    wpa_cli -i wlan0 select_network 1
    wpa_cli -i wlan0 select_network 0
    
  • Management Frame Protection needs to be disabled or optional on the wireless network for this setup; wpa_supplicant's per-network ieee80211w setting (0 disabled, 1 optional, 2 required) only works when both the build and the wireless driver support it, which is not the case on Raspberry Pi OS buster (this should eventually be supported)
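The steps above can be scripted. The block below is an added example, not code from the original page: render_network_block produces the network block from the wpa_supplicant.conf step, optionally adding wpa_supplicant's ieee80211w setting (0 disabled, 1 optional, 2 required) together with the WPA-EAP-SHA256 key management that WPA3-Enterprise uses when MFP is required, and install_network_block appends it to the config only after checking that the pem files are not readable by other users and that the SSID is not already configured (a duplicate block shifts the ids that wpa_cli select_network refers to), creating the file with mode 600. It assumes GNU stat as found on Raspberry Pi OS; the SSID, paths and password are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original page: generate the EAP-TLS network
# block and add it to wpa_supplicant.conf with root-only permissions.
# Assumes GNU stat (Linux). SSID, paths and password below are placeholders.

# render_network_block <ssid> <identity> <ca.pem> <client.pem> <key passwd> <domain> [mfp]
# mfp is wpa_supplicant's ieee80211w value (0 disabled, 1 optional, 2 required);
# leave it out on builds/drivers without MFP support, such as Raspberry Pi OS buster.
render_network_block() {
    ssid=$1 identity=$2 ca=$3 pem=$4 passwd=$5 domain=$6 mfp=${7:-}
    key_mgmt=WPA-EAP
    # WPA3-Enterprise = MFP required + the SHA-256 AKM; keep WPA-EAP as well so
    # the same block still works against a WPA2-Enterprise access point
    [ "$mfp" = 2 ] && key_mgmt="WPA-EAP WPA-EAP-SHA256"
    printf 'network={\n'
    printf '        ssid="%s"\n' "$ssid"
    printf '        key_mgmt=%s\n' "$key_mgmt"
    [ -n "$mfp" ] && printf '        ieee80211w=%s\n' "$mfp"
    printf '        pairwise=CCMP\n        group=CCMP\n        eap=TLS\n'
    printf '        identity="%s"\n' "$identity"
    printf '        ca_cert="%s"\n' "$ca"
    printf '        client_cert="%s"\n' "$pem"
    printf '        private_key="%s"\n' "$pem"      # certificate and key share one file
    printf '        private_key_passwd="%s"\n' "$passwd"
    printf '        domain_match="%s"\n' "$domain"  # RADIUS identity check; never leave empty
    printf '}\n'
}

# install_network_block <conf> <ssid> <pem file>...   (network block on stdin)
install_network_block() {
    conf=$1 ssid=$2; shift 2
    # refuse while a certificate/key file is readable by other users
    for f in "$@"; do
        mode=$(stat -c %a "$f") || return 1
        case $mode in
            600|400) ;;
            *) echo "refusing: $f is mode $mode, chmod 600 it first" >&2; return 1 ;;
        esac
    done
    # a second block for the same SSID would renumber the ids that
    # wpa_cli select_network uses, so refuse duplicates
    if [ -f "$conf" ] && grep -q "ssid=\"$ssid\"" "$conf"; then
        echo "refusing: $conf already has a block for SSID $ssid" >&2; return 1
    fi
    # create the file with a restrictive umask, then force 600 in case it already existed
    (umask 077; cat >> "$conf") && chmod 600 "$conf"
}

# dry run into a scratch directory; the real target is /etc/wpa_supplicant/wpa_supplicant.conf
demo() {
    d=$(mktemp -d)
    touch "$d/ca.pem" "$d/user@example.com.pem"
    chmod 600 "$d/ca.pem" "$d/user@example.com.pem"
    render_network_block HomeNet user@example.com "$d/ca.pem" "$d/user@example.com.pem" \
        changeme radius.example.com \
      | install_network_block "$d/wpa_supplicant.conf" HomeNet "$d/ca.pem" "$d/user@example.com.pem"
    cat "$d/wpa_supplicant.conf"
    rm -rf "$d"
}
```

Leave the mfp argument out on Raspberry Pi OS buster, where MFP cannot be required; the rendered block then matches the one in the step above. Writing to the real config still needs root, so run install_network_block under sudo and chown the pem files to root beforehand as the first step describes.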