...

Supplicant configuration

Linux

  1. Copy the .ca file generated during certificate generation onto the computer.
  2. Select the network's SSID from the list in Network Manager.
  3. When asked, enter the following information, then press connect:
     1. CA certificate: Browse and select the .ca file
     2. Identity: the username
     3. Password: the password
     4. Leave all other fields as they are

Android

  1. Copy the .ca file generated during certificate generation onto the phone.
  2. Open the “Settings” app, go to “Wi-Fi” → “Advanced settings” → “Install certificates”.
  3. Select the .ca file.
  4. Assign it a name of choice.
  5. Under “Certificate use” select “WiFi”.
  6. Once again, open the “Settings” app, go to “Wi-Fi”, and select the network's SSID from the list.
  7. When asked, enter the following information, then press connect:
     1. CA certificate: Select the name chosen earlier when installing the .ca file
     2. Identity: the username
     3. Password: the password
     4. Leave all other fields as they are

Windows 10

  1. Select the network's SSID from the list of wireless networks
  2. Enter username and password
  3. When prompted whether to trust the server, confirm

Mac OS

  1. Select the network's SSID from the list of wireless networks
  2. Enter username and password
  3. When prompted whether to trust the server, confirm

iPhone

  1. Select the network's SSID from the list of wireless networks
  2. Enter username and password
  3. When prompted whether to trust the server, confirm

...

On Linux and Android supplicants, the .ca file generated during certificate generation must be installed so that the supplicant can verify the RADIUS server's identity. If the identity presented by the RADIUS server changes at any point, the supplicant fails to connect and prompts the user for network credentials again. It is possible to connect without installing the .ca file, but one then has to select "No CA certificate required" or "Do not validate". In that case the supplicant will send credentials to any RADIUS server for that SSID without verifying its identity. To avoid sending the real user name in the unencrypted outer tunnel, specify a different value (normally 'anonymous') in the "Anonymous identity" field.
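A way to check saved Linux profiles for the two settings discussed above, as an added example that is not part of the original page. It assumes the profile is stored as a NetworkManager keyfile and that a tunneled method such as PEAP is in use (the page does not name the EAP method); the sample profiles and the function name are constructed for illustration.

```python
import configparser

# Constructed sample profile: no CA certificate, no anonymous identity.
WEAK = """\
[connection]
id=example-ssid
type=wifi

[wifi-security]
key-mgmt=wpa-eap

[802-1x]
eap=peap;
identity=alice
phase2-auth=mschapv2
"""

# Same profile with the .ca file pinned and an outer identity set.
# The path is a placeholder; the lines land in the trailing [802-1x] section.
HARDENED = WEAK + "ca-cert=/path/to/radius.ca\nanonymous-identity=anonymous\n"


def audit_8021x_keyfile(text):
    """Return findings for one NetworkManager keyfile given as text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if not cp.has_section("802-1x"):
        return []  # not an 802.1X profile, nothing to check
    sec = cp["802-1x"]
    findings = []
    # Without a CA the supplicant sends credentials to any RADIUS
    # server that answers for this SSID.
    has_ca = bool(sec.get("ca-cert", "").strip())
    system_cas = sec.get("system-ca-certs", "false").strip().lower() == "true"
    if not (has_ca or system_cas):
        findings.append("no-ca-validation")
    # For tunneled methods the outer identity is sent in the clear;
    # an empty anonymous-identity means the real user name is used.
    methods = {m.strip().lower() for m in sec.get("eap", "").split(";") if m.strip()}
    if methods & {"peap", "ttls"} and not sec.get("anonymous-identity", "").strip():
        findings.append("real-identity-in-outer-exchange")
    return findings


if __name__ == "__main__":
    for name, profile in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_8021x_keyfile(profile))
```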

On Mac OS and iPhone supplicants, when connecting to the SSID for the first time, the server certificate's details are presented to the user, who is asked whether to trust the server. If the identity presented by the RADIUS server changes at any point, the user is shown a prompt that, sadly, contains no warning and looks identical to the one displayed when connecting for the first time, so the user is extremely likely to press Trust once again. On Mac OS, it is also possible to copy the .ca file and install it, which avoids the prompt on first connect; on the iPhone this was tested on, doing so had no effect. Configuring the supplicant to not send the real user name in the unencrypted outer tunnel seems to be possible but greatly complicated: it involves installing software from the App Store and using it to create a configuration profile, which then needs to be saved to a file, copied, and imported onto the supplicant device.

Windows 10 '@@@'

Sources

https://wiki.freeradius.org/guide/Basic-configuration-HOWTO

...