
EAP/TLS Wifi

Involved components

  • Access Point
  • OPNsense
    • Freeradius server
    • RadSecProxy
  • (Android) WIFI Client
Components of a radius based WIFI setup

Involved certificates/CAs

CAs

  • Radius CA
  • WIFI CA

Certificates

  • Client certificates (WIFI CA)
  • Freeradius server certificate (Radius CA)
  • RadSecProxy certificate (Radius CA)

Preparations/configuration for Android clients

  • EAP method: TLS
  • CA certificate: Radius CA

Exporting/Importing certificates

To make the OPNsense CAs/certificates usable by Android devices, they require some minor tweaks:

The exported CA certificate needs to be converted to DER format:

linux # openssl x509 -outform der -in CA_crt.pem -out CA_crt.der

Client certificates/keys need to be in PKCS12 format and protected by a password; otherwise Android devices will refuse the import:

linux # openssl pkcs12 -export -out WIFIClient.p12 -in WIFIClient_crt.pem -inkey WIFIClient_prv.pem
Enter Export Password:
Verifying - Enter Export Password:
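
The two conversions above wrapped in pre-flight checks, as an added example that is not part of the original post: it confirms the client certificate chains to its CA and matches its key, that the DER file is still the same certificate, and that the PKCS12 bundle reopens with its password. The function names, the `P12_PASS` variable and the throwaway sample CA (standing in for both OPNsense CAs) are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. File names follow the commands above.
set -eu

fp() { openssl x509 -noout -fingerprint -sha256 "$@"; }

# Constructed sample data: throwaway CA and client cert standing in for the OPNsense exports.
make_samples() {
  printf '[req]\ndistinguished_name=dn\nx509_extensions=v3\n[dn]\nCN=unused\n[v3]\nbasicConstraints=critical,CA:TRUE\n' > sample.cnf
  openssl req -x509 -config sample.cnf -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Sample WIFI CA" -keyout CA_prv.pem -out CA_crt.pem 2>/dev/null
  openssl req -config sample.cnf -newkey rsa:2048 -nodes -subj "/CN=Sample Client" \
    -keyout WIFIClient_prv.pem -out WIFIClient.csr 2>/dev/null
  openssl x509 -req -in WIFIClient.csr -CA CA_crt.pem -CAkey CA_prv.pem \
    -CAcreateserial -days 1 -out WIFIClient_crt.pem 2>/dev/null
}

# The client cert must chain to the CA, and the private key must belong to the cert.
check_client() {  # args: ca.pem cert.pem key.pem
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 \
    || { echo "$2 was not issued by $1" >&2; return 1; }
  [ "$(openssl x509 -in "$2" -noout -pubkey)" = "$(openssl pkey -in "$3" -pubout)" ] \
    || { echo "$3 does not match $2" >&2; return 1; }
}

# PEM -> DER for the CA certificate; the fingerprint must survive the conversion.
export_ca_der() {  # args: ca.pem ca.der
  openssl x509 -outform der -in "$1" -out "$2"
  [ "$(fp -in "$1")" = "$(fp -inform der -in "$2")" ]
}

# Password-protected PKCS12. The password is read from the environment, not argv.
export_p12() {  # args: cert.pem key.pem out.p12
  [ -n "${P12_PASS:-}" ] || { echo "P12_PASS is empty" >&2; return 1; }
  openssl pkcs12 -export -out "$3" -in "$1" -inkey "$2" -passout env:P12_PASS
  # Read the bundle back with the same password and compare the certificate inside.
  [ "$(openssl pkcs12 -in "$3" -passin env:P12_PASS -nokeys 2>/dev/null | fp)" = "$(fp -in "$1")" ]
}

demo() (  # runs in a subshell, inside a scratch directory
  cd "$(mktemp -d)"
  make_samples
  check_client CA_crt.pem WIFIClient_crt.pem WIFIClient_prv.pem
  export_ca_der CA_crt.pem CA_crt.der
  export P12_PASS='constructed-demo-password'
  export_p12 WIFIClient_crt.pem WIFIClient_prv.pem WIFIClient.p12
  echo "all checks passed"
)
demo
```

For real exports, skip `make_samples` and call the three functions on the files exported from OPNsense, passing `check_client` the CA that issued the client certificate.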
