Contact Us

Wi-Fi Authentication Using X509 Certificates – The Ultimate Guide

How to Setup Wi-Fi Authentication with X509 Certificates and EAP-TLS RADIUS
04 Jun 2024

How to Setup Wi-Fi Authentication with X509 Certificates

You have been tasked with enabling Wi-Fi authentication with certificates but don’t know where to start? You have come to the right place! In this blog we will give you a quick overview of the technology needed and links to guides on how to set it up. The best part? You can have a POC running in less than an hour (Yes, really from zero-to-hero that quickly)!

How To Distribute Certificates for Wi-Fi Authentication

The first thing to cover is distributing your certificates. For this, we need a certificate authority and then a way to get them to your devices. The legacy way of doing this is deploying an ADCS CA in Windows and then use group policy to push it to your users. However, just like the Walkman, this 90s technology has no place in the modern world where most of the infrastructure is in the cloud. For this we recommend a cloud PKI that is compatible with your MDM to enable the seamless pushing of certificates without the need of maintaining the infrastructure, we of course recommend using EZCA, you can see a video below on how you can integrate it with Intune, but it works with any MDM that supports SCEP Certificate issuance.

How To Distribute Certificates to Users that do Not Have a Managed Device

While MDMs cover 99% of devices, there are some users that might be using their personal devices or a device managed by another organization. In that scenario, you’ll have to have a method for them to authenticate and manually get a certificate. If you are using a modern cloud Certificate Authority, it can offer a portal where users can authenticate and create a certificate for their devices. Below you can see a video of the user experience of getting a certificate in the portal.

How To Setup Wi-Fi Certificate Authentication

Now that we have the certificates issued by a trusted Certificate Authority and distributed to all our devices, we need to set up the network infrastructure to accept the certificates. This is usually done through RADIUS. Adding a RADIUS service allows your network infrastructure to offload the authentication to that service and gives you the ability to set up detailed authorization policies for assigning users to different VLANs. While you can use NPS to achieve this, NPS only works if you have an on-premises infrastructure and lacks connectivity to modern IDPs such as Entra ID. With EZRADIUS you can setup a radius service in minutes! This groundbreaking RADIUS service allows you to do simple certificate-based authentication (If the certificate is issued by your certificate authority then it is trusted), and more advanced authorization methods such as checking the user group membership and assigning vlans based on Intune Device compliance. In the video below you can see how to set up the authorization policies.

How To Connect RADIUS Service to Network Infrastructure

Now that we have the RADIUS service squared away, we have to connect it to the network infrastructure in our RADIUS documentation we have many guides for how to connect different network devices to RADIUS. Once it is all connected, you are good to go and can authenticate with certificates. If you have any questions, feel free to schedule a meeting with one of our identity experts where they can help you understand how EZRADIUS will work for your specific use case, and answer any other questions you might have about securing wi-fi access for your organization using certificates!

You Might Also Want to Read