How Do I Set Up PKI Infrastructure for RADIUS to Use Certificates and EAP-TLS?

Learn how to set up a Public Key Infrastructure (PKI) for RADIUS to use certificates and EAP-TLS for secure authentication.

How Does Certificate-Based Authentication Work?

Check out our quick overview video to learn how certificate-based authentication works with RADIUS.

Why Are Certificates Better Than Passwords for RADIUS?

When it comes to securing network access, using certificates for RADIUS authentication offers several advantages over traditional usernames and passwords:

  • User Convenience: With certificates, users can authenticate without needing to remember complex passwords. Once the certificate is installed on their device, authentication can happen seamlessly in the background.
  • Stronger Security: A password is a short shared secret that both sides must know, and it can be weak, reused, or leaked. A certificate instead proves possession of a private key (typically RSA 2048-bit or longer, or an equivalent elliptic-curve key) that stays on the device during authentication; guessing such a key is infeasible with current technology.
  • Phishing Resistance: With EAP-TLS the private key is never typed in or transmitted, so there is nothing for a fake login page or a rogue access point to capture. When the key is generated as non-exportable in the device's TPM or secure enclave, it cannot be copied off the device either.
  • Prevents Shared Credentials: Unlike passwords, which can be shared among multiple users, certificates are unique to each user or device. Because each certificate carries a single identity, your RADIUS policy can grant exactly that user or device the access it is entitled to.
  • Works for Devices and Users: Certificates can be issued to both users and devices, allowing for flexible authentication scenarios. This is particularly useful for IoT devices or shared workstations where user credentials may not be practical.

If these benefits align with your organization’s security goals, setting up PKI infrastructure for RADIUS to use certificates and EAP-TLS is a worthwhile investment.

Do I Need to Set Up My Own PKI for RADIUS?

If you want to use certificate-based authentication via EAP-TLS with RADIUS, you will need to have PKI infrastructure in place to issue and manage the certificates.

However, you can still use RADIUS without setting up your own PKI by using usernames and passwords (usually a user's existing Entra ID or Active Directory credentials) over EAP-TTLS. This can be a good option if you want to get started quickly or if your organization does not have the resources to manage a PKI. Note that you will still need to distribute the certificate of the CA that issued your RADIUS server's certificate to all client devices, so that they can validate the server before sending credentials through the EAP-TTLS tunnel. Without this, clients either fail to authenticate because they do not trust the server or, if they are configured to skip server validation, will hand their credentials to any access point that presents a certificate for your server's name. Learn more about distributing certificates in our MDM for RADIUS guide.

How Do I Create and Distribute Certificates for RADIUS?

To create certificates for RADIUS authentication, you'll need to set up Public Key Infrastructure (PKI) for your organization. Specifically, you'll need:

  1. Certificate Authority (CA): The role of a CA is to issue and manage digital certificates when they are requested. You can set up your own CA using tools like Microsoft Active Directory Certificate Services (ADCS) or use a cloud-based PKI service such as EZRADIUS Cloud PKI. A SCEP (Simple Certificate Enrollment Protocol) server, often integrated into your CA, handles certificate requests from devices in conjunction with an MDM solution.
  2. Mobile Device Management (MDM) Solution: An MDM solution, such as Microsoft Intune, is used to distribute the certificates to user devices securely, often via the SCEP protocol. The MDM can automate the installation of certificates on devices, ensuring that users have the necessary credentials to authenticate with RADIUS. Learn more about distributing certificates in our MDM for RADIUS guide.

Once you have your CA and MDM set up, you can begin issuing certificates to users and/or devices, along with a server certificate for your RADIUS server and the CA certificate that clients need in order to trust it. During EAP-TLS both sides verify each other: the client checks the RADIUS server's certificate against the CA certificate it was given, and the RADIUS server checks the user or device certificate against the CA that issued it.

Should I Use User Certificates or Device Certificates for RADIUS?

When setting up certificate-based authentication for RADIUS, you have the option to use either user certificates or device certificates. The choice between the two depends on your organization’s security requirements and use cases:

  • User Certificates: These certificates are issued to individual users. They uniquely identify each user and are typically stored in the user's profile within their device. User certificates are ideal for scenarios where you want to ensure that only specific users can access the network, regardless of the device they are using. However, the user must be signed in to the device for the certificate to be available; if the user logs out or the device restarts, the device cannot authenticate to the network until the user signs back in.
  • Device Certificates: These certificates are issued to devices rather than individual users. They are stored in the device’s certificate store and can be used to authenticate the device itself. Device certificates are useful in scenarios where you want to allow any user to access the network from a specific device, such as shared workstations or IoT devices. Since the certificate is tied to the device, it can authenticate to RADIUS even if there are no users signed in.

In many cases, organizations choose to use a combination of both user and device certificates to provide flexibility and enhance security. For example, you might use device certificates for shared devices and user certificates for personal devices. Ultimately, the decision should be based on your specific security policies and operational needs.
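The pieces described in the two sections above (a CA, a RADIUS server certificate, user and device certificates, and the CA certificate the client needs to validate the server) as an added lab example built with the openssl CLI. This is not EZRADIUS, ADCS or Intune tooling, and every name in it is an assumption for the lab: lab.example, radius.lab.example, alice@lab.example and laptop01.lab.example. It also exercises the caveat from the password-based section: a look-alike server certificate from a CA the clients were never told to trust is rejected only by a client that actually validates the chain.

```shell
#!/bin/sh
# Added lab example using the openssl CLI. This is not EZRADIUS, ADCS or
# Intune tooling, and every name here is a placeholder assumed for the lab:
# lab.example, radius.lab.example, alice@lab.example, laptop01.lab.example.
set -eu

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"

# make_ca <name> <CN>: self-signed root with CA:TRUE and keyCertSign.
# In production this key stays offline or in an HSM; here it is a lab key.
make_ca() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$PKI_DIR/$1.key" -out "$PKI_DIR/$1.csr" 2>/dev/null
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' \
    > "$PKI_DIR/$1.ext"
  openssl x509 -req -in "$PKI_DIR/$1.csr" -signkey "$PKI_DIR/$1.key" -days 3650 \
    -extfile "$PKI_DIR/$1.ext" -out "$PKI_DIR/$1.crt" 2>/dev/null
}

# issue_cert <name> <CN> <SAN> <EKU> [ca]: end-entity certificate signed by
# <ca> (default "ca"). The EKU separates a RADIUS server certificate
# (serverAuth) from a user or device certificate (clientAuth); the SAN is the
# identity that RADIUS policy later matches on.
issue_cert() {
  ca=${5:-ca}
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$PKI_DIR/$1.key" -out "$PKI_DIR/$1.csr" 2>/dev/null
  printf '%s\n' 'basicConstraints=CA:FALSE' \
    'keyUsage=critical,digitalSignature,keyEncipherment' \
    "extendedKeyUsage=$4" "subjectAltName=$3" \
    'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid' \
    > "$PKI_DIR/$1.ext"
  openssl x509 -req -in "$PKI_DIR/$1.csr" -CA "$PKI_DIR/$ca.crt" \
    -CAkey "$PKI_DIR/$ca.key" -CAcreateserial -days 365 \
    -extfile "$PKI_DIR/$1.ext" -out "$PKI_DIR/$1.crt" 2>/dev/null
}

# verify_cert <name> <ca> <purpose>: the check each side of EAP-TLS performs.
# sslserver = the client validating the RADIUS server's certificate;
# sslclient = the RADIUS server validating a user or device certificate.
# openssl checks chain, validity period, key usage and EKU. Exit 0 = trusted.
verify_cert() {
  openssl verify -CAfile "$PKI_DIR/$2.crt" -purpose "$3" "$PKI_DIR/$1.crt" \
    >/dev/null 2>&1
}

# cert_san <name>: print the subjectAltName, i.e. the identity the cert asserts.
cert_san() {
  openssl x509 -in "$PKI_DIR/$1.crt" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# build_lab_pki: the trusted root, the RADIUS server certificate, a user
# certificate (UPN in the SAN, the usual form for Intune/ADCS-issued user
# certificates) and a device certificate (hostname in the SAN). It also
# creates what a rogue access point could present: a look-alike certificate
# for the same server name issued by a CA the clients were never told to trust.
build_lab_pki() {
  make_ca ca "Lab Root CA"
  issue_cert radius radius.lab.example DNS:radius.lab.example serverAuth
  issue_cert alice alice@lab.example \
    "otherName:1.3.6.1.4.1.311.20.2.3;UTF8:alice@lab.example" clientAuth
  issue_cert laptop01 laptop01.lab.example DNS:laptop01.lab.example clientAuth
  make_ca rogue "Lab Root CA"            # same name, different key
  issue_cert evil radius.lab.example DNS:radius.lab.example serverAuth rogue
}

build_lab_pki
# What each side sees. "evil" is rejected only because the client checks the
# chain against ca.crt; a client that skips server validation (or has no copy
# of ca.crt) would send its EAP-TTLS password straight to the rogue AP.
for pair in radius:sslserver alice:sslclient laptop01:sslclient \
            alice:sslserver evil:sslserver; do
  name=${pair%%:*}; purpose=${pair#*:}
  if verify_cert "$name" ca "$purpose"; then
    echo "$name as $purpose: trusted  ($(cert_san "$name"))"
  else
    echo "$name as $purpose: REJECTED"
  fi
done
```

Run it as-is to get a throwaway PKI in a temp directory, or set PKI_DIR to keep the files. Two points carry over to a real deployment: the EKU is what stops a user certificate from being presented as a RADIUS server (alice as sslserver is rejected above), and ca.crt is the file your MDM must push to clients, because without it the client has no way to tell radius.lab.example from the rogue AP's copy.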

Learn More About PKI in Our Video Webinar

Want to dive in even deeper on PKI concepts? Check out our video webinar, which covers everything you need to know.