How To Set Up Certificate Authentication For WiFi with EAP-TLS on Ubuntu

This page covers the basics of setting up EAP-TLS certificate-based authentication on Ubuntu for a Wi-Fi or wired Ethernet network that authenticates against RADIUS, using our EZRADIUS Cloud RADIUS solution. The same steps should work on any other Linux distribution that runs GNOME with NetworkManager.

The page covers both the manual setup and a bash script that sets up the network automatically with a client SCEP certificate.

Prerequisites

To set up EAP-TLS on your Ubuntu machine, you need the following in place:

  • An EZRADIUS policy, created and connected to your router or access point
  • A client certificate installed on the device, issued by a CA that the policy trusts

Here is a tutorial on how to set up Cloud RADIUS for your Meraki network.

How To Manually Set Up EAP-TLS Certificate Based Authentication for Wi-Fi on Ubuntu

1. How to Get the RADIUS Server CA Certificate and Set Up the Client Certificate and Private Key

The first step in authenticating to a network with EAP-TLS is to install the RADIUS server CA certificate, so the client can validate the certificate the RADIUS server presents during the TLS handshake.

  1. To install the RADIUS server CA certificate, first download it from EZRADIUS: open the EZRADIUS portal and go to the Policies tab.
  2. For the policy in question, find the “Server Certificate” section and click the “Download CA Certificate” button.
  3. The rest of this guide assumes you already have a client certificate and its private key in PEM format. If you don’t have one, you can create a user certificate in EZCA if your PKI administrator has enabled self-service Entra ID User Certificates.
  4. Locate the PEM certificate and private key files on your machine.
  5. If the private key is unencrypted, encrypt it with OpenSSL using the following command (you will enter the key password in the connection settings later):
openssl rsa -aes256 -in $FILE_WITH_PRIVATE_KEY -out $FILE_NAME_FOR_ENCRYPTED_PRIVATE_KEY
“openssl rsa” only handles RSA keys. For an EC key (or any key type) use “openssl pkey -aes256 -in $FILE_WITH_PRIVATE_KEY -out $FILE_NAME_FOR_ENCRYPTED_PRIVATE_KEY”, which writes an encrypted PKCS#8 key.

NOTE: Keep the private key and the certificate in separate files; NetworkManager does not accept a single file containing both.
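A pre-flight check for the files prepared above, added here as an example and not part of the EZRADIUS documentation or tooling. It confirms that the certificate and key are separate PEM files, that the key is encrypted, that the key actually belongs to the certificate, and that the certificate is not about to expire. The file paths, the password file and the 7-day expiry margin are assumptions; openssl is assumed to be installed for the key-matching and expiry checks.

```shell
#!/bin/bash
# Pre-flight checks on EAP-TLS credential files before handing them to NetworkManager.
# Added example; not part of the EZRADIUS docs. Paths and the password file are assumptions.

# True if the PEM file contains a block whose BEGIN line ends with the given label
# (e.g. "CERTIFICATE" or "PRIVATE KEY", which also matches "RSA PRIVATE KEY" and
# "ENCRYPTED PRIVATE KEY"). Pure grep, no OpenSSL needed.
pem_has_block() {
    local file=$1 label=$2
    grep -Eq "^-----BEGIN ([A-Z0-9 ]+ )?${label}-----" "$file"
}

# NetworkManager needs the certificate and the key in separate files: the paths must
# differ and neither file may carry the other's block.
files_are_separate() {
    local cert=$1 key=$2
    [ "$cert" != "$key" ] || return 1
    ! pem_has_block "$cert" "PRIVATE KEY" || return 1
    ! pem_has_block "$key" "CERTIFICATE" || return 1
    return 0
}

# True if the key is encrypted: a PKCS#8 "ENCRYPTED PRIVATE KEY" block (openssl pkey -aes256)
# or a legacy block with a "Proc-Type: 4,ENCRYPTED" header (openssl rsa -aes256).
key_is_encrypted() {
    local key=$1
    grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$key" && return 0
    grep -q '^Proc-Type: 4,ENCRYPTED' "$key"
}

# The certificate's public key must equal the one derived from the private key.
# Works for RSA and EC keys; the password is read from a file (assumed layout).
cert_matches_key() {
    local cert=$1 key=$2 pwd_file=$3 cert_pub key_pub
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -passin "file:$pwd_file" -pubout) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Fails if the certificate is expired or expires within the given number of seconds.
cert_is_valid_for() {
    local cert=$1 seconds=${2:-0}
    openssl x509 -in "$cert" -noout -checkend "$seconds" >/dev/null
}

# Run every check in the order NetworkManager would trip over them; first failure wins.
check_eap_tls_creds() {
    local ca=$1 cert=$2 key=$3 pwd_file=$4 f
    for f in "$ca" "$cert" "$key" "$pwd_file"; do
        [ -f "$f" ] || { echo "missing file: $f" >&2; return 1; }
    done
    pem_has_block "$ca" "CERTIFICATE"   || { echo "$ca is not a PEM certificate" >&2; return 1; }
    pem_has_block "$cert" "CERTIFICATE" || { echo "$cert is not a PEM certificate" >&2; return 1; }
    files_are_separate "$cert" "$key"   || { echo "certificate and key must be separate files" >&2; return 1; }
    key_is_encrypted "$key" || {
        echo "$key is not encrypted; run: openssl pkey -aes256 -in $key -out ${key%.pem}.encrypted.pem" >&2
        return 1
    }
    cert_matches_key "$cert" "$key" "$pwd_file" || { echo "private key does not match $cert" >&2; return 1; }
    cert_is_valid_for "$cert" $((7 * 24 * 3600)) || { echo "$cert is expired or expires within 7 days" >&2; return 1; }
    echo "EAP-TLS credentials look good" >&2
}
```

Run it as check_eap_tls_creds server_ca.pem client.pem client.key.encrypted.pem key.pwd before opening the GUI; a key that does not belong to the certificate, or a certificate that has already expired, otherwise surfaces only as a failed connection attempt.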

2. How To Connect to EAP-TLS Wi-Fi Network on Linux

  1. Open Wi-Fi in Settings and select the desired Wi-Fi network.
  2. Make sure “Security” is set to “WPA & WPA2 Enterprise”.
  3. Change “Authentication” to “TLS”.
  4. Enter “anonymous” as the identity. In EAP-TLS this outer identity is sent in the clear before the TLS handshake; the user is identified by the client certificate, so it does not need to be a real username.
  5. Select the CA certificate you downloaded, then the client certificate and the encrypted private key files.
  6. Enter the private key password.
  7. Click “Connect”.
  8. You should now be connected to the network with certificate authentication using EAP-TLS.

3. How to Connect to EAP-TLS Wired Ethernet Network on Linux

  1. Prepare the EZRADIUS EAP-TLS credentials (server CA certificate, client certificate and encrypted private key) as described in section 1.
  2. Open Settings, go to the “Network” tab and open the wired connection settings.
  3. In the wired connection settings window, go to “Security”, enable “802.1x Security”, fill in the form with the prepared credentials (the same fields as for the wireless connection) and click “Apply”.
  4. You should now be connected to the network.
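The CLI equivalent of the wired “802.1x Security” form above, using nmcli. This is an added example and not part of the EZRADIUS documentation or tooling. The inputs are assumptions: your own PEM server CA, PEM client certificate, encrypted PEM private key and a file holding the key password. The optional domain suffix is also an assumption: set it to the DNS name in your RADIUS server certificate if you know it, otherwise leave it empty and only the CA check applies, exactly as in the GUI flow.

```shell
#!/bin/bash
# nmcli version of the GNOME wired 802.1x form. Added example, not EZRADIUS code.
# Assumed inputs: interface, PEM CA, PEM client cert, encrypted PEM key, password file,
# and an optional domain suffix taken from your RADIUS server certificate.

# Print the first Ethernet device NetworkManager manages; fail if there is none.
first_ethernet_device() {
    nmcli -t -f DEVICE,TYPE device | grep ':ethernet$' | head -n 1 | cut -d: -f1 | grep .
}

# Create a wired EAP-TLS profile and bring it up. Arguments:
#   interface  CA file  client cert  encrypted key  password file  [domain suffix]
add_wired_eap_tls() {
    local ifname=$1 ca=$2 cert=$3 key=$4 pwd_file=$5 domain_suffix=${6:-} f
    local con_name="eap-tls-wired-$ifname"
    for f in "$ca" "$cert" "$key" "$pwd_file"; do
        [ -f "$f" ] || { echo "missing file: $f" >&2; return 1; }
    done
    # Same rule as the GUI flow: only an encrypted key plus its password is accepted.
    grep -Eq '^(-----BEGIN ENCRYPTED PRIVATE KEY-----|Proc-Type: 4,ENCRYPTED)' "$key" \
        || { echo "$key must be an encrypted PEM private key" >&2; return 1; }

    # Delete a stale profile of the same name so the function can be re-run safely.
    nmcli connection delete "$con_name" >/dev/null 2>&1 || true

    # With a suffix, wpa_supplicant also checks the server certificate's name, so a
    # different certificate issued by the same CA is rejected.
    if [ -n "$domain_suffix" ]; then
        set -- 802-1x.domain-suffix-match "$domain_suffix"
    else
        set --
    fi
    # The password is stored in the profile under /etc/NetworkManager/system-connections,
    # which NetworkManager writes readable by root only.
    nmcli connection add type ethernet ifname "$ifname" con-name "$con_name" \
        802-1x.eap tls \
        802-1x.identity anonymous \
        802-1x.ca-cert "$ca" \
        802-1x.client-cert "$cert" \
        802-1x.private-key "$key" \
        802-1x.private-key-password "$(cat "$pwd_file")" \
        "$@" \
    && nmcli connection up "$con_name"
}
```

Run it with sudo, for example add_wired_eap_tls "$(first_ethernet_device)" server_ca.pem client.pem client.key.encrypted.pem key.pwd. Without a domain suffix the only check on the RADIUS server is that its certificate chains to the CA file, which is what the GUI form above does.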

How to Set Up EAP-TLS Certificate Based Authentication with SCEP Certificate for Wi-Fi on Ubuntu

  1. Follow these instructions to install your client SCEP certificate.
  2. Make sure the SCEP Certificate Authority is trusted by your EZRADIUS policy.
  3. Copy the following script to a file, fill in the values as required, and run it.
    • If your policy uses an auto-generated server certificate, leave both CA_PATH and EZCA_SERVER_CA_STATIC_SCEP_URL empty. If the server certificate was issued by an EZCA SCEP CA, set EZCA_SERVER_CA_STATIC_SCEP_URL to that CA's static SCEP URL. Otherwise, download the CA certificate manually and set CA_PATH to the absolute path of the CA file.
    • Set the SSID of the Wi-Fi network in SSID.

Bash Script to Automatically Setup EAP-TLS Certificate Based Authentication with SCEP Certificate for Wi-Fi on Ubuntu

#!/bin/bash

# User-set values
# CA_PATH=    # Absolute path of the RADIUS server certificate CA (PEM)
# EZCA_SERVER_CA_STATIC_SCEP_URL=    # Static SCEP URL of the EZCA CA that issued the server certificate
# SSID=    # SSID of the wireless network

# NOTE: if the server certificate is auto-generated, leave CA_PATH empty and the
# script will download and install the auto-generated CA. If the server certificate
# was issued by an EZCA CA, the script will also install that CA automatically when
# EZCA_SERVER_CA_STATIC_SCEP_URL is set to the CA's static SCEP URL.


## ---------- ## ---------- ## ---------- ## ---------- ## ---------- ##

# A failing curl must fail the whole download pipeline, not just its first stage
set -o pipefail

# Check all required executables exist
req_execs=("base64" "cat" "curl" "cut" "grep" "head" "mkdir" "nmcli" "rm" "sed")
for exe in "${req_execs[@]}"; do
        if ! command -v "$exe" > /dev/null 2>&1; then
                echo "Required executable $exe not found" >&2
                exit 1
        fi
done

SSID=${SSID:-'DEFAULT_SSID'}
CONNECTION_NAME=${CONNECTION_NAME:-'keytos-ezradius-eap-tls'}

# Files written by the SCEP certificate installation (see the SCEP instructions above)
SCEP_CER_DIR=${SCEP_CER_DIR:-"$HOME/.local/share/keytos/scep_certs"}
KEY_PWD_PATH=$SCEP_CER_DIR/key.pwd
ENCRYPTED_KEY_PATH=$SCEP_CER_DIR/key.encrypted.pem
CER_PATH=$SCEP_CER_DIR/certificate.pem

# First Wi-Fi device managed by NetworkManager (nmcli -t prints DEVICE:TYPE per line)
WIFI_NIC=$(nmcli -t -f DEVICE,TYPE device | grep 'wifi$' | head -n 1 | cut -d: -f1)
if [ -z "$WIFI_NIC" ]; then
        echo "No Wi-Fi device found" >&2
        exit 1
fi

# Nothing to do if the connection profile already exists
if nmcli -f GENERAL.STATE con show "$CONNECTION_NAME" > /dev/null 2>&1; then
        exit 0
fi

# Get the CA for the auto-generated (or EZCA-issued) server certificate. If the server
# certificate is custom, its CA must be downloaded manually and passed in CA_PATH above.
# The test is quoted on purpose: with an empty CA_PATH, an unquoted "[ ! -f $CA_PATH ]"
# evaluates to false and the download would be skipped.
if [ ! -f "$CA_PATH" ]; then
        INSTALL_DIR=${INSTALL_DIR:-"$HOME/.local/share/keytos/ezradius"}
        mkdir -p "$INSTALL_DIR"

        CA_PATH=$INSTALL_DIR/server_ca_certificate.pem
        # NOTE: the default URL below is incomplete on this page; set
        # EZCA_SERVER_CA_STATIC_SCEP_URL explicitly if it does not match your portal.
        EZCA_SERVER_CA_STATIC_SCEP_URL=${EZCA_SERVER_CA_STATIC_SCEP_URL:-'https://portal.ezca.io/api/SCE'}
        # SCEP GetCACert returns the CA certificate as raw DER; wrap it as PEM for NetworkManager.
        # curl -f turns an HTTP error into a failure instead of base64-encoding an error page
        # into the CA file, which would otherwise pass the file check below.
        if ! curl -fsS "${EZCA_SERVER_CA_STATIC_SCEP_URL}?operation=GetCACert" \
                | base64 \
                | sed '1i -----BEGIN CERTIFICATE-----' \
                | sed '$a -----END CERTIFICATE-----' \
                > "$CA_PATH"; then
                echo "Failed to download the server CA certificate" >&2
                rm -f "$CA_PATH"
                exit 1
        fi
fi

# Check files exist
for f in "$CA_PATH" "$CER_PATH" "$ENCRYPTED_KEY_PATH" "$KEY_PWD_PATH"; do
        if [ ! -f "$f" ]; then
                echo "Required file $f not found" >&2
                exit 1
        fi
done

# NOTE: the key password is passed on the nmcli command line and stored in the
# connection profile under /etc/NetworkManager/system-connections (readable only by root).
# The profile autoconnects once added, which is what connects the machine.
nmcli c add type wifi ifname "$WIFI_NIC" con-name "$CONNECTION_NAME" \
        802-11-wireless.ssid "$SSID" \
        802-11-wireless-security.key-mgmt wpa-eap \
        802-1x.eap tls \
        802-1x.identity 'anonymous' \
        802-1x.ca-cert "$CA_PATH" \
        802-1x.client-cert "$CER_PATH" \
        802-1x.private-key "$ENCRYPTED_KEY_PATH" \
        802-1x.private-key-password "$(cat "$KEY_PWD_PATH")"