How To Set Up Certificate Authentication For WiFi with EAP-TLS on Ubuntu

This page covers the basics of setting up EAP-TLS certificate-based authentication on Ubuntu for a Wi-Fi or wired Ethernet network set up for RADIUS with our EZRADIUS Cloud RADIUS solution. This set of instructions should be the same for any other Linux distribution that runs GNOME with NetworkManager.

Prerequisites

To set up EAP-TLS on your Ubuntu machine, you will need the policy set up and the following in place:

  • Create an EZRADIUS policy and connect it to the router
  • Install the client certificate to be used by the device, where the certificate was created by a CA trusted by the policy

Here is a tutorial on how to set up Cloud RADIUS for your Meraki Network.

1. How to Get RADIUS server CA certificate and setup client certificate and private key

The first step in authenticating to a network with EAP-TLS is to install the RADIUS Server CA certificate, enabling the client to trust the RADIUS server's certificate.

  1. To install the server certificate CA, we first have to get it from EZRADIUS. Go to the EZRADIUS portal and open the policies tab.
  2. For the expected policy, find the “Server Certificate” section and click the “Download CA Certificate” button.
  3. We now assume you already have a client certificate and private key in PEM format. If you don’t have one, you can create a user certificate in EZCA if your PKI administrator has enabled self-service Entra ID User Certificates.
  4. Find your PEM certificate and private key files on your machine.
  5. If the private key is unencrypted, encrypt the private key with OpenSSL using the following command:
openssl rsa -aes256 -in $FILE_WITH_PRIVATE_KEY -out $FILE_NAME_FOR_ENCRYPTED_PRIVATE_KEY
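
Step 5 depends on knowing whether the key file is already encrypted. The script below is an added example, not part of the EZRADIUS documentation: it inspects the PEM headers of the three files before they are selected in NetworkManager. The function names and the owner-only permission check are this example's own assumptions.

```shell
#!/bin/sh
# Added example: pre-flight check of the EAP-TLS credential files.
# Function names are this example's own; the owner-only check is an extra assumption.

# Print "encrypted", "unencrypted" or "not-a-key" for a PEM private key file.
key_state() {
    if grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1" 2>/dev/null; then
        echo encrypted        # PKCS#8 container
    elif grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1" 2>/dev/null; then
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
            echo encrypted    # traditional PEM with an encryption header
        else
            echo unencrypted
        fi
    else
        echo not-a-key
    fi
}

# True when group and others have no access (characters 5-10 of the ls -l mode).
owner_only() {
    [ "$(ls -ld -- "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

# True when the file holds at least one PEM certificate block.
has_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null
}

# preflight CA_CERT CLIENT_CERT PRIVATE_KEY: print findings, return 0 when ready.
preflight() {
    rc=0
    has_cert "$1" || { echo "no PEM certificate in CA file: $1"; rc=1; }
    has_cert "$2" || { echo "no PEM certificate in client file: $2"; rc=1; }
    case "$(key_state "$3")" in
        encrypted)   ;;
        unencrypted) echo "private key is unencrypted: run the openssl rsa -aes256 step"; rc=1 ;;
        *)           echo "no PEM private key in: $3"; rc=1 ;;
    esac
    owner_only "$3" || { echo "key readable by group/others: chmod 600 $3"; rc=1; }
    return "$rc"
}

# Usage: sh preflight.sh ca.pem client.pem client.key
if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

A non-zero exit status means at least one file should be fixed before it is selected in the NetworkManager dialog.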

2. How To Connect to EAP-TLS Wi-Fi Network on Linux

  1. Open Wi-Fi in Settings and select the desired Wi-Fi network.
  2. Make sure “Security” is set to “WPA & WPA2 Enterprise”.
  3. Change the authentication method to “TLS”.
  4. Enter “anonymous” as the identity.
  5. Select the CA certificate you downloaded, the client certificate, and the encrypted private key file.
  6. Enter the private key password.
  7. Click “Connect” to connect to the network.
  8. You should now be connected to the network with certificate authentication using EAP-TLS.

3. How to Connect to EAP-TLS Wired Ethernet Network on Linux

  1. Install and prepare the EZRADIUS EAP-TLS credentials.
  2. Open Settings, go to the “Network” tab, and open the wired connection settings.
  3. In the wired connection settings window, go to “Security”, enable 802.1x Security, fill in the form with the prepared credentials (same as for wireless connections), and click “Apply”.
  4. You should now be connected to the network.