Understanding WPA Enterprise EAP-TLS
Securing your wireless network has become increasingly critical as the number of connected devices continues to grow. One effective solution is WPA Enterprise with EAP-TLS (Extensible Authentication Protocol-Transport Layer Security), which provides robust authentication and encryption for enterprise-level wireless networks.
EAP-TLS is a popular authentication method that utilizes digital certificates to establish a mutual trust between the client (supplicant) and the authentication server (the RADIUS server in this case). This ensures that only authorized devices can access the network, enhancing overall security.
In an EAP-TLS implementation, the authentication server presents its certificate to the client, which the client verifies. The client then presents its own certificate to the authentication server, which is also verified. This mutual authentication process ensures that both the client and the server are who they claim to be, providing an additional layer of security beyond traditional username and password authentication.
Configuring Ubiquiti Devices for WPA Enterprise EAP-TLS
Ubiquiti’s Unifi network devices, such as the USG (Unifi Security Gateway) and Unifi Access Points, provide the necessary functionality to implement WPA Enterprise EAP-TLS on your network. Let’s dive into the step-by-step process of setting up this secure wireless authentication solution.
1. Prepare the Ubiquiti USG for RADIUS Authentication
The first step is to configure the RADIUS server on your Ubiquiti USG. The USG runs a FreeRADIUS implementation, which means the configuration follows the standard FreeRADIUS conventions.
- Modify the EAP Configuration: The default EAP type on the USG is set to MD5, which is considered insecure. You’ll want to change this to TLS, which will require clients to present a certificate for authentication.
```
# Edit /etc/freeradius/eap.conf and set the default EAP type inside the eap { } block
default_eap_type = tls
```
- Import the RADIUS Server’s Certificate: The client devices (supplicants) need to trust the RADIUS server’s certificate. You can export the certificate from the USG and import it into the client’s trusted certificate store.
```
# The server certificate is located at /etc/freeradius/certs/server.crt
# Copy this file to a secure location and distribute it to your client devices
```
- Import the Client Certificate Authority (CA) Certificate: To allow the RADIUS server to validate client certificates, you’ll need to import the CA certificate that issued the client certificates. Place this certificate in the /config/auth/ directory on the USG (saved as ca.crt, the name the post-config script below copies) to ensure it persists across reboots and firmware upgrades.
```
# Copy the CA certificate to the /config/auth/ directory on the USG
```
- Create a Post-Config Script: To ensure the RADIUS configuration changes are applied on every USG reboot or reprovisioning, create a post-config script that applies them automatically. The script expects your modified eap.conf and the client CA certificate (as ca.crt) to be kept in /config/auth/, where they survive reboots.
```bash
#!/bin/bash
# Post-config script: re-apply the EAP-TLS RADIUS settings after every reboot or reprovision
set -e
# Write this run's output to a timestamp-based log file
LOG_FILE="/config/scripts/post-config.log.$(date +"%Y%m%d-%H%M%S")"
exec >>"$LOG_FILE" 2>&1
echo "fix-radius: applying EAP-TLS RADIUS configuration"
# Copy the client CA certificate to the location FreeRADIUS reads it from
cp /config/auth/ca.crt /etc/freeradius/certs/ca.pem
# Copy the EAP configuration file (default_eap_type = tls) into place
cp /config/auth/eap.conf /etc/freeradius/eap.conf
# Restart FreeRADIUS to apply the changes (service works with both sysvinit and systemd)
service freeradius restart
```
Save this script as /config/scripts/post-config.d/fix-radius.sh and make it executable with chmod +x /config/scripts/post-config.d/fix-radius.sh.
Your Ubiquiti USG is now configured to use the RADIUS server with EAP-TLS authentication.
2. Configure the Wireless Network for WPA Enterprise EAP-TLS
Next, you’ll need to configure your Ubiquiti wireless network to use WPA Enterprise EAP-TLS authentication.
- Create a RADIUS Profile: In the Unifi Network app, navigate to the “Settings” section and create a new RADIUS profile. Enter the RADIUS server details, including the IP address and shared secret, which you obtained from the previous step.
- Create the WPA Enterprise WLAN: In the Unifi Network app, create a new wireless network and select “WPA2 Enterprise” (or “WPA3 Enterprise” if your devices support it) as the security type. Associate the RADIUS profile you created in the previous step with this network.
- Distribute Client Certificates: For each client device that needs to connect to the WPA Enterprise network, you’ll need to generate and distribute a client certificate. This certificate should be issued by the same CA that the RADIUS server trusts (the one you imported in the previous step).
```bash
# Generate a key and certificate request for a user named "iPhoneDave"
openssl req -newkey rsa:2048 -nodes -keyout iPhoneDave.key -out iPhoneDave.csr -subj "/CN=iPhoneDave"
# Sign it with the CA the RADIUS server trusts (ca.crt/ca.key); a self-signed certificate would be rejected
openssl x509 -req -in iPhoneDave.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 365 -out iPhoneDave.crt
openssl pkcs12 -export -inkey iPhoneDave.key -in iPhoneDave.crt -certfile ca.crt -out iPhoneDave.pfx
```
The resulting .pfx file contains the client’s private key and certificate, which should be imported into the device’s certificate store.
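The client-certificate step end to end, as an added example that is not code from the original post: it builds a private CA, issues a client certificate signed by that CA (a certificate request signed by the CA, never a self-signed one), runs the same chain check FreeRADIUS performs against ca.pem, and bundles the result as a .pfx. The CA name, the user name "iPhoneDave", the placeholder export password and the temporary working directory are assumptions.

```shell
#!/bin/bash
# Added example, not code from the original post: build a private CA, issue a client
# certificate signed by it (never self-signed), confirm it chains to the CA the way
# FreeRADIUS will, and bundle it as a .pfx for the device. The CA name, the user
# name "iPhoneDave" and the working directory are assumptions.
set -eu

# Create the CA whose certificate goes to the USG as ca.pem (skip if you already have one).
make_ca() {
  dir="$1"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" -subj "/CN=Example Wi-Fi CA" 2>/dev/null
}

# Issue a client certificate: key and CSR for the supplicant, signature from the CA.
issue_client() {
  dir="$1"; name="$2"
  openssl req -newkey rsa:2048 -nodes -keyout "$dir/$name.key" \
    -out "$dir/$name.csr" -subj "/CN=$name" 2>/dev/null
  # End-entity extensions for an EAP-TLS supplicant: client authentication only.
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' \
    > "$dir/client.ext"
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -extfile "$dir/client.ext" -out "$dir/$name.crt" 2>/dev/null
  # Bundle key, certificate and CA certificate for import on the device (password is a placeholder).
  openssl pkcs12 -export -inkey "$dir/$name.key" -in "$dir/$name.crt" \
    -certfile "$dir/ca.crt" -out "$dir/$name.pfx" -passout pass:changeit
}

# The check FreeRADIUS performs at authentication time: does the certificate chain to ca.crt?
verify_client() {
  openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

main() {
  work="$(mktemp -d)"
  make_ca "$work"
  issue_client "$work" iPhoneDave
  if verify_client "$work" iPhoneDave; then
    echo "iPhoneDave.crt chains to $work/ca.crt; import $work/iPhoneDave.pfx on the device"
  else
    echo "iPhoneDave.crt does not chain to the CA; the RADIUS server would reject it" >&2
    exit 1
  fi
}
main
```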
Your Ubiquiti wireless network is now configured for WPA Enterprise EAP-TLS authentication. Clients with the proper certificates will be able to securely connect to the network.
Monitoring and Troubleshooting
To ensure the EAP-TLS authentication is working as expected, you can monitor the radius.log file on the Ubiquiti USG. Successful authentication attempts should look similar to the following:
```
Tue Apr 25 12:34:56 2023 : Received Access-Accept from 172.16.0.10:1812 to 172.16.0.1:57475 id 1821 length 44
Tue Apr 25 12:34:56 2023 : Sending Access-Accept of id 1821 to 172.16.0.1:57475
```
If you encounter any issues, double-check the configuration steps, ensure the client certificates are valid and trusted by the RADIUS server, and verify the network settings on your access points.
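A small monitoring script over radius.log, as an added example that is not part of the original post: it counts the Access-Accept and Access-Reject decisions the server sent, per access point, and flags any access point whose reject count reaches a threshold. The Access-Accept lines are the ones shown above; the Access-Reject lines and the second access point address are constructed sample data.

```shell
#!/bin/bash
# Added example, not part of the original post: summarise per-access-point outcomes in radius.log.
# The two Access-Accept lines are the ones shown above; the Access-Reject lines and the second
# access point (172.16.0.2) are constructed sample data, not captured from a real USG.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
Tue Apr 25 12:34:56 2023 : Received Access-Accept from 172.16.0.10:1812 to 172.16.0.1:57475 id 1821 length 44
Tue Apr 25 12:34:56 2023 : Sending Access-Accept of id 1821 to 172.16.0.1:57475
Tue Apr 25 12:36:02 2023 : Sending Access-Reject of id 1822 to 172.16.0.1:57475
Tue Apr 25 12:36:09 2023 : Sending Access-Reject of id 1823 to 172.16.0.1:57475
Tue Apr 25 12:40:11 2023 : Sending Access-Accept of id 1824 to 172.16.0.2:49152
EOF

# Count only what the server sent (one line per decision), keyed by the access point
# that relayed the request ($13 is "ip:port" in these lines, $8 the decision).
radius_summary() {
  awk '$7 == "Sending" && ($8 == "Access-Accept" || $8 == "Access-Reject") {
         split($13, peer, ":"); ap = peer[1]
         if ($8 == "Access-Accept") acc[ap]++; else rej[ap]++
         seen[ap] = 1
       }
       END { for (ap in seen) printf "%s accept=%d reject=%d\n", ap, acc[ap]+0, rej[ap]+0 }' "$1" | sort
}

# Print access points whose reject count reaches the limit: a client certificate the RADIUS
# server does not trust shows up as repeated Access-Reject lines towards one access point.
rejects_over() {
  radius_summary "$1" | awk -v limit="$2" '{ split($3, r, "="); if (r[2] + 0 >= limit) print $1 }'
}

radius_summary "$SAMPLE_LOG"
rejects_over "$SAMPLE_LOG" 2
```

Point radius_summary at the real radius.log on the USG instead of the constructed sample to get the same per-access-point counts.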
Conclusion
By implementing WPA Enterprise EAP-TLS on your Ubiquiti network, you can significantly enhance the security of your wireless infrastructure. This authentication method ensures that only authorized devices can access your network, reducing the risk of unauthorized access and providing an additional layer of protection for your sensitive data.
Remember, securing your wireless network is an ongoing process, and it’s important to stay up-to-date with the latest security best practices. Regularly review and update your configurations to maintain the highest level of protection for your network and its users.
For more information on Ubiquiti networking solutions and IT support, visit https://itfix.org.uk/networking-support/.