Configuring WPA2 Enterprise with EAP-TLS in Mac OS X and Linux

January 29th, 2006

Setting up the CA

Follow the steps on setting up a Certificate Authority (CA) using OpenSSL.

Issuing the client certificate and private key

Once the CA has been configured, we will generate a private key and an unsigned public key digital certificate.

# openssl req -new -days 365 -newkey rsa:1024 \
-keyout sslkey.pem -out unsigned.pem

The unsigned public key digital certificate, stored in a PEM-encoded file named unsigned.pem will be sent to the CA for signing:

# openssl ca -in unsigned.pem -out cert.pem

Installing the client certificate and private key

The next step consists in installing the private key, public key digital certificate and CA public key certificate.

Linux

The private key, public key digital certificate and CA certificate files should get installed into a location where only root and wpa_supplicant can access them, for example, /etc/wpa:

# mkdir /etc/wpa
# chown root.root /etc/wpa
# chmod 700 /etc/wpa

Mac OS X

Mac OS X can only import private keys in PKCS#12 so we need to export all the previous items to a suitable format:

# openssl pkcs12 -export -in cert.pem -inkey key.pem \
-out client.p12 -name "host.domain"

Where "host.domain" denotes the FQDN of the host which this digital certificate and private key are intended for.

The output file client.p12 contains the private key and public key digital certificate. This bundle should get moved to the host using a secure distribution channel, like an SSH/SCP/SFTP session or a USB key. Also, the CA digital certificate, usually named cacert.pem, should also get copied to the host.

On Mac OS X, using the GUI, double click the cacert.pem file, and install the CA certificate into the X509Anchors keychain. This a system-wide keychain intended to store X.509 CA root digital certificates.

Next, using the GUI, double click on client.p12 file, supply the password that protects the private key stored in this file, and choose to install both the private key and public key into the login keychain. Next, make sure the private key has been installed:

Configuring the AirPort Express Wireless Access Point

Launch AirPort Admin Utility, select the desired base station and click the Configure icon from the toolbar:

Click the Change Wireless Security… button:

In this new window, fill in the information about the RADIUS server, like its IP address, shared secret and so on.

Configuring the Supplicant for WPA2 Enterprise

Linux

Create /etc/wpa_supplicant.conf using the following data:

ctrl_interface=/var/run/wpa_supplicant
ap_scan=2
network={
  scan_ssid=1
  ssid="iTunes"
  proto=WPA2
  key_mgmt=WPA-EAP
  pairwise=CCMP
  group=CCMP
  ca_cert="/etc/wpa/cacert.pem"
  client_cert="/etc/wpa/cert.pem"
  private_key="/etc/wpa/key.pem"
  eap=TLS
  identity="anonymous"
}

The identity directive is required, or else the EAP-TLS negotiation will fail.

ap_scan=2 and scan_ssid=1 are needed when the Wireless Acccess Point is configured to not broadcast the ESSID.

Mac OS X

Launch Internet Connect from the Wireless menu:

If no 802.1X icon appears on the toolbar, choose File -> New 802.1X Conection…. Click the 802.1X icon. The window will look like this:

From the Configuration drop-down, select Edit Configurations…:

A window like this will open:

Fill in both the “Description” and “Wireless Network” fields with the ESSID of the Wireless network. Leave “User Name” and “Password” blanked, since we are not using password-based authentication.

From the “Authentication” listbox, clear the checkbox for all the protocols except for TLS. Select the TLS protocol and click the Configure button. A new window will open for you to select the private key that will be used for the EAP-TLS authentication mechanism:

From the drop-down listbox, select the name of the private key that matches the name of the private key installed in the previous section.

Click the Connect button. The Supplicant will authenticate against the Wireless Access Point. At this point, it is possible that Mac OS X asks confirmation for accessing the private key stored in your keychain. It is recommended to “Always Allow” the Supplicant access to the private key.

Launch System Preferences -> Network and Configure… the AirPort interface:

Click the “+” button to add a Preferred network:

Just enter the ESSID of the Wireless network and choose WPA2 Enterprise from the Wireless Security drop-down listbox. Also, make sure the Configuration field shows the name of the 802.1X configuration we created previously using Internet Connect.

Leave the rest of the fields blank, since we are not using password-based authentication.

Posted in FreeBSD, Linux, Mac OS X, Networking, Security, Wireless | 12 Comments »

12 Responses to “Configuring WPA2 Enterprise with EAP-TLS in Mac OS X and Linux”

  1. salimsaay Says:
    March 11th, 2008 at 5:58 PM

    I want to use WPA-EAP with Openssl CA for distributed authentication in wireless mesh network, the device is Linsys 45gl router with OpenWrt firmware, is it posssible, thanks for any replly.

  2. Robert Says:
    September 6th, 2008 at 3:20 AM

    I am trying to configure the airport express to access a college campus network with 802.1x, PEAP Security. After an hour and a half with Apple supprt I could not get the Airport Express to show and then accept the certificate and connect. This ability does not seem to be available in the Admin Utility. Do you know how I can do this… Thanks

  3. Johann Says:
    October 16th, 2011 at 11:34 AM

    What an excellent piece of text! No idea how you were able to write this text..it’d take me long hours. Well worth it though, I’d suspect. Have you considered selling advertising space on your blog?

  4. secret shopping alabama Says:
    October 30th, 2011 at 4:36 PM

    Awesome read. I just passed this onto a colleague who was doing a little research on that. He just bought me lunch because I found it for him! So let me rephrase: Thanx for lunch!

  5. Samuel Tankersly Says:
    December 6th, 2011 at 2:57 PM

    I have observed that in the world these days, video games will be the latest rage with children of all ages. Occasionally it may be extremely hard to drag your children away from the activities. If you want the very best of both worlds, there are various educational video games for kids. Good post.

  6. www.aksescepat.com Says:
    December 10th, 2011 at 1:55 AM

    Jasa Setting Mikrotik Jasa Setting Proxy

  7. Junior Zuvich Says:
    December 21st, 2011 at 3:30 PM

    I think this is among the such a lot important info for me. And i’m satisfied studying your article. But want to commentary on some normal issues, The website taste is perfect, the articles is actually excellent : D. Excellent activity, cheers

  8. Robby Deguise Says:
    December 27th, 2011 at 10:24 AM

    According to the DMN the state legislature is thinking about getting involved.

  9. Edwardo Pervine Says:
    January 9th, 2012 at 12:56 PM

    Not even a little bit. Not to say nobody has tried to make me stop being a Mormon, but I’m not letting any of their nonsensical jabs bring me away from Heavenly Father.

  10. Olevia Moura Says:
    January 9th, 2012 at 4:26 PM

    HIMMAT WAALO KI HAAR NAHI HOTI

  11. Vicente Siegrist Says:
    January 20th, 2012 at 10:35 AM

    “Happiness is not in the mere possession of money; it lies in the joy of achievement, in the thrill of creative effort”-Franklin D. Roosevelt

  12. Ute Laureano Says:
    January 20th, 2012 at 4:37 PM

    With environmentalists stressing on the belief that there must be optimum utilization resources on earth, solar panels are a terrific way to use the suns electricity.

Leave a Reply