One of my most used tools is definitely my WLAN Pi. It’s so flexible and has various tools installed. I can capture packets and power it over PoE.
I often plug it in using its USB interface to my computer and then connect it to a LAN for troubleshooting purposes. But sometimes, it’s necessary to troubleshoot remotely. In these cases I need a second interface to connect to a working network that is reachable remotely. With this setup, I can SSH into the Pi and use its eth0 for troubleshooting.
A lot of my customers are using certificate-based authentication in their WLAN and do not allow clients to join the network using PSK. Windows and Mac have pretty wizards that allow using a certificate to authenticate, but with Linux, it’s a little bit more difficult.
Get the certificate
If the RADIUS server of the WLAN allows user-based certificates, you can log in on a domain computer and grab your certificate.
- Open mmc
- Request a new certificate (Personal – Certificates – All Tasks – Request New Certificate…)
- Export the certificate with private key AND WRITE DOWN THE EXPORT PASSWORD (only forgot it about 100 times)
- Copy the .pfx certificate using SCP to your Pi
Convert the .pfx certificate
Because of the missing wizard that automatically configures the certificates, we need to manually convert them:
- The client certificate
    openssl pkcs12 -in MetzgerC.pfx -clcerts -nokeys -out client.crt
- The private key
    openssl pkcs12 -in MetzgerC.pfx -nocerts -out privatekey.pem -nodes
- The CA cert
    openssl pkcs12 -in MetzgerC.pfx -cacerts -nokeys -chain -out ca.cer
I copied all the certificates into the /etc/wpa_supplicant folder; that’s maybe not the best place, but it works perfectly.
Configure supplicant
The next step is to configure the supplicant to use the certificates.
    vi /etc/wpa_supplicant/wpa_supplicant.conf
    #######
    network={
        ssid="YourSSID"
        key_mgmt=WPA-EAP
        proto=WPA2
        eap=TLS
        pairwise=CCMP
        group=CCMP
        identity="MetzgerC"
        ca_cert="/etc/wpa_supplicant/ca.cer"
        client_cert="/etc/wpa_supplicant/client.crt"
        private_key="/etc/wpa_supplicant/privatekey.pem"
        private_key_passwd="THE-PASSWORD-YOU-HOPEFULLY-WROTE-DOWN"
    }
Configure interface
Afterwards we need to tell the wlan interface to use this configuration. Edit /etc/network/interfaces:
    vi /etc/network/interfaces
    #############
    iface wlan0 inet dhcp
        wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf
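The steps above leave a private key exported with -nodes (so without a passphrase) and a clear-text private_key_passwd in /etc/wpa_supplicant. The shell functions below are an added example, not part of the original post: they read the three file paths from the supplicant config, check that each file exists, and flag a config or key file that group or others can access. The function names are made up for this example.

```shell
#!/bin/sh
# Added example: audit the files named in a wpa_supplicant EAP-TLS config.
# Usage (after sourcing this file): audit_supplicant_conf /etc/wpa_supplicant/wpa_supplicant.conf

# True if group or others hold any permission bit on the file.
too_open() {
    [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]
}

# Print the quoted value of KEY="value" from the config (first match only).
conf_value() {
    sed -n "s/^[[:space:]]*$1=\"\(.*\)\"[[:space:]]*\$/\1/p" "$2" | head -n 1
}

# Prints one line per finding; returns 0 if clean, 1 otherwise.
audit_supplicant_conf() {
    conf=$1
    bad=0
    [ -r "$conf" ] || { echo "MISSING $conf"; return 1; }
    # The config itself is sensitive when it carries private_key_passwd.
    if grep -q '^[[:space:]]*private_key_passwd=' "$conf" && too_open "$conf"; then
        echo "PERMS $conf: holds private_key_passwd, accessible by group/others"
        bad=1
    fi
    for key in ca_cert client_cert private_key; do
        path=$(conf_value "$key" "$conf")
        if [ -z "$path" ] || [ ! -f "$path" ]; then
            echo "MISSING $key: ${path:-not set}"
            bad=1
        fi
    done
    keyfile=$(conf_value private_key "$conf")
    if [ -f "$keyfile" ]; then
        if too_open "$keyfile"; then
            echo "PERMS $keyfile: private key accessible by group/others"
            bad=1
        fi
        # A key exported with -nodes has no ENCRYPTED marker in its PEM text.
        if ! grep -q 'ENCRYPTED' "$keyfile"; then
            echo "NOTE $keyfile: no passphrase, file permissions are its only protection"
        fi
    fi
    return $bad
}
```

A PERMS finding is cleared with chmod 600 on the named file; the NOTE line is informational and does not change the return code.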