Join WLAN Pi to an 802.1X WiFi with EAP-TLS

One of my most used tools is definitely my WLAN Pi. It’s so flexible and has various tools installed. I can capture packets and power it over PoE. 

I often plug it in using its USB interface to my computer and then connect it to a LAN for troubleshooting purposes. But sometimes it's necessary to troubleshoot remotely. In these cases I need a second interface to connect to a working network that is reachable from remote. With this setup, I can SSH into the Pi and use its eth0 for troubleshooting.

A lot of my customers use certificate-based authentication in their WLAN and do not allow clients to join the network with a PSK. Windows and Mac have pretty wizards that let you authenticate with a certificate, but on Linux it's a little bit more difficult.

Get the certificate

If the RADIUS server of the WLAN allows user-based certificates, you can log in on a domain computer and grab your certificate.

  1. Open mmc
  2. Request a new certificate (Personal – Certificates – All Tasks – Request New Certificate…)
  3. Export the certificate with its private key AND WRITE DOWN THE EXPORT PASSWORD (I have only forgotten it about 100 times)
  4. Copy the .pfx file to your Pi using SCP

Convert the .pfx certificate

Because there is no wizard that configures the certificates automatically, we need to convert them manually:

  1. The client certificate
    openssl pkcs12 -in MetzgerC.pfx -clcerts -nokeys -out client.crt
  2. The private key
    openssl pkcs12 -in MetzgerC.pfx -nocerts -out privatekey.pem -nodes
  3. The CA certificate
    openssl pkcs12 -in MetzgerC.pfx -cacerts -nokeys -chain -out ca.cer

I copied all the certificates into the /etc/wpa_supplicant folder; that's maybe not the best place, but it works perfectly.
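The conversion above as a small shell script, added here as an example rather than taken from the post: it runs the same three openssl pkcs12 commands, creates the output files readable by their owner only (the -nodes key is plaintext, so file permissions are the only thing protecting it), and then checks that the key really belongs to the client certificate and that the certificate chains to the extracted CA before anything is written into wpa_supplicant.conf. File names, the password and the make_test_pfx helper (which builds a throwaway CA and client certificate as constructed test input) are assumptions; the openssl CLI is the only dependency. On a Pi with OpenSSL 3, a .pfx exported by older Windows versions with RC2/3DES encryption may additionally need the -legacy option on the pkcs12 commands.

```shell
#!/bin/sh
# Added example, not from the original post. Converts a .pfx export into the
# three PEM files wpa_supplicant needs and verifies they belong together.
# Assumes the openssl CLI; all file names and passwords are placeholders.
set -eu

# convert_pfx PFX EXPORT_PASSWORD OUTDIR
# Writes client.crt, privatekey.pem (unencrypted because of -nodes) and ca.cer
# into OUTDIR. The subshell scopes umask 077 so everything is created 0600.
# Passing -passin puts the password in the process list; on a shared host drop
# it and let openssl prompt instead.
convert_pfx() {
    pfx=$1; pass=$2; out=$3
    (
        umask 077
        mkdir -p "$out"
        openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys -out "$out/client.crt"
        openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes -out "$out/privatekey.pem"
        openssl pkcs12 -in "$pfx" -passin "pass:$pass" -cacerts -nokeys -out "$out/ca.cer"
    )
}

# verify_material OUTDIR
# Fails unless the public key inside client.crt equals the one derived from
# privatekey.pem and client.crt chains to ca.cer. Prints subject and expiry so
# a wrong-user or soon-to-expire certificate is noticed now, not after a night
# of failed EAP authentications.
verify_material() {
    out=$1
    cert_pub=$(openssl x509 -in "$out/client.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$out/privatekey.pem" -pubout)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "privatekey.pem does not belong to client.crt" >&2
        return 1
    fi
    openssl verify -CAfile "$out/ca.cer" "$out/client.crt" >/dev/null || return 1
    openssl x509 -in "$out/client.crt" -noout -subject -enddate
}

# make_test_pfx DIR EXPORT_PASSWORD
# Constructed test input (hypothetical CA and user): a throwaway CA plus a
# client certificate bundled the way the Windows export wizard does it
# (key + client cert + issuing CA).
make_test_pfx() {
    dir=$1; pass=$2
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=MetzgerC" \
        -keyout "$dir/user.key" -out "$dir/user.csr" 2>/dev/null
    openssl x509 -req -in "$dir/user.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 2 -out "$dir/user.crt" 2>/dev/null
    openssl pkcs12 -export -in "$dir/user.crt" -inkey "$dir/user.key" \
        -certfile "$dir/ca.crt" -passout "pass:$pass" -out "$dir/export.pfx"
}

# Stand-alone usage:  sh convert-pfx.sh MetzgerC.pfx 'export-password' /etc/wpa_supplicant
if [ "$#" -eq 3 ]; then
    convert_pfx "$1" "$2" "$3"
    verify_material "$3"
fi
```

Run it as root so the files in /etc/wpa_supplicant end up owned by root; wpa_supplicant runs as root and reads them fine with mode 0600, and nobody else on the Pi can copy the key.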

Configure supplicant

The next step is to configure the supplicant to use the certificates.

vi /etc/wpa_supplicant/wpa_supplicant.conf

#######
network={
    ssid="YourSSID"
    # 802.1X/EAP instead of a pre-shared key
    key_mgmt=WPA-EAP
    proto=WPA2
    eap=TLS
    pairwise=CCMP
    group=CCMP
    # identity sent in the EAP-Response/Identity; with EAP-TLS the certificate does the real authentication
    identity="MetzgerC"
    # CA the RADIUS server's certificate must chain to; without ca_cert the server certificate is not verified at all
    # (domain_match can additionally pin the expected server name)
    ca_cert="/etc/wpa_supplicant/ca.cer"
    client_cert="/etc/wpa_supplicant/client.crt"
    private_key="/etc/wpa_supplicant/privatekey.pem"
    # only used if the key file is encrypted; the key exported with -nodes above is not, so this line is harmless but unnecessary
    private_key_passwd="THE-PASSWORD-YOU-HOPEFULLY-WROTE-DOWN"
}

Configure interface

Afterwards we need to tell the wlan interface to use this configuration. Edit /etc/network/interfaces:

vi /etc/network/interfaces

#############

iface wlan0 inet dhcp
    wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

Cedric Metzger
Network Engineer at ITRIS One AG
