FreeRADIUS for WPA & WPA2 Enterprise: Windows 7, Android, Symbian, iPhone

    This article perfectly describes the FreeRADIUS configuration for WPA2 Enterprise, and I successfully configured the FreeRADIUS2 + WPA2 + EAP-TLS bundle (user authentication over Wi-Fi WPA / WPA2 Enterprise, using certificates). Therefore, I will not bother either myself or you with a translation.
    Nevertheless, the article lacks information on the intricacies of configuring Android, Nokia Symbian, iPhone and Windows 7 clients for the above combination, which is what I am going to cover in this complementary article.


    Android:

    (Verified on version 2.3)
    It turned out that Android understands only binary (DER) certificates, and only with the file extension *.crt, for the certification authority. If your certification authority certificate is in text (PEM) form, it is very easy to convert it on *nix:
    openssl x509 -inform PEM -outform DER -in CA-MYCOMPANY.pem -out CA-MYCOMPANY.crt
    Or use the online converter here.
    The user certificate (required in *.p12 format, with that same file extension) and the certification authority certificate must be located on the device’s SD card. Go into the Android configuration: open “Settings”, go to “Security”, and select “Install from SD card”. Here you install the certification authority certificate and then the user certificate.
    You can also do this by sending an email with the files attached, if the email client is already configured. After the messages are downloaded, their attachments are usually located in the Downloads folder on the SD card. There is no need to move the certificates anywhere from this folder.
    Return to the Android configuration and go to “Wireless networks”, select “WiFi settings”, then “add WIFI network”. Here select Security 802.1x Enterprise, set "EAP method" to "TLS", and select the previously installed certification authority certificate and user certificate, respectively. Do not forget to write the username in the Identification code field (on Nokia you can simply indicate "use the login from the certificate" ***); it must match the Common Name "/CN=" in the user's personal certificate.

    Windows 7:

    On Windows 7, not all *.p12 files open with a click, so it is better to install them using the certificate manager, certmgr.msc.
    The certification authority certificate must be installed before the user certificate, as on all the other platforms.
    The certification authority certificate should be installed in "Trusted Root Certificates", and the personal certificate in "Personal Certificates", respectively.
    The screenshots below show the necessary settings:


    If your certification authority certificate is not included in this list, then most likely the same thing happened to you as happened to me; see the last paragraph of the article. Or just restart the machine.

    Nokia Symbian:

    Compared to Windows 7 and Android, Nokia’s setup is much simpler.
    After copying the user and certification authority certificates to the device’s memory card, navigate to these files with the file manager and simply open them. You will be asked to enter the password for the certificates (if one is set), new names for the certificates and a new password for the user certificate (it will sometimes be asked for when the device connects to the network, so do not make it too complicated).
    Go into the WIFI connection settings ** and create a new Wireless LAN access point: enter the network name, select Infrastructure, select Security Settings 802.1x, and select WPA EAP mode. Now select the newly created access point, go to the WLAN security settings, and open the EAP plug-in settings. Uncheck everything and leave only EAP-TLS, then go into EAP-TLS and select the previously installed certificates: the personal certificate (the one that was p12) and the authority certificate (the one that was pem, crt or der). Leave all other items as they are, including "use the username - from the certificate" ***.

    ** for Nokia E5 it is:
    Control Panel > Settings > Connection > Destinations
    ** for Nokia X6 it is:
    Control Panel > Settings > System > Communication > Connection Manager


    iPhone:

    Despite the fact that iTunes is needed for the USB cable, that I don’t really know whether a flash card can be connected, and that I was holding an iPhone for the first time in my life, it was the easiest to configure.
    On the phone, I set up mail and sent the root certificate in binary form (*.DER) and a personal certificate (*.p12) there. In the mail client, I just opened the attachments; the operating system immediately realized what kind of files they were and suggested installing them (Accept).
    First I installed the root certificate, then the personal one. Then go to “Settings”, “Wi-Fi”, “Other”, enter the Network Name, then go to “Security” and select “WPA2 Enterprise”. In the Username field, enter the username (which must match the Common Name "/CN=" in the user's personal certificate), select "EAP-TLS" in the "Mode" field, enter the "Identification" menu and select the personal certificate that was installed earlier, and click "Join". When connecting, it may display a message about who we are connecting to (the CN field from the server certificate will be displayed); you need to say “Accept”.

    *** On Nokia and Windows 7, unlike Android and iPhone, it is not necessary to enter the login manually (it is selected from the installed personal certificates, but can also be entered manually).

    It is also worth paying attention to such a nuance as the validity period of these two certificates. The following curious thing happened to me: the *nix server was not synchronized with a time server, and the certificate generated for the user became valid only an hour after its creation, exactly as written in the certificate body. I did not pay attention to this, and for that reason I could not connect to the network. Having understood the problem, I just waited one hour.
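
    The validity window and the Common Name requirement described above can both be checked on the server before a certificate is handed to a device. The script below is an added example, not part of the original article: the function names cert_status and make_constructed_pki, the file names and the identity "alice" are assumptions, and the certificates are throwaway test data generated on the spot. The optional fourth argument simulates the clock of the client device.

```sh
#!/bin/sh
# Added example: pre-flight check of an EAP-TLS client certificate.

# cert_status CA_PEM CERT_PEM IDENTITY [EPOCH]
# Prints one of: ok | not-yet-valid | expired | untrusted | cn-mismatch
# EPOCH simulates the clock of the client device (default: this host's clock).
cert_status() {
    at=${4:-$(date +%s)}
    out=$(openssl verify -attime "$at" -CAfile "$1" "$2" 2>&1) || true
    case $out in
        *"not yet valid"*) echo not-yet-valid; return 0 ;;
        *"has expired"*)   echo expired;       return 0 ;;
        *": OK")           ;;
        *)                 echo untrusted;     return 0 ;;
    esac
    # The identity typed on the client must equal the certificate's CN.
    cn=$(openssl x509 -in "$2" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= //p')
    if [ "$cn" = "$3" ]; then echo ok; else echo cn-mismatch; fi
}

# make_constructed_pki DIR CN
# Generates a throwaway CA and client certificate (constructed test data;
# the private keys are written unencrypted into DIR).
make_constructed_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/user.key" -out "$1/user.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/user.csr" -days 1 -CA "$1/ca.pem" \
        -CAkey "$1/ca.key" -CAcreateserial -out "$1/user.pem" 2>/dev/null
}

# Demo: the same certificate seen by a correct clock, by a clock one hour
# behind the issuing server, and with a mistyped identity.
demo=$(mktemp -d)
make_constructed_pki "$demo" alice
now=$(date +%s)
cert_status "$demo/ca.pem" "$demo/user.pem" alice "$now"
cert_status "$demo/ca.pem" "$demo/user.pem" alice "$((now - 3600))"
cert_status "$demo/ca.pem" "$demo/user.pem" bob   "$now"
rm -rf "$demo"
```

    A "not-yet-valid" result for a clock that is only slightly behind points at time synchronization between the issuing server and the clients rather than at the certificate itself.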

    About wired connections in Windows

    In Windows, an Ethernet connection can be authenticated on the same principle, using certificates. Most switches, even SMB-class ones, can authenticate clients using RADIUS. This increases the level of network security, so that no one can just "plug" into the network.
    To configure a wired connection, you need to enable "Wired AutoConfig" in Windows Services. An "Authentication" tab, similar to the one for the wireless connection, will then appear in the adapter’s properties.
    The setting is similar to a wireless connection.

    That's all, good luck to everyone!
