TLS authentication (EAP-TLS) configuration
To configure TLS authentication:
- Generate a client certificate;
- Configure radius-server local;
- Export the generated certificate from the WLC and install it on the client device.
Generating a client certificate
To generate a client certificate, create a private key, generate a CSR from it, have the CSR signed by the CA to produce the client certificate, and pack the key, the certificate and the CA certificate into a PKCS #12 container.
Generating a private-key
An RSA private key must be created for each client certificate. The key size in bits may be set in the range 1024 to 4096 (optional; default 2048 bits). 1024-bit RSA is no longer considered secure: keep the default or use a larger key.
The command has the form:
crypto generate private-key rsa [key size 1024-4096] filename <Filename for key .pem>
If "?" is entered after filename, the help output lists the key files already present in the crypto:private-key/ directory:
wlc# crypto generate private-key rsa filename ?
  WORD(1-31)  Name of file
----FILE----
default_ca_key.pem
default_cert_key.pem
tester.pem
wlc-sa.key
An existing file can be selected and overwritten:
wlc# crypto generate private-key rsa 1024 filename tester.pem
Destination file already exists. Do you really want to overwrite it? (y/N): y
..........++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
..................++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
If there are many files, only part of the list is shown:
wlc# crypto generate cert csr tester.csr ca ?
CRYPTO FILES
Select file:
----FILE----
E828C1000002.pem E828C1000004.pem E828C1000006.pem E828C1000008.pem E828C100000A.pem E828C100000C.pem
E828C100000E.pem E828C1000010.pem E828C1000012.pem E828C1000014.pem E828C1000016.pem E828C1000018.pem
E828C100001A.pem E828C100001C.pem E828C100001E.pem E828C1000020.pem E828C1000022.pem E828C1000024.pem
E828C1000026.pem E828C1000028.pem E828C100002A.pem E828C100002C.pem E828C100002E.pem E828C1000030.pem
E828C1000032.pem E828C1000034.pem E828C1000036.pem E828C1000038.pem E828C100003A.pem E828C100003C.pem
E828C100003E.pem E828C1000040.pem E828C1000042.pem E828C1000044.pem E828C1000046.pem E828C1000048.pem
E828C100004A.pem E828C100004C.pem E828C100004E.pem E828C1000050.pem E828C1000052.pem E828C1000054.pem
E828C1000056.pem E828C1000058.pem E828C100005A.pem E828C100005C.pem E828C100005E.pem E828C1000060.pem
E828C1000062.pem E828C1000064.pem E828C1000066.pem E828C1000068.pem E828C100006A.pem E828C100006C.pem
E828C100006E.pem E828C1000070.pem E828C1000072.pem E828C1000074.pem E828C1000076.pem E828C1000078.pem
E828C100007A.pem E828C100007C.pem E828C100007E.pem E828C1000080.pem E828C1000082.pem E828C1000084.pem
E828C1000086.pem E828C1000088.pem E828C100008A.pem ...
In that case, type the beginning of the name followed by "?" to see only the matching entries:
wlc# crypto generate cert csr tester.csr ca d?
CRYPTO FILES
Select file:
----FILE----
default_ca.pem
default_cert.pem
File selection works the same way in the other certificate generation commands.
Generating a csr
When generating the CSR, select the private key (the file created in the previous step), specify the common-name in the form <username>@<domain>, and choose the file to save the CSR to (filename). Use the real user name and domain in the common-name: the certificate is later bound to exactly that user under radius-server local (tester in domain wlc.root in this example).
Optional parameters:
- alternative-name – subject alternative name (5-255 characters; an IP address in the example below);
- country – country code (2 characters);
- email-address – e-mail address (3-64 characters);
- locality – client's location (1-128 characters);
- organization – organization name (1-64 characters);
- organizational-unit – name of the organization's structural subdivision (1-64 characters);
- state – name of the region/area (1-128 characters).
wlc# crypto generate csr private-key tester.pem common-name tester@wlc.root filename tester.csr
wlc# crypto generate csr private-key tester.pem alternative-name IP:10.10.10.10 common-name tester@wlc.root country ru email-address test@test.com locality 4_floor organization ELTEX organizational-unit wireless state Novosibirsk_oblast filename tester.csr
The created CSR can be viewed with the show crypto certificates csr <filename> command.
Generating a certificate signed by a CA from RADIUS
After the client CSR has been generated, it must be signed with the CA certificate of the local RADIUS server (default_ca.pem with its key default_ca_key.pem, unless the CA has been replaced).
The certificate generation command has the form:
crypto generate cert csr <csr file name> ca <CA certificate file name> private-key <CA certificate key file name> filename <crt file name for saving>
Creating a PKCS #12 container with key and certificates
The .p12 format, also known as PKCS #12, is a standard container format for bundling a private key with its certificate and the issuing CA chain in a single file. It is used here because practically all operating systems, firmware and devices (Windows, macOS, Linux, Android, iOS) can import it, and because it carries the whole chain, which simplifies installation and updates on different devices. The container is protected by a password: the private key inside is encrypted with it, so the password is what protects the key while the file is in transit or at rest on the device. Choose it accordingly; the value 12345678 in the example below is for illustration only.
The container generation command has the following form:
crypto generate pfx private-key <Client certificate key file name> cert <Client certificate file name> ca <CA file name> password ascii-text <Container password> filename <File name for certificate saving (.p12)>
wlc# crypto generate pfx private-key tester.pem cert tester.crt ca default_ca.pem password ascii-text 12345678 filename tester.p12
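The same pipeline (private key, CSR, CA-signed certificate, PKCS #12) done with openssl on a workstation, followed by the checks worth running on a container before handing it to a user: that it opens with the password and carries a private key, that the CA is bundled, that the client certificate chains to the exported CA, and that its CN is the <username>@<domain> the WLC user entry expects. This is an added example, not Eltex WLC code; the file names, CN and password are the page's example values, and the CA is a throwaway demo CA created here, not the WLC's default_ca.pem.

```shell
# Added example (not Eltex WLC code): openssl equivalent of the CLI steps above,
# plus verification of the resulting container. The demo CA stands in for
# default_ca.pem / default_ca_key.pem and is an assumption of this example.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CLIENT_CN="tester@wlc.root"   # <username>@<domain>, as the CSR step requires
P12_PASS="12345678"           # page's example value; use a strong password for real users

# private-key -> csr -> cert signed by the CA -> pfx, mirroring the WLC commands.
make_client_bundle() (
    cd "$WORKDIR"
    # Demo CA. The extension file marks it as a CA; without basicConstraints
    # the chain check in verify_client_bundle fails.
    openssl genrsa -out default_ca_key.pem 2048 2>/dev/null
    openssl req -new -key default_ca_key.pem \
        -subj "/CN=Demo default certificate authority" -out ca.csr 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl x509 -req -in ca.csr -signkey default_ca_key.pem -days 365 \
        -extfile ca.ext -out default_ca.pem 2>/dev/null

    # Client key: 2048 bits (the CLI also accepts 1024; do not use it).
    openssl genrsa -out tester.pem 2048 2>/dev/null
    openssl req -new -key tester.pem -subj "/CN=$CLIENT_CN/O=ELTEX" -out tester.csr 2>/dev/null
    # clientAuth EKU: Windows requires it on EAP-TLS client certificates.
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\nsubjectAltName=email:%s\n' \
        "$CLIENT_CN" > client.ext
    openssl x509 -req -in tester.csr -CA default_ca.pem -CAkey default_ca_key.pem \
        -CAcreateserial -days 365 -extfile client.ext -out tester.crt 2>/dev/null

    # Key + certificate + CA in one password-protected PKCS #12 ('crypto generate pfx').
    openssl pkcs12 -export -inkey tester.pem -in tester.crt -certfile default_ca.pem \
        -name "$CLIENT_CN" -passout "pass:$P12_PASS" -out tester.p12 2>/dev/null
)

# Checks for an exported container. Arguments: p12 file, CA file exported
# alongside it, expected CN, container password. Returns 0 only if all pass.
verify_client_bundle() {
    p12="$1"; ca="$2"; expect_cn="$3"; pass="$4"
    leaf="${p12%.p12}.leaf.pem"
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY' || { echo "cannot open $p12 or no private key inside"; return 1; }
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -cacerts -nokeys 2>/dev/null \
        | grep -q 'BEGIN CERTIFICATE' || { echo "no CA certificate bundled in $p12"; return 1; }
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys 2>/dev/null > "$leaf"
    openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1 \
        || { echo "client certificate does not chain to $ca"; return 1; }
    cn=$(openssl x509 -in "$leaf" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$expect_cn" ] || { echo "CN is '$cn', expected '$expect_cn'"; return 1; }
    echo "ok: $p12 holds key and certificate for $cn, issued by $ca"
}
```

verify_client_bundle can be pointed directly at the files the copy command exports from crypto:pfx/ and crypto:cert/ (see the export section); it needs nothing but the container password. If a device refuses a container produced by OpenSSL 3, re-export it with the -legacy option, which falls back to the older PKCS #12 ciphers some importers still expect.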
Radius-server local configuration
Enable tls mode domain in the radius-server local settings:
wlc(config-radius)# tls mode domain
Configuring SSID and RADIUS profile
For TLS authentication to work correctly, the RADIUS profile and the SSID profile must be configured for the required domain:
configure
wlc
 ssid-profile default-ssid
  description default-ssid
  ssid wlc_tls_ssid
  radius-profile tls-radius
 exit
 radius-profile tls-radius
  auth-address 192.168.1.1
  auth-password ascii-text encrypted 8CB5107EA7005AFF
  domain wlc.root
 exit
User configuration
To complete the WLC configuration, specify the generated certificate in the settings of the user it was generated for. In the example the common-name is tester@wlc.root, so go to the settings of user tester in domain wlc.root and specify the file name of this user's certificate with the command:
crypto cert <file name>
wlc# configure
wlc(config)# radius-server local
wlc(config-radius)# domain wlc.root
wlc(config-radius-domain)# user tester
wlc(config-radius-user)# crypto cert tester.crt
Once configured, apply the changes:
wlc# commit
wlc# confirm
Installing a client certificate
Exporting a client certificate
To set up TLS authentication, the certificate container and the server CA certificate must be installed on the client device, so first export them from the WLC. This is done with the copy command, which supports the ftp, http, https, scp, sftp and tftp protocols as well as USB and MMC storage. The container holds the client's private key; transfer it over an encrypted channel (scp, sftp, https) or on removable media, since ftp, http and tftp send it in clear text.
The command to copy the container with the certificate has the form:
copy crypto:pfx/<Container name> <DESTINATION>
where <DESTINATION> is the copy path.
Exporting the RADIUS server CA certificate
copy crypto:cert/<CA certificate file name> <DESTINATION>
where <DESTINATION> is the copy path.
Installing certificates for Android devices with Android version 11 and higher
To install certificates on an Android device, copy the exported files (the CA certificate and the .p12 container; default_ca.pem and tester.p12 in the example) to the device.
1. Open the phone settings and choose "Biometrics and security" → "Other security settings" → "Credential storage" (menu names vary between vendors);
2. If old certificates are present, delete them with the "Clear credentials" button;
3. To load new certificates, tap "Install from device storage";
4. The root and user certificates are installed via the "Wi-Fi certificate" button;
5. Select the folder the files were copied to;
6. To load the root certificate, select the "default_ca.pem" file and enter a name for it;
7. To load the client certificate, select the "tester.p12" file, enter the password set when the container was generated, and enter a name.
Installing certificates for iOS devices
To install certificates on an iOS device, send the certificate files (the CA certificate and the *.p12 container) to an e-mail address available on the device and open them there, or copy the files to the device over USB. The container carries the private key; its password is the only protection it has in transit.
Installing the root certificate
Open the message in a standard iOS application (Mail or Safari) and tap the CA certificate file (*.crt in this example). iOS warns that the profile is not trusted; allow the installation and the certificate is installed.
Installing the client certificate
Installing the user certificate is the same as installing the root certificate, except that the container password is requested. It is the password set with password ascii-text when the container was generated on the WLC (12345678 in the example).
Installing certificates for Windows
1. Open the .p12 file. Leave the parameters unchanged and click "Next".
2. Enter the password: the one given in password ascii-text when the container was generated on the WLC.
3. Confirm the installation of the user certificate.
4. When the user certificate and the root certificate have been installed, Windows reports that the import was successful.
Connecting to a TLS enabled SSID
Connecting from Android
1. In the Wi-Fi menu, find the SSID created earlier (wlc_tls_ssid in the example).
2. Set the network connection parameters:
EAP method: TLS
CA certificate: default-ca (the root certificate installed in the previous section, under the name given at installation)
User certificate: user (the client certificate installed from the .p12 container, under the name given at installation)
Identity (labelled "Authorization" on some devices): tester
The value is the user name from the certificate's common-name.
Domain: wlc-30
The value of the Domain parameter is the CN (commonName) of the default_cert.pem server certificate. Android 11 and later do not allow skipping server certificate validation, so both the CA certificate and the Domain must be set; a wrong Domain fails the connection even with a valid client certificate.
3. If the parameters are entered correctly, authentication succeeds.
Connecting with Windows
To create and configure a new connection, open "Network and Sharing Center" → "Set up a new connection or network".
In the window that opens, select "Manually connect to a wireless network" and click "Next".
Enter the wireless network information:
- Network name;
- Security type: WPA2-Enterprise.
Check "Start this connection automatically" and click "Next".
The network has been successfully added. Next, configure the connection settings.
Open the "Security" section, select the authentication method "Microsoft: Smart Card or other certificate (EAP-TLS)". Click "Settings".
Check the following:
- Use certificate on this computer;
- Use simple certificate selection;
- Confirm server authentication using certificate verification;
- Use a different user name for the connection.
In the Trusted Root Certification Authorities list, select the root certificate "Eltex default certificate authority". This is the CA certificate installed together with the client certificate; without a trusted CA selected, server verification cannot succeed.
Click "OK".
In the window that opens, choose "Advanced settings".
Set the authentication mode to "User authentication" and click "OK".
Find the desired network and click "Connect". Select the user certificate to connect with and enter the user name. Click "OK".
If the parameters are entered correctly, the connection succeeds.
Connecting with Ubuntu
Create a new connection to the network, specify the SSID, and enter the parameters:
- Security – WPA & WPA2 Enterprise;
- Authentication – TLS;
- Identity – the user name on the RADIUS server;
- CA certificate – the CA certificate exported separately from the WLC (crypto:cert/);
- User certificate – the .p12 container with the client certificate;
- User private key – the same .p12 container (it also holds the key);
- User key password – the password set when the container was generated.
If the parameters are entered correctly, the connection succeeds.
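The fields above map onto a wpa_supplicant network block, which is what Ubuntu Server or any headless Linux client uses instead of the desktop dialog. This is an added example, not from the Eltex documentation; the SSID, identity, file paths and server certificate name are the page's example values and are assumptions for a real deployment.

```conf
# Added example (not from the Eltex documentation). Paths are assumptions.
network={
    ssid="wlc_tls_ssid"
    key_mgmt=WPA-EAP
    eap=TLS
    # "Identity": the user name on the RADIUS server
    identity="tester"
    # "CA certificate": default_ca.pem copied from crypto:cert/ on the WLC
    ca_cert="/etc/wpa_supplicant/default_ca.pem"
    # "User certificate" and "User private key": both are the .p12 container.
    # wpa_supplicant reads the certificate out of the PKCS #12, so client_cert is omitted.
    private_key="/etc/wpa_supplicant/tester.p12"
    # "User key password": the password set when the container was generated
    private_key_passwd="12345678"
    # Pin the server certificate to the CN of default_cert.pem (the Android "Domain"
    # field); without it any certificate issued by the CA would be accepted.
    domain_match="wlc-30"
}
```

Keep the file readable only by root (it contains the container password), and change domain_match whenever the server certificate is replaced with one that carries a different CN.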
Connecting with iOS
In the Wi-Fi settings, select the desired network. When prompted, enter the user name, set the mode to EAP-TLS, tap "Identity" and choose the client certificate, go back and tap "Join". In the dialog that opens, tap "Trust".
Updating and replacing the server certificate
There are commands to update the default CA certificate and/or the server certificate:
wlc# update crypto default ca
wlc# update crypto default cert
To replace the server certificate, upload the new server certificate, the CA certificate and the server certificate key to the WLC, placing them in the crypto:cert/ and crypto:private-key/ directories. Then specify the server certificate, the CA certificate and the server key in the radius-server local settings (the default certificate is used unless this is done):
configure
 radius-server local
  crypto private-key my_cert_key.pem
  crypto cert my_cert.pem
  crypto ca my_ca.pem
After updating or replacing certificates, reboot the WLC or restart the local RADIUS server:
wlc(config)# radius-server local
wlc(config-radius)# no enable
wlc(config-radius)# do commit
wlc(config-radius)# do restore
wlc(config-radius)# do rollback
After updating or replacing the server certificate, reissue the client certificates and distribute the new CA certificate to the clients: client certificates signed by the previous CA are no longer accepted, and clients that pin the server certificate name (the Domain field on Android, for example) must be updated if its CN changed.