Дерево страниц
Перейти к концу метаданных
Переход к началу метаданных

TLS authorisation configuration

To configure TLS authorization:

  1. Generate a client certificate;
  2. Configure radius-server local;
  3. Download and install the generated certificate on the client device.

Generating a client certificate

To generate a client certificate, you need to create a private-key, generate a csr, issue a client certificate, and create a pkcs12 container.

Generating a private-key

A private-key must be created for each client certificate. The RSA algorithm is used, the key size in bits is set in the range from 1024 to 4096 (optional, by default – 2048 bits).

The command has the form:

crypto generate private-key rsa [key size 1024-4096] filename <Filename for key .pem>

If a “?” is written after filename, the tooltip will show a list of key files in the crypto:private-key/ directory.

wlc# crypto generate private-key rsa filename ?
  WORD(1-31  Name of file

  ----FILE----
  default_ca_key.pem
  default_cert_key.pem
  tester.pem
  wlc-sa.key

It is possible to select a file that already exists and overwrite it:

wlc# crypto generate private-key rsa 1024 filename tester.pem
Destination file already exists.
Do you really want to overwrite it? (y/N): y
..........++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
..................++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

If there are too many files, only a part of the certificates will be listed:

wlc# crypto generate cert csr tester.csr ca ?
  CRYPTO FILES  Select file:

  ----FILE----
  E828C1000002.pem                  E828C1000004.pem                  E828C1000006.pem
  E828C1000008.pem                  E828C100000A.pem                  E828C100000C.pem
  E828C100000E.pem                  E828C1000010.pem                  E828C1000012.pem
  E828C1000014.pem                  E828C1000016.pem                  E828C1000018.pem
  E828C100001A.pem                  E828C100001C.pem                  E828C100001E.pem
  E828C1000020.pem                  E828C1000022.pem                  E828C1000024.pem
  E828C1000026.pem                  E828C1000028.pem                  E828C100002A.pem
  E828C100002C.pem                  E828C100002E.pem                  E828C1000030.pem
  E828C1000032.pem                  E828C1000034.pem                  E828C1000036.pem
  E828C1000038.pem                  E828C100003A.pem                  E828C100003C.pem
  E828C100003E.pem                  E828C1000040.pem                  E828C1000042.pem
  E828C1000044.pem                  E828C1000046.pem                  E828C1000048.pem
  E828C100004A.pem                  E828C100004C.pem                  E828C100004E.pem
  E828C1000050.pem                  E828C1000052.pem                  E828C1000054.pem
  E828C1000056.pem                  E828C1000058.pem                  E828C100005A.pem
  E828C100005C.pem                  E828C100005E.pem                  E828C1000060.pem
  E828C1000062.pem                  E828C1000064.pem                  E828C1000066.pem
  E828C1000068.pem                  E828C100006A.pem                  E828C100006C.pem
  E828C100006E.pem                  E828C1000070.pem                  E828C1000072.pem
  E828C1000074.pem                  E828C1000076.pem                  E828C1000078.pem
  E828C100007A.pem                  E828C100007C.pem                  E828C100007E.pem
  E828C1000080.pem                  E828C1000082.pem                  E828C1000084.pem
  E828C1000086.pem                  E828C1000088.pem                  E828C100008A.pem
  ...

In this case, part of a word and a “?” can be entered to see the filtered entries:

wlc# crypto generate cert csr tester.csr ca d?
  CRYPTO FILES  Select file:

  ----FILE----
  default_ca.pem                    default_cert.pem

The work with files is similar to the rest of the certificate generation commands.

private-key generation example
wlc# crypto generate private-key rsa 4096 filename tester.pem
.+...+..................+....+...+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...+............+...........+.....................+.....+....+..
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Generating a csr

When generating the csr, select the private-key (the file generated in the previous step), specify the common-name in the format <username>@<domain> and select the file to save the csr (filename). It is recommended to use real username and domain in common-name.

Optional parameters:

  • alternative-name  alternative username (5-255 characters);
  • country  country code (2 characters);
  • email-address  e-mail address (3-64 characters);
  • locality  client's location (1-128 characters);

  • organization  organization name (1-64 symbols); 
  • organizational-unit  name of the organization's structural subdivision (1-64 symbols);
  • state  name of region/area (1-128 symbols).
Example of csr generation with minimum number of completed fields
wlc# crypto generate csr private-key tester.pem common-name tester@wlc.root filename tester.csr
Example of csr generation with all completed fields
crypto generate csr private-key tester.pem alternative-name IP:10.10.10.10 common-name tester@wlc.root country ru email-address test@test.com locality 4_floor organization ELTEX organizational-unit wireless state Novosibirsk_oblast filename tester.csr

The created csr can be viewed by using the show crypto certificates csr <filename> command:

Example of created certificate
wlc# show crypto certificates csr tester.csr
Version:                                1
Subject name:
    C(countryName):                     ru
    ST(stateOrProvinceName):            Novosibirsk_oblast
    L(localityName):                    4_floor
    O(organizationName):                ELTEX
    OU(organizationalUnitName):         wireless
    CN(commonName):                     tester@wlc.root
    emailAddress(emailAddress):         test@test.com
Signature:
    Algorithm:                          sha256WithRSAEncryption
    Value:                              32:DE:27:BE:38:E0:B4:1A:BE:57:0C:50:5E:05:D5:9F:3D:ED:
                                        12:EC:27:3F:42:17:3D:36:EC:72:4A:52:AF:0C:C1:FB:6A:CA:
                                        12:27:E7:C2:31:0A:5A:2D:5D:C3:5D:6B:80:6E:86:D1:66:06:
                                        4F:21:AC:A9:40:E7:1F:CC:FD:D0:9B:C4:D7:F0:56:84:19:07:
                                        1E:D4:28:0F:C9:36:26:D6:D1:9F:25:F6:73:04:DB:9A:31:94:
                                        79:BE:8D:8E:97:05:0E:F8:A7:CD:A7:F8:80:6E:E1:A2:7B:D5:
                                        D7:1F:73:8E:D0:C3:2E:F3:D2:EF:87:E0:9A:F8:F3:6B:A6:4D:
                                        E3:6C:5A:B7:6E:2A:61:DE:BF:8E:FB:94:D5:DC:40:15:39:70:
                                        43:AA:9B:B1:76:43:BA:7E:52:FD:46:6F:E3:1B:C0:19:09:86:
                                        6E:71:9B:37:BD:A5:B9:0C:E8:66:4E:8E:DF:E0:9B:70:07:48:
                                        15:CD:6F:8E:80:87:56:89:74:17:9D:C3:D5:2A:92:C4:BB:16:
                                        D9:09:E7:8A:EB:D0:3B:C4:A8:74:92:92:C3:39:40:3D:8E:62:
                                        7D:A7:B6:22:D9:5D:50:5D:BB:CD:B5:0D:47:D2:F6:C1:D6:FF:
                                        FA:18:58:15:A9:52:B1:D3:3C:94:A4:40:4B:15:D1:48:F8:53:
                                        E8:A8:3A:35
Subject Public Key Info:
    Algorithm:                          RSA
    Key size:                           2048
    Exponent:                           65537
    Modulus:                            00:AE:90:97:89:02:4D:49:6F:D7:45:9F:19:8D:4B:F7:30:6B:
                                        5C:DF:FE:2B:D0:E4:85:66:45:2E:2E:98:20:E8:B8:A2:42:29:
                                        C1:1A:A1:44:B4:DD:B1:BE:93:45:1F:0E:7A:A6:A9:C1:5B:D6:
                                        DD:74:4C:E6:DE:D2:B9:12:5A:8F:33:DE:21:64:08:BE:1B:D5:
                                        1B:C2:2C:07:AB:4D:40:3F:87:C7:60:41:EC:9C:48:35:D0:16:
                                        70:DD:A7:28:26:34:A4:54:E4:55:14:72:2A:0A:39:A8:39:E5:
                                        4A:CA:1F:D9:10:4C:7B:BC:BE:F4:08:64:CE:A0:43:7D:FA:EB:
                                        B4:7C:F7:0B:D6:AF:C9:AA:37:B9:9A:10:6F:3D:2F:D7:71:FC:
                                        DB:6C:76:E5:9F:25:DC:80:D6:BB:71:E7:9C:31:42:F8:A3:D4:
                                        67:E3:5D:F8:FB:9A:EF:44:E4:E3:C1:8C:00:23:9D:C0:37:76:
                                        23:9D:B5:B3:C4:45:D7:84:C9:10:4D:26:56:CF:6D:AA:F3:10:
                                        34:AC:C4:AC:7B:7A:CA:D1:BC:D6:D6:84:74:AB:42:FB:AE:56:
                                        EC:26:09:DF:A1:2B:B1:AD:D5:F7:78:8C:89:0D:B1:5F:A9:D1:
                                        23:63:8E:8E:BF:AE:26:F8:EC:39:8A:4C:45:5C:3B:AB:BE:40:
                                        23:7D:73:F2:A7
X509v3 Subject Alternative Name:
    Names:                              IP Address:10.10.10.10
    Critical:                           No


Generating a certificate signed by a CA from RADIUS

After generating the client csr, it has to be signed it with a CA certificate from the RADIUS server.

Example of CA certificate
wlc# sh crypto certificates cert default_ca.pem
Version:                                3
Serial:                                 43:60:5B:D5:8E:6B:0A:56:39:0D:0D:D2:6E:25:CF:31:37:F3:
                                        EB:24
Subject name:
    C(countryName):                     RU
    ST(stateOrProvinceName):            Russia
    L(localityName):                    Novosibirsk
    O(organizationName):                Eltex Enterprise Ltd
    CN(commonName):                     Eltex default certificate authority
Issuer name:
    C(countryName):                     RU
    ST(stateOrProvinceName):            Russia
    L(localityName):                    Novosibirsk
    O(organizationName):                Eltex Enterprise Ltd
    CN(commonName):                     Eltex default certificate authority
Validity period:
    Valid after:                        25.12.2023 09:32:54
    Invalid after:                      01.12.2123 09:32:54
Signature:
    Algorithm:                          sha256WithRSAEncryption
    Value:                              3C:7B:5B:A1:E9:E4:61:67:86:09:F0:54:BF:1F:18:47:7D:D3:
                                        F6:F0:B2:96:24:AC:88:41:EE:ED:69:43:1D:45:BD:5F:00:85:
                                        CE:6D:02:90:80:38:CC:1D:78:EE:58:6B:22:1D:D4:62:A0:6D:
                                        FB:1A:AB:E7:5C:29:99:1F:4E:FD:0D:92:85:35:6C:0E:22:78:
                                        3F:37:26:41:E3:6B:74:21:5F:AC:EF:2C:55:19:5E:44:AA:63:
                                        FE:40:6C:76:C4:29:F2:DB:35:E1:7B:CA:7C:E0:0B:D1:26:2E:
                                        D5:33:46:0A:F4:B0:E3:03:7D:0D:93:7E:D3:86:77:90:C9:EB:
                                        58:31:51:A7:09:76:D5:06:B1:70:14:E9:04:0B:5C:D1:1B:B0:
                                        44:45:41:6C:DC:CD:E6:B4:0A:85:04:1C:4A:31:63:3C:03:AE:
                                        3C:84:CB:01:C3:20:97:74:C8:42:63:A2:F1:B1:68:92:2F:9D:
                                        35:3E:61:97:37:4E:97:CD:75:78:72:C5:D1:B7:8F:5F:78:E0:
                                        B3:96:BA:0D:DB:4D:E5:B0:43:BC:D1:94:42:02:FD:5B:A6:7A:
                                        CC:33:B5:4E:CF:8C:2C:91:16:E8:3E:14:2C:ED:48:5A:2C:CD:
                                        E4:1C:B6:3D:F7:B4:5D:C8:F9:89:6B:E4:DC:31:CD:C8:27:C5:
                                        6C:1F:B4:DA
Public key info:
    Algorithm:                          RSA
    Key size:                           2048
    Exponent:                           65537
    Modulus:                            00:B7:D2:A2:88:E1:4D:80:62:26:43:09:82:85:4B:5F:7C:B3:
                                        77:0E:D5:E3:7C:62:F5:5A:12:16:71:4E:DA:48:A3:B5:6A:3F:
                                        83:F2:9B:BA:89:E7:0F:52:C5:F1:F2:DD:D2:7E:42:3A:F1:8A:
                                        AF:EC:0D:3C:47:C2:9A:7E:DC:27:B6:AA:4C:B0:3F:AE:5D:4F:
                                        93:17:A9:9F:60:B3:29:3B:46:7C:BA:F7:6C:73:95:F2:0E:BC:
                                        71:00:D7:47:BC:5E:4F:FB:8F:B8:E2:50:91:41:30:CE:73:DA:
                                        1F:17:2D:94:21:02:24:D5:FA:EA:1A:18:C6:1C:DB:9F:B2:2A:
                                        27:0B:2F:65:35:A7:FB:1E:32:40:28:85:CD:F8:B1:46:68:48:
                                        AB:7E:E7:5F:4E:B7:0D:8D:40:1A:03:76:24:A2:63:10:0A:C2:
                                        69:CD:DA:3E:E3:A0:C0:EF:9F:BA:B4:D5:37:89:F7:E8:9E:79:
                                        C2:8E:1A:65:45:4B:7F:1D:F5:44:C5:BD:C8:D9:81:C3:6B:C2:
                                        A0:1A:C7:A0:78:B1:D3:F3:C4:9A:A2:A1:25:82:94:EC:56:B9:
                                        F2:45:60:EC:24:B2:3B:1A:32:C9:B5:47:8F:B9:DC:24:CC:2D:
                                        89:67:05:0D:8C:50:4F:D8:6B:A1:48:57:30:71:16:95:0A:49:
                                        5C:48:41:0B:15
X509v3 Subject key identifier:
    ID:                                 CE:26:E0:9F:6B:39:95:5F:2C:AC:99:87:70:EA:90:7D:7E:C7:
                                        86:40
    Critical:                           No
X509v3 Authority key identifier:
    ID:                                 CE:26:E0:9F:6B:39:95:5F:2C:AC:99:87:70:EA:90:7D:7E:C7:
                                        86:40
    Critical:                           No
X509v3 Basic Constraints:
    CA:                                 Yes
    Critical:                           Yes

The commandof certificate generation has the form:

crypto generate cert csr <csr file name> ca <CA certificate file name> private-key <CA certificate key file name> filename <crt file name for saving>
Example of client certificate generation
wlc# crypto generate cert csr tester.csr ca default_ca.pem private-key default_ca_key.pem filename tester.crt
Certificate request self-signature ok
subject=C = ru, ST = Novosibirsk_oblast, L = 4_floor, O = ELTEX, OU = wireless, CN = tester@wlc.root, emailAddress = test@test.com
Example of generated certificate
wlc# sh crypto certificates cert tester.crt
Version:                                1
Serial:                                 56:5D:6F:19:3F:AB:17:5A:B5:7A:81:0F:0A:2A:AD:7F:9B:20:
                                        87:41
Subject name:
    C(countryName):                     ru
    ST(stateOrProvinceName):            Novosibirsk_oblast
    L(localityName):                    4_floor
    O(organizationName):                ELTEX
    OU(organizationalUnitName):         wireless
    CN(commonName):                     tester@wlc.root
    emailAddress(emailAddress):         test@test.com
Issuer name:
    C(countryName):                     RU
    ST(stateOrProvinceName):            Russia
    L(localityName):                    Novosibirsk
    O(organizationName):                Eltex Enterprise Ltd
    CN(commonName):                     Eltex default certificate authority
Validity period:
    Valid after:                        25.12.2023 09:40:47
    Invalid after:                      01.12.2123 09:40:47
Signature:
    Algorithm:                          sha256WithRSAEncryption
    Value:                              B5:8A:92:2A:A8:F0:82:0A:97:0D:D5:D1:5D:33:5F:F3:E2:A1:
                                        EE:3D:3D:F6:87:09:D0:4A:1F:E4:43:D8:E8:36:E5:A0:88:E2:
                                        80:80:59:EA:24:57:02:3D:3D:0A:21:4C:9C:FC:D8:88:27:3E:
                                        DF:96:75:A5:48:26:64:61:CE:ED:C9:91:AA:F4:10:63:2A:2D:
                                        95:8A:85:7E:55:68:8D:F3:08:F7:F4:08:61:1E:78:D5:51:75:
                                        89:23:E7:B5:49:18:55:E5:57:25:4C:3D:7E:65:73:60:AF:DC:
                                        50:72:2B:69:C8:A7:E7:03:7B:D7:C9:FF:5F:B2:17:3E:F0:71:
                                        46:E0:7F:14:77:00:D1:BB:B3:01:0F:4E:D0:F4:20:06:72:C2:
                                        62:53:D4:4C:84:E1:FD:95:3A:FE:18:77:AE:D8:ED:83:6C:47:
                                        4C:43:41:64:8E:60:38:8F:04:99:97:BE:C3:CB:DB:20:85:90:
                                        A9:0E:88:3D:D0:47:65:1D:CB:F5:9B:D9:87:36:9C:9B:CA:02:
                                        43:3F:45:34:F0:82:63:DA:A4:D3:88:07:10:E9:BD:F5:0C:BD:
                                        3C:E1:8A:2B:33:B9:07:F6:32:2A:D7:ED:91:8F:C3:F7:B2:C2:
                                        D1:B4:2A:F5:30:56:F2:5D:FF:DC:AC:03:C8:75:BA:D2:3F:3D:
                                        39:BD:59:2F
Public key info:
    Algorithm:                          RSA
    Key size:                           1024
    Exponent:                           65537
    Modulus:                            00:B0:52:66:23:B2:31:DE:EB:9F:44:BF:62:58:86:67:71:F0:
                                        79:A0:77:42:11:75:A3:F3:36:69:47:B5:5A:AD:64:98:9C:D4:
                                        29:E8:5D:89:E0:BB:90:6C:69:19:75:FC:B9:3F:B8:A5:D0:2E:
                                        47:59:A9:59:A1:6A:55:2E:70:3E:B3:AD:A8:FE:9B:33:C6:6C:
                                        90:B7:BD:4F:8D:C3:5C:6F:D5:39:9C:87:A1:54:C6:D2:E6:AC:
                                        F1:6A:23:77:36:6F:65:96:41:F5:06:08:EE:EA:C7:4C:C6:DA:
                                        F9:CA:9B:C5:69:3D:FF:18:09:8E:C9:E6:FE:3B:68:85:7B:F2:
                                        88:85:01

Creating a PKCS #12 container with key and certificates

The .p12 format, also known as PKCS #12, is a standard container format used to store and exchange encrypted or signed data. It can contain private keys, certificates, certificate chains, and other related information. It is recommended to use the .p12 format specifically because it is supported by almost all operating systems, firmware, and devices, including Windows, macOS, Linux, Android, and iOS. .p12 format containers can be password protected, which provides an additional layer of security. The password can be used to encrypt private keys and certificates, making them accessible only to authorized users. The .p12 format can store not only certificates, but also an entire certificate chain, simplifying the process of installing and updating certificates on different devices.

The container generation command has the following form:

crypto generate pfx private-key <Client certificate key file name> cert <Client certificate file name> ca <CA file name> password ascii-text <Container password> filename <File name for certificate saving (.p12)>
Example of container generation
wlc# crypto generate pfx private-key tester.pem cert tester.crt ca default_ca.pem password ascii-text 12345678 filename tester.p12

Radius-server local configuration

Enable tls mode domain in the radius-server local settings:

wlc(config-radius)# tls mode domain

Configuring SSID and RADIUS profile

For TLS authorization to work correctly, RADIUS profile and SSID profile must be configured to work with the required domain:

configure
	wlc
		ssid-profile default-ssid
    		description default-ssid
    		ssid wlc_tls_ssid
    		radius-profile tls-radius
  		exit
	    radius-profile tls-radius
    		auth-address 192.168.1.1
    		auth-password ascii-text encrypted 8CB5107EA7005AFF
    		domain wlc.root
  		exit

User configuration

To complete the WLC configuration, specify the generated certificate in the settings of the user for which it was generated. In the example common-name tester@wlc.root, so navigate to the settings of the tester user in the wlc.root domain and specify the name of this user's certificate file with the command:

crypto cert <file name>
Example:
wlc# configure
wlc(config)# radius-server local
wlc(config-radius)# domain wlc.root
wlc(config-radius-domain)# user tester
wlc(config-radius-user)# crypto cert tester.crt

Once configured, apply the changes:

wlc# commit
wlc# confirm
radius-server local configuration example:
radius-server local
  nas ap
    key ascii-text encrypted 8CB5107EA7005AFF
    network 192.168.1.0/24
  exit
  nas local
    key ascii-text encrypted 8CB5107EA7005AFF
    network 127.0.0.1/32
  exit
  domain default
  exit
  domain wlc.root
    user tester
      password ascii-text encrypted 8CB5107EA7005AFF
      crypto cert tester.crt
    exit
  exit
  virtual-server default
    no proxy-mode
    auth-port 1812
    acct-port 1813
    enable
  exit
  enable
  tls mode domain
  crypto private-key default_cert_key.pem
  crypto cert default_cert.pem
  crypto ca default_ca.pem
exit

Installing a client certificate

Exporting a client certificate

To configure TLS-authorization, install the certificate container and the server CA certificate on the client device. To do this, export them from the WLC. This can be done with the copy command using ftp, http, https, scp, sftp, tftp protocols, as well as to USB and MMC devices.

The command to transfer a container with a certificate has the following form:

copy crypto:pfx/<Container name> <DESTINATION>

where <DESTINATION> – popy path. 

Example of a certificate export command using tftp
wlc# copy crypto:pfx/tester.p12 tftp://100.110.1.79:/tester.p12
|******************************************| 100% (2861B) Success!

Exporting the RADIUS server CA certificate

​copy crypto:cert//<CA certificate file name> <DESTINATION>

where <DESTINATION> – copy path. 

Example of a certificate export command using tftp
wlc# ​copy crypto:cert/default_ca.pem tftp://100.110.1.79:/default_ca.pem

|******************************************| 100% (2861B) Success!

Installing certificates for Android devices with Android version 11 and higher

To install certificates on Android device, copy the contents of the archive to the client device.

  1. Open the phone settings and choose "Biometrics and security" → "Other security settings" → "Credential storage";


4.  If there are old certificates, delete them with the "Clear credentials" button;
5. To load new certificates, click the "Install from device storage" button;
6. The root and user certificates are installed by clicking the "WI-FI certificate" button.

7. Select the location of the extracted archive;

8. To load the root certificate, select the "default_ca.pem" file, then enter its name;

 

9. To load a client certificate, select the “tester.p12” file, then enter the password specified in the certificate and the name. 

   

Installing certificates for iOS devices

To install a certificate on your iOS device, send the certificate files (*.crt and *.p12) by mail to your e-mail address and open them on your phone or download the files to your phone via usb.

Installing the root certificate

Having opened an email with an attached file using standard iOS applications (Safari, Mail), click on the file with *.crt extension. When installing the certificate, the system will warn about the unreliability of the profile, allow the installation and the certificate will be successfully installed.

Installing the client certificate

Installing a user certificate is the same as installing a root certificate. Next, enter the certificate password. The password corresponds to the Password parameter of the certificate, which is located in the .txt file.

  

 

Installing certificates for Windows

  1. Open the .p12 file. There is no need to change the parameters. Click “Next”.

2. Enter the password. It matches the Password certificate parameter that was specified when generating the container on wlc.

3. Confirm the installation of the user certificate.

4. If the user certificate and root certificate are successfully installed, the following screen is displayed.

Connecting to a TLS enabled SSID

Connecting from Android

  1. In the Wi-Fi menu, find the previously created TLS-SSID SSID.

2. Set the network connection parameters:

EAP method: TLS

Certificate: default-ca

User certificate: user

Authorization: tester

The value of the "Authorization" parameter is set according to the user name in the certificate.
Domain: wlc-30
The value of the Domain parameter is set according to the value of the CN (commonName) parameter in the default_cert.pem server certificate.

3. If the parameters are entered correctly, authorization will be successful.

Connecting with Windows

To create and configure a new connection, open "Network ans Sharing Center"  "Set up a new connection or network".

In the window that opens, select "Manually connect to a wireless network" and click "Next".


Enter information about the wireless network:

  • Netwotk name;
  • Security Type: WPA2-Enterprise.

Check the "Start this connection automatically". Click "Next".

The network has been successfully added. Next, configure the connection settings.

Open the "Security" section, select the authentication method "Microsoft: Smart Card or other certificate (EAP-TLS)". Click "Settings".

Check the followings:

  • Use certificate on this computer;
  • Use simple certificate selection;
  • Confirm server authentication using certificate verification;
  • Use a different user name for the connection.

In the Trusted Root Certification Authorities list, select the root certificate “Eltex default certificate authority”. This is the CA certificate that was installed when the client certificate was installed.

Click "ОК".

In the opened window choose "Advanced settings".

Specify the authentication mode – "User authentication". Click "ОК".

Find the desired network and click "Connect". Select the user certificate to connect to the network and enter the user login. Click "ОК".

If the parameters are entered correctly, the connection will be successful.

Connecting with Ubuntu

Create a new connection to the network:

Specify ssid:

Enter the parameters to connect to the network:

  • Security – WPA & WPA2 Enterprice;
  • Authentication – TLS;
  • Identity – user name on the radius server;
  • CA certificate – CA certificate (downloaded from wlc separately);
  • User certificate – container with client certificate;
  • User private key – container with client certificate (also contains the key);
  • User key password – import password specified during container generation.

If the parameters are entered correctly, the connection will be successful.

Connecting with iOS

In the Wi-Fi settings menu, find the desired network. When connecting to the network, enter your personal login, select EAP-TLS mode.  Click "Identity" and choose the certificate. Go back to entering password and click "Join". In the opened window click  "Trust".

    

Updating and replacing the server certificate

There are commands to update the default CA certificate and/or server certificate:

wlc# update crypto default ca 
wlc# update crypto default cert 

To replace the server certificate, download the new certificate, CA certificate, and server certificate key and place them in the crypto:cert/ and crypto:private-key/ directories. After downloading the files, you should specify the server and CA certificates and the server certificate key in the radius-server local settings. The default certificate is specified by default.

Installing certificates in radius server settings
configure
	radius-server local
		crypto private-key my_cert_key.pem 
		crypto cert my_cert.pem 
		crypto ca my_ca.pem

After updating or replacing certificates, reboot the WLC or restart the RADIUS server:

radius-server local restore
wlc(config)# radius-server local 
wlc(config-radius)# no enable 
wlc(config-radius)# do commit 
wlc(config-radius)# do restore
wlc(config-radius)# do rollback

After upgrading or replacing the server certificate, reissue the client certificates.

  • Нет меток