EAP TLS Configuration

July 4th, 2024 – 5:57 am
Categorized as Computing Note
Written by La Ecrivain

The Microsoft documentation for EAP Host troubleshooting can be found at https://learn.microsoft.com/en-us/windows/win32/eaphost/enabling-tracing as of 7/3/24. The Microsoft documentation on Netsh commands is available at https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc779693(v=ws.10) as of 7/3/24.

There is a helpful FreeRADIUS HowTo at https://deployingradius.com/documents/configuration/certificates.html as of 7/3/24. The official FreeRADIUS documentation contains similar information, but it seems more spread out than this one-page quick reference.

The Microsoft documentation for importing into the Trusted Root Certification Authorities store is available at https://learn.microsoft.com/en-us/windows-hardware/drivers/install/trusted-root-certification-authorities-certificate-store as of 7/3/24.

Foxpass has a helpful guide for installing certificates on Windows for WiFi available at https://docs.foxpass.com/docs/install-scep-certificate-manually-on-windows as of 7/3/24. TP-Link has a great guide for configuring the clients available at https://www.tp-link.com/se/support/faq/3456/ as of 7/3/24. The TP-Link configuration leaves a security gap related to validating the server’s identity. The server identity needs to be validated, and the user should not be prompted to trust new servers or certification authorities. Kaplan Soft also has a Windows 10 EAP-TLS configuration available at https://www.kaplansoft.com/tekradius/Docs/Windows10EAP-TLSConfiguration.pdf as of 7/3/24. Fortinet also has a certificate import guide available at https://docs.fortinet.com/document/fortiauthenticator/6.6.0/examples/905663 as of 7/3/24. These guides show the old-style wireless configuration and not the new one for Windows 11, which requests a SHA-1 hash of the server certificate. None of these guides use the SHA-1 hash.
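
A check for the gap described above, as an added example that is not from the original post or the linked guides: it audits the EAP-TLS section of a wireless profile exported with `netsh wlan export profile` for server validation, the user trust prompt, and a pinned SHA-1 thumbprint. The XML fragments, server name and thumbprint are constructed, and the element names assume Microsoft's EapTlsConnectionPropertiesV1 schema.

```python
import xml.etree.ElementTree as ET

# Constructed, abbreviated EAP-TLS fragments (assumed schema:
# EapTlsConnectionPropertiesV1). Server name and thumbprint are placeholders.
TEMPLATE = """<EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
  <ServerValidation>
    <DisableUserPromptForServerValidation>{noprompt}</DisableUserPromptForServerValidation>
    <ServerNames>{names}</ServerNames>
    {roots}
  </ServerValidation>
</EapType>"""
PLACEHOLDER_SHA1 = " ".join(["ab"] * 20)  # 20 bytes, not a real certificate hash
WEAK = TEMPLATE.format(noprompt="false", names="", roots="")
HARDENED = TEMPLATE.format(
    noprompt="true", names="radius.example.org",
    roots="<TrustedRootCA>" + PLACEHOLDER_SHA1 + "</TrustedRootCA>")


def audit_eap_tls(xml_text):
    """Return server-validation findings for one EAP-TLS profile fragment."""
    fields = {}
    for el in ET.fromstring(xml_text).iter():
        name = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace
        fields.setdefault(name, []).append((el.text or "").strip())
    if "ServerValidation" not in fields:
        return ["no ServerValidation element: server identity is not checked"]
    findings = []
    prompt_off = fields.get("DisableUserPromptForServerValidation", ["false"])[0]
    if prompt_off.lower() != "true":
        findings.append("user can be prompted to trust a new server or CA")
    if not any(fields.get("ServerNames", [])):
        findings.append("no expected server name is set")
    roots = [r for r in fields.get("TrustedRootCA", []) if r]
    if not roots:
        findings.append("no trusted certificate thumbprint is pinned")
    for root in roots:
        digits = root.replace(" ", "")
        if len(digits) != 40 or any(c not in "0123456789abcdefABCDEF" for c in digits):
            findings.append("thumbprint is not a 20-byte SHA-1 value: " + root)
    return findings


if __name__ == "__main__":
    for label, profile in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_eap_tls(profile) or "server validation is pinned")
```

An empty findings list means the profile names its server, pins a thumbprint, and suppresses the trust prompt.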

The official FreeRADIUS documentation for creating certificates can be found at https://freeradius.org/documentation/freeradius-server/4.0.0/raddb/certs/index.html as of 7/3/24.