WiFi Certificate based Authentication Test


Andres Garay

Aug 3, 2021, 1:17:02 PM
to KaplanSoft TekRADIUS
Hi, I want to do a very basic proof of concept WiFi authentication using certificates.
I use Meraki APs, TekRADIUS LT (licensed) and have downloaded the free version of TekCert for testing.
Has anybody done this kind of deployment with Meraki APs, or is there a basic starter guide I could use to try to begin?

Thanks

Andres

Yasin KAPLAN

Aug 3, 2021, 1:21:52 PM
to KaplanSoft TekRADIUS
Hi,

You should just need to configure your AP for WPA-Enterprise and set TekRADIUS as your RADIUS server. Create a client entry in TekRADIUS Manager for the AP or WLAN controller.

You need to create a server certificate for TekRADIUS for server authentication and client certificates for client authentication. Export the client certificates in .pfx format and deploy them (import into the Windows Certificate Store / Current User / Personal folder) in the clients. EAP-TLS must be the preferred EAP authentication in the clients (this is the default in Windows 10 clients).

Best regards,

Yasin KAPLAN
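
An added example, not part of the original thread and not KaplanSoft's code: a PowerShell check for the client-side step described in the reply above, importing the exported .pfx into Current User / Personal and confirming that it carries a private key, allows Client Authentication, and chains to a trusted root. The file path and the lab CA without a CRL are assumptions.

```powershell
# Added example: import a client .pfx into Current User / Personal and check it for EAP-TLS use.
# Assumed, not from the thread: the file path below and a lab CA that publishes no CRL.
$pfxPath  = 'C:\Temp\client-user.pfx'                      # hypothetical export location
$password = Read-Host -Prompt 'PFX password' -AsSecureString

$cert = Import-PfxCertificate -FilePath $pfxPath `
            -CertStoreLocation 'Cert:\CurrentUser\My' -Password $password

$problems = @()

# EAP-TLS needs the private key, not just the public certificate.
if (-not $cert.HasPrivateKey) { $problems += 'certificate was imported without its private key' }

# If an Enhanced Key Usage extension is present, it must allow Client Authentication.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if ($eku -and ($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -notcontains $clientAuthOid) {
    $problems += 'EKU does not include Client Authentication'
}

# The chain must end in a root this user trusts, so the issuing CA certificate must be installed too.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Lab assumption: no CRL is published. Remove this line where revocation data is available.
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($cert)) {
    $problems += $chain.ChainStatus | ForEach-Object { 'chain: ' + $_.StatusInformation.Trim() }
}

if ($problems.Count -eq 0) {
    "OK: $($cert.Subject) [$($cert.Thumbprint)] passed the client certificate checks"
} else {
    $problems | ForEach-Object { "FAIL: $_" }
}
```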

Andres Garay

Aug 4, 2021, 9:43:41 AM
to KaplanSoft TekRADIUS
Thanks Yasin.

Then on the TekRADIUS GUI I would select that certificate from the drop down under Settings -> Service Parameters -> Certificate, right?

I will continue the test and report back. Probably the biggest part will be the certificate creation and export, but I will play around with TekCert.

Andres

Yasin KAPLAN

Aug 4, 2021, 9:44:19 AM
to KaplanSoft TekRADIUS
You are welcome. I'll be waiting for your feedback.

Andres Garay

Aug 6, 2021, 3:19:34 PM
to KaplanSoft TekRADIUS
Hi, a couple of follow up questions:

On my Wireless controller (Meraki Cloud), the RADIUS port would be the TekRADIUS Authentication port (1812) or the TekRADIUS TLS port (2083)? 
Also, on the TekRADIUS settings -> Service Parameters, the default EAP Method should be EAP-TLS?

Thanks

Andres

Yasin KAPLAN

Aug 6, 2021, 5:25:13 PM
to KaplanSoft TekRADIUS
You should set it to 1812. You can leave the default value for EAP Method.

Andres Garay

Aug 9, 2021, 5:30:33 PM
to KaplanSoft TekRADIUS
Sorry to keep asking but I need a bit more guidance.
I have created the RADIUS client as Default, with the proper secret. Configured the Meraki dashboard settings to use RADIUS on port 1812 using the secret. Generated server and client certificates and installed them on the server and PC respectively.
Then configured the PC to connect following the instructions on the User manual.

Do I have to assign the values TLS-Server-Certificate, TLS-Client-Certificate and Authentication-Method as type "Check" to a user named Default? Or no need for that?

For some reason I'm not able to get this working yet.

Andres

Yasin KAPLAN

Aug 10, 2021, 5:37:58 AM
to KaplanSoft TekRADIUS
You do not have to configure TLS-Server-Certificate, TLS-Client-Certificate and Authentication-Method attributes for your setup. Can you send TekRADIUS log entries (Accessible through File menu) after setting log level to developer at Settings / Service Parameters for an authentication attempt?

Best regards,

Yasin KAPLAN

Andres Garay

Aug 11, 2021, 2:28:24 PM
to KaplanSoft TekRADIUS
An update for the group. I sent Yasin a copy of the logs and he suggested that I use user authentication instead of machine authentication. I also reviewed that the certificates used for testing were properly signed by the TekCert server.

The proof of concept is working as intended with Meraki APs and hopefully will get to make it into a production system soon.

Yasin KAPLAN

Aug 12, 2021, 5:17:36 AM
to KaplanSoft TekRADIUS
Thanks for your feedback Andres. We are waiting for your news for the production deployment.

Andres Garay

Aug 18, 2021, 11:42:16 AM
to KaplanSoft TekRADIUS
Hi Yasin, group, has anyone done this basic proof of concept test with Android and iOS devices? I'm wondering if a WPA2-Enterprise WiFi profile can be created manually and if the certificates can be easily installed, or if all needs to be deployed via an MDM solution.

Yasin KAPLAN

Aug 19, 2021, 5:13:55 AM
to KaplanSoft TekRADIUS

Yasin KAPLAN

Apr 21, 2022, 9:56:49 AM
to KaplanSoft TekRADIUS
Please follow instructions at https://www.kaplansoft.com/TekRADIUS/Docs/Windows10EAP-TLSConfiguration.pdf for Windows 10 EAP-TLS configuration.