Switching back to self-signed certs for freeradius Wi-Fi authentication

I use freeradius to control access to our Wi-Fi.

It’s probably overkill, but I find it a useful way of doing VLAN steering while broadcasting just one SSID.

(Invariably, I don’t broadcast just one SSID, as there are plenty of devices which can’t cope with EAP authentication, but oh well…)

Initially, I was using self-signed certificates generated within freeradius (well, by openssl), but then I ran into a problem with Android 13.

At the time, I “solved” it by switching to use Let’s Encrypt certs.

I have been using Let’s Encrypt certs for this for a while, and it has worked really well… with the exception of Sandra’s iPhone.

With Sandra’s iPhone, every 90ish days - when the Let’s Encrypt cert renews - Sandra is disconnected from the Wi-Fi, until she manually enters her RADIUS password and accepts the new certificate.

I don’t know why, and I haven’t been able to work out why, this affects Sandra’s phone, and not, say, her iPad, or the Apple TV.

And, while it is just one device, only every three or so months, it is annoying enough to need a fix.

So I’ve fixed it.

Unfortunately, I’ve fixed it by moving away from Let’s Encrypt certs, back to some self-signed certs within freeradius…

What I did differently this time was:

	tls-config tls-common {
		private_key_password = VerySecurePassword123!
		private_key_file = /etc/freeradius/certs/server.pem
		certificate_file = /etc/freeradius/certs/server.crt
	}

I’ve yet to do the Apple TV…

But, fingers crossed, this will keep me good until the sooner of me deciding that using RADIUS is just a bad idea, and ten years.
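For anyone wanting to reproduce the self-signed setup, here is an added example of the certificate generation step (my own illustration, not the script from the post and not FreeRADIUS's bundled certificate bootstrap). It creates a private CA and a ten-year server certificate with openssl, encrypts the server key with the same passphrase that goes into private_key_password, and then checks the things that tend to bite with phone clients: that the chain verifies against the CA, that the certificate carries the serverAuth extended key usage and a subjectAltName, that the key passphrase actually matches, and that the validity really is close to ten years. The directory, hostname (radius.example.internal) and passphrase are assumptions; in production the files would be written to /etc/freeradius/certs as in the config above.

```shell
#!/bin/sh
# Added example: build a private CA plus a ten-year EAP server certificate
# for FreeRADIUS with openssl, then sanity-check the result.
set -eu

CERT_DIR="${CERT_DIR:-$(mktemp -d)}"        # assumption: /etc/freeradius/certs in production
DAYS=3650                                   # ten years, to match the post
KEY_PASS="${KEY_PASS:-ChangeMe-example}"    # placeholder; must equal private_key_password
SERVER_NAME="radius.example.internal"       # assumed hostname for the RADIUS server

# Self-signed CA that the phones will be asked to trust.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$DAYS" \
    -subj "/CN=Example Home RADIUS CA" \
    -keyout "$CERT_DIR/ca.key" -out "$CERT_DIR/ca.pem" 2>/dev/null
}

# Server certificate signed by that CA. EAP clients expect a serverAuth EKU
# and a SAN, so both are set explicitly via an extensions file.
make_server_cert() {
  cat > "$CERT_DIR/server.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$SERVER_NAME
EOF
  # Key is written encrypted; FreeRADIUS unlocks it with private_key_password.
  openssl req -new -newkey rsa:2048 -sha256 -subj "/CN=$SERVER_NAME" \
    -passout "pass:$KEY_PASS" -keyout "$CERT_DIR/server.pem" \
    -out "$CERT_DIR/server.csr" 2>/dev/null
  openssl x509 -req -in "$CERT_DIR/server.csr" \
    -CA "$CERT_DIR/ca.pem" -CAkey "$CERT_DIR/ca.key" -CAcreateserial \
    -days "$DAYS" -sha256 -extfile "$CERT_DIR/server.ext" \
    -out "$CERT_DIR/server.crt" 2>/dev/null
}

# Exit 0 if the server certificate chains to the CA.
verify_chain() {
  openssl verify -CAfile "$CERT_DIR/ca.pem" "$CERT_DIR/server.crt" >/dev/null 2>&1
}

# Exit 0 if the certificate is still valid N days from now.
cert_valid_for_days() {
  openssl x509 -in "$CERT_DIR/server.crt" -noout -checkend $(( $1 * 86400 )) >/dev/null 2>&1
}

# Exit 0 if the given passphrase unlocks the private key.
key_password_ok() {
  openssl pkey -in "$CERT_DIR/server.pem" -passin "pass:$1" -noout 2>/dev/null
}

# Exit 0 if the certificate advertises the TLS server EKU and the SAN.
has_eap_server_extensions() {
  text=$(openssl x509 -in "$CERT_DIR/server.crt" -noout -text)
  printf '%s\n' "$text" | grep -q "TLS Web Server Authentication" &&
    printf '%s\n' "$text" | grep -q "DNS:$SERVER_NAME"
}

make_ca
make_server_cert
echo "certificates written to $CERT_DIR"
```

After running it, the three paths in the tls-config block point at server.pem, server.crt and (for ca_file) ca.pem, and ca.pem is the certificate to install on each phone. The check functions are what I would run again after any regeneration, since a cert that verifies but lacks the EKU or SAN is exactly the kind of thing that makes one device prompt for re-acceptance while the others carry on.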

What I’d like to do is enable cert-based RADIUS authentication for ethernet cabled connections too so that, by default, plugging into a port on our UniFi in-wall APs drops clients onto the “guest” network but, if I use my own laptop, it will get onto a non-guest network.

That sounds fun.

Or I go the other way, and get rid of “trusted” networks completely, and rely on either VPNs to get me into segmented network portions or… just rely on TLS’d connections and MFA from untrusted networks.