Switching back to self-signed certs for freeradius Wi-Fi authentication
I use freeradius to control access to our Wi-Fi.
It’s probably overkill, but I find it a useful way of doing VLAN steering while broadcasting just one SSID.
(Invariably, I don’t broadcast just one SSID, as there are plenty of devices which can’t cope with EAP authentication, but oh well…)
Initially, I was using self-signed certificates generated within freeradius (well, by openssl), but then I ran into a problem with Android 13.
At the time, I “solved” it by switching to use Let’s Encrypt certs.
I have been using Let’s Encrypt certs for this for a while, and it has worked really well… with the exception of Sandra’s iPhone.
With Sandra’s iPhone, every 90ish days - when the Let’s Encrypt cert renews - Sandra is disconnected from the Wi-Fi, until she manually enters her RADIUS password and accepts the new certificate.
I don’t know why, and haven’t been able to work out why, this affects Sandra’s phone and not, say, her iPad or the Apple TV.
And, while it is just one device, only every three or so months, it is annoying enough to need a fix.
So I’ve fixed it.
Unfortunately, I’ve fixed it by moving away from Let’s Encrypt certs, back to some self-signed certs within freeradius…
What I did differently this time was:
- I read through each of the .cnf files within `/etc/freeradius/certs`. The only changes I made were to (a) the passwords, and (b) `default_days` (i.e. the expiry period), increasing it from one year to ten years. Perhaps not ideal, but this is for our internal Wi-Fi.
- Within `/etc/freeradius/certs`, I destroyed the old certificates with `make destroycerts`.
- Then I regenerated the certificates with `./bootstrap`.
- I changed the config in `/etc/freeradius/mods-enabled/eap` to remove the Let’s Encrypt config, and add the config to use the newly-generated self-signed certs:

  ```
  tls-config tls-common {
      private_key_password = VerySecurePassword123!
      private_key_file = /etc/freeradius/certs/server.pem
      certificate_file = /etc/freeradius/certs/server.crt
  }
  ```

- I restarted freeradius with `systemctl restart freeradius` (I didn’t need to use `freeradius -X` this time; it “just worked”)!
- I tail’d the log files while I “forgot” the Wi-Fi connection on my phone and Sandra’s phone, and set them up again. No complaints, and the new CA is valid for 10 years.
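As an added check (this script is not the author’s, nor part of FreeRADIUS), the following POSIX shell script verifies what `./bootstrap` should have left behind before you restart the server: that the server certificate chains to the CA the supplicants are told to trust, and that both certificates are still valid for a chosen number of days. It assumes an `openssl` binary, the `/etc/freeradius/certs` directory from the steps above, the `server.crt` name from the eap config above, and `ca.pem` as the name of the generated CA (the usual bootstrap output, but an assumption here). The `--demo` mode builds throwaway certificates in a temporary directory as a constructed stand-in for the bootstrap output, so the script can be tried on a machine without FreeRADIUS installed.

```shell
#!/bin/sh
# Added example, not the author's script: sanity-check the self-signed certs
# that FreeRADIUS's ./bootstrap generates before restarting the server.
# Assumes an openssl binary and the file names ca.pem / server.crt (assumption).
set -eu

# 0 if cert $1 is still valid $2 days from now, 1 if it expires before then.
# (After the author's change, the CA should be good for roughly 3650 days.)
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# 0 if the server cert ($2) verifies against the CA ($1). This is the check a
# supplicant that has been configured to trust ca.pem performs at connect time.
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Subject and expiry of a cert, for eyeballing in the terminal.
show_cert() {
    openssl x509 -in "$1" -noout -subject -enddate
}

# Stand-in for ./bootstrap so the checks can be exercised without FreeRADIUS:
# a throwaway CA plus a server cert it signs, both valid for $2 days.
# Constructed test data, not real RADIUS certificates.
make_demo_certs() {
    dir=$1; days=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -subj "/CN=Demo RADIUS CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=radius.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
    openssl x509 -req -days "$days" -in "$dir/server.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server.crt" >/dev/null 2>&1
}

# Run every check against a cert directory; returns 0 only if all pass.
check_certdir() {
    dir=$1; want_days=${2:-365}
    show_cert "$dir/ca.pem"
    show_cert "$dir/server.crt"
    chains_to_ca "$dir/ca.pem" "$dir/server.crt" \
        || { echo "FAIL: server.crt does not chain to ca.pem" >&2; return 1; }
    valid_for_days "$dir/ca.pem" "$want_days" \
        || { echo "FAIL: ca.pem expires within $want_days days" >&2; return 1; }
    valid_for_days "$dir/server.crt" "$want_days" \
        || { echo "FAIL: server.crt expires within $want_days days" >&2; return 1; }
    echo "OK: certs in $dir chain correctly and outlast $want_days days"
}

# Usage: sh check-radius-certs.sh [CERTDIR [MIN_DAYS]]   or   --demo
case "${1:-}" in
    --demo)
        tmp=$(mktemp -d)
        make_demo_certs "$tmp" 3650
        check_certdir "$tmp" 3000
        rm -rf "$tmp" ;;
    '') ;;   # no arguments: only define the functions
    *) check_certdir "$1" "${2:-365}" ;;
esac
```

On the real box, run it as root against `/etc/freeradius/certs` straight after `./bootstrap`; if `chains_to_ca` fails, the supplicants will reject the server no matter what the eap config says, and if the CA expiry check fails you will be back to re-pairing phones sooner than planned.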
I’ve yet to do the Apple TV…
But, fingers crossed, this will keep me good until the sooner of me deciding that using RADIUS is just a bad idea, and ten years.
What I’d like to do is enable cert-based RADIUS authentication for ethernet cabled connections too so that, by default, plugging into a port on our UniFi in-wall APs drops clients onto the “guest” network but, if I use my own laptop, it will get onto a non-guest network.
That sounds fun.
Or I go the other way, and get rid of “trusted” networks completely, and rely on either VPNs to get me into segmented network portions or… just rely on TLS’d connections and MFA from untrusted networks.