Importing the root CA

EAP Configuration: Article 5 of 5

The final step to configuring EAP for FreeRADIUS is to add the CA (Certificate Authority) to every client machine that performs EAP authentication.

Before proceeding with this step, make sure that you have already done the following:

If you have done all of these steps, you are ready to go ahead with adding the CA certificate to all the client machines.

The simplest way to do this is to copy the ca.der file from the /etc/raddb/certs directory to the Windows desktop, and then double-click on it. This should start the process of importing the certificate into the Windows certificate store.

If double-clicking on the file does not work, see the EAP-TLS Howto on the main FreeRADIUS site for more detailed instructions, with screenshots. That document calls the CA certificate root.der rather than ca.der, but it has the same meaning.
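A scripted alternative to double-clicking, which also confirms that the copied file is the same certificate that sits on the server before it is trusted. This is an added example, not part of the original article or the FreeRADIUS documentation. It assumes ca.der is on the current user's desktop and that the expected fingerprint was read on the RADIUS server with "openssl x509 -inform DER -in /etc/raddb/certs/ca.der -noout -fingerprint -sha256"; the variable names and the placeholder value are illustrative.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell session.
# Assumption: ca.der was copied to the current user's desktop.
$caPath = Join-Path $env:USERPROFILE 'Desktop\ca.der'

# Placeholder: the SHA-256 fingerprint of /etc/raddb/certs/ca.der, read on the
# RADIUS server itself and carried to the client over a separate trusted channel.
$expected = '<SHA-256 fingerprint from the server>'

# Accept the fingerprint with or without colons, in either case.
$want = ($expected -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($want.Length -ne 64) {
    throw 'Set $expected to the 64-hex-digit SHA-256 fingerprint before running.'
}

# ca.der is the raw DER encoding of the certificate, so the SHA-256 of the file
# is the certificate's SHA-256 fingerprint.
$got = (Get-FileHash -Path $caPath -Algorithm SHA256).Hash
if ($got -ne $want) {
    throw "Fingerprint mismatch for ${caPath}: expected $want, got $got"
}

$x509 = 'System.Security.Cryptography.X509Certificates'
$cert = New-Object "$x509.X509Certificate2" -ArgumentList $caPath

# Refuse anything that is not a currently valid CA certificate.
$bc = $cert.Extensions |
    Where-Object { $_.GetType().Name -eq 'X509BasicConstraintsExtension' }
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw 'Certificate is not marked as a CA.'
}
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw 'Certificate is outside its validity period.'
}

# Add it to the machine-wide Trusted Root Certification Authorities store.
$store = New-Object "$x509.X509Store" -ArgumentList 'Root', 'LocalMachine'
$store.Open('ReadWrite')
try { $store.Add($cert) } finally { $store.Close() }

"Imported {0} (thumbprint {1})" -f $cert.Subject, $cert.Thumbprint
```

The script stops before touching the certificate store if the fingerprint, CA flag or validity check fails, so a substituted or truncated ca.der is never added as a trusted root.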

Once the ca.der file is imported onto the client system, ensure that the "Verify server’s identity by validating the certificate" option is checked in the 802.1X supplicant (e.g. a Windows laptop). Other supplicants (e.g. Mac OSX or wpa_supplicant) use different methods for configuring a known certificate. See their documentation for more information.

Note: if you would prefer a command line tool instead of clicking through windows, see Command line testing for EAP configuration.

Protected EAP properties

For a step-by-step walkthrough of how to get to this window, see our guide to EAP configuration.

Then, log in using the user name and password from the PAP howto (which we assume you have already followed). If all goes well, the server should send back an Access-Accept packet.

When the above method is used, the following authentication types should just work:

  • PEAPv0
    • EAP-GTC
    • EAP-MSCHAPv2
  • EAP-TTLS
    • PAP
    • CHAP
    • MS-CHAP
    • EAP-MD5
    • EAP-MSCHAPv2

At this point, there are only a few things that can go wrong. See the EAP problems page for some common problems and solutions.

If everything works, then congratulations, you have successfully configured the hardest parts of EAP authentication. If you are still struggling after following all these steps, consider posting your issues to the FreeRADIUS users mailing list.

Need more help?

Network RADIUS has been helping clients around the world design and deploy their RADIUS infrastructure for 20 years. We specialize in complex systems and have seen pretty much every variation and problem out there. If you want help from the people who wrote FreeRADIUS, visit our quote page to contact us for a consultation.
