DN WPA-Enterprise WiFi with client certificates
This article describes support for WPA-Enterprise in DN from version 0.2.41 onwards. WPA-Enterprise uses the Extensible Authentication Protocol (EAP) to authenticate WiFi clients, and a number of different EAP types are defined.
Before 0.2.41, WPA-Enterprise support was limited and fixed to EAP-PEAP with name and password but without a certificate authority.
EAP Types supported from version 0.2.41 onwards
DN supports EAP types EAP-PEAP and EAP-TLS.
EAP-PEAP uses a name and password to authenticate the DN.
EAP-TLS uses client certificates along with a certificate authority to authenticate the DN.
Certificate Preparation
Two certificate files are required to configure EAP-TLS on the DN. These must be in the correct format and have the correct filename extensions.
Certificate Authority
The CA certificate file must be in PEM format and have the filename extension .pem. If the CA is supplied in an eduroam catalog file, which is XML, it needs to be extracted from that file using a text editor and saved as a text file as follows.
Line from catalog
<CA format="X.509" encoding="base64">MIIF3 etc mwHoqfAl</CA>
Create a text file called something like myca.pem
Add the first line as -----BEGIN CERTIFICATE----- and the last line as -----END CERTIFICATE-----
Then copy all the data between <CA format="X.509" encoding="base64"> and </CA> into the file between the first and last lines, so it ends up as
-----BEGIN CERTIFICATE-----
MIIF3 etc mwHoqfAl
-----END CERTIFICATE-----
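The manual extraction above can also be scripted. The following is an added example, not part of the DN documentation: it takes every <CA format="X.509" encoding="base64"> element from a catalog file, rejects data that is not valid base64 or does not decode to something DER-shaped, and wraps the rest in the BEGIN/END CERTIFICATE lines. The sample catalog, its wrapper elements and the placeholder certificate bytes are constructed for illustration.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Constructed placeholder bytes (NOT a real certificate): DER data starts 0x30.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
# Constructed catalog; only the <CA ...> element shape comes from the article.
SAMPLE_CATALOG = (
    "<catalog><ServerSideCredential>\n"
    '  <CA format="X.509" encoding="base64">'
    + base64.b64encode(SAMPLE_DER).decode("ascii")
    + "</CA>\n</ServerSideCredential></catalog>"
)


def ca_elements_to_pem(catalog_xml):
    """Return one PEM block per <CA format="X.509" encoding="base64"> element."""
    pems = []
    for elem in ET.fromstring(catalog_xml).iter():
        # Compare the local name so a namespaced catalog is matched as well.
        if elem.tag.rsplit("}", 1)[-1] != "CA":
            continue
        if elem.get("format") != "X.509" or elem.get("encoding") != "base64":
            continue
        b64 = "".join((elem.text or "").split())  # drop line breaks and indentation
        try:
            der = base64.b64decode(b64, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"CA element is not valid base64: {exc}") from exc
        # A DER certificate is an ASN.1 SEQUENCE, whose first byte is 0x30.
        if not der.startswith(b"\x30"):
            raise ValueError("decoded CA data does not look like a certificate")
        # Re-encode from the decoded bytes and wrap at 64 characters per line.
        clean = base64.b64encode(der).decode("ascii")
        body = "\n".join(clean[i:i + 64] for i in range(0, len(clean), 64))
        pems.append(
            f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
        )
    return pems


if __name__ == "__main__":
    # Save the printed block as e.g. myca.pem (note the .pem extension).
    for pem in ca_elements_to_pem(SAMPLE_CATALOG):
        print(pem, end="")
```

With a real CA, the resulting file can be checked with openssl x509 -in myca.pem -noout -subject before it is uploaded.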
Client Certificate
The Client certificate file must be in PKCS12 format and have the filename extension .p12. It can optionally have a password to encrypt the certificate file and a further password to encrypt the private key.
Android requires certificate files to be in “legacy” format if they have been created using openssl version 3 or later. To convert a client certificate file use the following openssl version 3 commands.
Given a client certificate file called client.p12 that was created with openssl version 3, convert it with
openssl pkcs12 -nodes < client.p12 > certbag.pem
and then
openssl pkcs12 -export -legacy -in certbag.pem > clientlegacy.p12
Now use the file clientlegacy.p12 as the client certificate and delete the file certbag.pem, which holds the private key unencrypted because of the -nodes option.
Certificate Upload
Before certificates can be used for WiFi Authentication they must be uploaded to the DN. This is done via the Web Interface accessed from MENU, SETTINGS, WIFI, ADVANCED.
Transfer the certificates to the device that will be used to connect to DN WiFi Advanced Configuration, e.g. a smartphone, so they are available in its file manager.
Switch the DN to WIFI ADVANCED mode.
Connect the smartphone to the WiFi network that the DN provides, e.g. DN-DPCA09163.
Wait for the “Login” web page to display.
Tap on CERTIFICATE FILES
Tap on Choose File, browse to either your CA file (.pem) or client file (.p12), and then click UPLOAD CERTIFICATE FILE.
The file should then appear in the list of CERTIFICATE FILES.
Repeat for the second file.
Once both files are uploaded then click on DONE.
DN Configuration
Once the certificate files are in place, select WIFI SETUP from the main menu on the web page.
Either select an existing SSID or add a new one, and select SECURITY TYPE as WPA-Enterprise.
Then select TLS from EAP TYPE.
Select the .pem file that was previously uploaded as CA FILE.
Enter a user name if needed, then choose the client certificate file and enter passwords if needed for the certificate encryption and for the separate key encryption if used.
Then press APPLY and then DONE on the next screen. This should install the new WiFi network configuration and connect to the network if it is all configured correctly.
Certificate Delete
To delete a certificate go to CERTIFICATE FILES again and select the file to delete from the list.
Then click on DELETE. The file will then be removed from the list.
Editing WiFi Configurations
It is recommended that you delete the existing WiFi configuration and then recreate it with the new settings rather than trying to edit an EAP-TLS configuration.