Implement EAP-TLS with pfSense and FreeRADIUS


This guide shows how pfSense can be configured to implement EAP-TLS for a more secure method of WiFi authentication.

Create Certificate Authority and Certificates

  1. Create a Certificate Authority by navigating to System>Cert. Manager>CAs. Name it something like FreeRADIUS CA.
  1. Navigate to the Certificates tab and create an internal server certificate using the certificate authority we created in the previous step. We used “FreeRADIUS Server Certificate” for the descriptive name and the common name, and “FreeRADIUS CA” as the certificate authority. Make sure the certificate type is set to “Server Certificate”.
  1. Also under the Certificates tab, create your user certificates using the same certificate authority (FreeRADIUS CA). We used “FreeRADIUS User Certificate” as the descriptive name, and “your-username” as the common name.

Install and Configure FreeRADIUS Server

  1. Install the FreeRADIUS package by navigating to System>Package Manager>Available Packages.
  2. Navigate to Services>FreeRADIUS
  3. Under the Users tab, add a user with the same name as the common name of the user certificate that was created in the previous step. We used your-username. Also, complete the password field if you would like to require the user to enter a password when connecting to the WiFi in addition to providing the correct certificate. If you leave the password field blank, the user will only need to provide the correct certificate to authenticate and connect to the WiFi network.
  1. Under the NAS/Clients tab, add a new client. In the Client IP Address field, enter the IP address of the access point that will act as the client connecting to the RADIUS server. In the Client Shortname field, enter the hostname of the access point. Here we used as the Client IP Address, and omada as the hostname in Client Shortname. Enter a password for the Client Shared Secret, which we will later need to use in the configuration of the access point for its connection to the RADIUS client. Confirm that UDP is set as the Client Protocol.
  1. Under Interfaces tab, add a new item with Authentication as the Interface Type and 1812 as the Port. Add a second item with Accounting as the Interface Type and 1813 as the Port, and a third item with Status as the Interface Type and 1816 as the Port. When you’re done, the Interfaces tab should look like this:
  1. Under the EAP tab, check the box to Disable Weak EAP Types. Select the certificate of the certificate authority we created (FreeRADIUS CA) as the SSL CA Certificate, and select the server certificate we created (FreeRADIUS Server Certificate) as the SSL Server Certificate. In the EAP-TLS section, select Include Length. In the EAP-TTLS section, select TLS as the Default EAP Type. Under the EAP-PEAP section, select TLS as the Default EAP Type.

Configure User Device

  1. Export the certificate authority (FreeRADIUS CA) and the user certificate you created (FreeRADIUS User Certificate) onto the user’s device. If you are using Window, add the certificate authority and the user certificate to the Windows certificate store as Trusted Root. If you’re using a mobile device, add the certificate authority and user certificate to the configuration for the WiFi connection.

Configure Access Point

[To be completed]


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.