A device that acts as a RADIUS server must have an EAP/TLS certificate. If this is missing, authentication will fail.
An EAP/TLS certificate can be created on a suitable router with Smart Certificate and then imported to the router operating the RADIUS server, or it can be obtained from another router per SCEP client.
This article describes how to check whether the EAP/TLS certificate is missing and how to obtain one via Smart Certificate or via SCEP client.
For routers without a WLAN module, the SCEP client currently cannot select the usage type EAP/TLS in LANconfig and WEBconfig. Currently, obtaining certificates by means of the SCEP client can only be set up from the command-line interface (CLI). In this case, LANCOM Systems recommends creating and uploading the certificate separately, for example by means of Smart Certificate (see step 2).
Whether the certificate is generated with Smart Certificate or obtained from another router via the SCEP client, you must ensure that the router in question generates the certificate with the SHA-256 signature algorithm. Otherwise, end devices may not be able to authenticate at the RADIUS server. Please see this Knowledge Base article regarding this issue.
- LCOS as of version 9.10 (download latest version)
- LANtools as of version 9.10 (download latest version)
- Any web browser for access using WEBconfig
- SSH client, e.g. PuTTY
- Previously installed RADIUS authentication
- Authentication of RADIUS clients by username and password (PEAP)
- Central-site gateway, WLAN controller or router with VPN 25 option (to create an EAP/TLS certificate by Smart Certificate)
1) Check for an existing EAP/TLS certificate:
1.1) Using SSH, connect to the router with root privileges and enter the command show eap.
If the message no valid EAP/TLS root CA certificate present or no valid EAP/TLS device certificate present is displayed, there is no EAP/TLS certificate available.
Alternatively, you can create an EAP trace. If the messages missing root certificate, hope you know what you're doing ... and missing device certificate, giving up are displayed, there is no EAP/TLS certificate available.
2) Creating an EAP/TLS certificate via Smart Certificate and uploading the certificate:
2.1) Create a TLS server certificate
as described in this Knowledge Base article
The TLS client certificate is not required because authentication is not done by certificate, but by username and password (PEAP).
2.2) Connect to the router with a browser and switch to the menu File Management → Upload Certificate or File.
2.3) Enter the following parameters:
- File Type: From the drop down menu, select EAP/TLS - Container as PKCS#12 file (*.pfx, *.p12).
- File Name/Location: Enter the storage location of the EAP/TLS certificate created in step 2.1.
- Passphrase: Enter the passphrase set in step 2.1.
2.4) Authentication at the RADIUS server is now possible.
3) Obtaining the EAP/TLS certificate via SCEP client:
3.1) Configuration steps on the router with the active Certification Authority (CA):
Except for steps 3.1.2) and 3.1.4), the following steps are not required on a WLAN controller that is already set up and functioning. This is because administration of the access points requires the CA and the SCEP client.
For certificates to be generated, the device must be set with the correct time of day.
3.1.1) Open the configuration of the router from which the EAP/TLS certificate is to be obtained and navigate to the menu Certificates → Cert. authority (CA).
3.1.2) Make sure that the checkmark is set for Certificate authority active (CA) and save the CA Distinguished Name for later use.
3.1.3) Write the configuration back to the device to generate the General challenge password.
3.1.4) Open the configuration in LANconfig, navigate to the menu Certificates → Certificate handling and save the General challenge password for later use.
3.1.5) In LANconfig, open the configuration for the router, navigate to the menu Certificates → SCEP client and set a checkmark next to SCEP client usage activated.
3.2) Configuration steps on the router with active RADIUS server:
3.2.1) In LANconfig, open the configuration for the router, navigate to the menu Certificates → SCEP client and set a checkmark next to SCEP client usage activated.
3.2.2) Navigate to the menu Certificates → SCEP Client → CA table.
3.2.3) Create a new entry and enter the following information:
- Name: Enter a descriptive name.
- URL: Enter the URL in the format https://<IP address of the CA>/cgi-bin/pkiclient.exe.
- In this case the router itself is not the CA, so you need to use the IP address of the router with the active CA.
- e.g. https://192.168.0.1/cgi-bin/pkiclient.exe
- Distinguished name: Enter the CA distinguished name (see step 3.1.2).
- Activate the registration authority: Enable automatic approval (RA-Auto-Approve).
3.2.4) Navigate to the menu Certificates → SCEP Client → Certificate table.
3.2.5) Create a new entry and enter the following parameters:
- Name: Enter a descriptive name.
- CA distinguished name: Enter the CA distinguished name (see step 3.1.2).
- Subject: Store a Subject (e.g. /CN=RADIUS SERVER/O=LANCOM SYSTEMS/C=DE).
- Challenge password: Store the General challenge password (see step 3.1.4).
- Extended key usage: Enter critical, serverAuth and clientAuth.
- Key length: From the drop-down menu, select the value 2048.
- Usage type: From the drop-down menu, select EAP/TLS.
3.2.6) Authentication at the RADIUS server is now possible.