Created a new certificate for the Windows 10 Professional client - 2048-bit - sha256 - common name: client001
FreeRADIUS configuration:
- NAS/Clients
  - Added an entry for the Cisco Enterprise Wireless Access point
  - Shared secret etc
  - Most settings left default
- Interface
  - Created a new interface for the Cisco Enterprise Wireless Access point to use
  - Most settings left default (Type - Authentication, Port 1812 etc)
- Settings
  - Left default
- EAP
  - Disable weak EAP types - Yes
  - Default EAP type - TLS
  - Ignore Unknown EAP Types - Yes
  - Certificates for TLS:
    - SSL CA Cert - internal Root CA selected
    - SSL Revocation List - internal Root CA Revocation List selected
    - SSL Server Certificate - radius.domain.local certificate selected
  - EAP-TLS - Left default
  - All other settings default
- Users
  - None/Blank
Existing pfSense router - Added FreeRADIUS3 package
Created a new pfSense CA - 2048-bit - sha256 - common name: internal Root CA
Configured the Cisco Enterprise wireless access point to use the FreeRADIUS server with shared secret and created an SSID with WPA2 Enterprise. Exported the CA root certificate and imported it into the 'Trusted Root CA store' on the Windows 10 client.
- I also created a certificate from this CA for the pfSense web interface using this root CA and tested that the Windows 10 client is successfully trusting the root CA certificate i.e.
Advantages of purchasing a certificate from a public root certificate authority (CA) such as VeriSign that is already trusted by the client are as follows:

Mutual Authentication

Mutual authentication requires not only that the server authenticate the client but also that the client authenticate the server.
To configure mutual authentication, where the client authenticates the RADIUS server in addition to the RADIUS server authenticating the client, three things are required: the RADIUS server (for example, Microsoft NPS) must have a server certificate installed, the client must trust the server certificate, and the client must be configured to validate the server certificate.
I have summarised below the steps I have followed, important bits of configuration and, importantly, the Windows event log error entry:

Main components:
- pfSense (2.4.3)
- FreeRADIUS 3 package
- pfSense Certificate Authority
- Cisco enterprise access point
- Windows 10 Professional client (standalone not domain)

Configuration Process:
Server Certificate Issued to RADIUS server by a public or private Certificate Authority (CA).
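
The trust requirement described above (the client must trust the RADIUS server certificate, and both certificates chain to the same internal root) can be checked offline before involving the access point. The script below is an added example, not part of the original post or the quoted article: it builds a throwaway CA using the names from this page, assumes the `openssl` CLI is installed, and the function names `build_pki`, `chain_ok` and `demo` are hypothetical.

```shell
#!/bin/sh
# Added example: constructed throwaway PKI using the names from this page.
# Assumes the openssl CLI is available; no real CA or key is touched.

# build_pki DIR: create a self-signed root CA plus a RADIUS server
# certificate and a client certificate, both signed by that CA.
build_pki() {
    d=$1
    mkdir -p "$d" || return 1
    # Root CA: 2048-bit RSA, SHA-256, as in the steps above
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 30 \
        -subj "/CN=internal Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    for cn in radius.domain.local client001; do
        openssl req -newkey rsa:2048 -sha256 -nodes -subj "/CN=$cn" \
            -keyout "$d/$cn.key" -out "$d/$cn.csr" 2>/dev/null || return 1
        openssl x509 -req -sha256 -days 30 -in "$d/$cn.csr" \
            -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
            -out "$d/$cn.pem" 2>/dev/null || return 1
    done
}

# chain_ok CA CERT: succeed only if CERT verifies against CA and nothing else.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# demo: the two directions of mutual authentication, then the failure case of
# a server certificate issued by a second CA that merely has the same name
# (for example, a CA that was deleted and recreated after the client import).
demo() {
    t=$(mktemp -d) || return 1
    build_pki "$t/current" && build_pki "$t/recreated" || return 1
    ca="$t/current/ca.pem"
    chain_ok "$ca" "$t/current/radius.domain.local.pem" \
        && echo "client side: server cert chains to imported root"
    chain_ok "$ca" "$t/current/client001.pem" \
        && echo "server side: client cert chains to configured CA"
    chain_ok "$ca" "$t/recreated/radius.domain.local.pem" \
        || echo "rejected: same CA name, different CA key"
    rm -rf "$t"
}

demo
```

Against real files, run `chain_ok` with the root certificate exported to the Windows client and the certificate selected as the SSL Server Certificate.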