
Googling anything involving RADIUS configuration has been hell, as many of the terms get mixed together, making search results useless, so...

I have a RADIUS server offering EAP-TTLS based communication using a certificate signed by a private CA to which I have both the public and private keys. I already have this server configured to accept requests from a given IP address.

How do I properly install the public CA key on a box such that:

  • The box will use it to verify the RADIUS server is who it says it is

  • That the communication is encrypted

  • That the box will not trust any other root CA for authenticating users logging onto the box

Tim Morris

2 Answers


Really depends on if your client is a RedHat, Debian, or Arch based distro.

How you issue the certs depends on what OS the CA is on.

To import the CA Server’s certificate on CentOS, Fedora, or RedHat based system, copy the certificate into /etc/pki/ca-trust/source/anchors/, then run the sudo update-ca-trust command.

For Debian based systems copy your CA public key to /usr/local/share/ca-certificates/ then run the sudo update-ca-certificates command.

That solves most of your concerns. Next you need to issue machine certificates to each client. On Linux this is usually done by generating Certificate Signing Requests (CSRs) using OpenSSL. Then you sign those requests with your private CA. Copy and install the signed certificates back to the client. Now the CA trusts the client and the client trusts the CA.

For more information, read this.

HackSlash
  • The project that spawned this question is long dead, but I appreciate the answer nonetheless. It appears to solve what I was going after (I cannot test it physically) so I'll mark it as the answer. – Tim Morris May 25 '23 at 02:53

You need a client to do the authentication, like wpa_supplicant in Linux.

https://help.ubuntu.com/community/Network802.1xAuthentication

Marinus
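The client-side procedure from the first answer, combined with the wpa_supplicant pointer in the second, as an added example that is not part of either answer: the script locates the distro trust-store directory the first answer names, generates a throwaway CA standing in for the operator's private CA, issues and verifies a client machine certificate, and writes a wpa_supplicant EAP-TTLS stanza whose ca_cert is pinned to that one CA file. Everything under $WORK, the demo CA and the identity placeholder are constructed assumptions; the trust-store paths and update commands are those given in the answer.

```shell
# Added example (not the answers' own code): trust a private CA, issue a machine cert,
# and pin the 802.1X supplicant to that CA. Files live under $WORK (constructed);
# the demo CA stands in for the operator's real private CA key pair.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Distro trust-store directory named in the first answer, and the command to run after copying.
trust_store_dir() {
  [ -d /etc/pki/ca-trust/source/anchors ] && { echo /etc/pki/ca-trust/source/anchors; return; }  # then: sudo update-ca-trust
  [ -d /usr/local/share/ca-certificates ] && { echo /usr/local/share/ca-certificates; return; }  # then: sudo update-ca-certificates
  return 1
}

# Stand-in private CA key pair (the question's operator already holds the real one).
make_demo_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo Private RADIUS CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Machine certificate for host $1: key and CSR generated on the client, CSR signed by the private CA.
make_client_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -out "$WORK/$1.crt" 2>/dev/null
}

# Check that $1's certificate chains to the private CA ONLY (system roots excluded) and matches its key.
verify_client_cert() {
  openssl verify -no-CApath -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1 || return 1
  [ "$(openssl x509 -noout -pubkey -in "$WORK/$1.crt")" = "$(openssl pkey -pubout -in "$WORK/$1.key")" ]
}

# wpa_supplicant EAP-TTLS stanza for host $1: ca_cert pinned to the private CA file rather than the
# whole system store, so no other root can vouch for the RADIUS server. Identity is a placeholder.
write_supplicant_conf() {
  cat > "$WORK/wpa_supplicant.conf" <<EOF
network={
    key_mgmt=IEEE8021X
    eap=TTLS
    ca_cert="$WORK/ca.crt"
    client_cert="$WORK/$1.crt"
    private_key="$WORK/$1.key"
    identity="USER_PLACEHOLDER"
    phase2="auth=MSCHAPV2"
}
EOF
}
```

Copying "$WORK/ca.crt" into the directory returned by trust_store_dir and running the matching update command completes the system-wide trust step; the wpa_supplicant stanza does the per-connection pinning the question's third point asks for.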