This article gives an overview of how to set up EAP-TLS authentication for Airtame devices within an enterprise environment. It is divided into sections that detail how to set up EAP-TLS using Windows Certificate Authority servers and how to convert the certificates using OpenSSL.

☝️This guide is written for an organization’s IT/Security department and gives specific details to create client-side certificates for the Airtame.  Please consult your IT department before making any changes to your network or security posture. 

What is EAP-TLS?

EAP Transport Layer Security (EAP-TLS), defined in RFC 5216, is an IETF open standard that uses the Transport Layer Security (TLS) protocol, and is well-supported among wireless vendors. EAP-TLS is the original, standard wireless LAN EAP authentication protocol.

EAP-TLS is still considered one of the most secure EAP standards available (although TLS provides strong security only as long as the user understands potential warnings about false credentials), and it is universally supported by all manufacturers of wireless LAN hardware and software.

Unlike most TLS implementations of HTTPS, such as on the World Wide Web, most implementations of EAP-TLS require client-side X.509 certificates without giving the option to disable the requirement, even though the standard does not mandate their use. 

The requirement for a client-side certificate, however unpopular it may be, is what gives EAP-TLS its authentication strength and illustrates a convenience vs. security trade-off. With a client-side certificate, a compromised password is not enough to break into EAP-TLS enabled systems because the intruder still needs the client-side certificate; indeed, a password is not even needed, as it is only used to encrypt the client-side certificate for storage. The highest security available is when the private keys of the client-side certificate are housed in smart cards or certificate stores. This is because there is no way to steal a client-side certificate's private key from a smart card or certificate store without stealing the card or device itself. It is more likely that the physical theft of a smart card or device would be noticed (and the smart card immediately revoked) than a (typical) password theft that could go unnoticed.

Below is the signal flow for EAP-TLS and the authentication procedure for EAP-TLS:


The following is the procedure for setting up EAP-TLS to work with Airtame.  In this document, we will be using a Windows Server 2016 with the Active Directory Domain Services role installed, a Windows Server 2016 with the Certificate Authority role installed and a Windows Server 2016 with the Network Policy and Access Services (NPAS) role installed to act as the RADIUS server.  OpenSSL will be used to extract the private key from the PKCS12 file and to change file formats.

Creating the Airtame service account in Active Directory

A successful EAP-TLS implementation will require the person setting this up to have “domain admin” access to Active Directory.

The first step will be to create a service account for the Airtame.  You can either create a shared service account for all Airtame devices on your network or create an individual service account for each Airtame.  Which option you choose will depend on your organization’s security policy.

After the New User window opens, give the Airtame a unique name and populate the appropriate fields and hit ‘next’.

Enter a unique password and untick the box that says “User must change password at next logon”.  Then click the ‘next’ button and click finish in the next window.

Setting up your RADIUS server to authenticate your Airtame.

EAP-TLS can be used in WPA2-Enterprise networks using 802.1X to authenticate users.  EAP-TLS uses certificates so that the server (RADIUS) and the host (Airtame) mutually authenticate each other.  I will be using a server running Windows Server 2016 with the Network Policy and Access Services role (NPAS) to function as the RADIUS server in our example.  We will configure the Connection Request Policies and the Network Policies.

Creating the Connection Request Policy

  1. Log into your NPAS server and open the Network Policy Server console.
  2. Navigate to NPS(Local)>Policies>Connection Request Policies.
  3. Right click on Connection Request Policies and choose New.
  4. On Specify Connection Policy Name and Connection Type enter a Policy name: and click Next.
  5. On Specify Conditions click Add.
  6. Select NAS Port Type as a condition.
  7. For NAS Port Type check Wireless - IEEE 802.11 and Wireless - Other click OK.
  8. Click Next.
  9. On Specify Connection Request Forwarding leave the defaults and click Next.
  10. On Specify Authentication Methods leave the defaults and click Next.
  11. On Configure Settings click Next.
  12. Review the settings on Completing Connection Request Policy Wizard and click Finish.
  13. Right click the Connection Policy created and select Move up so its processing order is before any other policies.

Creating the Network Policy

  1. Right click Network Policies and select New.
  2. On Specify Network Policy Name and Connection Type enter a Policy name: and click Next.
  3. On Specify Conditions click Add.
  4. Select NAS Port Type as a condition.
  5. For NAS Port Type check Wireless - IEEE 802.11 and Wireless - Other click OK.
  6. Click Next.
  7. On Specify Access Permissions make sure Access granted is selected and click Next.
  8. On Configure Authentication Methods click Add and choose Microsoft: Smart Card or other certificate for Add EAP and click OK.
  9. Uncheck any boxes under Less secure authentication methods.
  10. Select Microsoft: Smart Card or other certificate for EAP types and click Edit.
  11. Verify the Certificate issued to: drop down shows the correct certificate and issuer which is the Active Directory CA server. Then click OK.
  12. Click Next.
  13. On Configure Constraints click Next.
  14. On Configure Settings, you will choose the RADIUS attributes.  The RADIUS attributes vary from vendor to vendor, so please consult your wireless appliance administration guides.
  15. Review the settings on Completing New Network Policy and Click Finish.
  16. Right click the Network Policy created and select Move up so its processing order is before any other policies. 

Creating your user certificate

1. After creating the Airtame service account, we will need to create the user certificate for the service account we just created. There are several different ways to do this.  If your organization uses ‘Auto-Enrollment’ and allows private keys to be exportable, you can simply log into a domain joined computer with the service account we just created, and the certificate will automatically be created. 

⚠️However, if your organization doesn’t allow private keys to be exportable, you will need to create a certificate template on the Certificate Authority server that allows its private key to be exported.  The link below shows how to create a certificate template by duplicating a pre-configured template.  While following the instructions in the link, be sure to duplicate the ‘User’ certificate template rather than the ‘Web Server’ certificate template used in the linked example.  We want to duplicate the ‘User’ template because its intended purpose is client authentication. Once you’ve created the template that allows the private key to be exported, repeat the instructions at the beginning of this step (step 1) and continue. ***Create and Manage Certificate Templates in Windows Server 2016

2. Once you’re logged into a domain computer with the service account you created, go to your Start Menu and type ‘mmc’ to open the console. 

Next, click ‘File’ and click ‘Add/Remove Snap-in’.  Select ‘Certificates’, click Add and click OK.

Open the ‘Personal’ drop down menu as detailed in the graphic below. Select ‘Certificates’ and you will see the ‘airtame-svc’ user account to the right.  Right click the certificate, choose ‘All Tasks’ and click ‘Export’.

Once the Export window opens, click next and you will see the window below.  Mark the tick boxes in the graphic and click ‘Next’.

When you export the private key, you need to make some security considerations. You will need to restrict the certificate to specific users or users in an Active Directory group OR give the private key a password.  In this example, I will give the private key a password. Once you complete this task, click ‘Next’.

Now we will specify the name and path for our new PKCS12/.pfx file to be exported. Once finished, click ‘Next’.

Now you are at the last page of the Certificate Export Wizard.  Confirm the file is correct and that the line for ‘Export Keys’ says ‘Yes’.   Then click ‘Finish’.


3. At this time, we are going to extract the certificate and the private key from the .pfx (PKCS12) file in order to create two files: one for the certificate and one for the private key.  To do this, we are going to use OpenSSL. Click on the start menu and type ‘CMD’. Once the application is visible, right click the application and choose ‘Run as Administrator’.

From the Command Prompt, navigate to the directory where your OpenSSL installation is located and run the following commands. (Replace ‘filename’ with the path to your .pfx file and ‘key’ with the path where you want to place your key file.)
⚠️ Be prepared to enter the private key password you created previously when executing the following commands. 

To export the private key from the .pfx file, enter the following OpenSSL command:

openssl pkcs12 -in filename.pfx -nocerts -nodes -out key.pem

Note that -nodes writes key.pem without a passphrase, so keep the file on a protected path and restrict who can read it.

To export the certificate file from the .pfx file, enter the following OpenSSL command:

openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem

4. Now that we have our certificate file and key file, we need to download the Certificate Authority certificate in Base64 format.
The easiest way to retrieve the CA certificate is to access the ‘web enrollment’ page of your CA.  

a. From the webpage, select ‘Download a CA certificate, certificate chain or CRL’.

b. Choose Base64 and ‘Download CA certificate chain’

c. Once the CA certificate has been downloaded, we have to change the format of the CA certificate to become a PEM file.  We will use OpenSSL to convert it:

Repeat the steps in step 3 to open OpenSSL.  Once you’re in the Command Prompt, enter the following command (be sure to replace the word ‘certificate’ with the full path to the CA certificate):

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.pem
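The extraction and conversion steps above, as an added example that is not part of the original article: the script builds a throwaway CA and an ‘airtame-svc’ user certificate, packs them into a .pfx the way the Certificate Export Wizard does (the password ‘export-pw’ and all file names are constructed stand-ins), runs the article’s OpenSSL commands non-interactively, and then checks that the three output files actually belong together before they go onto a device.

```shell
#!/bin/sh
# Added example, not part of the Airtame article: build a throwaway CA and user
# certificate, pack them into a .pfx as the Certificate Export Wizard does, run
# the article's OpenSSL extraction/conversion steps, and verify the results.
# Requires the openssl CLI; all names and the password below are constructed.
set -eu
WORK="$(mktemp -d)"
cd "$WORK"
PFX_PASS="export-pw"   # stand-in for the password given in the export wizard

# Constructed fixtures: a private CA and a user cert limited to client auth.
make_fixtures() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Root CA" \
    -keyout ca.key -out ca.crt 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=airtame-svc" \
    -keyout user.key -out user.csr 2>/dev/null
  printf 'extendedKeyUsage = clientAuth\n' > user.ext
  openssl x509 -req -in user.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 30 -extfile user.ext -out user.crt 2>/dev/null
  # .pfx as exported from the user store; .p7b as served by CA web enrollment
  openssl pkcs12 -export -in user.crt -inkey user.key -certfile ca.crt \
    -passout "pass:$PFX_PASS" -out airtame-svc.pfx
  openssl crl2pkcs7 -nocrl -certfile ca.crt -out certificate.p7b
}

# Steps 3 and 4c of the article, with the password supplied via -passin.
extract_files() {
  openssl pkcs12 -in airtame-svc.pfx -nocerts -nodes -passin "pass:$PFX_PASS" -out key.pem
  openssl pkcs12 -in airtame-svc.pfx -clcerts -nokeys -passin "pass:$PFX_PASS" -out cert.pem
  openssl pkcs7 -print_certs -in certificate.p7b -out certificate.pem
  chmod 600 key.pem   # -nodes writes the key unencrypted; lock the file down
}

# Checks worth running before loading the three files on a device.
key_matches_cert() {
  [ "$(openssl x509 -in cert.pem -noout -pubkey)" = "$(openssl pkey -in key.pem -pubout)" ]
}
cert_is_client_auth() {
  openssl x509 -in cert.pem -noout -text | grep -q 'TLS Web Client Authentication'
}
chain_verifies() { openssl verify -CAfile certificate.pem cert.pem >/dev/null 2>&1; }
key_is_unencrypted() { ! grep -q 'ENCRYPTED' key.pem; }

make_fixtures
extract_files
if key_matches_cert && cert_is_client_auth && chain_verifies && key_is_unencrypted; then
  echo "cert.pem, key.pem and certificate.pem are consistent and ready for the Airtame"
else
  echo "check failed; do not load these files" >&2; exit 1
fi
```

If a .pfx exported by Windows fails to open under OpenSSL 3 with an "unsupported" algorithm error, add `-legacy` to the two `openssl pkcs12` commands.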


5. At this point we have all three files we need to set up EAP-TLS in the Airtame application:

Service account .pem file
Service account private key .pem file
CA certificate .pem file

Open the Airtame application and begin the initial setup of the device:

1. In the Airtame setup menu within the Airtame application, select the WiFi network you wish to connect to your Airtame device and fill out the fields below.

2. At this point, your Airtame device will be authenticated to your enterprise network.  If you wish to configure more Airtames to connect to your enterprise network, simply reuse the CA certificate, host certificate and key associated with the service account.

That's all! 
