To set up EAP-TLS—or another EAP method that uses client certificates—you will need a RADIUS server. The primary role of the RADIUS server is to authenticate and allow (or reject) connections to the Wi-Fi network. When a Wi-Fi client connects, your Wi-Fi Access Point will delegate authentication to your RADIUS server.
<aside> 👉 This is not a complete configuration, but it should get you to a good, working starting point.
</aside>
```shell
pacman -Syu
reboot
pacman -Syu vim ack freeradius step-cli make tmux
ln -s /usr/bin/vim /usr/local/bin/vi
ln -s /usr/bin/step-cli /usr/local/bin/step
cd /etc/raddb/certs
step ca bootstrap --team example --team-authority accounts
step ca certificate radius.domain.com server.pem server.key
step ca roots > ca.pem
```
Finally, copy the intermediate CA PEM block from server.pem and prepend it to ca.pem.
So ca.pem will contain the intermediate CA followed by the root CA, and server.pem will contain the leaf certificate followed by the intermediate CA.
Make sure all certificate files in /etc/raddb/certs are owned by radiusd:radiusd with 640 (or tighter) permissions.
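The chain assembly and permission steps above, written out as a small POSIX shell script. This is an added example, not part of the original post: `pem_block`, `build_ca_pem`, `verify_chain` and `lock_down_certs` are names chosen here, it assumes server.pem holds the leaf followed by the intermediate (as `step ca certificate` writes it) and that the `step ca roots` output is the file passed as the roots argument (ca.pem itself is fine, it is rewritten in place), and the PEM blocks in the demo at the bottom are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example (not from the original post): build the chain files that the eap
# module's certificate_file / ca_file settings expect, then sanity-check them.
# Assumptions: server.pem = leaf then intermediate (step ca certificate output);
# the roots file = `step ca roots` output (may be ca.pem itself, rewritten in place).
# The PEM blocks in the demo below are constructed placeholders, not real certs.

# Print the Nth certificate block (1-based) of a PEM file, BEGIN/END lines included.
pem_block() {
  awk -v n="$2" '
    /-----BEGIN CERTIFICATE-----/ { i++ }
    i == n { print }
    /-----END CERTIFICATE-----/ && i == n { exit }
  ' "$1"
}

# Count the certificate blocks in a PEM file (prints 0 for a file without any).
pem_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || :
}

# ca.pem = intermediate (second block of server.pem), then the root(s).
# Written via a temp file so the roots file and the output may be the same path.
build_ca_pem() {
  # $1 = server.pem, $2 = roots file, $3 = output ca.pem
  if [ "$(pem_count "$1")" -lt 2 ]; then
    echo "build_ca_pem: $1 does not contain the intermediate after the leaf" >&2
    return 1
  fi
  tmp="$(mktemp)"
  { pem_block "$1" 2; cat "$2"; } > "$tmp" && mv "$tmp" "$3"
}

# Confirm the leaf (first block of server.pem) validates against ca.pem.
# Needs openssl; `openssl verify` reads the certificate from stdin when no
# file argument is given. Run this on the real files, not the demo data.
verify_chain() {
  # $1 = server.pem, $2 = ca.pem
  pem_block "$1" 1 | openssl verify -CAfile "$2"
}

# Ownership and permissions for the real deployment (run as root on
# /etc/raddb/certs). mv above leaves the new ca.pem owned by whoever ran the
# script, so this must come last. 600 on the key is the "or tighter" option.
lock_down_certs() {
  # $1 = directory, e.g. /etc/raddb/certs
  chown radiusd:radiusd "$1"/*.pem "$1"/*.key
  chmod 640 "$1"/*.pem
  chmod 600 "$1"/*.key
}

# --- demo on constructed placeholder data -------------------------------------
fake_cert() {
  printf -- '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n' "$1"
}
DEMO_DIR="$(mktemp -d)"
{ fake_cert LEAF; fake_cert INTERMEDIATE; } > "$DEMO_DIR/server.pem"
fake_cert ROOT > "$DEMO_DIR/ca.pem"                 # stands in for `step ca roots`
build_ca_pem "$DEMO_DIR/server.pem" "$DEMO_DIR/ca.pem" "$DEMO_DIR/ca.pem"
echo "ca.pem blocks: $(pem_count "$DEMO_DIR/ca.pem")"   # intermediate, then root
```

On a real host, run `build_ca_pem server.pem ca.pem ca.pem` inside /etc/raddb/certs, then `verify_chain server.pem ca.pem` and `lock_down_certs /etc/raddb/certs`; if `openssl verify` does not print `OK`, the ordering or the intermediate is wrong and radiusd will reject the chain on startup.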
I started with the RADIUS config that came with the package, making the most minimal changes to get it working and secured.
For the /etc/raddb/mods-enabled/eap file:

- `certificate_file = ${certdir}/server.pem` contains only the leaf cert for the RADIUS server
- `ca_file = ${cadir}/ca.pem` should contain the intermediate and root
- `check_crl = no` and `check_all_crl = no` — I tried `check_crl = yes` but my client failed to join the network even though a CRL endpoint is present in the certificates.
- `cipher_list = "HIGH"`
- `ecdh_curve = ""` and let OpenSSL decide
- `tls_max_version = "1.3"`
- `check_cert_cn` to check usernames, but it would be better to use unlang to do this.
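To show how those settings sit in the tls-config block, and to have a repeatable check that a host's eap file still carries them, here is an added example that is not from the original post or from FreeRADIUS itself: a POSIX shell lint (`eap_setting`, `eap_has_setting`, `check_eap_tls` are names chosen here) run over two constructed config samples. `private_key_file = ${certdir}/server.key` in the samples is an assumed location for the key that `step ca certificate` wrote; the post does not state where it goes.

```shell
#!/bin/sh
# Added example (not from the original post): lint the tls-config block of
# /etc/raddb/mods-enabled/eap against the settings discussed above.
# The two config samples below are constructed for the demo; the
# private_key_file path is an assumption, not something the post states.

# Print the value of the first active (non-commented) `key = value` line for a key,
# surrounding quotes removed. Prints nothing if the key is not set.
eap_setting() {
  # $1 = config file, $2 = key
  sed -n -E "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"?([^\"#[:space:]]*)\"?.*/\1/p" "$1" | head -n 1
}

# True if the key appears on an active line at all (this is what tells an explicit
# `ecdh_curve = ""` apart from a missing ecdh_curve line).
eap_has_setting() {
  grep -Eq "^[[:space:]]*$2[[:space:]]*=" "$1"
}

# Compare each setting from the post with its expected value; one line per check,
# non-zero return if any check fails.
check_eap_tls() {
  f="$1"; rc=0
  want() {
    if ! eap_has_setting "$f" "$1"; then
      echo "FAIL $1 is not set (want \"$2\")"; rc=1; return 0
    fi
    got="$(eap_setting "$f" "$1")"
    if [ "$got" = "$2" ]; then
      echo "ok   $1 = \"$got\""
    else
      echo "FAIL $1 = \"$got\" (want \"$2\")"; rc=1
    fi
  }
  want certificate_file '${certdir}/server.pem'
  want ca_file          '${cadir}/ca.pem'
  want check_crl        no
  want check_all_crl    no
  want cipher_list      HIGH
  want ecdh_curve       ''
  want tls_max_version  1.3
  return "$rc"
}

# --- demo on constructed config samples ---------------------------------------
DEMO_DIR="$(mktemp -d)"
HARDENED="$DEMO_DIR/eap.hardened"
WEAK="$DEMO_DIR/eap.weak"

# The settings from the post, in place (constructed sample).
cat > "$HARDENED" <<'EOF'
eap {
	default_eap_type = tls
	tls-config tls-common {
		private_key_file = ${certdir}/server.key
		certificate_file = ${certdir}/server.pem
		ca_file = ${cadir}/ca.pem
		check_crl = no
		check_all_crl = no
		cipher_list = "HIGH"
		ecdh_curve = ""      # empty: let OpenSSL choose the curve
		tls_max_version = "1.3"
	}
	tls {
		tls = tls-common
	}
}
EOF

# Constructed weaker block: looser cipher list, TLS 1.3 not allowed, no curve line.
cat > "$WEAK" <<'EOF'
eap {
	default_eap_type = tls
	tls-config tls-common {
		private_key_file = ${certdir}/server.key
		certificate_file = ${certdir}/server.pem
		ca_file = ${cadir}/ca.pem
		check_crl = no
		cipher_list = "DEFAULT"
		tls_max_version = "1.2"
	}
	tls {
		tls = tls-common
	}
}
EOF

echo "== hardened =="; check_eap_tls "$HARDENED"
echo "== weak =="; check_eap_tls "$WEAK" || echo "weak config rejected as expected"
```

Against a live host, `check_eap_tls /etc/raddb/mods-enabled/eap` gives a quick drift check after package upgrades rewrite the file; it only looks at uncommented `key = value` lines, so the commented-out defaults that ship in the package do not produce false matches.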