Raspberry Pi EAP-TLS Wi-Fi with nmcli (network-manager)

Prerequisites:

– Raspbian OS
– CA cert, client cert and its password, client key

You can use a .p12 file and convert it to .pem; the resulting file contains both the client cert and the client key. Let's say you downloaded the .p12 file from the pfSense cert manager. Convert it with the command below (the PEM pass phrase you choose here is the private-key-password used in the nmcli profile later):

openssl pkcs12 -in test.p12 -out test.pem
Enter Import Password: leave empty
Enter PEM pass phrase: testing1234
Verifying - Enter PEM pass phrase: testing1234

First, remove openresolv and dhcpcd5, because they conflict with NetworkManager's own network management:

apt purge openresolv dhcpcd5

Disable wpa_supplicant:

systemctl disable wpa_supplicant

Install NetworkManager, which provides nmcli:

apt install network-manager

Comment out everything in /etc/network/interfaces and in /etc/wpa_supplicant/wpa_supplicant.conf, then reboot the Pi.

Create the Wi-Fi connection:

nmcli c add type wifi ifname wlan0 con-name "My-Wifi" \
      802-11-wireless.ssid "WIFI-SSID" \
      802-11-wireless-security.key-mgmt wpa-eap \
      802-1x.eap tls \
      802-1x.identity test \
      802-1x.ca-cert /home/pi/CA.crt \
      802-1x.client-cert /home/pi/test.pem \
      802-1x.private-key /home/pi/test.pem \
      802-1x.private-key-password testing1234

Depending on the network-manager version, the single command above might not work, so instead create the connection and enter the settings manually, line by line, in the interactive editor (note that the profile is edited by its con-name, My-Wifi):

nmcli con add type wifi ifname wlan0 con-name My-Wifi ssid WIFI-SSID
nmcli con edit id My-Wifi
nmcli> set 802-11-wireless.ssid WIFI-SSID
nmcli> set 802-11-wireless-security.key-mgmt wpa-eap
nmcli> set 802-1x.eap tls
nmcli> set 802-1x.identity test
nmcli> set 802-1x.ca-cert /home/pi/CA.crt
nmcli> set 802-1x.client-cert /home/pi/test.pem
nmcli> set 802-1x.private-key-password testing1234
nmcli> set 802-1x.private-key /home/pi/test.pem
nmcli> save
nmcli> quit

Check the connection with:

nmcli connection
NAME                UUID                                  TYPE      DEVICE
My-Wifi             f0c28a28-934f-4dbc-823f-b3c1653bb047  wifi      wlan0

Start the connection:

nmcli connection up My-Wifi

If you want to start over, you can delete the connection with:

nmcli connection delete My-Wifi

You can also view and edit the profile at /etc/NetworkManager/system-connections/My-Wifi.nmconnection (nmcli writes it owned by root with mode 0600, since it holds the private-key password in clear text):

cat /etc/NetworkManager/system-connections/My-Wifi.nmconnection
[connection]
id=My-Wifi
uuid=f0c28a28-934f-4dbc-823f-b3c1653bb047
type=wifi
interface-name=wlan0
permissions=

[wifi]
mac-address-blacklist=
mode=infrastructure
ssid=WIFI-SSID

[wifi-security]
key-mgmt=wpa-eap

[802-1x]
ca-cert=/home/pi/CA.crt
client-cert=/home/pi/test.pem
eap=tls;
identity=test
private-key=/home/pi/test.pem
private-key-password=testing1234

[ipv4]
dns-search=
method=auto

[ipv6]
addr-gen-mode=stable-privacy
dns-search=
method=auto
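The keyfile above is the one place where a misconfigured EAP-TLS profile shows up before the first connection attempt: an empty ca-cert means the supplicant will not verify the RADIUS server's certificate, a wrong path means the handshake fails, and loose file permissions expose the key pass phrase. As an added example (not from the original post), this POSIX sh script checks a .nmconnection file created by either nmcli variant shown above. It assumes only sed, ls and cut, and takes the keyfile path as its first argument.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check an EAP-TLS
# .nmconnection keyfile before running `nmcli connection up`.
# Assumes POSIX sh with sed, ls and cut; usage: ./lint-eap-tls.sh <keyfile>

# nm_get_key FILE SECTION KEY: print the value of KEY inside [SECTION], or nothing.
nm_get_key() {
    sed -n "/^\[$2\]/,/^\[/p" "$1" | sed -n "s/^$3=//p" | head -n 1
}

# lint_eap_tls_profile FILE: return 0 if the profile is a usable EAP-TLS
# profile, 1 otherwise; every finding is printed on stdout.
lint_eap_tls_profile() {
    f=$1
    rc=0
    [ -f "$f" ] || { echo "missing keyfile: $f"; return 1; }

    # The profile has to select 802.1X with EAP-TLS; nmcli stores eap as "tls;".
    [ "$(nm_get_key "$f" wifi-security key-mgmt)" = wpa-eap ] \
        || { echo "wifi-security.key-mgmt is not wpa-eap"; rc=1; }
    case "$(nm_get_key "$f" 802-1x eap)" in
        tls|"tls;") ;;
        *) echo "802-1x.eap is not tls"; rc=1 ;;
    esac

    # Identity, client cert and private key must all be present.
    for k in identity client-cert private-key; do
        [ -n "$(nm_get_key "$f" 802-1x "$k")" ] || { echo "802-1x.$k is empty"; rc=1; }
    done

    # An empty ca-cert means the supplicant accepts any RADIUS server
    # certificate, so the client would authenticate to a rogue access point.
    if [ -z "$(nm_get_key "$f" 802-1x ca-cert)" ]; then
        echo "802-1x.ca-cert is empty: RADIUS server certificate will not be verified"
        rc=1
    fi

    # Every referenced certificate/key path must exist on this machine.
    for k in ca-cert client-cert private-key; do
        p=$(nm_get_key "$f" 802-1x "$k")
        [ -z "$p" ] || [ -e "$p" ] || { echo "802-1x.$k points to a missing file: $p"; rc=1; }
    done

    # private-key-password is stored in clear text, so the keyfile must not be
    # readable by other users (nmcli creates it as root:root 0600).
    case "$(ls -ld "$f" | cut -c8-10)" in
        ---) ;;
        *) echo "keyfile is readable by other users: $(ls -ld "$f" | cut -c1-10)"; rc=1 ;;
    esac

    return "$rc"
}

# Run the check on the path given on the command line, if any.
if [ "$#" -gt 0 ]; then
    lint_eap_tls_profile "$1"
fi
```

Run it as root (the keyfile itself is mode 0600) before `nmcli connection up My-Wifi`; a non-zero exit with the printed findings tells you what to fix with `nmcli con edit id My-Wifi` instead of waiting for a silent association failure.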

2 comments

  1. This blog post saved my bacon
    Not familiar with Linux at all, besides seeing the sudo command once in an xkcd comic.
    Spent at least two weeks in between other things at work trying to figure out why, after installing and configuring systemd-networkd, it refused to auto-connect with EAP-TLS, or not get an IP address, etc. etc., then came across this blog post showing how to set up EAP-TLS.

    Thank you so much

  2. I am looking for an nmcli solution that will allow the setup of an enterprise WPA2 solution with EAP-TLS.
    Can't get hostapd working on Fedora Workstation; I do get the nmcli hotspot working, but I wanted to use FreeRADIUS for authentication. HELP!!
