luca@sysadmin

WiFi Security with EAP-TLS

EAP Ascii

Introduction

In today’s cybersecurity landscape, ensuring secure and seamless wireless connectivity is no longer optional—it’s essential. To address emerging threats and streamline user access, I recently implemented EAP-TLS (Extensible Authentication Protocol - Transport Layer Security) for our organization’s WiFi network.

This post covers the motivations behind this initiative, the technical approach, and the successful outcomes achieved.

🔑 Why Choose EAP-TLS?

Traditional WiFi security measures, such as password-based authentication, often fall short against advanced threats like phishing or brute force attacks. EAP-TLS, by leveraging digital certificates, ensures that only authorized devices can connect to the network.

Benefits of EAP-TLS:

  • Stronger Security: Certificates replace passwords, mitigating risks associated with weak or stolen credentials.
  • Improved User Experience: No need for users to manage complex passwords—authentication is seamless.
  • Scalability: Ideal for large organizations with diverse devices and users.

🌐 Our Vision: A Secure and Scalable WiFi Network

The goal was to create a WiFi authentication system that:

  1. Provides robust security through digital certificates.
  2. Scales effectively to meet the demands of a growing user base across multiple regions.
  3. Simplifies management for administrators through centralized tools.

To achieve this, we integrated:

  • Active Directory Certificate Services (ADCS)
  • FreeRADIUS
  • Meraki
  • Microsoft Intune
  • Azure Infrastructure

🔐 Crafting the Solution

1. Building the Foundation with ADCS

The backbone of our solution was a Certificate Authority (CA). Using Active Directory Certificate Services (ADCS), we set up an enterprise root CA named Agicap-CA. This CA handles certificate issuance, ensuring only authenticated devices can access the network.

2. Automating Certificate Management with SCEP

To simplify certificate distribution, we implemented Simple Certificate Enrollment Protocol (SCEP). SCEP automates certificate issuance and renewal, reducing manual effort and minimizing errors.

3. Secure Authentication with FreeRADIUS

FreeRADIUS, deployed on Debian servers, acts as the authentication server. Configured to trust Agicap-CA, FreeRADIUS ensures that only devices with valid certificates can access the WiFi network.

4. Network Management with Meraki

Using Meraki’s dashboard, we uploaded the root CA certificate (Agicap-CA) and configured the SSID to interact securely with FreeRADIUS servers. This guarantees that only authenticated devices connect to our network.

5. Centralized Device Management with Intune

With Microsoft Intune, we distributed root certificates and WiFi profiles across:

  • Windows
  • macOS
  • iOS
  • Android

This approach ensures consistent security policies and seamless onboarding for users.

6. Deploying on Azure with Terraform

For scalability and high availability, we deployed FreeRADIUS servers on Azure using Terraform. Load balancers ensure reliability, while infrastructure as code simplifies updates and scaling across regions.

📈 Results: A Robust WiFi Network

The implementation of EAP-TLS delivered measurable improvements:

  1. Enhanced Security: Digital certificates eliminate password vulnerabilities, ensuring only authorized devices connect.

  2. Seamless User Experience: Automated certificate management eliminates the need for complex passwords, improving convenience for users.

  3. Scalability and Reliability: Azure-hosted FreeRADIUS servers provide a scalable, resilient infrastructure capable of supporting our growing user base.

  4. Simplified Administration: Microsoft Intune enables centralized certificate and profile management, reducing the administrative burden.

🏁 Conclusion

Implementing EAP-TLS for our WiFi network was a strategic move that significantly improved our security posture and user experience. By leveraging tools like ADCS, FreeRADIUS, Meraki, Intune, and Azure, we built a system that is both secure and scalable.

Looking to enhance your WiFi security? Feel free to reach out for advice or collaboration!