- for a client authenticating itself to the AP using a certificate alone, you don't need RADIUS at all
The required settings in /interface wireless security-profile, or in /caps-man security, are as follows:
authentication-types=wpa2-eap eap-methods=eap-tls tls-mode=verify-certificate tls-certificate=the-certificate-of-the-AP
The certificate of the CA signing the AP's certificate must be known to the client. And on Windows 10, the client certificate must be stored among user ones, not machine ones.
I already tried that; this is the security policy:
Flags: * - default
0 name="CertifiedAccess" mode=dynamic-keys authentication-types=wpa2-eap unicast-ciphers=aes-ccm group-ciphers=aes-ccm wpa-pre-shared-key="" wpa2-pre-shared-key="" supplicant-identity="" eap-methods=eap-tls tls-mode=verify-certificate tls-certificate=wifi_server mschapv2-username="" mschapv2-password="" disable-pmkid=no static-algo-0=none static-key-0="" static-algo-1=none static-key-1="" static-algo-2=none static-key-2="" static-algo-3=none static-key-3="" static-transmit-key=key-0 static-sta-private-algo=none static-sta-private-key="" radius-mac-authentication=no radius-mac-accounting=no radius-eap-accounting=no interim-update=0s radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username radius-called-format=mac:ssid radius-mac-caching=disabled group-key-update=5m management-protection=disabled management-protection-key=""
These are the certificates I have on my router:
Flags: K - private-key, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted
0 K A T name="LocalCA" digest-algorithm=sha256 key-type=rsa common-name="LocalCA" key-size=2048 subject-alt-name="" days-valid=365 trusted=yes key-usage=key-cert-sign,crl-sign
2 K I T name="wifi_client" digest-algorithm=sha256 key-type=rsa common-name="wifi_client" key-size=2048 subject-alt-name="" days-valid=365 trusted=yes key-usage=tls-client ca=LocalCA
3 K I T name="wifi_server" digest-algorithm=sha256 key-type=rsa common-name="wifi_server" key-size=2048 subject-alt-name="" days-valid=365 trusted=yes key-usage=digital-signature,data-encipherment,key-agreement,tls-server,tls-client ca=LocalCA
I imported the certificates to a Windows 10 Home laptop:
LocalCA.crt to Trusted Root Certification Authorities
wifi_client.crt - I have no idea where to put this. If I use automatic placement during import, it ends up in the Other People category in certmgr. I've tried a couple of places and finally gave up due to not getting results.
So basically I followed with connection creation like this:
wpa2ent1.JPG
wpa2ent2.JPG
wpa2ent3.JPG
At this point I was expecting a similar window during connection selection:
wpa2ent4.JPG
but instead I get information that I can't connect because this connection requires a certificate.
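
An added diagnostic in PowerShell, not part of the original posts: it reports which Windows store a certificate with the client CN landed in, whether its private key came along, whether it carries the Client Authentication usage, and whether the CA is in a trusted root store. The CNs `wifi_client` and `LocalCA` are taken from the certificate list above; the function name `Test-EapTlsClientCert` is hypothetical.

```powershell
# Added example. CNs come from the post; Test-EapTlsClientCert is a hypothetical name.
function Test-EapTlsClientCert {
    param(
        [string]$ClientCN = 'wifi_client',
        [string]$CaCN     = 'LocalCA'
    )
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
    # My = "Personal", AddressBook = "Other People" as shown in certmgr
    $stores = 'Cert:\CurrentUser\My', 'Cert:\CurrentUser\AddressBook', 'Cert:\LocalMachine\My'
    $clientPattern = "CN=$([regex]::Escape($ClientCN))(,|$)"
    $caPattern     = "CN=$([regex]::Escape($CaCN))(,|$)"

    # Collect every copy of the client certificate and where it sits
    $found = foreach ($store in $stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -match $clientPattern } |
            ForEach-Object {
                $cert = $_
                $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
                [pscustomobject]@{
                    Store            = $store
                    Thumbprint       = $cert.Thumbprint
                    HasPrivateKey    = $cert.HasPrivateKey
                    HasClientAuth    = $ekus -contains $clientAuthOid
                    NotExpired       = (Get-Date) -lt $cert.NotAfter
                    # True only for a copy in the user's Personal store with its key
                    UserStoreWithKey = ($store -eq 'Cert:\CurrentUser\My') -and $cert.HasPrivateKey
                }
            }
    }

    # The CA that signed the AP's certificate must be trusted by the client
    $caCerts = foreach ($root in 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root') {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -match $caPattern }
    }

    [pscustomobject]@{
        ClientCertificates = @($found)
        CaInTrustedRoot    = @($caCerts).Count -gt 0
    }
}

$result = Test-EapTlsClientCert
$result.ClientCertificates | Format-Table -AutoSize
"CA in a trusted root store: $($result.CaInTrustedRoot)"
```

A `.crt` file carries only the public certificate, so a copy imported from one shows `HasPrivateKey` as `False`; the private key has to be imported together with the certificate from a container that includes it, such as PKCS#12.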