Linux - EAP-TLS

How to Connect to Wi-Fi Using EAP-TLS on Linux

EAP-TLS (Extensible Authentication Protocol - Transport Layer Security) is one of the most secure Wi-Fi authentication methods. It uses client and server certificates for mutual authentication without relying on passwords.

Option 1: GUI with NetworkManager

  1. Click the Wi-Fi icon and select your network.
  2. In the authentication window, choose the following:
  • Security: WPA & WPA2 Enterprise
  • Authentication: TLS
  • Identity: Your username (optional, some setups require it)
  • CA Certificate: Path to your CA file (e.g., /etc/ssl/certs/ca-cert.pem)
  • User Certificate: Your client certificate (e.g., .pem)
  • Private Key: The corresponding private key file (e.g., .key)
  • Private Key Password: If applicable
  • Anonymous Identity: Leave blank
  3. Click Connect.

Option 2: CLI Using wpa_supplicant

1. Create a Config File

sudo nano /etc/wpa_supplicant/wpa_supplicant.conf

2. Add the Following Configuration:

3. Start the Connection:

Then acquire an IP address:

sudo dhclient wlan0
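
An EAP-TLS network block for step 2, written as an added example that is not part of the original page, together with a check that the file validates the RADIUS server and that the private key is not group- or world-readable. The SSID, identity, server domain and file paths are constructed placeholders; the option names are standard wpa_supplicant settings.

```bash
#!/usr/bin/env bash
# Added example. SSID, identity, domain and paths are constructed placeholders.

# Print an EAP-TLS network block for wpa_supplicant.conf.
# Args: ssid identity ca_cert client_cert private_key server_domain [key_password]
render_eap_tls_conf() {
    local pass="${7:-}"
    cat <<EOF
network={
    ssid="$1"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="$2"
    ca_cert="$3"
    domain_suffix_match="$6"
    client_cert="$4"
    private_key="$5"
EOF
    if [ -n "$pass" ]; then printf '    private_key_passwd="%s"\n' "$pass"; fi
    printf '}\n'
}

# Return 0 only if the config validates the RADIUS server (CA plus name match)
# and neither the config nor the private key is accessible to group or others.
audit_eap_tls_conf() {
    local conf="$1" rc=0 key f mode
    grep -Eq '^[[:space:]]*ca_cert=' "$conf" ||
        { echo "no ca_cert: server certificate is not verified" >&2; rc=1; }
    grep -Eq '^[[:space:]]*(domain_suffix_match|domain_match|altsubject_match)=' "$conf" ||
        { echo "no server name match: any cert from this CA is accepted" >&2; rc=1; }
    key=$(sed -n 's/^[[:space:]]*private_key="\(.*\)"$/\1/p' "$conf" | head -n 1)
    for f in "$conf" "$key"; do
        if [ ! -e "$f" ]; then echo "missing file: '$f'" >&2; rc=1; continue; fi
        mode=$(stat -c '%a' "$f")   # GNU stat, octal mode such as 600
        case "$mode" in
            *00|0) ;;
            *) echo "$f has mode $mode, expected no group/other access (e.g. 600)" >&2; rc=1 ;;
        esac
    done
    return "$rc"
}

# Demo: print the block that would go into /etc/wpa_supplicant/wpa_supplicant.conf.
render_eap_tls_conf "ExampleCorp-WiFi" "alice@example.com" \
    /etc/ssl/certs/ca-cert.pem /etc/wpa_supplicant/client-cert.pem \
    /etc/wpa_supplicant/client-key.pem "radius.example.com"
# A typical start command for step 3 (assumption, the page does not show its own):
#   sudo wpa_supplicant -B -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant.conf
```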

Certificate Notes

  • .pem and .crt files are accepted formats.
  • If you have a .p12 or .pfx file, extract the contents using OpenSSL:

Troubleshooting

  • Use journalctl -u NetworkManager or dmesg to check for connection errors.
  • Ensure the RADIUS server certificate matches the domain name (important for newer distros).
  • File permissions must allow wpa_supplicant to access your certificates.

Security Tip

Protect your private key file with restrictive permissions:

chmod 600 client-key.pem

Never share your certificate bundle outside trusted environments.