Linux - EAP-TLS

How to Connect to Wi-Fi Using EAP-TLS on Linux

EAP-TLS (Extensible Authentication Protocol - Transport Layer Security) is one of the most secure Wi-Fi authentication methods. It uses client and server certificates for mutual authentication without relying on passwords.

Option 1: GUI with NetworkManager

  1. Click the Wi-Fi icon and select your network.
  2. In the authentication window, choose the following:
  • Security: WPA & WPA2 Enterprise
  • Authentication: TLS
  • Identity: Your username (optional, some setups require it)
  • CA Certificate: Path to your CA file (e.g., /etc/ssl/certs/ca-cert.pem)
  • User Certificate: Your client certificate (e.g., .pem)
  • Private Key: The corresponding private key file (e.g., .key)
  • Private Key Password: If applicable
  • Anonymous Identity: Leave blank

  3. Click Connect.

Option 2: CLI Using wpa_supplicant

1. Create a Config File

sudo nano /etc/wpa_supplicant/wpa_supplicant.conf

2. Add the Following Configuration:

network={
    ssid="YourNetworkSSID"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="your-username@example.com"
    ca_cert="/etc/ssl/certs/ca-cert.pem"
    client_cert="/etc/ssl/certs/client-cert.pem"
    private_key="/etc/ssl/private/client-key.pem"
    private_key_passwd="your-password-if-needed"
}

3. Start the Connection:

sudo wpa_supplicant -B -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant.conf

Then acquire an IP address:

sudo dhclient wlan0

Certificate Notes

  • .pem and .crt files are accepted formats.
  • If you have a .p12 or .pfx file, extract the contents using OpenSSL:
# Extract client cert and private key from P12
openssl pkcs12 -in client.p12 -out client-cert.pem -clcerts -nokeys
openssl pkcs12 -in client.p12 -out client-key.pem -nocerts -nodes

Troubleshooting

  • Use journalctl -u NetworkManager or dmesg to check for connection errors.
  • Ensure the RADIUS server's certificate presents the expected server domain name; newer distributions enforce this check, so a mismatch will stop the connection.
  • File permissions must allow wpa_supplicant to access your certificates.

Security Tip

Protect your private key file with restrictive permissions: chmod 600 client-key.pem. Never share your certificate bundle outside trusted environments.
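As an added example that is not part of this guide, the following Python pre-flight check parses the network block from the Option 2 configuration and verifies the points raised under Troubleshooting and in this tip: the required EAP-TLS keys are present, each certificate and key path exists, and the private key is owner-only (chmod 600). It assumes the PEM layout used above rather than a .p12 bundle passed straight to wpa_supplicant, and the embedded sample configuration is a constructed copy of the one in this guide.

```python
import os
import re
import stat

# Keys this guide's EAP-TLS block relies on (PEM layout as above, not a raw .p12).
REQUIRED = {"ssid", "key_mgmt", "eap", "ca_cert", "client_cert", "private_key"}

# Constructed sample mirroring the configuration above, with the guide's paths.
SAMPLE_CONF = """network={
    ssid="YourNetworkSSID"
    key_mgmt=WPA-EAP
    eap=TLS
    ca_cert="/etc/ssl/certs/ca-cert.pem"
    client_cert="/etc/ssl/certs/client-cert.pem"
    private_key="/etc/ssl/private/client-key.pem"
}
"""

def parse_network_blocks(text):
    """Return one dict per network={...} block; quoted values are unquoted."""
    blocks = []
    for body in re.findall(r"network=\{(.*?)\}", text, re.S):
        entry = {}
        for line in body.splitlines():
            line = line.strip()
            if line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            entry[key.strip()] = value.strip().strip('"')
        blocks.append(entry)
    return blocks

def check_block(block):
    """Return a list of problems; an empty list means the block passed every check."""
    problems = [f"missing {k}" for k in sorted(REQUIRED - set(block))]
    if block.get("key_mgmt") != "WPA-EAP":
        problems.append("key_mgmt should be WPA-EAP")
    if block.get("eap") != "TLS":
        problems.append("eap should be TLS")
    for key in ("ca_cert", "client_cert", "private_key"):  # wpa_supplicant must open each
        path = block.get(key)
        if path and not os.path.isfile(path):
            problems.append(f"{key}: {path} not found")
    key_path = block.get("private_key")
    if key_path and os.path.isfile(key_path):
        mode = stat.S_IMODE(os.stat(key_path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):  # any group/other bit set
            problems.append(f"private_key: mode {mode:o} is not owner-only, run chmod 600")
    return problems
```

Run it against the text of /etc/wpa_supplicant/wpa_supplicant.conf with `check_block(b) for b in parse_network_blocks(text)` before starting wpa_supplicant; an empty problem list for each block means the paths and permissions are in order.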

