Freeradius Certifikate

Hello all,
I have the following problem but do not really have a solution. I run an internal Radius server for 802.1x authentication. This has worked fine with self singned certificates until now. Now the first smartphones (e.g. Google Pixel 6) are coming which does not allow self singned authentication anymore. The Radius server is internal, so it has no public IP. How can I get a certificate so that I no longer have to use selfsigned? I am grateful for any suggestions. we use Freeradius with the Daloradius addon.

Many greetings

Frank

Hi @Frank09, and welcome to the LE community forum :slight_smile:

If the server has no Internet access, you will have to get creative.

Is there a system that can see both (the Internet and that radius server)?
If so, it might be able to obtain a cert (via DNS authentication) and place it into the radius server.

4 Likes

So I can set up a web server or a reverse proxy to generate the certificates. But in the certificate is the DNS name of the web server then entered. Can this work so that I simply copy the certificate to the radius?

You do not need to setup a web server. But, you will need to have a domain name in the public registry and its related DNS records.

Some DNS providers allow API access that an ACME client (certbot, acme.sh, ...) can use to update your DNS with the TXT record needed to authenticate your domain and issue the cert. Different clients support different DNS providers.

Or, you could use the certbot client with its --standalone option. This creates a temporary web server to do the domain name authentication on port 80 (http). This still needs a public domain name and the DNS A record to point to the IP the client runs on.

BUT, I don't know anything about Radius or how it manages certs. And, I don't know how the public domain name you'd create relates to your internal Radius access. We do not often see Radius here so you may want to ask about this on one of its support forums. I quickly read the docs and some github issues and it seems to have some peculiar requirements.

2 Likes