4.10. Authenticating Clients to FreeRADIUS

Now that you have your access point and FreeRADIUS server ready to go to work, how do your clients talk to it?

All clients need a copy of ca.crt. Mac and Linux clients get their own [hostname].crt and [hostname].key files. Windows clients use [hostname].p12.

Your Windows and Mac clients have built-in graphical tools for importing and managing their certificates, and configuring their supplicants. What do you do on Linux? I haven't found anything that makes the job any easier than editing plain old text files. Go back to Recipe 4.7, and start with the configuration for /etc/wpa_supplicant.conf. Change it to this:

	## /etc/wpa_supplicant.conf
	network={
	    ssid="alrac-net"
	    scan_ssid=1
	    key_mgmt=WPA-EAP
	    pairwise=CCMP TKIP
	    group=CCMP TKIP
	    eap=TLS
	    identity="alice sysadmin"
	    ca_cert="/etc/cert/ca.crt"
	    client_cert="/etc/cert/stinkpad.crt"
	    private_key="/etc/cert/stinkpad.key"
	    private_key_passwd="verysuperstrongpassword"
	}

The value for identity comes from /etc/raddb/users on the FreeRADIUS server. Certificates and keys can be stored anywhere, as long as wpa_supplicant.conf is configured correctly to point to them.

Continue with the rest of Recipe 4.7 to test and finish configuring wpa_supplicant.

Be sure that .key files are mode 0400 and owned by your Linux user. The .crt files should be mode 0644, also owned by that user.
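
The permission rules above can be checked mechanically. This is an added example, not code from the book: the function names are made up for illustration, and it assumes each path in wpa_supplicant.conf is written as a quoted string on its own line, as in the listing above.

```sh
#!/bin/sh
# Added example: audit the certificate and key files named in a
# wpa_supplicant.conf against the modes given in this recipe.

# conf_paths KEY CONF: print each quoted value of KEY="..." in CONF.
# Anchoring on KEY=" keeps private_key from matching private_key_passwd.
conf_paths() {
    sed -n 's/^[[:space:]]*'"$1"'="\(.*\)"[[:space:]]*$/\1/p' "$2"
}

# check_file PATH MODE: succeed only if PATH exists, has exactly MODE,
# and is owned by the user running the audit.
check_file() {
    if [ ! -e "$1" ]; then
        echo "MISSING $1"
        return 1
    fi
    if [ -n "$(find "$1" -prune -perm "$2" -user "$(id -u)")" ]; then
        echo "OK      $1"
    else
        echo "BAD     $1 (want mode $2, uid $(id -u)); have: $(ls -ln "$1")"
        return 1
    fi
}

# audit_wpa_certs CONF: return 0 only if every referenced file passes.
audit_wpa_certs() {
    rc=0
    for spec in ca_cert:0644 client_cert:0644 private_key:0400; do
        key=${spec%%:*}
        mode=${spec##*:}
        # The loop runs in a subshell so it can report failure via exit.
        conf_paths "$key" "$1" | (
            bad=0
            while IFS= read -r path; do
                check_file "$path" "$mode" || bad=1
            done
            exit "$bad"
        ) || rc=1
    done
    return "$rc"
}
```

Source the file and run `audit_wpa_certs /etc/wpa_supplicant.conf` as the user who should own the files; a nonzero return means at least one file is missing, has the wrong mode, or belongs to someone else.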

You can have multiple entries in wpa_supplicant.conf for different networks. Be sure to use the:

	network={
	}

format to set them apart.

NetworkManager (http://www.gnome.org/projects/NetworkManager/) is the best Linux tool for painlessly managing multiple network profiles. It is bundled with Gnome, and is available for all Linux distributions.