How to Configure 802.1x EAP-TLS to Secure the Wireless Environment with a Self-Signed Certificate?

Zyxel_KathyLin Posts: 58  Zyxel Employee
edited June 2022 in Authentication

This example shows how to import a self-signed certificate from the NXC into an Android/iOS phone so that the wireless connection is protected with 802.1x EAP-TLS. The certificate must be generated by the NXC.

Configure Certificate

1     Go to CONFIGURATION > Object > Certificate > My certificates, and add a self-signed certificate. In Subject Information, enter the NXC’s IP address in the Host IP Address field.

In Enrollment Options, select Create a self-signed certificate.

2     Export the self-signed certificate from My certificates. Double-click the self-signed certificate, scroll down the page and press Export Certificate Only. Save the certificate.

3     Go to Trusted Certificate and import the self-signed certificate.

4     Go to My certificates and export the self-signed certificate with its private key: double-click the self-signed certificate, scroll down the page and press Export Certificate with Private Key. Save the file and give it a file extension (*.pfx, *.p12 or *.crt).

5     Import the self-signed certificate into the Android phone. (Here I copied the certificate to the Android phone's storage and then imported it. For the iPhone, I sent the certificate by email and installed it.)

Android: In step “e”, “CREDENTIAL USE” must be set to “Wi-Fi”.

[Screenshots: Android certificate import steps a to e]


iOS:

[Screenshots: iOS certificate installation steps a to i]


Configure AP profile

1     Go to CONFIGURATION > Object > AP Profile > SSID > Security List, and add a security profile.


2     Go to CONFIGURATION > Object > AP Profile > SSID > SSID List, and add an SSID profile.

3     Go to CONFIGURATION > Wireless > AP Management > AP Group, and add this SSID into the default group.

Test the Result

1     Use an Android/iOS phone to connect to the SSID Zyxel-EAPTLS.

Android:

[Screenshots: Android connection steps a to e]

iOS:

[Screenshots: iOS connection steps]

2     Check the station information on the NXC. Go to Configuration > Wireless > Station info.
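A check that can be run on the two files exported in Configure Certificate steps 2 and 4 before they are copied to phones, as an added example that is not part of the original post or of Zyxel's tooling. It assumes OpenSSL is installed, that the certificate-only export is PEM-encoded and that the export with private key is a PKCS#12 bundle; `check_export`, `make_sample`, the file names, the password and the address 192.0.2.10 are constructed for illustration.

```shell
#!/bin/sh
# check_export CERT_ONLY_FILE P12_FILE P12_PASSWORD CONTROLLER_IP
# Returns 0 when every check passes, otherwise prints the failed check and returns 1.
check_export() {
    cert=$1; p12=$2; pass=$3; ip=$4
    # The "certificate only" file goes to Trusted Certificates; it must not carry the key.
    if grep -q 'PRIVATE KEY' "$cert"; then echo "FAIL: private key in $cert"; return 1; fi
    # Self-signed means subject and issuer are the same name.
    subj=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer= *//')
    [ -n "$subj" ] && [ "$subj" = "$iss" ] || { echo "FAIL: not self-signed"; return 1; }
    # The controller IP must appear as an IP subjectAltName or as the common name.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= *//p')
    openssl x509 -in "$cert" -noout -checkip "$ip" 2>/dev/null | grep -q 'does match' ||
        [ "$cn" = "$ip" ] || { echo "FAIL: $ip not in certificate"; return 1; }
    # Still valid 30 days from now (2592000 seconds).
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null ||
        { echo "FAIL: expires within 30 days"; return 1; }
    # The bundle must open with the password and hold the key for this certificate.
    kpub=$(openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes 2>/dev/null |
           openssl pkey -pubout 2>/dev/null) || kpub=
    cpub=$(openssl x509 -in "$cert" -noout -pubkey)
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ] ||
        { echo "FAIL: bundle unreadable or key mismatch"; return 1; }
    echo "OK: $cert and $p12 are consistent"
}

# Constructed stand-in for the controller's two exports (192.0.2.10 is a documentation address).
make_sample() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=192.0.2.10" \
        -keyout "$dir/key.pem" -out "$dir/nxc.crt" 2>/dev/null
    openssl pkcs12 -export -in "$dir/nxc.crt" -inkey "$dir/key.pem" \
        -passout pass:example -out "$dir/nxc.p12"
}

# Demonstration on the constructed sample.
tmp=$(mktemp -d); make_sample "$tmp"
check_export "$tmp/nxc.crt" "$tmp/nxc.p12" example 192.0.2.10
rm -rf "$tmp"
```

The bundle from step 4 contains the private key, so the copy left in mail or phone storage after installation is worth deleting.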

Comments

  • Zyxel_KathyLin

    What Could Go Wrong?

    1     Users must import the certificate signed by the NXC, and the credential use must be set to Wi-Fi.

    2     After pressing disconnect on the Android phone, we might need to import the certificates again.

    3     Different Android/iOS firmware versions may have different certificate importing behavior. Please ensure the certificates are imported successfully.

    4     The Windows PC doesn’t support self-signed certificates.

    5     Go to CONFIGURATION > Object > Certificate > My Certificates, click the self-signed certificate and click Edit. It shows validation result=self-signed in the certification path.


    6     When the customer connects to an SSID with 802.1x security, iOS shows a certificate trust request pop-up screen with the detailed information of the certificate.