Synology usage series 32 – Setup Wifi WPA2 Enterprise with Freeradius+Openldap/Client Certificate

Authentication with client certificate

If you want authentication using client certificate, follow the instruction below.

Radius Server Setting

  1. SSH to DS as root
  2. Create a root certificate (CA+server cert)

    # cd /opt/etc/raddb/certs
    # cp server.pem root.pem
    # cat ca.pem >> root.pem

    ** note. Order is important here. Must copy server.pem to root.pem first. Then concat ca.pem to the root.pem.
    Order does matter.

  3. Edit /opt/etc/raddb/eap.conf, changes highlighted in red below

    certificate_file = ${certdir}/root.pem
    CA_file = ${cadir}/root.pem

  4. Edit /opt/etc/raddb/sites-enabled/default, go to authorize { } section and add the following lines inside authorize section.
    authorize {
            update control {
                    EAP-TLS-Require-Client-Cert = Yes
  5. Restart freeradius# /opt/etc/init.d/S55freeradius restart

Vista/Windows 7 Wifi Client Setting

Manage wireless networks

  • At Network and Sharing Center menu, click Manage wireless networks.
  • Right-click the highlighted the SSID and select Properties.
  • Click security tab

    Choose a network authentication method: Select ‘Smart Card or other certificate’

    Click ‘Cache user information…’

    Click Setting button.

    In ‘When connecting’, click ‘verify that Use a certificate on this computer’ and uncheck the ‘Use simple certificate selection’.

    Click Validate server certificate

    In the ‘Trusted Root Certification Authorities’ listbox, select your radius CA cert.

    Also make sure to click the ‘Use different user name for this connection’ or something like that.

    Click OK twice to finish the setting.

Leave a Reply

Your email address will not be published. Required fields are marked *