Validation of Radius Server Certificate and TLS Tunnel Establishment between Supplicant and Radius

1. The wireless laptop acts as a supplicant and authenticates using 802.1X.

2. The access point serves as the authenticator, converting the EAP protocol to the Radius protocol and forwarding it to the Radius server, and vice versa.

3. The Radius server validates the user's credentials. If the credentials are correct, a Radius Accept message with the appropriate return attributes is sent to the authenticator; otherwise, a Radius Reject message is sent.

The Radius server validates the Authenticator using the Radius Secret. If the Radius Secret is correct for the Radius Access Request from the Authenticator, the Radius server will respond with a Radius Access Challenge, Radius Accept, or Radius Reject. If the Radius Secret is not correct, the Radius server will not respond to the Authenticator.

The laptop or Supplicant will validate the Radius server certificate if the following setting is enabled on the computer.

I recommend ticking the check box to validate the Radius server certificate on the Supplicants.

Once the supplicants validate the server certificate, a TLS /SSL tunnel (logical) will be established between the supplicant and Radius server as below.

User credentials are passed inside the tunnel.

The Purpose of the Radius server certificate is to create an encrypted TLS tunnel that protects the user credentials from being intercepted.

Now we understand the need and purpose of the radius server certificate.

Let’s try to understand which Radius server certificate the supplicant will validate and which will be used to establish the TLS tunnel within the setup below.

In the above scenario, the Radius server with IP 192.168.2.128 acts as a Radius Proxy, which acts as a pass-through for the information received from the Authenticator to the Radius server 192.168.2.227.

The Radius-server with IP address 192.168.2.227 will present the Radius Server certificate to the supplicant, which you can view at the supplicant as below.

So, the TLS Tunnel will be established as follows. Users' Credentials are sent in the TLS tunnel, and between devices, they cannot intercept the credentials.

This is clearly documented in the standard.

For more details, Information Radius Authentication with Wireless, please refer to the article

https://www.wirelessnewbies.com/post/802-1x-authentication

For more information on IETF RFC 3579, https://datatracker.ietf.org/doc/html/rfc3579