How to get FreeRADIUS to authenticate with certs on my WIFI?

So I have WPA-Enterprise enabled on my wifi, using FreeRADIUS for the username and password on pfSense 2.5.2, working on my Linux laptop, Android phone and iPad.

Now I would like to add a cert for my wifi connections as well. On a Linux laptop, I could not get it to work.

These are the general steps I took; perhaps someone can identify an error I have made?

  1. Create a FreeRADIUS CA
  2. Create a FreeRADIUS cert for a server with 390 days duration.
  3. Under FreeRADIUS > EAP:
     - EAP
       - Default EAP Type: PEAP
       - Minimum TLS Version: 1.0
     - Certificates for TLS
       - SSL CA Certificate: my FreeRadius CA
       - SSL Server Certificate: my FreeRADIUS server cert
     - EAP-TLS
       - Check Cert Issuer: checked (tried unchecked)
       - Check Client Certificate CN: checked (tried unchecked)
     - All other settings I’ve left as default.
  4. Imported the FreeRADIUS CA to my laptop.
  5. Now I create a user cert for my FreeRADIUS user using the same name as I have used in FreeRADIUS. Export it to my laptop.
  6. On Linux Mint, I connect to my wifi, importing the cert.

It doesn’t connect when I use the cert; if I leave out the cert I can connect.

What I have no idea about is where in FreeRADIUS it is telling clients they MUST use a certificate. Or does my AP have to do this, or are certs optional on FreeRADIUS by design?

Everything is pointing to the cert not being correctly created. The CN and username are the same and the duration for the cert is 390 days; they are the only things I have come across which didn’t seem obvious.

Any ideas?
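An offline pre-check for the client certificate produced in steps 4 to 6, added here as an example; it is not part of the original thread or of the pfSense package. It builds throwaway certificates with `openssl` and tests issuer, expiry, chain and CN against the username. The names `alice` and `Constructed RADIUS CA`, the file names, and the reading of the two pfSense checkboxes as an issuer-DN comparison and a CN-equals-username comparison are assumptions.

```shell
#!/bin/sh
# Added example. All names (alice, "Constructed RADIUS CA", file names) are constructed.

# Build a throwaway CA and a 390-day client cert for CN=$2 in directory $1.
make_pki() {
    d=$1
    printf '[req]\ndistinguished_name=dn\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n[usr]\nextendedKeyUsage=clientAuth\n' > "$d/pki.cnf"
    openssl req -config "$d/pki.cnf" -x509 -extensions ca -newkey rsa:2048 -nodes \
        -days 3650 -subj "/CN=Constructed RADIUS CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
    openssl req -config "$d/pki.cnf" -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 390 -extfile "$d/pki.cnf" -extensions usr \
        -out "$d/client.crt" 2>/dev/null
}

# Field $2 (issuer or subject) of cert $1 as an RFC 2253 string, label stripped.
dn() { openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed "s/^$2= *//"; }

# Is the client's issuer DN the CA's subject DN (assumed meaning of "Check Cert Issuer")?
check_issuer() { [ "$(dn "$2" issuer)" = "$(dn "$1" subject)" ]; }
# Is the cert ($1) not yet expired?
check_dates() { openssl x509 -in "$1" -noout -checkend 0 >/dev/null; }
# Does the client cert ($2) verify against the CA ($1) for TLS client use?
check_chain() { openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1; }
# Is the subject CN the RADIUS username (assumed meaning of "Check Client Certificate CN")?
check_cn() { [ "$(dn "$1" subject | sed -n 's/^.*CN=\([^,]*\).*$/\1/p')" = "$2" ]; }

# Print the first failing check, or "ok". $1=CA cert, $2=client cert, $3=username.
diagnose() {
    check_issuer "$1" "$2" || { echo issuer;  return 1; }
    check_dates  "$2"      || { echo expired; return 1; }
    check_chain  "$1" "$2" || { echo chain;   return 1; }
    check_cn     "$2" "$3" || { echo cn;      return 1; }
    echo ok
}

# Demo on constructed certs: a matching username, then a mismatched one.
demo=$(mktemp -d) && make_pki "$demo" alice
diagnose "$demo/ca.crt" "$demo/client.crt" alice
diagnose "$demo/ca.crt" "$demo/client.crt" bob || true
```

Pointing `diagnose` at the exported CA and user certificate (PEM) together with the FreeRADIUS username shows which check a real certificate fails first. A result of `chain` with a matching issuer name indicates a CA that was recreated under the same name with a different key.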

Maybe try changing the default EAP type to TLS:
https://wiki.alpinelinux.org/wiki/FreeRadius_EAP-TLS_configuration

Actually I had tried TLS too; it didn’t work, though I am using WPA3.

I have no experience with WPA3 yet. I have been using WPA2-EAP PEAP for many years. I had several problems with FreeRADIUS running on pfSense. Not because of EAP-TLS but because of other problems with NT passwords saved in a MySQL database.

Since I am using a separate FreeRADIUS server in a dedicated virtual system on my Proxmox server, everything works very well. So I stopped using the pfSense FreeRADIUS package.

A friend of mine had the same problems with the pfSense FreeRADIUS package as I had, and also switched to a dedicated FreeRADIUS system, which solved his problems. I would set up a dedicated FreeRADIUS system and see if that works better.

Is there anyone who can confirm if FreeRADIUS (on pfSense 2.5.2) with certificates works when used for wifi authentication?