
About Device Wifi & Certificate Based Authentication

What is it?

Certificate Based Authentication (abbreviated to CBA, and previously known as device wifi) is a secure method used to verify the identity of users or devices when connecting to wifi networks.

How does it work?

Instead of entering a username and password to authenticate to a GovWifi network, a unique certificate is added to the user’s device (e.g. a laptop or phone), which allows the device to log in automatically to any nearby GovWifi network.

Here’s a simplified breakdown of the steps:

  1. A network administrator generates a chain of certificates. Copies of these certificates are uploaded to our RADIUS servers and the user’s managed device.
  2. When a managed device attempts to connect to the wifi network, it presents its certificate to the RADIUS authentication server.
  3. RADIUS verifies the presented certificate against those it has stored.
  4. If all verifications are successful, access to the network is granted.

The actual process is much more complex, but it may be helpful to think of certificate chains as jigsaw pieces. RADIUS and the user’s device each have a unique jigsaw piece and when all the pieces fit together correctly they complete the jigsaw and the user gains access.

Simple diagram of certificate based authentication showing a user's device connecting to a wifi network using a certificate

Advantages

  • Cryptographic authentication: When well managed, CBA is more secure than traditional password-based methods.
  • Eliminates the need for shared passwords: Against our recommendations, some organisations share passwords and usernames between devices. Using CBA eliminates the need for this.
  • Automatic Login: Users can log in automatically without needing to enter passwords, facilitating a smoother user experience.

Disadvantages

  • Requires an organisation’s network administrators to have expert knowledge of PKI (Public Key Infrastructure) and CBA in order to generate and manage their certificates.
  • Requires additional work/knowledge from network administrators to set up and maintain the infrastructure behind CBA.

Infrastructure

Organisations that offer GovWifi can upload root and intermediate certificates via the GovWifi Admin portal. These are validated and copied to our RADIUS servers from an AWS S3 bucket when the servers reboot each night. Below is a diagram and a detailed explanation of the process, complete with links to code.

GovWifi CBA Architecture Diagram

Diagram showing the architecture of GovWifi CBA

An organisation uploads their root and intermediate certificates to our system via the GovWifi Admin portal. The certificates are always in PEM format.

  1. We validate the root certificate by checking the following:

  2. The organisation’s root and intermediate certificates are stored in the Admin database, in the certificates table.

  3. The certificate files are exported from the database, zipped, then uploaded to an S3 bucket at 10pm every night. The export_certificates rake task is responsible for this.

  4. When the RADIUS servers restart after midnight, the organisation’s certificates are copied to the ECS containers and stored in /etc/raddb/certs/trusted_certificates on the RADIUS server. This is done by a shell script that downloads the zip file containing the certificates from S3, unzips it and copies the certificates to the RADIUS containers. The unzipping step adds an extra layer of error checking, as it ensures that all certificates were uploaded in their entirety. If the zip file contains errors, or is missing a certificate, then new RADIUS containers will not be created and the containers from the previous night will keep running, preventing an outage.
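As an added example (not GovWifi’s own code), the steps above in Ruby using the standard openssl library: a constructed root / issuing CA / device chain, an upload check that accepts only an unexpired CA certificate (the page does not list GovWifi’s actual validation checks, so these are assumed ones), and the RADIUS-side verification of a device certificate against the stored root and intermediate.

```ruby
require 'openssl'

# Build a self-signed CA, a CA-signed intermediate or a device certificate.
# Constructed test PKI for this example only, not GovWifi's or any organisation's.
def make_cert(subject:, serial:, ca: false, issuer_cert: nil, issuer_key: nil)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, needed for extensions
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 365 * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', ca ? 'keyCertSign,cRLSign' : 'digitalSignature', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Admin-portal side (assumed checks): an uploaded PEM is accepted as a trust anchor
# only if it parses, carries basicConstraints CA:TRUE and is inside its validity window.
def valid_ca_pem?(pem)
  cert = OpenSSL::X509::Certificate.new(pem)
  is_ca = cert.extensions.any? { |e| e.oid == 'basicConstraints' && e.value.include?('CA:TRUE') }
  now = Time.now
  is_ca && cert.not_before <= now && cert.not_after > now
rescue OpenSSL::X509::CertificateError
  false # garbage or a truncated file never reaches the RADIUS trust store
end

# RADIUS side: the organisation's root and intermediate form the trust store;
# a device certificate is accepted only if it chains to them (the "jigsaw" fitting together).
def device_trusted?(trusted_pems, device_pem)
  store = OpenSSL::X509::Store.new
  trusted_pems.each { |pem| store.add_cert(OpenSSL::X509::Certificate.new(pem)) }
  store.verify(OpenSSL::X509::Certificate.new(device_pem))
end

# Walk through the chain: root -> issuing CA -> managed device.
root, root_key = make_cert(subject: '/CN=ExampleOrgRootCA', serial: 1, ca: true)
issuing, issuing_key = make_cert(subject: '/CN=ExampleOrgIssuingCA', serial: 2, ca: true,
                                 issuer_cert: root, issuer_key: root_key)
laptop, = make_cert(subject: '/CN=laptop-01', serial: 3, issuer_cert: issuing, issuer_key: issuing_key)
puts "upload accepted: #{valid_ca_pem?(root.to_pem) && valid_ca_pem?(issuing.to_pem)}"
puts "device accepted: #{device_trusted?([root.to_pem, issuing.to_pem], laptop.to_pem)}"
```

If the intermediate is missing from the trust store, device_trusted? returns false, which is the "missing a certificate" case the nightly zip check is there to catch before it reaches RADIUS.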

CBA and the GovWifi smoketests

In order for the smoketests to work properly they require two dummy TLS certificates to be generated. If you set up a new GovWifi environment (for example another staging or development environment, or if you need to create a new production environment in the case of a BCP/DR scenario) then you will need to follow the certificate generation instructions.

How can organisations set it up?

Requirements

Organisations MUST have met the following requirements before they will be able to use GovWifi’s Certificate Based Authentication (CBA):

  • Organisations need to have set up Public Key Infrastructure (PKI) successfully on their systems and deployed it to managed devices. They should be comfortable with PKI and how to configure it. GovWifi can offer no support on this.
  • Organisations must have a plan in place for keeping their TLS certificates up to date and secure.

In the next section there is an example architecture diagram showing how an organisation could integrate PKI (Public Key Infrastructure) with their system.

A note on GovWifi CBA technical support

GovWifi are unable to offer in-depth support regarding the setup of Public Key Infrastructure or the generation or deployment of certificates to managed devices. This is because our clients’ setups vary greatly and this work should be done by an in-house expert.

GovWifi’s only role is to enable the CBA option for the organisation on our Admin portal once we have ensured the requirements and risks of using Certificate Based Authentication (CBA) have been understood.

What does the GovWifi team need to do when an organisation wants to use CBA?

First make sure they understand the requirements.

Enabling CBA for new organisations

In order to enable the CBA feature for network administrators, follow the steps below:

  1. Make sure you are logged in to the GovWifi Admin site as a Superuser. You should see the title “GovWifi Super User Administrators” at the top of the page.
     Screenshot showing the GovWifi Admin site with the title ‘GovWifi Super User Administrators’ at the top of the page
  2. Select “All Organisations” from the list on the left.
  3. Select the organisation that you want to enable CBA for from the list that appears.
  4. On the organisation landing page, scroll down until you see the “Enable CBA” button and click it.
     Screenshot showing the GovWifi Admin site with the ‘Enable CBA’ button highlighted
  5. The organisation’s network administrator will then be able to log in and add their certificates. If they click on the “Certificates” menu item they will be taken to a page where they can upload their root and intermediate certificates. Their new certificates will not be uploaded to the GovWifi RADIUS servers until the servers are restarted after midnight.
     Screenshot showing the GovWifi Admin site Certificates page

Additional resources that the team can use to guide admins through the setup process

Some of these are work in progress (WIP) documents and may not be complete.

Example set up of PKI (Public Key Infrastructure)

Below is a diagram of an example setup of PKI infrastructure, integrated with Windows Active Directory. It can be used to give organisations a high level idea of the kind of infrastructure they will need to set up in order to implement PKI. This is only meant as a rough guide; organisations will need to sit down with their own internal technical experts to work out their own individual plan.

Diagram showing an example set up of PKI infrastructure integrated with Windows Active Directory

Explanation of diagram

  • A standalone server stores the Root CA (depicted on the far left in the “workgroup box”). This server should be highly secure, and can even be kept offline or powered down when it’s not in use. Its only job is to generate and store the organisation’s self-signed root certificate.
  • The Active Directory machine/server can be thought of as a controller, or provisioning machine, that is used to install software on end user devices (represented in the diagram by the laptops). It is also used to ensure that the software on the machine is kept up to date. When a new laptop first comes online, this provisioning machine:
    • Copies the root certificate onto the device
    • Sets up the wifi configuration and SSID on the machine (in this case GovWifi).
  • The PKI machine / Public Key Infrastructure Issuing CA is used to install unique device certificates on each of the end user machines. The devices are then able to connect to a wifi network using TLS.

In depth instructions on setting up wifi authentication via TLS on Windows can be found in the GovWifi Private Key Infrastructure (PKI) setup and maintenance document. You will need to be a member of the GovWifi core team to access this document.

PKI Management Software For Organisations Looking To Setup CBA

Some organisations use software such as Jamf, Microsoft Intune or Entrust to manage their systems for them. Microsoft Intune can be used alongside Microsoft Cloud PKI to manage certificates on devices.

Please note GovWifi doesn’t offer support for third party software.

More Information

More information can be found in the CBA folder of our Google Drive. Please note, you will need to be a member of the GovWifi core team to view these documents as some contain private information.

This includes design decisions and documentation, as well as information about the Beta and Alpha phases of this feature.

CBA Presentation

Produced whilst CBA was in development, so certain features may have changed:

Presentation GovWifi EAP-TLS auth and PKI

This page was last reviewed on 24 January 2025. It needs to be reviewed again on 24 January 2026 by the page owner #govwifi .