---
date: 2009-09-13
title: "WPA2 + FreeRADIUS + EAP-TLS"
categories:
- Debian/Ubuntu
- Howto
- Networks
- RADIUS
- Security
- Wifi
---
_WPA/WPA2 Enterprise on your wired or wireless network. Tested under Debian Lenny (server side) and Mac OS X 10.6, Windows XP, Android 2.2 and Ubuntu 10.10 (client side)_
**BUILDING AND INSTALLING FREERADIUS WITH TLS SUPPORT**
This step is not needed anymore: starting from Debian Squeeze, FreeRADIUS comes with TLS support.
Please, do not build stuff on your production server. Build on a dedicated build machine and then install the resulting packages on the production server.
If you are running Debian Lenny on i386, you can skip the build steps and grab the packages at this address :
[http://blog.wains.be/pub/freeradius-tls/](http://blog.wains.be/pub/freeradius-tls/)
Let's proceed...
**Install the necessary packages :**
```sh
apt-get install dpkg-dev fakeroot
```
**Download the source :**
```sh
cd /root
mkdir freeradius-tls
cd freeradius-tls
apt-get source freeradius
```
**Make the changes :**
Edit /root/freeradius-tls/debian/rules and, for eap_tls, eap_ttls, eap_peap and openssl, replace `--without` with `--with`, so that the configure flags read :
```sh
--with-rlm_eap_tls
--with-rlm_eap_ttls
--with-rlm_eap_peap
--without-rlm_eap_tnc
--without-rlm_otp
--with-rlm_sql_postgresql_lib_dir=`pg_config --libdir`
--with-rlm_sql_postgresql_include_dir=`pg_config --includedir`
--with-openssl
--without-rlm_eap_ikev2
--without-rlm_sql_oracle
--without-rlm_sql_unixodbc
```
Then, comment out the following check (it aborts the build as soon as a package links against OpenSSL, which is exactly what we want now) :
```make
for pkg in ${pkgs} ; do
    if dh_shlibdeps -p $$pkg -- -O 2>/dev/null | grep -q libssl; then
        echo "$$pkg links to openssl" ;
        exit 1 ;
    fi ;
done
```
Edit /root/freeradius-tls/debian/control and append `, libssl-dev` to the end of the line beginning with "Build-Depends".
Install the development libraries :
```sh
apt-get install libssl-dev debhelper libgdbm-dev libiodbc2-dev libkrb5-dev libldap2-dev libltdl3-dev libmysqlclient15-dev libpam0g-dev libpcap-dev libperl-dev libpq-dev libsasl2-dev libsnmp-dev python-dev
```
Build FreeRADIUS :
```sh
dpkg-buildpackage -rfakeroot
```
The build ends with a warning message; this is not important.
Put the packages on hold to avoid upgrading to a non-TLS version of FreeRADIUS :
```sh
echo "freeradius hold" | dpkg --set-selections
echo "libfreeradius2 hold" | dpkg --set-selections
echo "freeradius-common hold" | dpkg --set-selections
```
Install the packages we've just built :
```sh
dpkg --install freeradius_2.0.4+dfsg-6_i386.deb freeradius-common_2.0.4+dfsg-6_all.deb libfreeradius2_2.0.4+dfsg-6_i386.deb
```
**CERTIFICATES**
**Creating the CA**
```sh
apt-get install openssl
```
Edit /etc/ssl/openssl.cnf :
```ini
[ CA_default ]
dir = ./PKI
```
Edit /usr/lib/ssl/misc/CA.sh :
```sh
CATOP=./PKI
```
Then type :
```sh
cd /etc/ssl
/usr/lib/ssl/misc/CA.sh -newca
```
Set a challenge password and a passphrase. This is needed.
The CA created will be copied to the server and clients later on.
**Optional : if you have Windows XP clients**
Create /etc/ssl/PKI/xpextensions (Windows XP requires an explicit Extended Key Usage on the certificates) :
```ini
# id-kp-clientAuth
[xpclient_ext]
extendedKeyUsage=1.3.6.1.5.5.7.3.2
# id-kp-serverAuth
[xpserver_ext]
extendedKeyUsage=1.3.6.1.5.5.7.3.1
```
**Server certificate signing request :**
```sh
cd /etc/ssl
openssl req -new -nodes -keyout PKI/server_key.pem -out PKI/server_req.pem -days 730 -config openssl.cnf
```
Set a challenge password.
**Sign the server certificate request :**
```sh
cd /etc/ssl
openssl ca -config openssl.cnf -policy policy_anything -out PKI/server_cert.pem -infiles PKI/server_req.pem
```
Then keep a backup of the signed certificate :
```sh
cp PKI/server_cert.pem PKI/server_cert.pem-backup
```
Edit PKI/server_cert.pem and remove everything before the line `-----BEGIN CERTIFICATE-----` (the text dump that `openssl ca` puts in front of the PEM block; removing it is needed for Windows XP clients).
Next, concatenate the key and the certificate into the single file FreeRADIUS will use :
```sh
cat PKI/server_key.pem PKI/server_cert.pem > PKI/server_keycert.pem
```
**Create a client certificate signing request :**
```sh
openssl req -new -keyout PKI/client_key.pem -out PKI/client_req.pem -days 730 -config openssl.cnf
```
You MUST specify a Common Name (CN): it is what the `check_cert_cn` setting in eap.conf compares against the User-Name sent by the client.
**Sign client cert request :**
Windows XP client :
```sh
openssl ca -config openssl.cnf -policy policy_anything -out PKI/client_cert.pem -extensions xpclient_ext -extfile PKI/xpextensions -infiles PKI/client_req.pem
```
Mac OS X / Linux / Android client :
```sh
openssl ca -config openssl.cnf -policy policy_anything -out PKI/client_cert.pem -infiles PKI/client_req.pem
```
**Export P12 certs :**
Windows and Mac clients :
```sh
openssl pkcs12 -export -in PKI/client_cert.pem -inkey PKI/client_key.pem -out PKI/client_cert.p12 -clcerts
```
Android clients (the CA certificate is bundled into the same P12) :
```sh
openssl pkcs12 -export -in PKI/client_cert.pem -inkey PKI/client_key.pem -certfile PKI/cacert.pem -name "Wifi" -out PKI/client_cert.p12
```
You don't need to export P12 certificates for Linux (smart OS, eh ?)
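Before copying anything to the server and the clients, it is worth checking what was actually produced. The script below is an added example, not part of the original post: it builds a throwaway PKI with the same xpextensions sections as above (using `openssl req` and `openssl x509` directly instead of CA.sh), then verifies that each certificate chains to the CA, reads the CN that `check_cert_cn` will compare against the User-Name, confirms the Extended Key Usage Windows XP expects, and checks that the private key in server_keycert.pem matches the certificate in the same file. Every path, name and the CN `alice` is constructed here; the only assumption is that the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the original post): build a throwaway PKI with the
# post's xpextensions sections and verify the resulting certificates.
# Assumes only the openssl CLI. All names and paths below are constructed.
set -eu

# Create a CA, a server cert (serverAuth EKU) and a client cert (clientAuth
# EKU, CN = user name) in DIR. Constructed here; the post uses CA.sh instead.
make_demo_pki() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/xpextensions" <<'EOF'
[xpclient_ext]
extendedKeyUsage=1.3.6.1.5.5.7.3.2
[xpserver_ext]
extendedKeyUsage=1.3.6.1.5.5.7.3.1
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/cacert_key.pem" \
        -out "$dir/cacert.pem" -subj "/CN=Demo Wifi CA" -days 1 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/server_key.pem" \
        -out "$dir/server_req.pem" -subj "/CN=radius.example.test" 2>/dev/null
    openssl x509 -req -in "$dir/server_req.pem" -CA "$dir/cacert.pem" \
        -CAkey "$dir/cacert_key.pem" -CAcreateserial -days 1 \
        -extfile "$dir/xpextensions" -extensions xpserver_ext \
        -out "$dir/server_cert.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/client_key.pem" \
        -out "$dir/client_req.pem" -subj "/CN=alice" 2>/dev/null
    openssl x509 -req -in "$dir/client_req.pem" -CA "$dir/cacert.pem" \
        -CAkey "$dir/cacert_key.pem" -CAcreateserial -days 1 \
        -extfile "$dir/xpextensions" -extensions xpclient_ext \
        -out "$dir/client_cert.pem" 2>/dev/null
    # Combined key + certificate file, as the post builds it for FreeRADIUS
    cat "$dir/server_key.pem" "$dir/server_cert.pem" > "$dir/server_keycert.pem"
}

# Does CERT ($1) chain to the CA in CAFILE ($2)? Prints "ok" or "fail".
# The output is inspected rather than the exit code, which old openssl
# versions did not set on failure.
cert_chains_to_ca() {
    case "$(openssl verify -CAfile "$2" "$1" 2>&1 || true)" in
        *": OK") echo ok ;;
        *) echo fail ;;
    esac
}

# Common Name of CERT ($1): the value check_cert_cn = %{User-Name} matches.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Extended Key Usage of CERT ($1), as openssl prints it in -text output.
cert_eku() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/X509v3 Extended Key Usage/{n;s/^ *//;p;}'
}

# Does the private key in KEYFILE ($1) belong to the certificate in CERT ($2)?
# Both may be the same combined file; openssl picks the matching PEM block.
key_matches_cert() {
    if [ "$(openssl x509 -in "$2" -noout -pubkey)" = "$(openssl pkey -in "$1" -pubout)" ]
    then echo ok; else echo fail; fi
}

# Stand-alone run: build the demo PKI in a temporary directory and report.
DEMO_DIR=$(mktemp -d)
make_demo_pki "$DEMO_DIR"
echo "client chains to CA: $(cert_chains_to_ca "$DEMO_DIR/client_cert.pem" "$DEMO_DIR/cacert.pem")"
echo "client CN:           $(cert_cn "$DEMO_DIR/client_cert.pem")"
echo "client EKU:          $(cert_eku "$DEMO_DIR/client_cert.pem")"
echo "server EKU:          $(cert_eku "$DEMO_DIR/server_cert.pem")"
echo "server_keycert.pem:  $(key_matches_cert "$DEMO_DIR/server_keycert.pem" "$DEMO_DIR/server_keycert.pem")"
```

Run the same four functions against /etc/ssl/PKI/client_cert.pem, server_keycert.pem and cacert.pem from the steps above; a client certificate whose EKU line is empty will be refused by Windows XP, and a CN that differs from the account name will be rejected by `check_cert_cn`.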
**FREERADIUS CONFIG**
Copy the CA certificate and the server key+certificate into the FreeRADIUS configuration directory :
```sh
mkdir /etc/freeradius/certs/
cp /etc/ssl/PKI/cacert.pem /etc/freeradius/certs/cacert.pem
cp /etc/ssl/PKI/server_keycert.pem /etc/freeradius/certs/server_keycert.pem
```
Then generate the Diffie-Hellman parameters and the random seed file :
```sh
cd /etc/freeradius/certs
# 512-bit DH parameters are far too small by today's standards;
# on a current install use at least 2048 bits
openssl dhparam -check -text -5 512 -out dh
dd if=/dev/urandom of=random count=2
chown freerad dh
chmod o-w dh
```
Next, keep a copy of the default eap.conf :
```sh
cp /etc/freeradius/eap.conf /etc/freeradius/eap.conf-default
```
/etc/freeradius/eap.conf :
```conf
eap {
    default_eap_type = tls
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        # the server key was generated with -nodes, so this password is not used
        private_key_password = whatever
        # server_keycert.pem holds both the private key and the certificate
        private_key_file = ${certdir}/server_keycert.pem
        certificate_file = ${certdir}/server_keycert.pem
        CA_file = ${cadir}/cacert.pem
        dh_file = ${certdir}/dh
        random_file = ${certdir}/random
        fragment_size = 1024
        include_length = yes
        # reject a client whose certificate CN differs from the User-Name it sent
        check_cert_cn = %{User-Name}
        cipher_list = "DEFAULT"
    }
}
```
**Edit /etc/freeradius/clients.conf**
We will consider that the access point which authenticates users against the RADIUS server has the IP 192.168.7.45 :
```conf
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
    require_message_authenticator = no
    nastype = other # localhost isn't usually a NAS...
}
client 192.168.7.45 {
    # shared secret; the same value is entered on the access point
    secret = suchasecurepassword
    shortname = linksys
}
```
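The two settings in clients.conf that matter for the access-point-to-RADIUS leg are the shared secret and `require_message_authenticator`. As an added example that is not part of the original post, the script below parses a clients.conf and reports clients with short secrets and clients that do not require a Message-Authenticator. The sample file is constructed inline and mirrors the two clients above; the 16-character minimum is a policy choice made here, not a FreeRADIUS setting.

```shell
#!/bin/sh
# Added example (not from the original post): audit a FreeRADIUS clients.conf
# for short shared secrets and clients that accept requests without a
# Message-Authenticator. The sample configuration is constructed below.
set -eu

MIN_SECRET_LEN=16   # policy threshold chosen for this example

# One line per client block: "<name> <secret length> <require_message_authenticator>"
# (third field is "unset" when the directive is absent). Inline # comments
# after a value are stripped before the value is read.
clients_conf_report() {
    awk '
        /^[ \t]*client[ \t]+/ {
            name = $2; sub(/[{].*/, "", name)
            secret = ""; rma = "unset"
        }
        /^[ \t]*secret[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*#.*/, "", v); secret = v
        }
        /^[ \t]*require_message_authenticator[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*#.*/, "", v); rma = v
        }
        /^[ \t]*[}]/ { printf "%s %d %s\n", name, length(secret), rma }
    ' "$1"
}

# Names of clients whose shared secret is shorter than MIN_SECRET_LEN.
weak_secret_clients() {
    clients_conf_report "$1" | awk -v min="$MIN_SECRET_LEN" '$2 < min { print $1 }'
}

# Names of clients that do not have require_message_authenticator = yes.
clients_without_message_authenticator() {
    clients_conf_report "$1" | awk '$3 != "yes" { print $1 }'
}

# Constructed sample: the two clients from the post.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
    require_message_authenticator = no
    nastype = other # localhost isn't usually a NAS...
}
client 192.168.7.45 {
    secret = suchasecurepassword
    shortname = linksys
}
EOF

echo "clients with short secrets: $(weak_secret_clients "$SAMPLE_CONF" | tr '\n' ' ')"
echo "clients not requiring Message-Authenticator: $(clients_without_message_authenticator "$SAMPLE_CONF" | tr '\n' ' ')"
```

Point `clients_conf_report` at /etc/freeradius/clients.conf to get the same report for a live server; the default `testing123` secret is the one most worth replacing.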
**Start FreeRADIUS :**
The first time, it is recommended to run it in the foreground in debug mode with the following command; this gives a lot of output and shows why a client is accepted or rejected :
```sh
freeradius -X -f
```
When everything is fine and clients are happy, start the service the usual way :
```sh
/etc/init.d/freeradius start
```
**Set up wifi access point for authentication against our new RADIUS server**
It depends on your hardware here.
Usually you go to the security panel of your device, where you can specify the IP/hostname and port of the RADIUS server and the shared secret (in our example : suchasecurepassword).
Make sure your firewall lets the Wi-Fi access point talk to FreeRADIUS on port UDP/1812.
**Configure clients**
You'll need the following files for the following platforms :
- Mac OS X : P12 certificate (cert + private key), PEM CA certificate
- Windows XP : P12 certificate (cert + private key), PEM CA certificate
- Android 2.2 : P12 certificate (cert + private key + CA) (see [http://blog.wains.be/post/importing-certificates-on-android-ca-and-client/](http://blog.wains.be/post/importing-certificates-on-android-ca-and-client/))
- Linux Ubuntu 10.10 (Network Manager) : PEM certificate, PEM private key, PEM CA certificate
**This post is a stripped down version of the following howto by my colleague Jérôme :**
[http://hanoteau.blogspot.com/2009/03/howto-setup-eap-tls-wpa-network-with.html](http://hanoteau.blogspot.com/2009/03/howto-setup-eap-tls-wpa-network-with.html)