Radius

http://www.howtoforge.com/wifi-authentication-accounting-with-freeradius-on-centos5

Certificates: OpenSSL 0.9.8b
Radius Server: FreeRADIUS version 1.1.7 (built from FC6 src.rpms)
(Note: This document also assumes that you have a DHCP server already configured and running on the same subnet.)

Protocols configured for: WPA1/2 Enterprise, EAP/PEAP/TTLS

Following processes are involved:
1- Install OS
2- Install OpenSSL
3- Generate digital certificates
4- Install / configure FreeRADIUS
5- Configure access points
6- Configure end wifi clients

Step 1
1- Install the OS in minimal mode (refer to some howto).

Step 2
2- Install OpenSSL (if not already installed):
yum install openssl

Step 3 (*********** OpenSSL Certificate Generation ***********)
There are numerous ways of generating SSL certificates. You can create your certificates on another computer or on this server. Following is the manual way of creating certificates which I adopted, but you are advised to use a script to create them (skip this step if you do). FreeRADIUS 1.1.7 and 2.x come with nice certificate-generating scripts; use them if you are new to certificates. (In 2.x the scripts are usually in /etc/raddb/certs/; in 1.x they are in the scripts/ directory of the un-tgzed FreeRADIUS source.)
Note: The following process also creates client certificates, which you will not need with EAP/PEAP or TTLS; they are only required for EAP-TLS.
Note: The 1024-bit RSA keys generated below were the OpenSSL default in 2008 and are below today's minimum; add -newkey rsa:2048 (or larger) to the "openssl req" commands.

3.1 Create a new self-signed certificate authority (if not already created) in /etc/ssl:
mkdir private
mkdir newcerts
touch index.txt
echo 01 > serial
Edit /etc/pki/tls/openssl.cnf and change
dir = ../../CA # Where everything is kept
to
dir = /etc/ssl
openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 3650
Passphrase: "letmein" was the password I chose.
Following is the output:
===========================================================================
[root@ciitwifi ssl]# openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 3650
Generating a 1024 bit RSA private key
..++++++
..++++++
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:pk
State or Province Name (full name) [Berkshire]:pakhtoonkhwa
Locality Name (eg, city) [abbottabad]:abbottabad
Organization Name (eg, company) [ciit]:ciit
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ciitwifi
Email Address []:rnd@peace.not@ciit.net.pk
===========================================================================

3.2 Create the server certificate request in /etc/ssl (note the password "lettheserverin"):
openssl req -new -nodes -keyout server_key.pem -out server_req.pem -days 730
(Note: -nodes means the server key is written unencrypted; the "lettheserverin" string entered below is the CSR challenge password, not a key passphrase. Keep server_key.pem readable by root and the radiusd user only.)
Output:
===========================================================================
[root@ciitwifi ssl]# openssl req -new -nodes -keyout server_key.pem -out server_req.pem -days 730
Generating a 1024 bit RSA private key
.......++++++
..................................++++++
writing new private key to 'server_key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:pk
State or Province Name (full name) [Berkshire]:pakhtoonkhwa
Locality Name (eg, city) [abbottabad]:abbottabad
Organization Name (eg, company) [ciit]:ciit
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ciitwifi
Email Address []:rnd@peace.not

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:lettheserverin
An optional company name []:
[root@ciitwifi ssl]#
===========================================================================

3.3 Sign the server certificate using the certificate authority created earlier (with XP extensions):
Create an xpextensions file at /etc/ssl with the following content.
[root@centos5 ssl]# cat xpextensions
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
(1.3.6.1.5.5.7.3.1 is id-kp-serverAuth and 1.3.6.1.5.5.7.3.2 is id-kp-clientAuth. The Windows supplicant requires the Server Authentication EKU on the RADIUS server's certificate, which is why the extension is added here.)

openssl ca -policy policy_anything -out server_cert.pem -extensions xpserver_ext -extfile /etc/ssl/xpextensions -infiles /etc/ssl/server_req.pem
(Note: the passphrase is "letmein", the CA passphrase from step 3.1.)
===========================================================================
[root@ciitwifi ssl]# openssl ca -policy policy_anything -out server_cert.pem -extensions xpserver_ext -extfile /etc/ssl/xpextensions -infiles /etc/ssl/server_req.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/ssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jun 10 03:22:22 2008 GMT
Not After : Jun 10 03:22:22 2009 GMT
Subject:
countryName = pk
stateOrProvinceName = pakhtoonkhwa
localityName = abbottabad
organizationName = ciit
commonName = ciitwifi
emailAddress = rnd@peace.not
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Server Authentication
Certificate is to be certified until Jun 10 03:22:22 2009 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@ciitwifi ssl]#
===========================================================================
(Note: the -days 730 given to "openssl req" only applies to self-signed certificates; "openssl ca" uses default_days from openssl.cnf, which is why the certificate above is valid for 365 days. Set default_days, or pass -days to "openssl ca", if you want a different lifetime.)

3.4 Create a server file with both the server key and the server certificate:
cat server_key.pem server_cert.pem > server_keycert.pem

3.5 Create a client certificate request in /etc/ssl:
openssl req -new -keyout client_key.pem -out client_req.pem -days 730
"ciitwificlient" is the PEM passphrase I used.
(For EAP-TLS the Common Name of a client certificate should identify the user or machine, not the server; the same value is reused below only because this client certificate is not needed for PEAP/TTLS.)
Output:
===========================================================================
[root@ciitwifi ssl]# openssl req -new -keyout client_key.pem -out client_req.pem -days 730
Generating a 1024 bit RSA private key
.........++++++
..............++++++
writing new private key to 'client_key.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:pk
State or Province Name (full name) [Berkshire]:pakhtoonkhwa
Locality Name (eg, city) [abbottabad]:abbottabad
Organization Name (eg, company) [ciit]:ciit
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ciitwifi
Email Address []:rnd@peace.not

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:whateverdotwhat
An optional company name []:
[root@ciitwifi ssl]#
===========================================================================

3.6 Sign the client certificate using the certificate authority created earlier (with XP extensions):
openssl ca -policy policy_anything -out client_cert.pem -extensions xpclient_ext -extfile /etc/ssl/xpextensions -infiles /etc/ssl/client_req.pem
"letmein" is the CA passphrase I used.
===========================================================================
[root@ciitwifi ssl]# openssl ca -policy policy_anything -out client_cert.pem -extensions xpclient_ext -extfile /etc/ssl/xpextensions -infiles /etc/ssl/client_req.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/ssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Jun 10 03:49:46 2008 GMT
Not After : Jun 10 03:49:46 2009 GMT
Subject:
countryName = pk
stateOrProvinceName = pakhtoonkhwa
localityName = abbottabad
organizationName = ciit
commonName = ciitwifi
emailAddress = rnd@peace.not
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Client Authentication
Certificate is to be certified until Jun 10 03:49:46 2009 GMT (365 days)
Sign the certificate? [y/n]:yes
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@ciitwifi ssl]#
===========================================================================

3.7 Export the client certificate in the appropriate format (PKCS#12) for an XP client:
openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out client_cert.p12 -clcerts
"ciitwificlient" is the key passphrase. "Idontknow" is the export password; this is the password you give to the Windows XP clients, who will need it when installing client_cert.p12. (The .p12 contains the client's private key, so hand it over through a channel you trust, and do not share one client certificate between users.)
Output:
===========================================================================
[root@ciitwifi ssl]# openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out client_cert.p12 -clcerts
Enter pass phrase for client_key.pem:
Enter Export Password:
Verifying - Enter Export Password:
[root@ciitwifi ssl]#
===========================================================================

3.8 Export the root certificate of the CA in the appropriate format (DER) for an XP client:
openssl x509 -setalias "ciitwifi@ciit" -outform DER -in cacert.pem -out cacert.der
(This is the only certificate a PEAP/TTLS client needs: it lets the supplicant verify the RADIUS server's certificate.)

Step 4 (*********** Freeradius Setup ***********)
4.1 Fetch the freeradius rpm:
rpm -Uvh freeradius....
If it asks for dependencies, do the following:
yum install net-snmp-utils perl-DBI libtool-ltdl -y
Note: The FreeRADIUS available in the CentOS 5.1 repos is freeradius-1.1.3..., which comes with OpenSSL support but is no longer supported by freeradius.org; support is only available for the 1.1.7.x version. The latest version, 2.0.5, has newer features but has no rpm binaries for CentOS 5.x, although .src.rpms of 2.0.3 for Fedora 9 do exist. FR 2.x differs from 1.x under the hood (paths/files of the various protocols).

4.2 Remove the FreeRADIUS default certificate files etc.:
rm -Rf /etc/raddb/demoCA
This is actually /etc/raddb/certs/demoCA; I backed up (mv'd) the /etc/raddb/certs folder to /etc/raddb/bkup_certs.

4.3 Create the appropriate directories in /etc/raddb in which to keep the certificate information:
I backed up (mv'd) the /etc/raddb/certs folder to /etc/raddb/bkup_certs and created a new one named /etc/raddb/certs:
mkdir /etc/raddb/certs

4.4 Move the server certificate and the root certificate to the FreeRADIUS folder:
cp /etc/ssl/cacert.pem /etc/raddb/certs/ -v
cp /etc/ssl/server_keycert.pem /etc/raddb/certs/ -v

4.5 Create the Diffie-Hellman parameters file for TLS:
openssl dhparam -check -text -5 512 -out dh
(512-bit DH parameters were already weak in 2008 and are rejected by modern clients; generate at least 2048 bits, e.g. "openssl dhparam -out dh 2048". It takes considerably longer.)
Output:
[root@ciitwifi ssl]# pwd
/etc/ssl
[root@ciitwifi ssl]# openssl dhparam -check -text -5 512 -out dh
Generating DH parameters, 512 bit long safe prime, generator 5
This is going to take a long time.
+.........................................................................+................+......+.............................+...........+.........+.......................+....................................................................................+........................................+...........................+..............................+........................+.................................................+...........................+..........................+..........+.+.......+.............................................+...+...........................................+...................................+.....................+.........+................................+.......+.........+.....+......................+............................+..............+.........+............................................................++*++*++*++*++*++*
DH parameters appear to be ok.
[root@ciitwifi ssl]#
===========================================================================
Copy this "dh" file to the /etc/raddb/certs folder:
cp /etc/ssl/dh /etc/raddb/certs -v

4.6 Create the random bitstream file for TLS, and change ownership of the certificates and related files so that FreeRADIUS is able to read them:
dd if=/dev/urandom of=random count=2
Output (in the /etc/raddb/certs folder):
===========================================================================
[root@ciitwifi certs]# dd if=/dev/urandom of=random count=2
2+0 records in
2+0 records out
1024 bytes (1.0 kB) copied, 0.000545195 seconds, 1.9 MB/s
===========================================================================
chown -R radiusd /etc/raddb/certs

4.7 Modify /etc/raddb/eap.conf (full listing):
(Note: the howto describes "lettheserverin" as the private key password. The server key was generated with -nodes in step 3.2, so it is not encrypted and private_key_password is not actually used; the string was the CSR challenge password. If you do encrypt the key, its passphrase has to sit here in clear text, so keep eap.conf readable by root and radiusd only.)
(Yes, it can be tuned further, i.e. dropping/adding support for some other protocols. That's up to you.)
eap {
        default_eap_type = ttls
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        md5 {
        }
        leap {
        }
        gtc {
                auth_type = PAP
        }
        tls {
                private_key_password = lettheserverin
                private_key_file = ${raddbdir}/certs/server_keycert.pem
                certificate_file = ${raddbdir}/certs/server_keycert.pem
                CA_file = ${raddbdir}/certs/cacert.pem
                dh_file = ${raddbdir}/certs/dh
                random_file = ${raddbdir}/certs/random
        }
        ttls {
                default_eap_type = mschapv2
                use_tunneled_reply = yes
        }
        peap {
                default_eap_type = mschapv2
        }
        mschapv2 {
        }
}

4.8 Add a RADIUS client for the wireless access point in /etc/raddb/clients.conf. For the D-Link AP3200:
client 192.168.0.53 {
        secret = <dlink secret phrase>
        shortname = AP3200
        nastype = other
}
(The shared secret is all that authenticates the AP to the RADIUS server, and it protects the MS-CHAPv2 keys sent back to the AP; use a long random string, not a dictionary word.)
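Steps 3.1 to 3.8, 4.5 and 4.6 above are one procedure. The following script runs it non-interactively, with its own openssl.cnf so that the system /etc/pki/tls/openssl.cnf need not be edited, and prints the EKU of the resulting server certificate so you can confirm that the xpserver_ext extension took. It is an added example, not the howto's own commands and not FreeRADIUS's certificate scripts; the file names follow the howto, while the DN values, the 2048-bit key size and the directory, passphrase and CN arguments are assumptions.

```shell
#!/bin/sh
# Non-interactive version of steps 3.1-3.8, 4.5 and 4.6 of the howto.
# Added example: file names match the howto; DN values, key sizes and the
# arguments (directory, CA passphrase, server CN, P12 export password) are assumed.
set -eu

# Minimal openssl.cnf for "openssl ca" (3.1) plus the two sections from the
# howto's /etc/ssl/xpextensions (serverAuth / clientAuth extended key usage).
write_ca_config() {
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir           = $1
database      = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial        = \$dir/serial
certificate   = \$dir/cacert.pem
private_key   = \$dir/private/cakey.pem
default_md    = sha256
default_days  = 365
policy        = policy_anything

[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
distinguished_name = req_dn
[ req_dn ]

[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign

[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2

[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF
}

# $1 = working dir (/etc/ssl in the howto), $2 = CA key passphrase,
# $3 = server CN (hostname), $4 = export password handed to Windows clients.
gen_radius_pki() {
  dir=$1; ca_pass=$2; srv_cn=$3; export_pass=$4
  mkdir -p "$dir/private" "$dir/newcerts"
  : > "$dir/index.txt"
  echo 01 > "$dir/serial"
  write_ca_config "$dir"
  cfg="$dir/openssl.cnf"

  # 3.1 self-signed CA, 10 years, encrypted key
  openssl req -new -x509 -config "$cfg" -extensions v3_ca -newkey rsa:2048 \
    -keyout "$dir/private/cakey.pem" -out "$dir/cacert.pem" -days 3650 \
    -passout "pass:$ca_pass" -subj "/C=XX/O=Example/CN=$srv_cn CA"

  # 3.2-3.4 server key (unencrypted, -nodes) and CSR, signed with serverAuth EKU,
  # then key + certificate in one file as eap.conf expects
  openssl req -new -nodes -config "$cfg" -newkey rsa:2048 \
    -keyout "$dir/server_key.pem" -out "$dir/server_req.pem" -subj "/C=XX/O=Example/CN=$srv_cn"
  openssl ca -batch -config "$cfg" -passin "pass:$ca_pass" -extensions xpserver_ext \
    -out "$dir/server_cert.pem" -infiles "$dir/server_req.pem"
  cat "$dir/server_key.pem" "$dir/server_cert.pem" > "$dir/server_keycert.pem"

  # 3.5-3.6 client key and CSR, signed with clientAuth EKU (EAP-TLS only)
  openssl req -new -nodes -config "$cfg" -newkey rsa:2048 \
    -keyout "$dir/client_key.pem" -out "$dir/client_req.pem" -subj "/C=XX/O=Example/CN=client1"
  openssl ca -batch -config "$cfg" -passin "pass:$ca_pass" -extensions xpclient_ext \
    -out "$dir/client_cert.pem" -infiles "$dir/client_req.pem"

  # 3.7-3.8 exports for the Windows client: PKCS#12 with the client key, CA in DER
  openssl pkcs12 -export -in "$dir/client_cert.pem" -inkey "$dir/client_key.pem" \
    -out "$dir/client_cert.p12" -clcerts -passout "pass:$export_pass"
  openssl x509 -in "$dir/cacert.pem" -outform DER -out "$dir/cacert.der"

  # 4.6 random seed file for eap.conf (1024 bytes, like the howto's dd count=2)
  dd if=/dev/urandom of="$dir/random" bs=512 count=2 2>/dev/null
}

# 4.5 DH parameters; the howto's 512 bits are far too small, 2048 is the floor today.
gen_dh_params() {
  openssl dhparam -out "$1/dh" "${2:-2048}"
}

# Print the extended key usage of a certificate, e.g. "TLS Web Server Authentication",
# the attribute the Windows supplicant checks on the RADIUS server certificate.
cert_eku() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' | tail -n 1 | sed 's/^ *//'
}

# Usage: sh make_radius_certs.sh <dir> <ca-passphrase> <server-cn> <p12-export-password>
if [ "$#" -eq 4 ]; then
  gen_radius_pki "$@"
  echo "server certificate EKU: $(cert_eku "$1/server_cert.pem")"
fi
```

Copy cacert.pem, server_keycert.pem, dh and random into /etc/raddb/certs afterwards as in 4.4 to 4.6. On OpenSSL 3 the PKCS#12 file is written with PBKDF2/AES, which Windows XP cannot import; add -legacy to the pkcs12 command if the clients really are that old.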
4.9 Modify /etc/raddb/radiusd.conf:
I didn't modify radiusd.conf, but make sure the following are uncommented. (Yes, it can be tuned further, i.e. dropping/adding support for some other protocols, unloading useless modules, increasing performance etc. That's up to you.)
log_auth = yes
authorize {
        preprocess
        chap
        mschap
        suffix
        pap
        eap
        files
}
authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        # unix
        eap
}

4.10 Modify /etc/raddb/users and start the server.
Create a user at the top of the file:
faheem Cleartext-Password := "khan"
(MS-CHAPv2 inside PEAP/TTLS requires the server to know the clear-text password or its NT hash, which is why Cleartext-Password is used; keep the users file readable by root and radiusd only.)
Now start the RADIUS server:
/etc/init.d/radiusd start

Step 5 ****************** Configuring the Access Point *********************
Now set the AP to use "WPA Enterprise auto" or "WPA2 Enterprise" and point it to the RADIUS server's IP address/port (FreeRADIUS listens on UDP 1812 for authentication and 1813 for accounting by default). The secret field must be the same as the one in /etc/raddb/clients.conf (i.e. in our case the "dlinksecret" phrase).

Step 6 ******************** Configure end wifi clients ********************
Install certificates:
Certification authority: CA.der (according to the above certificate method it is cacert.der).
Server certificate: the client does not need one. (The original text lists "sever.p12" / server_keycert.p12 here, but no such file was created above, and server_keycert.pem holds the server's private key, which must never be copied to clients. Trusting the CA certificate is enough for the supplicant to validate the server.)
Note: The following screenshots are from Windows 2003 Server, but it shouldn't be very different for Windows XP.
Go to "Start", select "Run" and type "mmc".
Import cacert.der into the "Trusted Root Certification Authorities" store (Certificates snap-in). That is it for EAP/PEAP (TTLS); for EAP-TLS you also need to import/install the client certificate, client_cert.p12 with the export password from step 3.7, into the "Personal" store. (You would also need to modify your eap.conf file for TLS.)
Configuring the wifi interface
View "My Network Places" (network neighborhood), choose your access point, in this case "AP3200" (not really, it is named "mydlink" here).
Press "OK", "OK" and "OK". You're done configuring the wifi.
Immediately "disable" the wifi interface: right-click and choose "Disable". After a second or two, re-enable the wifi interface. You should be prompted for username/password/login domain. Simply supply the username/password and press "OK". You should connect in less than a second.
Congratulations, you have configured a WPA1/2 Enterprise wifi network.

Possible problems / solutions:
- FreeRADIUS not compiled with OpenSSL support. (Google.)
- Certificates not installed correctly. (Use the demo certificates / use some automating script.)
- End client XP not supporting the protocol. (Install the latest service pack.)
- Client/AP not communicating. (Turn off the firewall or open the ports.)
- AP not communicating. (Reset/restart or update the firmware.)
- Client not getting authenticated. (Check the logs / run the FreeRADIUS server in debug mode, e.g. radiusd -X -z.)
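For the last item in the list (client not getting authenticated), most of what radiusd -X reveals about the TLS material from steps 4.4 to 4.7 can be checked before the server is even started: that the key and certificate in server_keycert.pem belong together, that the certificate chains to CA_file and carries the Server Authentication EKU from xpserver_ext, that it has not expired, and that the files are readable. This is an added example, not from the howto; it uses only openssl and the file names from eap.conf, and the check_eap_material function and its arguments are assumptions.

```shell
#!/bin/sh
# Pre-flight check of the files eap.conf points at (steps 4.4-4.7), to run as
# the radiusd user before /etc/init.d/radiusd start.  Added example, not from
# the howto: argument order (CA_file, combined key+cert file, optional key
# passphrase) is assumed.
set -eu

# 0 if the private key and the certificate in a combined PEM file belong together
# (identical RSA modulus), 1 otherwise.  A mismatch kills the TLS handshake
# before any EAP identity is logged.
keycert_match() {
  f=$1; pass=${2:-}
  k=$(openssl rsa -in "$f" -noout -modulus -passin "pass:$pass" 2>/dev/null) || return 1
  c=$(openssl x509 -in "$f" -noout -modulus 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ] && return 0
  return 1
}

# 0 if the certificate in $2 chains to the CA in $1 and is acceptable as a TLS
# server certificate, i.e. carries the serverAuth EKU that xpserver_ext adds.
server_cert_ok() {
  openssl x509 -in "$2" 2>/dev/null | openssl verify -CAfile "$1" -purpose sslserver >/dev/null 2>&1
}

# 0 if the certificate in $1 is still valid $2 days from now ("openssl ca"
# signed the howto's certificates for 365 days, whatever -days said on the CSR).
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Run every check: $1 = CA_file, $2 = private_key_file/certificate_file,
# $3 = private_key_password (empty for a -nodes key).  Prints one line per
# problem and returns 1 if anything is wrong.
check_eap_material() {
  ca=$1; keycert=$2; pass=${3:-}; bad=0
  for f in "$ca" "$keycert"; do
    [ -r "$f" ] || { echo "cannot read $f (run this as the radiusd user)"; bad=1; }
  done
  [ "$bad" -eq 0 ] || return 1
  keycert_match "$keycert" "$pass" || { echo "$keycert: private key and certificate do not match"; bad=1; }
  server_cert_ok "$ca" "$keycert" || { echo "$keycert: does not chain to $ca or lacks the serverAuth EKU"; bad=1; }
  cert_valid_for_days "$keycert" 30 || { echo "$keycert: expired or expires within 30 days"; bad=1; }
  return "$bad"
}

# Usage: su -s /bin/sh radiusd -c 'sh check_eap_material.sh /etc/raddb/certs/cacert.pem /etc/raddb/certs/server_keycert.pem'
if [ "$#" -ge 2 ]; then
  check_eap_material "$@" && echo "eap.conf TLS material looks fine"
fi
```

Running it as the radiusd user (su -s /bin/sh radiusd -c '...') is what makes the readability check meaningful after the chown in 4.6; as root every file is readable.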
