1. http://www.howtoforge.com/wifi-authentication-accounting-with-freeradius-on-centos5
Certificates: Openssl 0.98b
Radius Sever: Freeradius version 1.1.7 (built from fc6 src.rpms)
(Note: This document also assumes that you have a dhcp server already configured & running on the same
subnet.)
Protocols configured for:
WPA1/2 enterprise
EAP/PEAP/TTLS
Following processes are involved:
1- Install OS
2- Install openssl
3- Generate digital certificates
4- Install / Configure freeradius
5- Configure Access points
6- Configure end wifi clients
Step 1
1- Install the OS in the minimal mode (refer to some howto).
Step 2
2- Install openssl (if not already installed)
yum install openssl
Step 3 ( *********** OpenSSL Certificate Generation ***********)
There are numerous ways of generating ssl based certificates. You can create your certificates at another computer
or on this server.
Following is a manual way of creating certificates which I adopted. But you are suggested to use some script to
create them(skip this step if you . Freeradius 1.1.7 & 2.x version comes with nice certificate generating scripts, use
them if you are new to certificates. (In 2.X the scripts are usually in /etc/radd/certs/, in 1.X it is in
the scripts/directory of un-tgz'ed freeradius).
Note: Following process also creates client certificates which you would not be needing with EAP/PEAP.
3.1 Create a new self-signed certificate authority (if not already created) in /etc/ssl:
mkdir private
mkdir newcerts
2. touch index.txt
echo '01' > serial
Edit /etc/pki/tls/openssl.cnf & change
dir = ../../CA # Where everything is
kept
to
dir = /etc/ssl
openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 3650
Passphrase: "letmein" was the passwd I chose.
Following is the output:
===========================================================================
[root@ciitwifi ssl]# openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out
cacert.pem -days 3650
Generating a 1024 bit RSA private key
..++++++
..++++++
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:pk
State or Province Name (full name) [Berkshire]:pakhtoonkhwa
3. Locality Name (eg, city) [abbottabad]:abbottabad
Organization Name (eg, company) [ciit]:ciit
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ciitwifi
Email Address []:rnd@peace.not@ciit.net.pk
===========================================================================
3.2 Create server certificate request in /etc/ssl: (note the passwd "lettheserverin")
openssl req -new -nodes -keyout server_key.pem -out server_req.pem -days 730
Output:
===========================================================================
[root@ciitwifi ssl]# openssl req -new -nodes -keyout server_key.pem -out server_req.pem -days 730
Generating a 1024 bit RSA private key
.......++++++
..................................++++++
writing new private key to 'server_key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:pk
State or Province Name (full name) [Berkshire]:pakhtoonkhwa
Locality Name (eg, city) [abbottabad]:abbottabad
Organization Name (eg, company) [ciit]:ciit
Organizational Unit Name (eg, section) []:
4. Common Name (eg, your name or your server's hostname) []:ciitwifi
Email Address []:rnd@peace.not
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:lettheserverin
An optional company name []:
[root@ciitwifi ssl]#
===========================================================================
3.3 Sign server certificate using the certificate authority created earlier (with XP extensions):
Create an xpextensions file at /etc/ssl location with the following content.
[root@centos5 ssl]# cat xpextensions
[ xpclient_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
openssl ca -policy policy_anything -out server_cert.pem -extensions xpserver_ext -extfile
/etc/ssl/xpextensions -infiles /etc/ssl/server_req.pem
(Note: passphrase was letmein in step 3.)
===========================================================================
[root@ciitwifi ssl]# openssl ca -policy policy_anything -out server_cert.pem -extensions
xpserver_ext -extfile /etc/ssl/xpextensions -infiles /etc/ssl/server_req.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/ssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
5. Not Before: Jun 10 03:22:22 2008 GMT
Not After : Jun 10 03:22:22 2009 GMT
Subject:
countryName = pk
stateOrProvinceName = pakhtoonkhwa
localityName = abbottabad
organizationName = ciit
commonName = ciitwifi
emailAddress = rnd@peace.not
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Server Authentication
Certificate is to be certified until Jun 10 03:22:22 2009 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@ciitwifi ssl]#
===========================================================================
3.4 Create a server file with both the server key and the server certificate:
cat server_key.pem server_cert.pem > server_keycert.pem
3.5 Create a client certificate request in /etc/ssl:
openssl req -new -keyout client_key.pem -out client_req.pem -days 730
"ciitwificlient" is the PEM passphrase I used.
Output:
===========================================================================
6. [root@ciitwifi ssl]# openssl req -new -keyout client_key.pem -out client_req.pem -days 730
Generating a 1024 bit RSA private key
.........++++++
..............++++++
writing new private key to 'client_key.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:pk
State or Province Name (full name) [Berkshire]:pakhtoonkhwa
Locality Name (eg, city) [abbottabad]:abbottabad
Organization Name (eg, company) [ciit]:ciit
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ciitwifi
Email Address []:rnd@peace.not
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:whateverdotwhat
An optional company name []:
[root@ciitwifi ssl]#
===========================================================================
3.6 Sign client certificate using the certificate authority created earlier (with XP extensions):
7. openssl ca -policy policy_anything -out client_cert.pem -extensions xpclient_ext -extfile
/etc/ssl/xpextensions -infiles /etc/ssl/client_req.pem
"letmein" is the passphrase I used.
===========================================================================
[root@ciitwifi ssl]# openssl ca -policy policy_anything -out client_cert.pem -extensions
xpclient_ext -extfile /etc/ssl/xpextensions -infiles /etc/ssl/client_req.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/ssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Jun 10 03:49:46 2008 GMT
Not After : Jun 10 03:49:46 2009 GMT
Subject:
countryName = pk
stateOrProvinceName = pakhtoonkhwa
localityName = abbottabad
organizationName = ciit
commonName = ciitwifi
emailAddress = rnd@peace.not
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Client Authentication
Certificate is to be certified until Jun 10 03:49:46 2009 GMT (365 days)
Sign the certificate? [y/n]:yes
1 out of 1 certificate requests certified, commit? [y/n]y
8. Write out database with 1 new entries
Data Base Updated
[root@ciitwifi ssl]#
===========================================================================
3.7 Export the client certificate in the appropriate format (P12) for an XP client:
openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out client_cert.p12 -clcerts
"ciitwificlient" is the passphrase.
"Idontknow" is the export password. This is the password that the you will be giving the windows XP clients, who
will be using this while installing the client_cert.
Output:
===========================================================================
[root@ciitwifi ssl]# openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out
client_cert.p12 -clcerts
Enter pass phrase for client_key.pem:
Enter Export Password:
Verifying - Enter Export Password:
[root@ciitwifi ssl]#
===========================================================================
3.8 Export the root certificate of the server in the appropriate format (DER) for an XP client:
openssl x509 -setalias "ciitwifi@ciit" -outform DER -in cacert.pem -out cacert.der
Step 4 (*********** Freeradius Setup ***********)
4.1 Fetch freeradius rpm
rpm -Uvh freeradius....
9. If it asks for dependencies do the following:
yum install net-snmp-utils perl-DBI libtool-ltdl -y
Note: The freeradius available with CentOS 5.1 repos is freeradius-1.1.3... which comes with openssl support,
which is not supported by freeradius.org, but support is only availabe for 1.1.7.x version. Latest version 2.0.5 has
newer features but does not have rpm binaries for CentOS 5.x although .src.rpms of 2.0.3 of Fedora 9 do exist. FR
2.x differs from 1.x version under the hood (paths/files of various protocols).
4.2 Remove the FreeRadius default certificate files etc:
rm -Rf /etc/raddb/demoCA
This is actually /etc/raddb/certs/demoCA; I back up (mv'ed) the /etc/raddb/certsfolder
to /etc/raddb/bkup_certs.
4.3 Create the appropriate directories in /etc/raddb in which to keep the certificate information:
I back up (mv'ed) the /etc/raddb/certs folder to /etc/raddb/bkup_certs & created another one
named /etc/raddb/certs.
mkdir /etc/raddb/certs
4.4 Move the server certificate and the root certificate to the FreeRadius folder:
cp /etc/ssl/cacert.pem /etc/raddb/certs/ -v
cp /etc/ssl/server_keycert.pem /etc/raddb/certs/ -v
4.5 Create the Diffie-Hellman parameters file for TLS:
openssl dhparam -check -text -5 512 -out dh
Output:
[root@ciitwifi ssl]# pwd
/etc/ssl
[root@ciitwifi ssl]# openssl dhparam -check -text -5 512 -out dh
Generating DH parameters, 512 bit long safe prime, generator 5
10. This is going to take a long time
.+.........................................................................+
................+......+.............................+...........+.........+.............
..........+..............................................................................
......+........................................+...........................+.............
.................+........................+..............................................
...+...........................+..........................+..........+.+.......+.........
....................................+...+...........................................+....
...............................+.....................+.........+.........................
.......+.......+.........+.....+......................+............................+.....
.........+.........+............................................................++*++*++*
++*++*++*
DH parameters appear to be ok.
[root@ciitwifi ssl]#
===========================================================================
Copy this "dh" file to /etc/raddb/certs folder:
cp /etc/ssl/dh /etc/raddb/certs -v
4.6 Create the random bitstream file for TLS, & change ownership of the certificate & stuff for the freeradius to be able to
read them.
dd if=/dev/urandom of=random count=2
Output (in the /etc/raddb/certs folder i.e.):
===========================================================================
[root@ciitwifi certs]# dd if=/dev/urandom of=random count=2
2+0 records in
2+0 records out
1024 bytes (1.0 kB) copied, 0.000545195 seconds, 1.9 MB/s
chown -R radiusd /etc/raddb/certs
4.7 Modify /etc/raddb/eap.conf (full listing):
(Note: "lettheserverin" is the private keypassword of the certificate.)
(Yes, it can be tuned further. i.e dropping/adding support for some other protocols . That's up to you.)
eap {
11. default_eap_type = ttls
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
md5 {
}
leap {
}
gtc {
auth_type = PAP
}
tls {
private_key_password = lettheserverin
private_key_file = ${raddbdir}/certs/server_keycert.pem
certificate_file = ${raddbdir}/certs/server_keycert.pem
CA_file = ${raddbdir}/certs/cacert.pem
dh_file = ${raddbdir}/certs/dh
random_file = ${raddbdir}/certs/random
}
ttls {
default_eap_type = mschapv2
use_tunneled_reply = yes
}
peap {
default_eap_type = mschapv2
}
mschapv2 {
}
}
4.8 Add a radius client for the wireless access point in /etc/raddb/clients.conf:
For the dlink AP3200:
client 192.168.0.53 {
secret = <dlink secret phrase>
shortname = AP3200
nastype = other
}
12. 4.9 Modify /etc/raddb/radiusd.conf:
I didn't modify the radiusd.conf but make sure followings are uncommented. (Yes, it can be tuned further. i.e
dropping/adding support for some other protocols. Unloading useless modules, increasing performance etc. That's
up to you.)
log_auth = yes
authorize {
preprocess
chap
mschap
suffix
pap
eap
files
}
authenticate{
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
# unix
eap
}
4.10 Modify /etc/raddb/users & start the server.
Create a user at the top of the file:
faheem Cleartext-Password := "khan"
Now start the radius server:
13. /etc/init.d/radiusd start
Step 5 ****************** Configuring the Access Point *********************
Now set the the AP setting to use "WPA enterprise auto" or WPA 2 enterprise” & point to the radius servers ip
address/port. The secret field would be same as mentioned in /etc/raddb/clients.conf . (i.e. in our case
“dlinksecret” phrase)
Step 6 ******************** Configure end wifi clients ********************
Install certificates
Certification authority CA.der (according to above certificate method it should be cacert.der).
Server certificate with keys sever.p12 (according to above certificate method, it should be server_keycert.p12).
Note: The following screenshots are from Windows 2003 server. But it shouldn't be very different for Windows XP.
Go to “start”, select “run”& type “mmc”.
14.
15.
16.
17.
18. Follow the same procedure for importing server.p12 certificate into “trusted Root” section.
That is it for EAP/PEAP (TTLS), but for TLS you also need to import/install the client certificate. (You would also
need to modify your eap.conf file for TLS.)
19. Configuring the wifi interface
View the “My network neighborhood”, choose your Access point, in this case “AP3200” (not really its
named mydlink here).
20.
21.
22.
23.
24.
25. Press “ok”, “ok,and “ok”. Your done configuring the wifi.
Immediately “disable”the wifi interface. Righ click & choose “disable”.
After a second or two , re-enable the wifi interface. You should be prompted for username/password/Logindomain.
Simply supply the username/password & press”ok”.
You should connect in less than a second.
Congratulations you have configured a WPA1/2 enterprise wifi network.
Possible problems/Solutions:
Freeradius not compiled with openssl support. (Google.)
Certificates not installed correctly. (Use demo certificates/use some automating script.)
End client XP is not supporting protocol. (Install possibly the latest service pack.)
Client/AP not communicating. (Turn off the firewall or open the ports.)
AP not communicating. (Reset/restart or update the firmware.)
Client not getting authenticated. (Check logs/ run the freeradius server in debug mode e.g radiusd -X -z.)