http://www.howtoforge.com/wifi-authentication-accounting-with-freeradius-on-centos5

Certificates: OpenSSL 0.98b
Radius Server: FreeRADIUS version 1.1.7 (built from FC6 src.rpms)
(Note: This document also assumes that you have a DHCP server already configured and running on the same subnet.)
Protocols configured for:
- WPA1/2 enterprise
- EAP/PEAP/TTLS
The following processes are involved:
1- Install OS
2- Install openssl
3- Generate digital certificates
4- Install / Configure freeradius
5- Configure Access points
6- Configure end wifi clients

Step 1
1- Install the OS in minimal mode (refer to some howto).

Step 2
2- Install openssl (if not already installed):

yum install openssl




Step 3 (*********** OpenSSL Certificate Generation ***********)
There are numerous ways of generating SSL certificates. You can create your certificates on another computer or on this server.

The following is the manual way of creating certificates which I adopted, but you are advised to use a script to create them (skip this step if you …). FreeRADIUS 1.1.7 and 2.x come with nice certificate-generating scripts; use them if you are new to certificates. (In 2.x the scripts are usually in /etc/raddb/certs/; in 1.x they are in the scripts/ directory of the un-tgz'ed freeradius source.)
Note: The following process also creates client certificates, which you will not need with EAP/PEAP.



3.1 Create a new self-signed certificate authority (if not already created) in /etc/ssl:

mkdir private
mkdir newcerts
touch index.txt
echo '01' > serial

Edit /etc/pki/tls/openssl.cnf and change

dir = ../../CA          # Where everything is kept

to

dir = /etc/ssl

Then generate the CA key and certificate:

openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 3650



Passphrase: "letmein" was the password I chose.

Following is the output:

===========================================================================
[root@ciitwifi ssl]# openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 3650
Generating a 1024 bit RSA private key
..++++++
..++++++
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:pk
State or Province Name (full name) [Berkshire]:pakhtoonkhwa
Locality Name (eg, city) [abbottabad]:abbottabad
Organization Name (eg, company) [ciit]:ciit
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ciitwifi
Email Address []:rnd@peace.not@ciit.net.pk
===========================================================================




3.2 Create the server certificate request in /etc/ssl (note the password "lettheserverin"):

openssl req -new -nodes -keyout server_key.pem -out server_req.pem -days 730

Output:

===========================================================================
[root@ciitwifi ssl]# openssl req -new -nodes -keyout server_key.pem -out server_req.pem -days 730
Generating a 1024 bit RSA private key
.......++++++
..................................++++++
writing new private key to 'server_key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:pk
State or Province Name (full name) [Berkshire]:pakhtoonkhwa
Locality Name (eg, city) [abbottabad]:abbottabad
Organization Name (eg, company) [ciit]:ciit
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ciitwifi
Email Address []:rnd@peace.not
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:lettheserverin
An optional company name []:
[root@ciitwifi ssl]#
===========================================================================




3.3 Sign the server certificate using the certificate authority created earlier (with XP extensions):
Create an xpextensions file in /etc/ssl with the following content.

[root@centos5 ssl]# cat xpextensions
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2

[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

Then sign the request:

openssl ca -policy policy_anything -out server_cert.pem -extensions xpserver_ext -extfile /etc/ssl/xpextensions -infiles /etc/ssl/server_req.pem



(Note: the passphrase is letmein, from step 3.1.)

===========================================================================
[root@ciitwifi ssl]# openssl ca -policy policy_anything -out server_cert.pem -extensions xpserver_ext -extfile /etc/ssl/xpextensions -infiles /etc/ssl/server_req.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/ssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jun 10 03:22:22 2008 GMT
            Not After : Jun 10 03:22:22 2009 GMT
        Subject:
            countryName               = pk
            stateOrProvinceName       = pakhtoonkhwa
            localityName              = abbottabad
            organizationName          = ciit
            commonName                = ciitwifi
            emailAddress              = rnd@peace.not
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
Certificate is to be certified until Jun 10 03:22:22 2009 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@ciitwifi ssl]#
===========================================================================




3.4 Create a server file with both the server key and the server certificate:


cat server_key.pem server_cert.pem > server_keycert.pem




3.5 Create a client certificate request in /etc/ssl:

openssl req -new -keyout client_key.pem -out client_req.pem -days 730

"ciitwificlient" is the PEM passphrase I used.

Output:

===========================================================================
[root@ciitwifi ssl]# openssl req -new -keyout client_key.pem -out client_req.pem -days 730
Generating a 1024 bit RSA private key
.........++++++
..............++++++
writing new private key to 'client_key.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:pk
State or Province Name (full name) [Berkshire]:pakhtoonkhwa
Locality Name (eg, city) [abbottabad]:abbottabad
Organization Name (eg, company) [ciit]:ciit
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ciitwifi
Email Address []:rnd@peace.not
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:whateverdotwhat
An optional company name []:
[root@ciitwifi ssl]#
===========================================================================




3.6 Sign the client certificate using the certificate authority created earlier (with XP extensions):

openssl ca -policy policy_anything -out client_cert.pem -extensions xpclient_ext -extfile /etc/ssl/xpextensions -infiles /etc/ssl/client_req.pem

"letmein" is the passphrase I used.

===========================================================================
[root@ciitwifi ssl]# openssl ca -policy policy_anything -out client_cert.pem -extensions xpclient_ext -extfile /etc/ssl/xpextensions -infiles /etc/ssl/client_req.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/ssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Jun 10 03:49:46 2008 GMT
            Not After : Jun 10 03:49:46 2009 GMT
        Subject:
            countryName               = pk
            stateOrProvinceName       = pakhtoonkhwa
            localityName              = abbottabad
            organizationName          = ciit
            commonName                = ciitwifi
            emailAddress              = rnd@peace.not
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
Certificate is to be certified until Jun 10 03:49:46 2009 GMT (365 days)
Sign the certificate? [y/n]:yes

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@ciitwifi ssl]#
===========================================================================




3.7 Export the client certificate in the appropriate format (P12) for an XP client:

openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out client_cert.p12 -clcerts

"ciitwificlient" is the passphrase.

"Idontknow" is the export password. This is the password that you will be giving the Windows XP clients, who will use it while installing the client_cert.

Output:

===========================================================================
[root@ciitwifi ssl]# openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out client_cert.p12 -clcerts
Enter pass phrase for client_key.pem:
Enter Export Password:
Verifying - Enter Export Password:
[root@ciitwifi ssl]#
===========================================================================




3.8 Export the root certificate of the server in the appropriate format (DER) for an XP client:


openssl x509 -setalias "ciitwifi@ciit" -outform DER -in cacert.pem -out cacert.der




Step 4 (*********** Freeradius Setup ***********)

4.1 Fetch the freeradius rpm and install it:

rpm -Uvh freeradius....

If it asks for dependencies, do the following:

yum install net-snmp-utils perl-DBI libtool-ltdl -y

Note: The freeradius available in the CentOS 5.1 repos is freeradius-1.1.3..., which comes with openssl support but which is not supported by freeradius.org; support is only available for the 1.1.7.x version. The latest version, 2.0.5, has newer features but has no rpm binaries for CentOS 5.x, although .src.rpms of 2.0.3 for Fedora 9 do exist. FR 2.x differs from 1.x under the hood (paths/files of various protocols).



4.2 Remove the FreeRadius default certificate files etc.:

rm -Rf /etc/raddb/demoCA

This is actually /etc/raddb/certs/demoCA; I backed up (mv'ed) the /etc/raddb/certs folder to /etc/raddb/bkup_certs.

4.3 Create the appropriate directories in /etc/raddb in which to keep the certificate information:
I backed up (mv'ed) the /etc/raddb/certs folder to /etc/raddb/bkup_certs and created another one named /etc/raddb/certs.


mkdir /etc/raddb/certs




4.4 Move the server certificate and the root certificate to the FreeRadius folder:


cp /etc/ssl/cacert.pem /etc/raddb/certs/ -v

cp /etc/ssl/server_keycert.pem /etc/raddb/certs/ -v




4.5 Create the Diffie-Hellman parameters file for TLS:

openssl dhparam -check -text -5 512 -out dh

Output:

===========================================================================
[root@ciitwifi ssl]# pwd
/etc/ssl
[root@ciitwifi ssl]# openssl dhparam -check -text -5 512 -out dh
Generating DH parameters, 512 bit long safe prime, generator 5
This is going to take a long time

.+.........................................................................+
................+......+.............................+...........+.........+.............
..........+..............................................................................
......+........................................+...........................+.............
.................+........................+..............................................
...+...........................+..........................+..........+.+.......+.........
....................................+...+...........................................+....
...............................+.....................+.........+.........................
.......+.......+.........+.....+......................+............................+.....
.........+.........+............................................................++*++*++*
++*++*++*
DH parameters appear to be ok.
[root@ciitwifi ssl]#
===========================================================================

Copy this "dh" file to the /etc/raddb/certs folder:

cp /etc/ssl/dh /etc/raddb/certs -v




4.6 Create the random bitstream file for TLS, and change ownership of the certificate files so that freeradius is able to read them.

dd if=/dev/urandom of=random count=2

Output (run in the /etc/raddb/certs folder):
===========================================================================
[root@ciitwifi certs]# dd if=/dev/urandom of=random count=2
2+0 records in
2+0 records out
1024 bytes (1.0 kB) copied, 0.000545195 seconds, 1.9 MB/s
===========================================================================

chown -R radiusd /etc/raddb/certs




4.7 Modify /etc/raddb/eap.conf (full listing):

(Note: "lettheserverin" is the private key password of the certificate.)

(Yes, it can be tuned further, i.e. dropping/adding support for some other protocols. That's up to you.)

eap {
    default_eap_type = ttls
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    md5 {
    }
    leap {
    }
    gtc {
        auth_type = PAP
    }
    tls {
        private_key_password = lettheserverin
        private_key_file = ${raddbdir}/certs/server_keycert.pem
        certificate_file = ${raddbdir}/certs/server_keycert.pem
        CA_file = ${raddbdir}/certs/cacert.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
    }
    ttls {
        default_eap_type = mschapv2
        use_tunneled_reply = yes
    }
    peap {
        default_eap_type = mschapv2
    }
    mschapv2 {
    }
}


4.8 Add a radius client for the wireless access point in /etc/raddb/clients.conf:

For the dlink AP3200:

client 192.168.0.53 {
    secret = <dlink secret phrase>
    shortname = AP3200
    nastype = other
}

4.9 Modify /etc/raddb/radiusd.conf:

I didn't modify radiusd.conf, but make sure the following are uncommented. (Yes, it can be tuned further, i.e. dropping/adding support for some other protocols, unloading useless modules, increasing performance etc. That's up to you.)

log_auth = yes

authorize {
    preprocess
    chap
    mschap
    suffix
    pap
    eap
    files
}

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    # unix
    eap
}


4.10 Modify /etc/raddb/users and start the server.
Create a user at the top of the file:

faheem Cleartext-Password := "khan"

Now start the radius server:

/etc/init.d/radiusd start




Step 5 ****************** Configuring the Access Point *********************
Now set the AP to use "WPA enterprise auto" or "WPA2 enterprise" and point it at the radius server's IP address/port. The secret field must be the same as the one in /etc/raddb/clients.conf (i.e. in our case the "dlinksecret" phrase).




Step 6 ******************** Configure end wifi clients ********************

Install certificates

Certification authority CA.der (according to the above certificate method it should be cacert.der).
Server certificate with keys server.p12 (according to the above certificate method, it should be server_keycert.p12).
Note: The following screenshots are from Windows 2003 server, but it shouldn't be very different for Windows XP.

Go to "Start", select "Run" and type "mmc".
Follow the same procedure for importing the server.p12 certificate into the "Trusted Root" section.
That is it for EAP/PEAP (TTLS), but for TLS you also need to import/install the client certificate. (You would also need to modify your eap.conf file for TLS.)

Configuring the wifi interface

View "My network neighborhood" and choose your access point, in this case "AP3200" (not really; it is named mydlink here).
Press "ok", "ok", and "ok". You're done configuring the wifi.
Immediately disable the wifi interface: right click and choose "disable".
After a second or two, re-enable the wifi interface. You should be prompted for username/password/login domain.
Simply supply the username/password and press "ok".
You should connect in less than a second.
Congratulations, you have configured a WPA1/2 enterprise wifi network.

Possible problems/Solutions:
- Freeradius not compiled with openssl support. (Google.)
- Certificates not installed correctly. (Use the demo certificates / use some automating script.)
- End client XP not supporting the protocol. (Install the latest service pack.)
- Client/AP not communicating. (Turn off the firewall or open the ports.)
- AP not communicating. (Reset/restart or update the firmware.)
- Client not getting authenticated. (Check the logs / run the freeradius server in debug mode, e.g. radiusd -X -z.)
Radius

E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 

Radius

http://www.howtoforge.com/wifi-authentication-accounting-with-freeradius-on-centos5

Certificates: Openssl 0.98b
Radius Server: Freeradius version 1.1.7 (built from fc6 src.rpms)
(Note: This document also assumes that you have a dhcp server already configured & running on the same subnet.)

Protocols configured for:
- WPA1/2 enterprise
- EAP/PEAP/TTLS

Following processes are involved:
1- Install OS
2- Install openssl
3- Generate digital certificates
4- Install / Configure freeradius
5- Configure Access points
6- Configure end wifi clients

Step 1
1- Install the OS in the minimal mode (refer to some howto).

Step 2
2- Install openssl (if not already installed)

yum install openssl

Step 3 ( *********** OpenSSL Certificate Generation ***********)
There are numerous ways of generating ssl based certificates. You can create your certificates on another computer or on this server.

Following is the manual way of creating certificates which I adopted, but you are advised to use a script to create them (skip this step if you . Freeradius 1.1.7 & 2.x come with nice certificate generating scripts; use them if you are new to certificates. (In 2.X the scripts are usually in /etc/raddb/certs/, in 1.X they are in the scripts/ directory of the un-tgz'ed freeradius.)
Note: The following process also creates client certificates, which you will not need with EAP/PEAP.

3.1 Create a new self-signed certificate authority (if not already created) in /etc/ssl:

mkdir private
mkdir newcerts
touch index.txt
echo '01' > serial

Edit /etc/pki/tls/openssl.cnf & change

dir                        = ../../CA                       # Where everything is kept

to

dir                          = /etc/ssl

openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 3650

Passphrase: "letmein" was the passwd I chose. Following is the output:

===========================================================================
[root@ciitwifi ssl]# openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 3650
Generating a 1024 bit RSA private key
..++++++
..++++++
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:pk
State or Province Name (full name) [Berkshire]:pakhtoonkhwa
Locality Name (eg, city) [abbottabad]:abbottabad
Organization Name (eg, company) [ciit]:ciit
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ciitwifi
Email Address []:rnd@peace.not@ciit.net.pk
===========================================================================

3.2 Create server certificate request in /etc/ssl: (note the passwd "lettheserverin")

openssl req -new -nodes -keyout server_key.pem -out server_req.pem -days 730

Output:

===========================================================================
[root@ciitwifi ssl]# openssl req -new -nodes -keyout server_key.pem -out server_req.pem -days 730
Generating a 1024 bit RSA private key
.......++++++
..................................++++++
writing new private key to 'server_key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:pk
State or Province Name (full name) [Berkshire]:pakhtoonkhwa
Locality Name (eg, city) [abbottabad]:abbottabad
Organization Name (eg, company) [ciit]:ciit
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ciitwifi
Email Address []:rnd@peace.not

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:lettheserverin
An optional company name []:
[root@ciitwifi ssl]#
===========================================================================

3.3 Sign server certificate using the certificate authority created earlier (with XP extensions):

Create an xpextensions file at /etc/ssl with the following content.

[root@centos5 ssl]# cat xpextensions
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

openssl ca -policy policy_anything -out server_cert.pem -extensions xpserver_ext -extfile /etc/ssl/xpextensions -infiles /etc/ssl/server_req.pem

(Note: the passphrase was letmein in step 3.1.)

===========================================================================
[root@ciitwifi ssl]# openssl ca -policy policy_anything -out server_cert.pem -extensions xpserver_ext -extfile /etc/ssl/xpextensions -infiles /etc/ssl/server_req.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/ssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jun 10 03:22:22 2008 GMT
            Not After : Jun 10 03:22:22 2009 GMT
        Subject:
            countryName               = pk
            stateOrProvinceName       = pakhtoonkhwa
            localityName              = abbottabad
            organizationName          = ciit
            commonName                = ciitwifi
            emailAddress              = rnd@peace.not
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
Certificate is to be certified until Jun 10 03:22:22 2009 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@ciitwifi ssl]#
===========================================================================

3.4 Create a server file with both the server key and the server certificate:

cat server_key.pem server_cert.pem > server_keycert.pem

3.5 Create a client certificate request in /etc/ssl:

openssl req -new -keyout client_key.pem -out client_req.pem -days 730

"ciitwificlient" is the PEM passphrase I used. Output:

===========================================================================
[root@ciitwifi ssl]# openssl req -new -keyout client_key.pem -out client_req.pem -days 730
Generating a 1024 bit RSA private key
.........++++++
..............++++++
writing new private key to 'client_key.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:pk
State or Province Name (full name) [Berkshire]:pakhtoonkhwa
Locality Name (eg, city) [abbottabad]:abbottabad
Organization Name (eg, company) [ciit]:ciit
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ciitwifi
Email Address []:rnd@peace.not

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:whateverdotwhat
An optional company name []:
[root@ciitwifi ssl]#
===========================================================================

3.6 Sign client certificate using the certificate authority created earlier (with XP extensions):

openssl ca -policy policy_anything -out client_cert.pem -extensions xpclient_ext -extfile /etc/ssl/xpextensions -infiles /etc/ssl/client_req.pem

"letmein" is the passphrase I used.

===========================================================================
[root@ciitwifi ssl]# openssl ca -policy policy_anything -out client_cert.pem -extensions xpclient_ext -extfile /etc/ssl/xpextensions -infiles /etc/ssl/client_req.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/ssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Jun 10 03:49:46 2008 GMT
            Not After : Jun 10 03:49:46 2009 GMT
        Subject:
            countryName               = pk
            stateOrProvinceName       = pakhtoonkhwa
            localityName              = abbottabad
            organizationName          = ciit
            commonName                = ciitwifi
            emailAddress              = rnd@peace.not
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
Certificate is to be certified until Jun 10 03:49:46 2009 GMT (365 days)
Sign the certificate? [y/n]:yes

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@ciitwifi ssl]#
===========================================================================

3.7 Export the client certificate in the appropriate format (P12) for an XP client:

openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out client_cert.p12 -clcerts

"ciitwificlient" is the passphrase. "Idontknow" is the export password. This is the password that you will be giving the Windows XP clients, who will use it while installing client_cert. Output:

===========================================================================
[root@ciitwifi ssl]# openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out client_cert.p12 -clcerts
Enter pass phrase for client_key.pem:
Enter Export Password:
Verifying - Enter Export Password:
[root@ciitwifi ssl]#
===========================================================================

3.8 Export the root certificate of the server in the appropriate format (DER) for an XP client:

openssl x509 -setalias "ciitwifi@ciit" -outform DER -in cacert.pem -out cacert.der

Step 4 (*********** Freeradius Setup ***********)

4.1 Fetch freeradius rpm

rpm -Uvh freeradius....

If it asks for dependencies do the following:

yum install net-snmp-utils perl-DBI libtool-ltdl -y

Note: The freeradius available in the CentOS 5.1 repos is freeradius-1.1.3..., which comes with openssl support but is not supported by freeradius.org; support is only available for the 1.1.7.x version. The latest version 2.0.5 has newer features but does not have rpm binaries for CentOS 5.x, although .src.rpms of 2.0.3 for Fedora 9 do exist. FR 2.x differs from 1.x under the hood (paths/files of various protocols).

4.2 Remove the FreeRadius default certificate files etc:

rm -Rf /etc/raddb/demoCA

This is actually /etc/raddb/certs/demoCA; I backed up (mv'ed) the /etc/raddb/certs folder to /etc/raddb/bkup_certs.

4.3 Create the appropriate directories in /etc/raddb in which to keep the certificate information:
I backed up (mv'ed) the /etc/raddb/certs folder to /etc/raddb/bkup_certs & created another one named /etc/raddb/certs.

mkdir /etc/raddb/certs

4.4 Move the server certificate and the root certificate to the FreeRadius folder:

cp /etc/ssl/cacert.pem /etc/raddb/certs/ -v
cp /etc/ssl/server_keycert.pem /etc/raddb/certs/ -v

4.5 Create the Diffie-Hellman parameters file for TLS:

openssl dhparam -check -text -5 512 -out dh

Output:

[root@ciitwifi ssl]# pwd
/etc/ssl
[root@ciitwifi ssl]# openssl dhparam -check -text -5 512 -out dh
Generating DH parameters, 512 bit long safe prime, generator 5
This is going to take a long time
.+.........................................................................+
................+......+.............................+...........+.........+.............
..........+..............................................................................
......+........................................+...........................+.............
.................+........................+..............................................
...+...........................+..........................+..........+.+.......+.........
....................................+...+...........................................+....
...............................+.....................+.........+.........................
.......+.......+.........+.....+......................+............................+.....
.........+.........+............................................................++*++*++*
++*++*++*
DH parameters appear to be ok.
[root@ciitwifi ssl]#
===========================================================================

Copy this "dh" file to the /etc/raddb/certs folder:

cp /etc/ssl/dh /etc/raddb/certs -v

4.6 Create the random bitstream file for TLS, & change ownership of the certificates & related files so that freeradius is able to read them.

dd if=/dev/urandom of=random count=2

Output (in the /etc/raddb/certs folder):

===========================================================================
[root@ciitwifi certs]# dd if=/dev/urandom of=random count=2
2+0 records in
2+0 records out
1024 bytes (1.0 kB) copied, 0.000545195 seconds, 1.9 MB/s
===========================================================================

chown -R radiusd /etc/raddb/certs

4.7 Modify /etc/raddb/eap.conf (full listing):
(Note: "lettheserverin" is the private key password of the certificate.)
(Yes, it can be tuned further, i.e. dropping/adding support for some other protocols. That's up to you.)

eap {
        default_eap_type = ttls
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        md5 {
        }
        leap {
        }
        gtc {
                auth_type = PAP
        }
        tls {
                private_key_password = lettheserverin
                private_key_file = ${raddbdir}/certs/server_keycert.pem
                certificate_file = ${raddbdir}/certs/server_keycert.pem
                CA_file = ${raddbdir}/certs/cacert.pem
                dh_file = ${raddbdir}/certs/dh
                random_file = ${raddbdir}/certs/random
        }
        ttls {
                default_eap_type = mschapv2
                use_tunneled_reply = yes
        }
        peap {
                default_eap_type = mschapv2
        }
        mschapv2 {
        }
}

4.8 Add a radius client for the wireless access point in /etc/raddb/clients.conf:
For the dlink AP3200:

client 192.168.0.53 {
        secret = <dlink secret phrase>
        shortname = AP3200
        nastype = other
}

4.9 Modify /etc/raddb/radiusd.conf:
I didn't modify radiusd.conf, but make sure the following are uncommented.
(Yes, it can be tuned further, i.e. dropping/adding support for some other protocols, unloading useless modules, increasing performance etc. That's up to you.)

log_auth = yes

authorize {
        preprocess
        chap
        mschap
        suffix
        pap
        eap
        files
}

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
#       unix
        eap
}

4.10 Modify /etc/raddb/users & start the server.
Create a user at the top of the file:

faheem  Cleartext-Password := "khan"

Now start the radius server:

/etc/init.d/radiusd start

Step 5 ****************** Configuring the Access Point *********************

Now set the AP to use "WPA enterprise auto" or "WPA 2 enterprise" & point it to the radius server's ip address/port. The secret field must be the same as mentioned in /etc/raddb/clients.conf (i.e. in our case the “dlinksecret” phrase).

Step 6 ******************** Configure end wifi clients ********************

Install certificates

Certification authority CA.der (according to the certificate method above it should be cacert.der).
Server certificate with keys server.p12 (according to the certificate method above, it should be server_keycert.p12).

Note: The following screenshots are from Windows 2003 server, but it shouldn't be very different for Windows XP.

Go to “start”, select “run” & type “mmc”.
Follow the same procedure for importing the server.p12 certificate into the “Trusted Root” section.

That is it for EAP/PEAP (TTLS), but for TLS you also need to import/install the client certificate. (You would also need to modify your eap.conf file for TLS.)

Configuring the wifi interface

View “My network neighborhood” and choose your Access point, in this case “AP3200” (not really; it is named mydlink here).
Press “ok”, “ok”, and “ok”. You're done configuring the wifi.
- Immediately “disable” the wifi interface: right click & choose “disable”.
- After a second or two, re-enable the wifi interface. You should be prompted for username/password/login domain.
- Simply supply the username/password & press “ok”.
- You should connect in less than a second.

Congratulations, you have configured a WPA1/2 enterprise wifi network.

Possible problems/Solutions:
- Freeradius not compiled with openssl support. (Google.)
- Certificates not installed correctly. (Use demo certificates/use some automating script.)
- End client XP is not supporting the protocol. (Install possibly the latest service pack.)
- Client/AP not communicating. (Turn off the firewall or open the ports.)
- AP not communicating. (Reset/restart or update the firmware.)
- Client not getting authenticated. (Check logs/run the freeradius server in debug mode, e.g. radiusd -X -z.)