Wifi Authentication/Accounting With FreeRadius On CentOS 5

Submitted by awan (Contact Author) (Forums) on Wed, 2008-07-09 15:46. :: CentOS


(Date: 2-June-2008)

This tutorial explains how to set up a FreeRADIUS server for Wifi authentication and accounting on CentOS 5. The howto is written so that a newbie can follow it; a production deployment is also possible with minor tweaking. As usual, I do not guarantee anything and take no responsibility if something goes wrong.

(Note: For the faint-hearted, there is this turn-key solution instead: http://www.howtoforge.com/how-to-set-up-an-aaa-server-with-ciitix-wifi )

 

This configuration has been tested on the following:

OS: CentOS 5.x (patched)

Certificates: OpenSSL 0.9.8b

RADIUS Server: FreeRADIUS version 1.1.7 (built from the fc6 src.rpms)

(Note: This document also assumes that you have a DHCP server already configured and running on the same subnet.)

Protocols configured:

  • WPA/WPA2 Enterprise
  • EAP (PEAP and TTLS)

The following steps are involved:

1- Install OS
2- Install openssl
3- Generate digital certificates
4- Install / Configure freeradius
5- Configure Access points
6- Configure end wifi clients

 

Step 1

1- Install the OS in the minimal mode (refer to some howto).

 

Step 2

2- Install openssl (if not already installed)

yum install openssl

 

Step 3 ( *********** OpenSSL Certificate Generation ***********)

There are numerous ways of generating SSL certificates. You can create your certificates on another computer or on this server.

The following is the manual way of creating certificates that I adopted. You are, however, advised to use a script to create them, and to skip this step if you do. FreeRADIUS 1.1.7 and 2.x come with nice certificate-generating scripts; use them if you are new to certificates. (In 2.x the scripts are usually in /etc/raddb/certs/; in 1.x they are in the scripts/ directory of the un-tgz'ed freeradius source.)

Note: The following process also creates client certificates, which you will not need with EAP-PEAP.

 

3.1 Create a new self-signed certificate authority (if not already created) in /etc/ssl:

mkdir private
mkdir newcerts
touch index.txt
echo '01' > serial

Edit /etc/pki/tls/openssl.cnf & change

dir            = ../../CA              # Where everything is kept 

to

dir              = /etc/ssl

openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 3650

"letmein" is the PEM passphrase I chose.

Following is the output:

===========================================================================
[root@ciitwifi ssl]# openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 3650
Generating a 1024 bit RSA private key
..++++++
..++++++
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:pk
State or Province Name (full name) [Berkshire]:pakhtoonkhwa
Locality Name (eg, city) [abbottabad]:abbottabad
Organization Name (eg, company) [ciit]:ciit
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ciitwifi
Email Address []:rnd@peace.not@ciit.net.pk
===========================================================================

 

3.2 Create the server certificate request in /etc/ssl (note the challenge password "lettheserverin"):

openssl req -new -nodes -keyout server_key.pem -out server_req.pem -days 730

Output:

===========================================================================
[root@ciitwifi ssl]# openssl req -new -nodes -keyout server_key.pem -out server_req.pem -days 730
Generating a 1024 bit RSA private key
.......++++++
..................................++++++
writing new private key to 'server_key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:pk
State or Province Name (full name) [Berkshire]:pakhtoonkhwa
Locality Name (eg, city) [abbottabad]:abbottabad
Organization Name (eg, company) [ciit]:ciit
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ciitwifi
Email Address []:rnd@peace.not
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:lettheserverin
An optional company name []:
[root@ciitwifi ssl]#
===========================================================================

 

3.3 Sign server certificate using the certificate authority created earlier (with XP extensions):

Create an xpextensions file in /etc/ssl with the following content.

[root@centos5 ssl]# cat xpextensions
[ xpclient_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2

[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
 


openssl ca -policy policy_anything -out server_cert.pem -extensions xpserver_ext -extfile /etc/ssl/xpextensions -infiles /etc/ssl/server_req.pem

(Note: the CA passphrase is "letmein", chosen in step 3.1.)

===========================================================================
[root@ciitwifi ssl]# openssl ca -policy policy_anything -out server_cert.pem -extensions xpserver_ext -extfile /etc/ssl/xpextensions -infiles /etc/ssl/server_req.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/ssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jun 10 03:22:22 2008 GMT
Not After : Jun 10 03:22:22 2009 GMT
Subject:
countryName = pk
stateOrProvinceName = pakhtoonkhwa
localityName = abbottabad
organizationName = ciit
commonName = ciitwifi
emailAddress = rnd@peace.not
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Server Authentication
Certificate is to be certified until Jun 10 03:22:22 2009 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@ciitwifi ssl]#
===========================================================================

 

3.4 Create a server file with both the server key and the server certificate:

cat server_key.pem server_cert.pem > server_keycert.pem

 

3.5 Create a client certificate request in /etc/ssl:

openssl req -new -keyout client_key.pem -out client_req.pem -days 730

"ciitwificlient" is the PEM passphrase I used.

Output:

===========================================================================
[root@ciitwifi ssl]# openssl req -new -keyout client_key.pem -out client_req.pem -days 730
Generating a 1024 bit RSA private key
.........++++++
..............++++++
writing new private key to 'client_key.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:pk
State or Province Name (full name) [Berkshire]:pakhtoonkhwa
Locality Name (eg, city) [abbottabad]:abbottabad
Organization Name (eg, company) [ciit]:ciit
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ciitwifi
Email Address []:rnd@peace.not
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:whateverdotwhat
An optional company name []:
[root@ciitwifi ssl]#
===========================================================================

 

3.6 Sign client certificate using the certificate authority created earlier (with XP extensions):

openssl ca -policy policy_anything -out client_cert.pem -extensions xpclient_ext -extfile /etc/ssl/xpextensions -infiles /etc/ssl/client_req.pem

"letmein" is the passphrase I used.

===========================================================================
[root@ciitwifi ssl]# openssl ca -policy policy_anything -out client_cert.pem -extensions xpclient_ext -extfile /etc/ssl/xpextensions -infiles /etc/ssl/client_req.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/ssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Jun 10 03:49:46 2008 GMT
Not After : Jun 10 03:49:46 2009 GMT
Subject:
countryName = pk
stateOrProvinceName = pakhtoonkhwa
localityName = abbottabad
organizationName = ciit
commonName = ciitwifi
emailAddress = rnd@peace.not
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Client Authentication
Certificate is to be certified until Jun 10 03:49:46 2009 GMT (365 days)
Sign the certificate? [y/n]:yes
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@ciitwifi ssl]#
===========================================================================


3.7 Export the client certificate in the appropriate format (P12) for an XP client:

openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out client_cert.p12 -clcerts

"ciitwificlient" is the passphrase.

"Idontknow" is the export password. This is the password you will give to the Windows XP clients; they need it when importing client_cert.p12.

Output:

===========================================================================
[root@ciitwifi ssl]# openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out client_cert.p12 -clcerts
Enter pass phrase for client_key.pem:
Enter Export Password:
Verifying - Enter Export Password:
[root@ciitwifi ssl]#
===========================================================================

 

3.8 Export the CA's root certificate in the appropriate format (DER) for an XP client:

openssl x509 -setalias "ciitwifi@ciit" -outform DER -in cacert.pem -out cacert.der

 

3.9 The files 'client_cert.p12' and 'cacert.der' can now be safely moved to a folder for import onto the XP clients.
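The whole of step 3 as one non-interactive script, added here as an example and not part of the original howto or the FreeRADIUS project. It assumes openssl is in PATH, works in a scratch directory instead of /etc/ssl, and carries its own minimal openssl.cnf (the sections 'openssl req' and 'openssl ca' actually read) rather than editing /etc/pki/tls/openssl.cnf. The passphrases and DN values are the tutorial's; "ciitwifi CA" as the CA common name, "wifiuser" as the client common name and 2048-bit keys are this example's own choices (1024-bit RSA, the 0.9.8 default shown in the transcripts above, is no longer acceptable). One point the transcripts show but do not explain: the requests were created with -days 730, yet both certificates came out valid for 365 days. That is because -days on 'openssl req' only applies when it self-signs (-x509); when 'openssl ca' signs, the lifetime comes from default_days in the config or from -days on the ca command, which is what the script does.

```shell
#!/bin/sh
# Added example (not the tutorial's own): steps 3.1-3.9 without prompts, plus the checks
# worth running before anything is copied to a client. Assumes openssl is installed.
set -eu

make_pki() {
    dir=$1
    mkdir -p "$dir/private" "$dir/newcerts"
    : > "$dir/index.txt"
    echo 01 > "$dir/serial"
    # Minimal CA config with the tutorial's "dir = ..." edit applied to the scratch dir.
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca     = CA_default
[ CA_default ]
database       = $dir/index.txt
new_certs_dir  = $dir/newcerts
serial         = $dir/serial
certificate    = $dir/cacert.pem
private_key    = $dir/private/cakey.pem
default_md     = sha256
default_days   = 365
policy         = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_md         = sha256
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical, CA:true
keyUsage               = critical, keyCertSign, cRLSign
EOF
    # The xpextensions file from step 3.3 (serverAuth / clientAuth EKU OIDs).
    cat > "$dir/xpextensions" <<'EOF'
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF
    cfg=$dir/openssl.cnf; ext=$dir/xpextensions
    dn="/C=PK/ST=pakhtoonkhwa/L=abbottabad/O=ciit"
    # 3.1  self-signed CA (passphrase "letmein"); -days is honoured here because -x509 signs
    openssl req -new -x509 -newkey rsa:2048 -extensions v3_ca -config "$cfg" -days 3650 \
        -keyout "$dir/private/cakey.pem" -passout pass:letmein -out "$dir/cacert.pem" \
        -subj "$dn/CN=ciitwifi CA"
    # 3.2  server request; -nodes leaves the key unencrypted, as FreeRADIUS expects
    openssl req -new -nodes -newkey rsa:2048 -config "$cfg" -subj "$dn/CN=ciitwifi" \
        -keyout "$dir/server_key.pem" -out "$dir/server_req.pem"
    # 3.3  CA signs the server cert; the lifetime is decided here, not by the request
    openssl ca -batch -config "$cfg" -policy policy_anything -days 730 -passin pass:letmein \
        -extensions xpserver_ext -extfile "$ext" -in "$dir/server_req.pem" -out "$dir/server_cert.pem"
    # 3.4  key + certificate in one file for FreeRADIUS
    cat "$dir/server_key.pem" "$dir/server_cert.pem" > "$dir/server_keycert.pem"
    # 3.5 / 3.6  client request (key passphrase "ciitwificlient") and signing
    openssl req -new -newkey rsa:2048 -config "$cfg" -subj "$dn/CN=wifiuser" \
        -keyout "$dir/client_key.pem" -passout pass:ciitwificlient -out "$dir/client_req.pem"
    openssl ca -batch -config "$cfg" -policy policy_anything -days 730 -passin pass:letmein \
        -extensions xpclient_ext -extfile "$ext" -in "$dir/client_req.pem" -out "$dir/client_cert.pem"
    # 3.7  PKCS#12 bundle for the XP client (export password "Idontknow")
    openssl pkcs12 -export -clcerts -in "$dir/client_cert.pem" -inkey "$dir/client_key.pem" \
        -passin pass:ciitwificlient -passout pass:Idontknow -out "$dir/client_cert.p12"
    # 3.8  CA certificate in DER form for the XP trust store
    openssl x509 -setalias "ciitwifi@ciit" -outform DER -in "$dir/cacert.pem" -out "$dir/cacert.der"
}

# Chain validity, the EKU each side needs, and readability of both exports.
verify_pki() {
    dir=$1
    openssl verify -CAfile "$dir/cacert.pem" "$dir/server_cert.pem" "$dir/client_cert.pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/server_cert.pem" -noout -text | grep -q 'TLS Web Server Authentication' || return 1
    openssl x509 -in "$dir/client_cert.pem" -noout -text | grep -q 'TLS Web Client Authentication' || return 1
    openssl pkcs12 -in "$dir/client_cert.p12" -noout -passin pass:Idontknow >/dev/null 2>&1 || return 1
    openssl x509 -inform DER -in "$dir/cacert.der" -noout >/dev/null 2>&1 || return 1
}

# True (exit 0) if the certificate is still valid DAYS days from now; confirms -days 730 took effect.
lifetime_exceeds_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Stand-alone run: build into a scratch directory (or the directory given as $1) and check it.
work=${1:-$(mktemp -d)}
make_pki "$work" >/dev/null 2>&1
if verify_pki "$work" && lifetime_exceeds_days "$work/server_cert.pem" 700; then
    echo "PKI generated and verified in $work"
else
    echo "verification failed in $work" >&2; exit 1
fi
```

Run it with a directory argument to keep the output (e.g. a staging copy of /etc/ssl); server_keycert.pem and cacert.pem are what FreeRADIUS needs, client_cert.p12 and cacert.der are what goes to the XP clients. Because the client key is encrypted with its own passphrase and the export password is separate, the script has to supply both to 'openssl pkcs12' (-passin and -passout), exactly the two prompts shown in step 3.7.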


Submitted by Anonymous (not registered) on Thu, 2011-10-27 15:50.

Why is it showing this error?

 

TLS_accept: SSLv3 write certificate request A
    TLS_accept: SSLv3 flush data
    TLS_accept:error in SSLv3 read client certificate A
rlm_eap: SSL error error

Submitted by Eric Geier (not registered) on Mon, 2009-11-16 18:10.
If you don't want to setup your own server, consider an outsourced RADIUS/802.1X service like from NoWiresSecurity: http://www.nowiressecurity.com/
Submitted by awan (registered user) on Tue, 2010-06-22 06:14.

Even better, try CIITIX-WiFi, a turn-key secure wifi solution; you can set it up in under 5 minutes, even as an AAA newbie.

Check out this nifty howto

http://howtoforge.com/how-to-set-up-an-aaa-server-with-ciitix-wifi

Cheers

--

Oz

Submitted by T (not registered) on Fri, 2009-07-17 17:28.

Just wanted to point out that for the openssl options:

-extensions xpclient_ext -extfile /etc/ssl/xpextensions

to work, you will need the xpextensions file itself, and cp it to /etc/ssl or change the path to where it is

The file is included with freeradius in the $RADHOME/certs directory and can just be cp'd to /etc/ssl from there or change the option to $RADHOME/certs/xpextensions (ie: -extfile /usr/local/raddb/certs/xpextensions)

Submitted by awan (registered user) on Tue, 2009-07-28 05:48.

Yeah, I missed that one out. In case nobody has it in his folders/directories, here is the content of the file. Just create the file with the said name and the following entries.

In the tutorial's context, it ought to be at /etc/ssl.

[root@mycentos /etc/ssl]# cat xpextensions
[ xpclient_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2

[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
[root@mycentos /etc/ssl]#

--

Ozzy