On this page
- Wifi Authentication/Accounting With FreeRadius On CentOS 5
- Step 1
- Step 2
- Step 3 ( *********** OpenSSL Certificate Generation ***********)
- 3.1 Create a new self-signed certificate authority (if not already created) in /etc/ssl:
- 3.2 Create server certificate request in /etc/ssl: (note the passwd "lettheserverin")
- 3.3 Sign server certificate using the certificate authority created earlier (with XP extensions):
- 3.4 Create a server file with both the server key and the server certificate:
- 3.5 Create a client certificate request in /etc/ssl:
- 3.6 Sign client certificate using the certificate authority created earlier (with XP extensions):
- 3.7 Export the client certificate in the appropriate format (P12) for an XP client:
- 3.8 Export the root certificate of the server in the appropriate format (DER) for an XP client:
- 3.9 The files 'client_cert.p12' and 'cacert.der' can now be safely moved to a folder for import onto the XP clients.
Wifi Authentication/Accounting With FreeRadius On CentOS 5
(Date: 2-June-2008)
This tutorial explains how you can set up a FreeRadius server with Wifi authentication and accounting on CentOS 5. This howto should work for a newbie. Production deployment is also possible with minor tweaking. But as usual I do not guarantee anything & take no responsibilities if something goes wrong.
(Note: For the faint-hearted you can use this turn-key solution. https://www.howtoforge.com/how-to-set-up-an-aaa-server-with-ciitix-wifi )
This configuration has been tested on following:
OS: CentOS 5.x (patched)
Certificates: Openssl 0.98b
Radius Sever: Freeradius version 1.1.7 (built from fc6 src.rpms)
(Note: This document also assumes that you have a dhcp server already configured & running on the same subnet.)
Protocols configured for:
- WPA1/2 enterprise
- EAP/PEAP/TTLS
Following processes are involved:
1- Install OS
2- Install openssl
3- Generate digital certificates
4- Install / Configure freeradius
5- Configure Access points
6- Configure end wifi clients
Step 1
1- Install the OS in the minimal mode (refer to some howto).
Step 2
2- Install openssl (if not already installed)
yum install openssl
Step 3 ( *********** OpenSSL Certificate Generation ***********)
There are numerous ways of generating ssl based certificates. You can create your certificates at another computer or on this server.
Following is a manual way of creating certificates which I adopted. But you are suggested to use some script to create them(skip this step if you . Freeradius 1.1.7 & 2.x version comes with nice certificate generating scripts, use them if you are new to certificates. (In 2.X the scripts are usually in /etc/radd/certs/, in 1.X it is in the scripts/ directory of un-tgz'ed freeradius).
Note: Following process also creates client certificates which you would not be needing with EAP/PEAP.
3.1 Create a new self-signed certificate authority (if not already created) in /etc/ssl:
mkdir private
mkdir newcerts
touch index.txt
echo '01' > serial
Edit /etc/pki/tls/openssl.cnf & change
dir = ../../CA # Where everything is kept
to
dir = /etc/ssl
openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 3650
Passphrase: "letmein" was the passwd I chose.
Following is the output:
===========================================================================
[[email protected] ssl]# openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 3650
Generating a 1024 bit RSA private key
..++++++
..++++++
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:pk
State or Province Name (full name) [Berkshire]:pakhtoonkhwa
Locality Name (eg, city) [abbottabad]:abbottabad
Organization Name (eg, company) [ciit]:ciit
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ciitwifi
Email Address []:[email protected]@ciit.net.pk
===========================================================================
3.2 Create server certificate request in /etc/ssl: (note the passwd "lettheserverin")
openssl req -new -nodes -keyout server_key.pem -out server_req.pem -days 730
Output:
===========================================================================
[[email protected] ssl]# openssl req -new -nodes -keyout server_key.pem -out server_req.pem -days 730
Generating a 1024 bit RSA private key
.......++++++
..................................++++++
writing new private key to 'server_key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:pk
State or Province Name (full name) [Berkshire]:pakhtoonkhwa
Locality Name (eg, city) [abbottabad]:abbottabad
Organization Name (eg, company) [ciit]:ciit
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ciitwifi
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:lettheserverin
An optional company name []:
[[email protected] ssl]#
===========================================================================
3.3 Sign server certificate using the certificate authority created earlier (with XP extensions):
Create an xpextensions file at /etc/ssl location with the following content.
[[email protected] ssl]# cat xpextensions
[ xpclient_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
openssl ca -policy policy_anything -out server_cert.pem -extensions xpserver_ext -extfile /etc/ssl/xpextensions -infiles /etc/ssl/server_req.pem
(Note: passphrase was letmein in step 3.)
===========================================================================
[[email protected] ssl]# openssl ca -policy policy_anything -out server_cert.pem -extensions xpserver_ext -extfile /etc/ssl/xpextensions -infiles /etc/ssl/server_req.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/ssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jun 10 03:22:22 2008 GMT
Not After : Jun 10 03:22:22 2009 GMT
Subject:
countryName = pk
stateOrProvinceName = pakhtoonkhwa
localityName = abbottabad
organizationName = ciit
commonName = ciitwifi
emailAddress = [email protected]
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Server Authentication
Certificate is to be certified until Jun 10 03:22:22 2009 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[[email protected] ssl]#
===========================================================================
3.4 Create a server file with both the server key and the server certificate:
cat server_key.pem server_cert.pem > server_keycert.pem
3.5 Create a client certificate request in /etc/ssl:
openssl req -new -keyout client_key.pem -out client_req.pem -days 730
"ciitwificlient" is the PEM passphrase I used.
Output:
===========================================================================
[[email protected] ssl]# openssl req -new -keyout client_key.pem -out client_req.pem -days 730
Generating a 1024 bit RSA private key
.........++++++
..............++++++
writing new private key to 'client_key.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:pk
State or Province Name (full name) [Berkshire]:pakhtoonkhwa
Locality Name (eg, city) [abbottabad]:abbottabad
Organization Name (eg, company) [ciit]:ciit
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ciitwifi
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:whateverdotwhat
An optional company name []:
[[email protected] ssl]#
===========================================================================
3.6 Sign client certificate using the certificate authority created earlier (with XP extensions):
openssl ca -policy policy_anything -out client_cert.pem -extensions xpclient_ext -extfile /etc/ssl/xpextensions -infiles /etc/ssl/client_req.pem
"letmein" is the passphrase I used.
===========================================================================
[[email protected] ssl]# openssl ca -policy policy_anything -out client_cert.pem -extensions xpclient_ext -extfile /etc/ssl/xpextensions -infiles /etc/ssl/client_req.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/ssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Jun 10 03:49:46 2008 GMT
Not After : Jun 10 03:49:46 2009 GMT
Subject:
countryName = pk
stateOrProvinceName = pakhtoonkhwa
localityName = abbottabad
organizationName = ciit
commonName = ciitwifi
emailAddress = [email protected]
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Client Authentication
Certificate is to be certified until Jun 10 03:49:46 2009 GMT (365 days)
Sign the certificate? [y/n]:yes
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[[email protected] ssl]#
===========================================================================
3.7 Export the client certificate in the appropriate format (P12) for an XP client:
openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out client_cert.p12 -clcerts
"ciitwificlient" is the passphrase.
"Idontknow" is the export password. This is the password that the you will be giving the windows XP clients, who will be using this while installing the client_cert.
Output:
===========================================================================
[[email protected] ssl]# openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out client_cert.p12 -clcerts
Enter pass phrase for client_key.pem:
Enter Export Password:
Verifying - Enter Export Password:
[[email protected] ssl]#
===========================================================================
3.8 Export the root certificate of the server in the appropriate format (DER) for an XP client:
openssl x509 -setalias "[email protected]" -outform DER -in cacert.pem -out cacert.der