Wifi Authentication/Accounting With FreeRadius On CentOS 5 - Page 2
On this page
- Step 4 (*********** Freeradius Setup ***********)
- 4.1 Fetch freeradius rpm
- 4.2 Remove the FreeRadius default certificate files etc:
- 4.3 Create the appropriate directories in /etc/raddb in which to keep the certificate information:
- 4.4 Move the server certificate and the root certificate to the FreeRadius folder:
- 4.5 Create the Diffie-Hellman parameters file for TLS:
- 4.6 Create the random bitstream file for TLS, & change ownership of the certificate & stuff for the freeradius to be able to read them.
- 4.7 Modify /etc/raddb/eap.conf (full listing):
- 4.8 Add a radius client for the wireless access point in /etc/raddb/clients.conf:
- 4.9 Modify /etc/raddb/radiusd.conf:
- 4.10 Modify /etc/raddb/users & start the server.
- Step 5 ****************** Configuring the Access Point *********************
Step 4 (*********** Freeradius Setup ***********)
4.1 Fetch freeradius rpm
rpm -Uvh freeradius....
If it asks for dependencies do the following:
yum install net-snmp-utils perl-DBI libtool-ltdl -y
Note: The freeradius package available from the CentOS 5.1 repos is freeradius-1.1.3..., which is built with OpenSSL support; that version is no longer supported by freeradius.org, which only supports the 1.1.7.x series. The latest version, 2.0.5, has newer features but has no RPM binaries for CentOS 5.x, although .src.rpms of 2.0.3 for Fedora 9 do exist. FR 2.x differs from 1.x under the hood (paths and files for the various protocols).
4.2 Remove the FreeRadius default certificate files etc:
rm -Rf /etc/raddb/demoCA
This is actually /etc/raddb/certs/demoCA; I backed up (mv'ed) the /etc/raddb/certs folder to /etc/raddb/bkup_certs.
4.3 Create the appropriate directories in /etc/raddb in which to keep the certificate information:
I backed up (mv'ed) the /etc/raddb/certs folder to /etc/raddb/bkup_certs and created a new one named /etc/raddb/certs.
mkdir /etc/raddb/certs
4.4 Move the server certificate and the root certificate to the FreeRadius folder:
cp /etc/ssl/cacert.pem /etc/raddb/certs/ -v
cp /etc/ssl/server_keycert.pem /etc/raddb/certs/ -v
4.5 Create the Diffie-Hellman parameters file for TLS:
openssl dhparam -check -text -5 512 -out dh
Output:
[root@ciitwifi ssl]# pwd
/etc/ssl
[root@ciitwifi ssl]# openssl dhparam -check -text -5 512 -out dh
Generating DH parameters, 512 bit long safe prime, generator 5
This is going to take a long time
DH parameters appear to be ok.
[root@ciitwifi ssl]#
===========================================================================
Copy this "dh" file to /etc/raddb/certs folder:
cp /etc/ssl/dh /etc/raddb/certs -v
4.6 Create the random bitstream file for TLS, & change ownership of the certificate & stuff for the freeradius to be able to read them.
dd if=/dev/urandom of=random count=2
Output (run in the /etc/raddb/certs folder):
===========================================================================
[root@ciitwifi certs]# dd if=/dev/urandom of=random count=2
2+0 records in
2+0 records out
1024 bytes (1.0 kB) copied, 0.000545195 seconds, 1.9 MB/s
chown -R radiusd /etc/raddb/certs
4.7 Modify /etc/raddb/eap.conf (full listing):
(Note: "lettheserverin" is the private key password of the certificate.)
(Yes, it can be tuned further, e.g. by dropping or adding support for other protocols. That's up to you.)
eap {
    default_eap_type = ttls
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    md5 {
    }
    leap {
    }
    gtc {
        auth_type = PAP
    }
    tls {
        private_key_password = lettheserverin
        private_key_file = ${raddbdir}/certs/server_keycert.pem
        certificate_file = ${raddbdir}/certs/server_keycert.pem
        CA_file = ${raddbdir}/certs/cacert.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
    }
    ttls {
        default_eap_type = mschapv2
        use_tunneled_reply = yes
    }
    peap {
        default_eap_type = mschapv2
    }
    mschapv2 {
    }
}
4.8 Add a radius client for the wireless access point in /etc/raddb/clients.conf:
For the dlink AP3200:
client 192.168.0.53 {
    secret = <dlink secret phrase>
    shortname = AP3200
    nastype = other
}
4.9 Modify /etc/raddb/radiusd.conf:
I didn't modify radiusd.conf, but make sure the following are uncommented. (Yes, it can be tuned further, e.g. dropping or adding support for other protocols, unloading unused modules, increasing performance, etc. That's up to you.)
log_auth = yes

authorize {
    preprocess
    chap
    mschap
    suffix
    pap
    eap
    files
}

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    # unix
    eap
}
4.10 Modify /etc/raddb/users & start the server.
Create a user at the top of the file:
faheem Cleartext-Password := "khan"
Now start the radius server:
/etc/init.d/radiusd start
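Before starting radiusd it is worth confirming that every file referenced in the tls { } block actually exists, belongs to the radiusd user and is not readable by everyone (cp keeps whatever mode the key file had in /etc/ssl, and chown alone does not change it). The script below is an added example, not part of the original howto; it assumes the ${raddbdir}/certs layout used above, a radiusd owner, and GNU stat as shipped with CentOS.

```shell
#!/bin/sh
# Added example, not part of the original howto: verify every TLS file that
# eap.conf points at before starting radiusd. Assumes the layout used above
# (${raddbdir}/certs/..., files owned by the radiusd user) and GNU stat.

# Resolve one "name = ${raddbdir}/..." setting in eap.conf to a real path.
eap_path() {               # $1 = raddb directory, $2 = setting name
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1/eap.conf" \
        | head -n 1 | sed 's|\${raddbdir}|'"$1"'|; s/[[:space:]]*$//'
}

# Check one file: it must exist, belong to the expected owner and carry no
# permission bits for "other" (the private key is stored in that file).
check_file() {             # $1 = path, $2 = expected owner
    [ -f "$1" ] || { echo "MISSING  $1"; return 1; }
    cur_owner=$(stat -c %U "$1")
    cur_mode=$(stat -c %a "$1")
    [ "$cur_owner" = "$2" ] || { echo "OWNER    $1 belongs to $cur_owner, not $2"; return 1; }
    case "$cur_mode" in
        *0) ;;                   # last octal digit 0: no bits for "other"
        *)  echo "WORLD    $1 has mode $cur_mode (readable by others)"; return 1 ;;
    esac
    echo "OK       $1"
}

# Walk the five tls { } file settings; returns 1 if any of them fails.
check_eap_files() {        # $1 = raddb directory, $2 = owner (default radiusd)
    dir=$1; want=${2:-radiusd}; rc=0
    for key in private_key_file certificate_file CA_file dh_file random_file; do
        path=$(eap_path "$dir" "$key")
        if [ -z "$path" ]; then
            echo "UNSET    $key not found in $dir/eap.conf"; rc=1; continue
        fi
        check_file "$path" "$want" || rc=1
    done
    return $rc
}

# Run as: sh check_eap.sh /etc/raddb   (second argument overrides the owner)
if [ -n "${1:-}" ]; then
    check_eap_files "$1" "${2:-radiusd}"
fi
```

A non-zero exit means at least one line starting with MISSING, OWNER, WORLD or UNSET was printed; fix those before running /etc/init.d/radiusd start.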
Step 5 ****************** Configuring the Access Point *********************
Now set the AP to use "WPA Enterprise auto" or "WPA2 Enterprise" and point it at the RADIUS server's IP address and port. The secret field must be the same as the one given in /etc/raddb/clients.conf (i.e. in our case the "dlinksecret" phrase).