Posted in Debian/Ubuntu Howto Networking RADIUS Security Wifi

WPA2 + FreeRADIUS + EAP-TLS

September 13, 2009 - 8 comments

Tested under Debian Lenny

BUILDING AND INSTALLING FREERADIUS WITH TLS SUPPORT

Install the necessary packages :

apt-get install dpkg-dev fakeroot

Download the source :

cd /root
mkdir freeradius-tls
cd freeradius-tls
apt-get source freeradius

Make the changes :

Edit /root/freeradius-tls/debian/rules :

and change
--with
by
--without
for eap_tls, eap_ttls, eap_peap and openssl

Just as :
--with-rlm_eap_tls \
--with-rlm_eap_ttls \
--with-rlm_eap_peap \
--without-rlm_eap_tnc \
--without-rlm_otp \
--with-rlm_sql_postgresql_lib_dir=`pg_config --libdir`\
--with-rlm_sql_postgresql_include_dir=`pg_config --includedir` \
--with-openssl \
--without-rlm_eap_ikev2 \
--without-rlm_sql_oracle \
--without-rlm_sql_unixodbc \

Then, comment the following :
for pkg in ${pkgs} ; do \
if dh_shlibdeps -p $$pkg -- -O 2>/dev/null | grep -q libssl; then \
echo "$$pkg links to openssl" ;\
exit 1 ;\
fi ;\
done

Edit /root/freeradius-tls/debian/control :
On the line beginning by “Build-Depends”
Add the folowing :
", libssl-dev"
at the end of the line (without the quotes)

Install dev libraries :
apt-get install libssl-dev debhelper libgdbm-dev libiodbc2-dev libkrb5-dev libldap2-dev libltdl3-dev libmysqlclient15-dev libpam0g-dev libpcap-dev libperl-dev libpq-dev libsasl2-dev libsnmp-dev python-dev

Build freeradius :
dpkg-buildpackage -rfakeroot

Building will end by a warning message, this is not important.

Put the packages on hold to avoid upgrading with a non-TLS version of FreeRADIUS :

echo “freeradius hold” | dpkg --set-selections
echo "libfreeradius2 hold" | dpkg --set-selections
echo "freeradius-common hold" | dpkg --set-selections

Install the packages we’ve just built :
dpkg --install freeradius-common_2.0.4+dfsg-6_all.deb libfreeradius2_2.0.4+dfsg-6_i386.deb

CERTIFICATES

Creating the CA

apt-get install openssl

Edit /etc/ssl/openssl.cnf

[ CA_default ]
dir = ./PKI

Edit /usr/lib/ssl/misc/CA.sh

CATOP=./PKI

Then type :

cd /etc/ssl
/usr/lib/ssl/misc/CA.sh -newca

Set a challenge password and a passphrase. This is needed.
The CA created will be copied to the server and clients later on.

Optional : if you have Windows XP clients

Create /etc/openssl/PKI/xpextensions

[xpclient_ext]
extendedKeyUsage=1.3.6.1.5.5.7.3.2

[xpserver_ext]
extendedKeyUsage=1.3.6.1.5.5.7.3.1

Server certificate signing request :

cd /etc/ssl
openssl req -new -nodes -keyout PKI/server_key.pem -out PKI/server_req.pem -days 730 -config openssl.cnf

Set a challenge password

Sign the server certificate request (if winxp clients) :
cd /etc/ssl
openssl ca -config openssl.cnf -policy policy_anything -out PKI/server_cert.pem -extensions xpserver_ext -extfile PKI/xpextensions -infiles PKI/server_req.pem

Mac clients :
openssl ca -config openssl.cnf -policy policy_anything -out PKI/server_cert.pem -infiles PKI/server_req.pem

Then :
cp server_cert.pem server_cert.pem-backup

Edit server_cert.pem
Remove everything before the line —–BEGIN CERTIFICATE—– (this is needed for winxp clients)

Next :
cat server_key.pem server_cert.pem > server_keycert.pem

Create a client certificate signing request :
cd /etc/ssl
openssl req -new -keyout PKI/client_key.pem -out PKI/client_req.pem -days 730 -config openssl.cnf

Sign client cert request :
cd /etc/ssl
Windows xp client :
openssl ca -config openssl.cnf -policy policy_anything -out PKI/client_cert.pem -extensions xpclient_ext -extfile PKI/xpextensions -infiles PKI/client_req.pem
Mac OS X client :
openssl ca -config openssl.cnf -policy policy_anything -out PKI/client_cert.pem -infiles PKI/client_req.pem

Export P12 certs (Windows and Mac clients ) :

openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out client_cert.p12 -clcerts

FREERADIUS CONFIG

FreeRadius

Do :
cp /etc/ssl/PKI/cacert.pem /etc/freeradius/certs/cacert.pem
cp /etc/ssl/PKI/server_keycert.pem /etc/freeradius/certs/server_keycert.pem

Then :
cd /etc/freeradius/certs
openssl dhparam -check -text -5 512 -out dh
dd if=/dev/urandom of=random count=2
chown freerad dh
chmod o-w dh

Next :
cp /etc/freeradius/eap.conf /etc/freeradius/eap.conf-default

/etc/freeradius/eap.conf :

eap {
        default_eap_type = tls
        timer_expire     = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no         

        tls {
                certdir = ${confdir}/certs
                cadir = ${confdir}/certs
                private_key_password = whatever
                private_key_file = ${certdir}/server_keycert.pem
                certificate_file = ${certdir}/server_keycert.pem
                CA_file = ${cadir}/cacert.pem
                dh_file = ${certdir}/dh
                random_file = ${certdir}/random
                fragment_size = 1024
                include_length = yes
                check_cert_cn = %{User-Name}
                cipher_list = "DEFAULT"
        }
}

Edit /etc/freeradius/clients.conf

We will consider the access-point that will authenticate users against the RADIUS server has the IP 192.168.7.45 :

client localhost {
        ipaddr = 127.0.0.1
        secret          = testing123
        require_message_authenticator = no
        nastype     = other     # localhost isn't usually a NAS...
}

client 192.168.7.45 {
        secret = suchasecurepassword
        shortname = linksys
}

Start FreeRADIUS :
freeradius -X -f

Set up wifi access point for authentication against our new RADIUS server

It depends on your hardware here.
You must usually go under the security panel of your device, where you can specify the IP/hostname and port of the RADIUS server, and the password (in our example : suchasecurepassword)

Configure clients

This will be the subject of a separate post as I will try to publish the method for all majors OSes (Linux, Mac and Windows) but don’t have much time for now.
Stay tuned !

This post is a stripped down version of the following howto by my colleague Jérôme :
http://hanoteau.blogspot.com/2009/03/howto-setup-eap-tls-wpa-network-with.html

Comments

senfomat

October 8, 2009 - 15:21

Thank you for that simple, but great cookbook!

I spotted two small errors in the tutorial. The path where to create the xpentensionsfile is slightly wrong for the described debian-installation: your path: /etc/openssl/xpextensions, but you reference it later to /etc/ssl/PKI/xpextensions. The second is somewhat related. In the section “Sign the server certificate request (if winxp clients)” the argument after -extensions is wrong, as it is not a path, but a reference into the extensionsfile, so the “PKI/” is too much.

But really really thank you for that tutorial. We finally got our EAP-TLS-Setup up and running with that.

Sébastien Wains

October 12, 2009 - 14:39

Thanks a lot for the feedback. Path fixed..
Glad it helped you out.

Xavi

October 28, 2009 - 12:02

Hi Sebastian, have you tried the WPA2 EAP-TLS wireless with the nokia E- Series? I’m having trouble with that (I only can connect it with WPA2-PSK) and I would like some help. Thanks

Sébastien Wains

October 28, 2009 - 23:45

@ Xavi : unfortunately not

Aäron Jansen

February 3, 2010 - 19:21

Hi Sébastien Wains, Thanks for the cookbook! There’s still some small mistakes though:

- @Install the packages we’ve just built :
dpkg –install freeradius-common_2.0.4+dfsg-6_all.deb libfreeradius2_2.0.4+dfsg-6_i386.deb libfreeradius2_2.0.4+dfsg-6_i386.deb >> the last 2 debs are the same.
- @Signing the server certificate request: PKI/xpserver_ext >> should be without ‘/PKI’.

Ciao, Aäron

Sébastien Wains

February 3, 2010 - 20:34

Fixed ! Thanks Aäron !

Gerry

February 8, 2010 - 18:45

Hi! This is the best cookbok/guide to making Freeradius work with NTLM that I have found. After a few tweaks I finally managed to make it work. Only thing is users seem to need a certificate installed in the computer in order to get authenticated. This might be because of the nature of PEAP, but is there any way to make it so that users without a certificate but with valid domain credentials get authenticated. I’m using a DD-WRT access point, setup with WPA and TKIP on the wifi side, and XP clients. Thanks in Advance!

Gerry

February 8, 2010 - 19:38

Sorry Sebastien, about my last post, nevermind please, haha. Turns out the main problem I had is Winbind_Privilege on /var/run/samba, Radius says permissions are not right, so when I set them to 775 it actually works, so I think I’ll add Freerad user to the Winbind_Privldg group so as not to leave the permissions so open. Again, thanks for this great post, it was very helpful! Cheers!

Trackback URI Comments RSS

Leave Comment

Please consider visiting the partners below if you enjoyed this article :

If this post saved you time and money, please consider checking my Amazon wishlist.

Before submitting, some rules :
- Is your comment related to the article ?
- You're having a problem ? Have you checked Google, other howtos, docs, manpages ?
- You're still having the problem ? Have you raised log verbosity, checked traces, ran tcpdump ?
- Have you checked your configuratoin for typo ?
Unless your comment is providing additional info or respect the rules above, DON'T comment.
If you don't understand what you are doing, I urge you to read the documentation, I'm not your free Level 1 helpdesk guy.