Local user authentication with FreeRADIUS

January 25, 2010 - No comment

This one is a bit less complex than http://www.wains.be/index.php/2009/09/13/wpa2-freeradius-eap-tls/

This is actually the most basic RADIUS configuration ever, useful for quick tests. I can only recommend checking the post mentioned above if you want to do something serious.

# apt-get install freeradius

# vim /etc/freeradius/users

login     Cleartext-Password := "password"
login2     Cleartext-Password := "password2"
#vim /etc/freeradius/clients.conf

client localhost {
	ipaddr = 127.0.0.1
        secret = radiuspassword
}

client router {
	ipaddr = 10.0.0.1
        secret = radiuspassword
}

# /etc/init.d/freeradius restart

Check if RADIUS is working :

# radtest login password localhost 1812 radiuspassword
Sending Access-Request of id 222 to 127.0.0.1 port 1812
User-Name = "login"
User-Password = "password"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=222, length=20

# radtest login2 password2 localhost 1812 radiuspassword
Sending Access-Request of id 1 to 127.0.0.1 port 1812
User-Name = "login2"
User-Password = "password2"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=1, length=20

We expect Access-Accept from the server, not Access-Reject…

Configure your wireless access point :

Usually found under Security tab (or RADIUS, 802.1X, etc.)
Configure your device at 10.0.0.1 to authenticate against the Radius server with password radiuspassword.
Try to connect to your wireless access point using login and password.

WPA2 + FreeRADIUS + EAP-TLS

September 13, 2009 - 10 comments

Tested under Debian Lenny

BUILDING AND INSTALLING FREERADIUS WITH TLS SUPPORT

Install the necessary packages :

apt-get install dpkg-dev fakeroot

Download the source :

cd /root
mkdir freeradius-tls
cd freeradius-tls
apt-get source freeradius

Make the changes :

Edit /root/freeradius-tls/debian/rules :

and change
--with
by
--without
for eap_tls, eap_ttls, eap_peap and openssl

Just as :
--with-rlm_eap_tls \
--with-rlm_eap_ttls \
--with-rlm_eap_peap \
--without-rlm_eap_tnc \
--without-rlm_otp \
--with-rlm_sql_postgresql_lib_dir=`pg_config --libdir`\
--with-rlm_sql_postgresql_include_dir=`pg_config --includedir` \
--with-openssl \
--without-rlm_eap_ikev2 \
--without-rlm_sql_oracle \
--without-rlm_sql_unixodbc \

Then, comment the following :
for pkg in ${pkgs} ; do \
if dh_shlibdeps -p $$pkg -- -O 2>/dev/null | grep -q libssl; then \
echo "$$pkg links to openssl" ;\
exit 1 ;\
fi ;\
done

Edit /root/freeradius-tls/debian/control :
On the line beginning by “Build-Depends”
Add the folowing :
", libssl-dev"
at the end of the line (without the quotes)

Install dev libraries :
apt-get install libssl-dev debhelper libgdbm-dev libiodbc2-dev libkrb5-dev libldap2-dev libltdl3-dev libmysqlclient15-dev libpam0g-dev libpcap-dev libperl-dev libpq-dev libsasl2-dev libsnmp-dev python-dev

Build freeradius :
dpkg-buildpackage -rfakeroot

Building will end by a warning message, this is not important.

Put the packages on hold to avoid upgrading with a non-TLS version of FreeRADIUS :

echo “freeradius hold” | dpkg --set-selections
echo "libfreeradius2 hold" | dpkg --set-selections
echo "freeradius-common hold" | dpkg --set-selections

Install the packages we’ve just built :
dpkg --install freeradius-common_2.0.4+dfsg-6_all.deb libfreeradius2_2.0.4+dfsg-6_i386.deb

CERTIFICATES

Creating the CA

apt-get install openssl

Edit /etc/ssl/openssl.cnf

[ CA_default ]
dir = ./PKI

Edit /usr/lib/ssl/misc/CA.sh

CATOP=./PKI

Then type :

cd /etc/ssl
/usr/lib/ssl/misc/CA.sh -newca

Set a challenge password and a passphrase. This is needed.
The CA created will be copied to the server and clients later on.

Optional : if you have Windows XP clients

Create /etc/openssl/PKI/xpextensions

[xpclient_ext]
extendedKeyUsage=1.3.6.1.5.5.7.3.2

[xpserver_ext]
extendedKeyUsage=1.3.6.1.5.5.7.3.1

Server certificate signing request :

cd /etc/ssl
openssl req -new -nodes -keyout PKI/server_key.pem -out PKI/server_req.pem -days 730 -config openssl.cnf

Set a challenge password

Sign the server certificate request (if winxp clients) :
cd /etc/ssl
openssl ca -config openssl.cnf -policy policy_anything -out PKI/server_cert.pem -extensions xpserver_ext -extfile PKI/xpextensions -infiles PKI/server_req.pem

Mac clients :
openssl ca -config openssl.cnf -policy policy_anything -out PKI/server_cert.pem -infiles PKI/server_req.pem

Then :
cp server_cert.pem server_cert.pem-backup

Edit server_cert.pem
Remove everything before the line —–BEGIN CERTIFICATE—– (this is needed for winxp clients)

Next :
cat server_key.pem server_cert.pem > server_keycert.pem

Create a client certificate signing request :
cd /etc/ssl
openssl req -new -keyout PKI/client_key.pem -out PKI/client_req.pem -days 730 -config openssl.cnf

Sign client cert request :
cd /etc/ssl
Windows xp client :
openssl ca -config openssl.cnf -policy policy_anything -out PKI/client_cert.pem -extensions xpclient_ext -extfile PKI/xpextensions -infiles PKI/client_req.pem
Mac OS X client :
openssl ca -config openssl.cnf -policy policy_anything -out PKI/client_cert.pem -infiles PKI/client_req.pem

Export P12 certs (Windows and Mac clients ) :

openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out client_cert.p12 -clcerts

FREERADIUS CONFIG

FreeRadius

Do :
cp /etc/ssl/PKI/cacert.pem /etc/freeradius/certs/cacert.pem
cp /etc/ssl/PKI/server_keycert.pem /etc/freeradius/certs/server_keycert.pem

Then :
cd /etc/freeradius/certs
openssl dhparam -check -text -5 512 -out dh
dd if=/dev/urandom of=random count=2
chown freerad dh
chmod o-w dh

Next :
cp /etc/freeradius/eap.conf /etc/freeradius/eap.conf-default

/etc/freeradius/eap.conf :

eap {
        default_eap_type = tls
        timer_expire     = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no         

        tls {
                certdir = ${confdir}/certs
                cadir = ${confdir}/certs
                private_key_password = whatever
                private_key_file = ${certdir}/server_keycert.pem
                certificate_file = ${certdir}/server_keycert.pem
                CA_file = ${cadir}/cacert.pem
                dh_file = ${certdir}/dh
                random_file = ${certdir}/random
                fragment_size = 1024
                include_length = yes
                check_cert_cn = %{User-Name}
                cipher_list = "DEFAULT"
        }
}

Edit /etc/freeradius/clients.conf

We will consider the access-point that will authenticate users against the RADIUS server has the IP 192.168.7.45 :

client localhost {
        ipaddr = 127.0.0.1
        secret          = testing123
        require_message_authenticator = no
        nastype     = other     # localhost isn't usually a NAS...
}

client 192.168.7.45 {
        secret = suchasecurepassword
        shortname = linksys
}

Start FreeRADIUS :
freeradius -X -f

Set up wifi access point for authentication against our new RADIUS server

It depends on your hardware here.
You must usually go under the security panel of your device, where you can specify the IP/hostname and port of the RADIUS server, and the password (in our example : suchasecurepassword)

Configure clients

This will be the subject of a separate post as I will try to publish the method for all majors OSes (Linux, Mac and Windows) but don’t have much time for now.
Stay tuned !

This post is a stripped down version of the following howto by my colleague Jérôme :
http://hanoteau.blogspot.com/2009/03/howto-setup-eap-tls-wpa-network-with.html