Wifi Authentication/Accounting With FreeRadius On CentOS 5

This tutorial explains how you can set up a FreeRadius server with Wifi authentication and accounting on CentOS 5. This howto should work for a newbie. Production deployment is also possible with minor tweaking. But as usual I do not guarantee anything & take no responsibility if something goes wrong.

(Note: For the faint-hearted, you can use this turn-key solution: https://www.computingpost.com/how-to-set-up-an-aaa-server-with-ciitix-wifi )

This configuration has been tested on following:

OS: CentOS 5.x (patched)

Certificates: Openssl 0.98b

Radius Server: Freeradius version 1.1.7 (built from fc6 src.rpms)

(Note: This document also assumes that you have a dhcp server already configured & running on the same subnet.)

Protocols configured for:

  • WPA1/2 enterprise
  • EAP/PEAP/TTLS

Following processes are involved:

1- Install OS

2- Install openssl

3- Generate digital certificates

4- Install / Configure freeradius

5- Configure Access points

6- Configure end wifi clients

1- Install the OS in the minimal mode (refer to some howto).

2- Install openssl (if not already installed)

yum install openssl

There are numerous ways of generating ssl based certificates. You can create your certificates at another computer or on this server.

Following is the manual way of creating certificates which I adopted. But you are advised to use a script to create them (skip this step if you do). Freeradius 1.1.7 & 2.x come with nice certificate-generating scripts; use them if you are new to certificates. (In 2.x the scripts are usually in /etc/raddb/certs/; in 1.x they are in the scripts/ directory of the un-tgz’ed freeradius source.)

Note: The following process also creates client certificates, which you would not be needing with EAP/PEAP.

In /etc/ssl (the directory the openssl.cnf change below points at), create the CA layout:

mkdir private
mkdir newcerts
touch index.txt
echo '01' > serial

Edit /etc/pki/tls/openssl.cnf & change

dir            = ../../CA              # Where everything is kept

to

dir              = /etc/ssl

openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 3650

Passphrase: “letmein” was the passwd I chose.

Following is the output:

===========================================================================
[root@ciitwifi ssl]# openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 3650
Generating a 1024 bit RSA private key..++++++..++++++
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:pk
State or Province Name (full name) [Berkshire]:pakhtoonkhwa
Locality Name (eg, city) [abbottabad]:abbottabad
Organization Name (eg, company) [ciit]:ciit
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ciitwifi
Email Address []:rnd@peace.not@ciit.net.pk
===========================================================================

openssl req -new -nodes -keyout server_key.pem -out server_req.pem -days 730

Output:

===========================================================================
[root@ciitwifi ssl]# openssl req -new -nodes -keyout server_key.pem -out server_req.pem -days 730
Generating a 1024 bit RSA private key.......++++++..................................++++++
writing new private key to 'server_key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:pk
State or Province Name (full name) [Berkshire]:pakhtoonkhwa
Locality Name (eg, city) [abbottabad]:abbottabad
Organization Name (eg, company) [ciit]:ciit
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ciitwifi
Email Address []:rnd@peace.not

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:lettheserverin
An optional company name []:
[root@ciitwifi ssl]#
===========================================================================

Create an xpextensions file at /etc/ssl with the following content:

[root@centos5 ssl]# cat xpextensions
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2

[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

openssl ca -policy policy_anything -out server_cert.pem -extensions xpserver_ext -extfile /etc/ssl/xpextensions -infiles /etc/ssl/server_req.pem

(Note: passphrase was letmein in step 3.)

===========================================================================
[root@ciitwifi ssl]# openssl ca -policy policy_anything -out server_cert.pem -extensions xpserver_ext -extfile /etc/ssl/xpextensions -infiles /etc/ssl/server_req.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/ssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jun 10 03:22:22 2008 GMT
            Not After : Jun 10 03:22:22 2009 GMT
        Subject:
            countryName               = pk
            stateOrProvinceName       = pakhtoonkhwa
            localityName              = abbottabad
            organizationName          = ciit
            commonName                = ciitwifi
            emailAddress              = rnd@peace.not
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
Certificate is to be certified until Jun 10 03:22:22 2009 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@ciitwifi ssl]#
===========================================================================

cat server_key.pem server_cert.pem > server_keycert.pem

openssl req -new -keyout client_key.pem -out client_req.pem -days 730

“ciitwificlient” is the PEM passphrase I used.

Output:

===========================================================================
[root@ciitwifi ssl]# openssl req -new -keyout client_key.pem -out client_req.pem -days 730
Generating a 1024 bit RSA private key.........++++++..............++++++
writing new private key to 'client_key.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:pk
State or Province Name (full name) [Berkshire]:pakhtoonkhwa
Locality Name (eg, city) [abbottabad]:abbottabad
Organization Name (eg, company) [ciit]:ciit
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ciitwifi
Email Address []:rnd@peace.not

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:whateverdotwhat
An optional company name []:
[root@ciitwifi ssl]#
===========================================================================

openssl ca -policy policy_anything -out client_cert.pem -extensions xpclient_ext -extfile /etc/ssl/xpextensions -infiles /etc/ssl/client_req.pem

“letmein” is the passphrase I used.

===========================================================================
[root@ciitwifi ssl]# openssl ca -policy policy_anything -out client_cert.pem -extensions xpclient_ext -extfile /etc/ssl/xpextensions -infiles /etc/ssl/client_req.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/ssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Jun 10 03:49:46 2008 GMT
            Not After : Jun 10 03:49:46 2009 GMT
        Subject:
            countryName               = pk
            stateOrProvinceName       = pakhtoonkhwa
            localityName              = abbottabad
            organizationName          = ciit
            commonName                = ciitwifi
            emailAddress              = rnd@peace.not
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
Certificate is to be certified until Jun 10 03:49:46 2009 GMT (365 days)
Sign the certificate? [y/n]:yes

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@ciitwifi ssl]#
===========================================================================

openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out client_cert.p12 -clcerts

“ciitwificlient” is the passphrase.

“Idontknow” is the export password. This is the password that you will be giving to the Windows XP clients, who will use it while installing client_cert.p12.

Output:

===========================================================================
[root@ciitwifi ssl]# openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out client_cert.p12 -clcerts
Enter pass phrase for client_key.pem:
Enter Export Password:
Verifying - Enter Export Password:
[root@ciitwifi ssl]#
===========================================================================

openssl x509 -setalias "ciitwifi@ciit" -outform DER -in cacert.pem -out cacert.der
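The certificate steps above (CA, server and client requests, signing with the xpserver_ext / xpclient_ext extensions, and the server_keycert.pem bundle), as an added shell example that is not part of the tutorial. It runs non-interactively and then checks what matters before the server goes live: that server_cert.pem chains to cacert.pem, that it carries the TLS Web Server Authentication EKU the Windows supplicant requires (which is why the tutorial needs the xpextensions file at all), and that the private key in the bundle really belongs to the certificate. Its assumptions, all this example's own rather than the tutorial's: 2048-bit keys instead of the 1024-bit default seen in the output above, fixed subject strings, unencrypted server and client keys, and signing with openssl x509 -req -CAcreateserial rather than openssl ca, so no index.txt/serial/newcerts directory is needed. One caveat the tutorial's own output illustrates: the -days 730 given to openssl req does not carry over to openssl ca, which signed for 365 days (its default_days from openssl.cnf); here the signing command sets the validity itself.

```shell
#!/bin/sh
# Added example, not from the tutorial: the tutorial's CA / server / client
# certificate layout built non-interactively, then checked. File names
# follow the tutorial; the 2048-bit key size, the subject strings and the
# use of "openssl x509 -req -CAcreateserial" instead of "openssl ca" are
# this example's own choices (so no index.txt/serial/newcerts is needed).
set -eu

# The tutorial's xpextensions sections (1.3.6.1.5.5.7.3.1 = serverAuth,
# 1.3.6.1.5.5.7.3.2 = clientAuth) plus a [req] stub and a CA section, so the
# one file can serve as the whole OpenSSL config.
write_config() {
    cat > "$1/xpextensions" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF
}

# Self-signed CA, 3650 days as in the tutorial; CA key encrypted with $2.
make_ca() {
    mkdir -p "$1/private"
    openssl req -new -x509 -newkey rsa:2048 -days 3650 \
        -config "$1/xpextensions" -extensions v3_ca \
        -subj "/C=PK/ST=pakhtoonkhwa/L=abbottabad/O=ciit/CN=ciitwifi CA" \
        -keyout "$1/private/cakey.pem" -out "$1/cacert.pem" \
        -passout "pass:$2" 2>/dev/null
}

# Unencrypted key + request for $2 (server or client), signed for 730 days
# with the EKU section $3, using the CA passphrase $4.
issue_cert() {
    openssl req -new -nodes -newkey rsa:2048 -config "$1/xpextensions" \
        -subj "/C=PK/ST=pakhtoonkhwa/L=abbottabad/O=ciit/CN=ciitwifi" \
        -keyout "$1/${2}_key.pem" -out "$1/${2}_req.pem" 2>/dev/null
    openssl x509 -req -days 730 -in "$1/${2}_req.pem" \
        -CA "$1/cacert.pem" -CAkey "$1/private/cakey.pem" -CAcreateserial \
        -passin "pass:$4" -extfile "$1/xpextensions" -extensions "$3" \
        -out "$1/${2}_cert.pem" 2>/dev/null
}

# Build everything in $1; $2 is the CA passphrase (the tutorial used letmein).
build_pki() {
    write_config "$1"
    make_ca "$1" "$2"
    issue_cert "$1" server xpserver_ext "$2"
    issue_cert "$1" client xpclient_ext "$2"
    # The bundle eap.conf points at for both private_key_file and
    # certificate_file; keep it unreadable to other users.
    cat "$1/server_key.pem" "$1/server_cert.pem" > "$1/server_keycert.pem"
    chmod 600 "$1/server_key.pem" "$1/server_keycert.pem"
}

# What a supplicant (and you, before starting radiusd) should check: the
# server cert chains to cacert.pem, carries the TLS Web Server Authentication
# EKU that Windows XP requires, and the bundled key belongs to it.
# Prints "ok"; any failed check aborts the function under set -e.
verify_server_cert() {
    openssl verify -CAfile "$1/cacert.pem" "$1/server_cert.pem" >/dev/null
    openssl x509 -in "$1/server_cert.pem" -noout -text \
        | grep -q 'TLS Web Server Authentication'
    key_mod=$(openssl rsa -in "$1/server_keycert.pem" -noout -modulus)
    cert_mod=$(openssl x509 -in "$1/server_keycert.pem" -noout -modulus)
    [ "$key_mod" = "$cert_mod" ]
    echo ok
}

# The client cert (xpclient_ext) must not pass as a server cert: a supplicant
# that checks the EKU will not accept it in the server's role.
client_cert_is_server() {
    if openssl x509 -in "$1/client_cert.pem" -noout -purpose \
        | grep -q '^SSL server : Yes'; then echo yes; else echo no; fi
}

WORK=$(mktemp -d)
build_pki "$WORK" letmein
verify_server_cert "$WORK"        # ok
client_cert_is_server "$WORK"     # no
```

It works in a temporary directory, so it can be run anywhere; afterwards copy cacert.pem and server_keycert.pem into /etc/raddb/certs exactly as the tutorial does below. The modulus comparison is the check to repeat whenever server_keycert.pem is rebuilt, since a bundle whose key and certificate disagree is the most common reason EAP-TLS setup fails at start-up.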

rpm -Uvh freeradius….

If it asks for dependencies do the following:

yum install net-snmp-utils perl-DBI libtool-ltdl -y

Note: The freeradius available in the CentOS 5.1 repos is freeradius-1.1.3…, which is built with openssl support but is no longer supported by freeradius.org; support is only available for the 1.1.7.x version. The latest version 2.0.5 has newer features but has no rpm binaries for CentOS 5.x, although .src.rpms of 2.0.3 for Fedora 9 do exist. FR 2.x differs from 1.x under the hood (paths/files of the various protocols).

rm -Rf /etc/raddb/certs/demoCA

(The directory is /etc/raddb/certs/demoCA, not /etc/raddb/demoCA.) I backed up (mv’ed) the /etc/raddb/certs folder to /etc/raddb/bkup_certs & created a new, empty one named /etc/raddb/certs:

mkdir /etc/raddb/certs

cp /etc/ssl/cacert.pem /etc/raddb/certs/ -v

cp /etc/ssl/server_keycert.pem /etc/raddb/certs/ -v

openssl dhparam -check -text -5 512 -out dh

Output:

===========================================================================
[root@ciitwifi ssl]# pwd
/etc/ssl
[root@ciitwifi ssl]# openssl dhparam -check -text -5 512 -out dh
Generating DH parameters, 512 bit long safe prime, generator 5
This is going to take a long time
.+..........+.......+.......[progress dots]........+........++*++*++*++*++*++*
DH parameters appear to be ok.
[root@ciitwifi ssl]#
===========================================================================

Copy this “dh” file to /etc/raddb/certs folder:

cp /etc/ssl/dh /etc/raddb/certs -v

dd if=/dev/urandom of=random count=2

Output (run in the /etc/raddb/certs folder):

===========================================================================
[root@ciitwifi certs]# dd if=/dev/urandom of=random count=2
2+0 records in
2+0 records out
1024 bytes (1.0 kB) copied, 0.000545195 seconds, 1.9 MB/s
===========================================================================

chown -R radiusd /etc/raddb/certs

(Note: “lettheserverin” is the private key password of the certificate.)

Now edit /etc/raddb/eap.conf. (Yes, it can be tuned further, i.e. dropping/adding support for some other protocols. That’s up to you.) The relevant sections:

eap {
        default_eap_type = ttls
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no

        md5 {
        }

        leap {
        }

        gtc {
                auth_type = PAP
        }

        tls {
                private_key_password = lettheserverin
                private_key_file = ${raddbdir}/certs/server_keycert.pem
                certificate_file = ${raddbdir}/certs/server_keycert.pem
                CA_file = ${raddbdir}/certs/cacert.pem
                dh_file = ${raddbdir}/certs/dh
                random_file = ${raddbdir}/certs/random
        }

        ttls {
                default_eap_type = mschapv2
                use_tunneled_reply = yes
        }

        peap {
                default_eap_type = mschapv2
        }

        mschapv2 {
        }
}

For the dlink AP3200, add to /etc/raddb/clients.conf:

client 192.168.0.53 {
        secret    = dlinksecret
        shortname = AP3200
        nastype   = other
}

I didn’t modify the radiusd.conf, but make sure the following are uncommented. (Yes, it can be tuned further, i.e. dropping/adding support for some other protocols, unloading useless modules, increasing performance, etc. That’s up to you.)

log_auth = yes

authorize {
        preprocess
        chap
        mschap
        suffix
        pap
        eap
        files
}

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
#       unix
        eap
}
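With log_auth = yes, FreeRADIUS 1.x writes each authentication decision to radius.log as “Auth: Login OK: [user]” or “Auth: Login incorrect: [user]” followed by “(from client <shortname> port … cli …)”; when password logging is enabled the bracket holds “[user/password]”, and for EAP it holds “[user/<via Auth-Type = EAP>]”. The following shell script is an added example, not part of the tutorial: it summarises such lines per user and per NAS shortname and lists users whose failures reach a threshold, which is the quickest way to spot a misconfigured supplicant or a guessed account. The sample log lines are constructed in that format (the AP3200 shortname is the one from clients.conf above; the threshold of 3 is an arbitrary choice).

```shell
#!/bin/sh
# Added example, not from the tutorial: summarise the Auth lines that
# "log_auth = yes" makes FreeRADIUS 1.x write to radius.log. The sample
# lines are constructed; only the line format is the real one.
set -eu

# Writes a few constructed radius.log lines to the file named by $1.
write_sample_log() {
    cat > "$1" <<'EOF'
Tue Jun 10 09:01:12 2008 : Auth: Login OK: [faheem/<via Auth-Type = EAP>] (from client AP3200 port 0 cli 00-11-22-33-44-55)
Tue Jun 10 09:02:40 2008 : Auth: Login incorrect: [guest] (from client AP3200 port 0 cli 00-11-22-33-44-66)
Tue Jun 10 09:02:44 2008 : Auth: Login incorrect: [guest/<via Auth-Type = EAP>] (from client AP3200 port 0 cli 00-11-22-33-44-66)
Tue Jun 10 09:02:49 2008 : Auth: Login incorrect: [guest] (from client AP3200 port 0 cli 00-11-22-33-44-66)
Tue Jun 10 09:05:03 2008 : Auth: Login OK: [faheem] (from client AP3200 port 0 cli 00-11-22-33-44-55)
Tue Jun 10 09:06:30 2008 : Auth: Login incorrect: [faheem/khan] (from client AP3200 port 0 cli 00-11-22-33-44-77)
EOF
}

# One line per user, sorted: "<user> ok=<n> failed=<n>".
summarize_auth_log() {
    awk '
        # Extract the user name from "[user]", "[user/pass]" or
        # "[user/<via Auth-Type = EAP>]".
        function user(line,   s, i) {
            s = line
            sub(/.*: \[/, "", s)
            i = index(s, "]"); if (i) s = substr(s, 1, i - 1)
            i = index(s, "/"); if (i) s = substr(s, 1, i - 1)
            return s
        }
        /: Auth: Login OK: \[/        { u = user($0); ok[u]++;  seen[u] = 1 }
        /: Auth: Login incorrect: \[/ { u = user($0); bad[u]++; seen[u] = 1 }
        END { for (u in seen) printf "%s ok=%d failed=%d\n", u, ok[u] + 0, bad[u] + 0 }
    ' "$1" | sort
}

# Failed logins per NAS shortname (the "shortname" from clients.conf):
# "<client> <n>", sorted.
failures_by_client() {
    awk '/: Auth: Login incorrect: \[/ {
            c = $0
            sub(/.*\(from client /, "", c)   # keep the text after "(from client "
            sub(/ .*/, "", c)                # the shortname ends at the next space
            n[c]++
        }
        END { for (c in n) printf "%s %d\n", c, n[c] }' "$1" | sort
}

# Users whose failure count in $1 is at least $2, one per line.
flag_repeated_failures() {
    summarize_auth_log "$1" | awk -v t="$2" '{
        split($3, f, "=")
        if (f[2] + 0 >= t + 0) print $1
    }'
}

LOG=$(mktemp)
write_sample_log "$LOG"
summarize_auth_log "$LOG"          # faheem ok=2 failed=1 / guest ok=0 failed=3
failures_by_client "$LOG"          # AP3200 4
flag_repeated_failures "$LOG" 3    # guest
```

Point the functions at the real radius.log instead of the sample file to use them on the server; the per-client count is the one to watch after adding a new access point, since a wrong shared secret shows up there as failures for every user behind that client.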

Create a user at the top of the users file (/etc/raddb/users):

faheem Cleartext-Password := "khan"

Now start the radius server:

/etc/init.d/radiusd start

Now set the AP to use “WPA enterprise auto” or “WPA2 enterprise” & point it to the radius server’s IP address/port. The secret field would be the same as mentioned in /etc/raddb/clients.conf (i.e. in our case the “dlinksecret” phrase).

Certification authority: CA.der (according to the above certificate method it should be cacert.der).

Server certificate with keys: server.p12 (according to the above certificate method, it should be server_keycert.p12).

Note: The following screenshots are from Windows 2003 server. But it shouldn’t be very different for Windows XP.

Go to “start”, select “run” & type “mmc”.

Follow the same procedure for importing server.p12 certificate into “trusted Root” section.

That is it for EAP/PEAP (TTLS), but for TLS you also need to import/install the client certificate. (You would also need to modify your eap.conf file for TLS.)

View “My network neighborhood”, choose your Access point, in this case “AP3200” (not really; it’s named mydlink here).

  • Press “ok”, “ok”, and “ok”. You’re done configuring the wifi.
  • Immediately “disable” the wifi interface: right click & choose “disable”.
  • After a second or two, re-enable the wifi interface. You should be prompted for username/password/login domain.
  • Simply supply the username/password & press “ok”.
  • You should connect in less than a second.

Congratulations, you have configured a WPA1/2 enterprise wifi network.



https://www.computingpost.com/wifi-authentication-accounting-with-freeradius-on-centos-5/?feed_id=25920&_unique_id=63c2994c04911


ComputingPost — Linux Howtos, Tutorials, Guides, News, Tips and Tricks.
