FreeRADIUS and Linux for Your WLAN - Page 2

By  Carla Schroder | Feb 5, 2008

Continued From Page 1

Configuring FreeRADIUS
Now it's time to copy keys to your FreeRADIUS server. On Debian, put them in /etc/freeradius/certs/masterkeys/, or some such, as long as they are in their own directory. On other Linuxes, /etc/raddb/certs/masterkeys/. Copy over cacert.pem and master_cert.pem. Make sure permissions and ownership are correct:

# chmod 0444 cacert.pem
# chown root:freerad cacert.pem
# chmod 0400 master_cert.pem
# chown freerad:freerad master_cert.pem

You may not have a "freerad" user and group; if your Linux distribution does not create a unique FreeRADIUS user and group, use root:nobody.

FreeRADIUS is a big ole bugger. For our splendid wireless authentication scheme, we need trouble ourselves with but two files in /etc/freeradius/, or /etc/raddb/ as the case may be: clients.conf, and eap.conf.

In clients.conf we can use a shared secret for our whole network:


client 12.34.56.78/24 {
	secret		= verysekkritwordhere
	shortname	= wireless_access_point1
}

"Shortname" is the name that will appear in your logfiles.

In eap.conf make sure the filepaths to your certificates are correct:


tls {

    private_key_file = ${raddbdir}/certs/masterkeys/master_cert.pem
    certificate_file = ${raddbdir}/certs/masterkeys/master_cert.pem
    #  Trusted Root CA list
    CA_file = ${raddbdir}/certs/masterkeys/cacert.pem
    #  (leave the remaining tls settings as they are)
}

Configuring NAS
Configuring your NAS (Network Access Servers, for example your wireless access point) to use your FreeRADIUS server depends on which particular device you are using. You should need just the FreeRADIUS server IP and the shared secret.

Configuring the clients depends on what they are; Linux clients need the wpasupplicant package (wpa-supplicant on RPM systems). Import cacert.pem and the client key, and you should be good to go.

Windows XP and 2003 Clients
Windows XP and 2003 clients require some extra steps. For these you need to create PKCS12 format certificates. Go back to almost the beginning, right after you created cacert.pem. Create a file called xpextensions containing these lines:

[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

Store this file in the same directory as openssl.conf. Then modify the server and client certificate-signing commands like this:

# openssl ca -out master_cert.pem -extensions xpserver_ext -extfile xpextensions -infiles ./masterreq.pem
# openssl ca -out client_cert.pem -extensions xpclient_ext -extfile xpextensions -infiles ./clientreq.pem

And create the PKCS12 certificate:

# openssl pkcs12 -nodes -export -in client_cert.pem -inkey clientkey.pem -out client_cert.p12 -clcerts

And that should have you up and running with some actual meaningful wireless security. Be sure to visit the man pages to find out what the different options mean.
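Before handing certificates to Windows clients, it is worth confirming that each one carries the extended key usage its xpextensions section assigns. The script below is an added example, not part of the original article: it builds a throwaway CA in a temporary directory and signs with openssl x509 -req instead of the article's openssl ca, and the helper names (make_demo_certs, has_eku, check_roles), subject names and demo file names are constructed for illustration.

```shell
#!/bin/sh
# Added example. Throwaway CA in a temp dir; subject and file names are constructed.

# make_demo_certs DIR: write xpextensions, a demo CA, and one cert per role
make_demo_certs() {
    dir=$1
    cat > "$dir/xpextensions" <<'EOF'
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null || return 1
    for role in server client; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-$role" \
            -keyout "$dir/${role}key.pem" -out "$dir/${role}req.pem" \
            2>/dev/null || return 1
        # -extensions selects the section, so it decides which EKU is stamped in
        openssl x509 -req -in "$dir/${role}req.pem" -days 1 \
            -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
            -extfile "$dir/xpextensions" -extensions "xp${role}_ext" \
            -out "$dir/${role}_cert.pem" 2>/dev/null || return 1
    done
}

# has_eku CERT PURPOSE: succeed if CERT's Extended Key Usage lists PURPOSE
has_eku() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Extended Key Usage' | grep -q "$2"
}

# check_roles DIR: server cert is serverAuth, client cert is clientAuth only
check_roles() {
    has_eku "$1/server_cert.pem" 'TLS Web Server Authentication' &&
    has_eku "$1/client_cert.pem" 'TLS Web Client Authentication' &&
    ! has_eku "$1/client_cert.pem" 'TLS Web Server Authentication'
}

tmp=$(mktemp -d) || exit 1
if make_demo_certs "$tmp" && check_roles "$tmp"; then
    echo "EKUs match certificate roles"
else
    echo "EKU check failed" >&2
fi
rm -rf "$tmp"
```

To check real certificates, call has_eku on your own master_cert.pem and client_cert.pem before running the pkcs12 export.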

Resources

  • man 1 ca.pl
  • man 1 req
  • man 1 openssl
  • man 1 pkcs12
  • FreeRADIUS
  • OpenSSL
  • Linux Security Cookbook, by Daniel J. Barrett, Robert G. Byrnes, Richard Silverman
  • Network Security with OpenSSL, By Pravir Chandra, Matt Messier, John Viega
