FreeRADIUS and Linux for Your WLAN

By Carla Schroder | Feb 5, 2008
http://www.enterprisenetworkingplanet.com/netsp/article.php/10953_3557251_2/FreeRADIUS-and-Linux-for-Your-WLAN.htm

Last week we took a bird's-eye view of the current state of wireless security protocols, and had a quick peek at using a RADIUS server for authentication, authorization, and accounting. Today we shall configure FreeRADIUS to secure wireless authentication; the keys that WPA/WPA2 then use to encrypt the traffic are derived from that EAP exchange. A RADIUS server running on Linux can authenticate clients on any platform.

We are going to implement EAP-TLS authentication, because it is widely supported and, since both sides present certificates, immune to password guessing. Be sure you have FreeRADIUS and OpenSSL installed. Then create your certificates, copy them to the server and clients, set up client access on the RADIUS server, and poof! all done.

Ok, so I wouldn't call it easy. But it's not too bad. The neat thing about this is the server and clients authenticate to each other with the SSL certificates, so you don't need to hassle with logins and passwords.

Generating Server Certificates
First we will create a CA, or certificate authority. The CA signs your user and server certificates, and also revokes them -- which you'll need to do as staffers come and go. (See Resources for a list of excellent books on the subject. Don't leave home without them.)

First, edit openssl.cnf, which should be in /etc/ssl/openssl.cnf, but given the herd-of-cats nature of Linux I make no promises. The file is big, but all you need is to find these lines and customize them: the CA directory in the [ CA_default ] section, and the defaults in the [ req_distinguished_name ] section, which are offered in brackets every time you generate a certificate request. Leave commonName without a default, because every certificate needs its own (the CA's name, the RADIUS server's host name, each client's identity), and avoid apostrophes in values, since OpenSSL's config parser treats them as quote characters:

[ CA_default ]
dir   =   ./masterCA    # Where everything is kept

[ req_distinguished_name ]
countryName_default             = US
stateOrProvinceName_default     = Oregon
localityName_default            = Portland
0.organizationName_default      = Carlas Yummy Cookie Co.
organizationalUnitName_default  = Doughboys
emailAddress_default            = carla@yummycookies.com
Now find the certificate-creating script, hopefully /usr/lib/ssl/misc/CA.sh. At any rate find CA.sh. Edit this line to tell CA.sh where to put your new certificates, giving it any name you like, as long as it matches the dir setting in openssl.cnf:

CATOP=./masterCA

Then change to the directory where you want to store your certificates. /etc/ssl is the usual choice. Run CA.sh. You'll be asked to create a passphrase for the CA key: make it gnarly, and write it down and lock it away.

# /usr/lib/ssl/misc/CA.sh -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
......................++++++
..............................................................................++++++
writing new private key to './masterCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [Oregon]:
Locality Name (eg, city) [Portland]:
Organization Name (eg, company) [Carlas Yummy Cookie Co.]:
Organizational Unit Name (eg, section) [Doughboys]:
Common Name (eg, YOUR name) []:Carla AceAdmin
Email Address [carla@yummycookies.com]:

This creates the /etc/ssl/masterCA/ directory and populates it with all manner of files and directories, including the CA's private key, private/cakey.pem, and the CA certificate, cacert.pem, which the RADIUS server and every client will need. Note the "1024 bit RSA private key" in the output above: that was OpenSSL's default in 2008, but 1024-bit RSA is no longer adequate for a CA that will be trusted for years. Put default_bits = 2048 in the [ req ] section of openssl.cnf before you run CA.sh.

We'll use the /usr/bin/openssl command to do the rest of the work. /usr/bin/openssl has a lot of useful command-line options, and is better-suited for a job like this where we want to customize the certificate names. CA.sh is nice for simple needs, so consider this your formal introduction.

Next, create the server's private key and certificate signing request. -nodes leaves the key unencrypted, which FreeRADIUS needs in order to start unattended, so file permissions are all that protect it. Use the RADIUS server's host name as the Common Name:

# openssl req -new -nodes -keyout masterkey.pem -out masterreq.pem

Now we'll sign the request with the CA; you'll be asked for the CA passphrase:

# openssl ca -out master_cert.pem -infiles ./masterreq.pem

This creates master_cert.pem, our shiny new server certificate. It and masterkey.pem will both be copied to the FreeRADIUS server.

Creating Client Certificates
Remember, you'll need the passphrase for the CA key, cakey.pem. Give each client its own key pair and a unique Common Name; that name is the identity the supplicant presents, and the certificate carrying it is what you revoke when the laptop leaves:

# openssl req -new -nodes -keyout clientkey.pem -out clientreq.pem
# openssl ca -out client_cert.pem -infiles ./clientreq.pem

Easy peasy.


Configuring FreeRADIUS
Now it's time to copy the certificates and the server key to your FreeRADIUS server. On Debian, put them in /etc/freeradius/certs/masterkeys/, or some such, as long as they are in their own directory. On other Linuxes, /etc/raddb/certs/masterkeys/. Copy over cacert.pem, master_cert.pem and masterkey.pem. The two certificates are public, so they only need to be readable; the key must be readable by the FreeRADIUS user alone. Make sure permissions and ownership are correct:

# chmod 0444 cacert.pem master_cert.pem
# chown root:freerad cacert.pem master_cert.pem
# chmod 0400 masterkey.pem
# chown freerad:freerad masterkey.pem

You may not have a "freerad" user and group; Red Hat-derived distributions run the daemon as radiusd:radiusd, and if your Linux distribution does not create a dedicated FreeRADIUS user and group at all, use root:nobody.

FreeRADIUS is a big ole bugger. For our splendid wireless authentication scheme, we need to trouble ourselves with but two files in /etc/freeradius/, or /etc/raddb/ as the case may be: clients.conf and eap.conf.

In clients.conf, every NAS that may send requests gets a client block with its address and a shared secret. You can cover a whole subnet with one secret, as here, but then any host on that subnet that learns the secret can impersonate an access point, so one block per access point with its own long, random secret is the safer habit. Write the network address with the host bits clear:

client 12.34.56.0/24 {
	secret		= verysekkritwordhere
	shortname	= wireless_access_point1
}

"Shortname" is the name that will appear in your logfiles.

In eap.conf, find the tls section and make sure the file paths point at your certificates. The private key and the certificate are different files: private_key_file is masterkey.pem, the key you generated with -nodes, and certificate_file is master_cert.pem, the certificate the CA signed. Pointing both at the certificate is an easy slip, and it leaves FreeRADIUS unable to load any key at all. While you are in there, set default_eap_type = tls in the enclosing eap section so the server proposes TLS first:

tls {
    private_key_file = ${raddbdir}/certs/masterkeys/masterkey.pem
    certificate_file = ${raddbdir}/certs/masterkeys/master_cert.pem
    #  Trusted Root CA list
    CA_file = ${raddbdir}/certs/masterkeys/cacert.pem
}

Configuring NAS
Configuring your NAS (Network Access Server, for example your wireless access point) to use your FreeRADIUS server depends on which particular device you are using. You should need just the FreeRADIUS server IP, the authentication port (UDP 1812 by default; some older gear still assumes the obsolete 1645) and the shared secret, and you must select WPA-Enterprise (802.1X) rather than WPA-PSK.

Configuring the clients depends on what they are; Linux clients need the wpasupplicant package (wpa_supplicant on RPM systems). Give it cacert.pem, client_cert.pem and clientkey.pem, and you should be good to go.
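As an added illustration of the Linux client side (this is not from the article), here is the network block a wpa_supplicant.conf needs for EAP-TLS against the CA built above. The SSID, identity and certificate paths are assumptions; match them to your own:

```conf
network={
    # SSID and identity are assumed; the identity should match the client cert's Common Name
    ssid="YummyCookies"
    proto=RSN
    key_mgmt=WPA-EAP
    pairwise=CCMP
    eap=TLS
    identity="laptop1.yummycookies.com"
    # the three files copied from the CA machine (paths assumed)
    ca_cert="/etc/wpa_supplicant/certs/cacert.pem"
    client_cert="/etc/wpa_supplicant/certs/client_cert.pem"
    private_key="/etc/wpa_supplicant/certs/clientkey.pem"
    # only needed if clientkey.pem was generated without -nodes
    # private_key_passwd="..."
    # newer wpa_supplicant releases can also pin the server's name, so another
    # certificate from the same CA is not accepted as the RADIUS server
    # domain_suffix_match="yummycookies.com"
}
```

The ca_cert line is what stops the supplicant from handing its certificate to any access point that happens to speak EAP-TLS; without it the client will authenticate to anyone.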

Windows XP and 2003 Clients
Windows XP and 2003 clients require some extra steps. The Windows EAP-TLS client only trusts a RADIUS server certificate that carries the Server Authentication extended key usage, only offers client certificates that carry Client Authentication, and wants the client certificate and key delivered together in PKCS12 format. So go back to almost the beginning, right after you created cacert.pem. Create a file called xpextensions containing these lines:

[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2    # clientAuth
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1    # serverAuth

Store this file in the same directory as openssl.cnf. Then tell openssl ca to read the extra extensions from it when signing the server and client requests. The section names must match the file (xpserver_ext and xpclient_ext), and the client request gets the client section:

# openssl ca -out master_cert.pem -extfile xpextensions -extensions xpserver_ext -infiles ./masterreq.pem
# openssl ca -out client_cert.pem -extfile xpextensions -extensions xpclient_ext -infiles ./clientreq.pem

And create the PKCS12 file. -certfile bundles cacert.pem in as well, so importing the one file also installs the CA. You will be asked for an export password, which the user types when importing:

# openssl pkcs12 -export -in client_cert.pem -inkey clientkey.pem -certfile cacert.pem -out client_cert.p12

And that should have you up and running with some actual meaningful wireless security. Be sure to visit the man pages to find out what the different options mean.
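The whole certificate workflow from this article, as one added, runnable script (it is not the article's code): it drives openssl(1) directly instead of CA.sh and openssl ca, issues a server and a client certificate with the same serverAuth/clientAuth extended key usages the xpextensions file sets, checks with openssl verify that each certificate is only valid for its purpose, checks that a key really belongs to a certificate (the eap.conf private_key_file slip), and builds the PKCS12 bundle for Windows. The directory layout, host names and the export password "changeit" are this example's assumptions.

```shell
#!/bin/sh
# Added example, not code from the article: a scripted CA for EAP-TLS that
# drives openssl(1) directly instead of CA.sh / "openssl ca". Directory
# layout, host names and the PKCS#12 password are this example's own.
WORK=${WORK:-$(mktemp -d)}
CNF="$WORK/openssl.cnf"
mkdir -p "$WORK/ca" "$WORK/issued"

# Minimal config: DN values from the article plus one extension section
# each for the CA, the RADIUS server and a client. The EKUs are the ones
# xpextensions names by OID (serverAuth = 1.3.6.1.5.5.7.3.1,
# clientAuth = 1.3.6.1.5.5.7.3.2).
cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
default_md         = sha256
prompt             = no
[ req_distinguished_name ]
C  = US
ST = Oregon
L  = Portland
O  = Carlas Cookies
OU = Doughboys
CN = Carlas Cookies CA
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[ server_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
[ client_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature
extendedKeyUsage       = clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF

# CA key and self-signed CA certificate (cakey.pem / cacert.pem, as in the article).
make_ca() {
    openssl genrsa -out "$WORK/ca/cakey.pem" 2048 2>/dev/null
    chmod 0400 "$WORK/ca/cakey.pem"
    openssl req -x509 -new -key "$WORK/ca/cakey.pem" -config "$CNF" \
        -extensions v3_ca -days 3650 -out "$WORK/ca/cacert.pem"
}

# Issue a leaf certificate: $1 = file stem, $2 = server|client, $3 = CN.
# The key is written unencrypted (the article's -nodes), so its file mode
# is the only thing protecting it.
issue() {
    openssl genrsa -out "$WORK/issued/$1.key" 2048 2>/dev/null
    chmod 0400 "$WORK/issued/$1.key"
    openssl req -new -key "$WORK/issued/$1.key" -config "$CNF" \
        -subj "/C=US/ST=Oregon/O=Carlas Cookies/CN=$3" -out "$WORK/issued/$1.csr"
    openssl x509 -req -in "$WORK/issued/$1.csr" -CA "$WORK/ca/cacert.pem" \
        -CAkey "$WORK/ca/cakey.pem" -CAcreateserial -days 365 -sha256 \
        -extfile "$CNF" -extensions "${2}_ext" -out "$WORK/issued/$1.pem" 2>/dev/null
}

# Does cert $1 chain to our CA for purpose $2 (sslserver|sslclient)? Prints ok/FAIL.
check() {
    if openssl verify -CAfile "$WORK/ca/cacert.pem" -purpose "$2" "$1" >/dev/null 2>&1
    then echo ok; else echo FAIL; fi
}

# Guard against the eap.conf slip of pointing private_key_file at the
# certificate: the public half of key $1 must be the key inside cert $2.
key_matches_cert() {
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    [ -n "$pub" ] && [ "$pub" = "$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)" ] \
        && echo ok || echo FAIL
}

# PKCS#12 bundle for Windows clients: cert, key and CA certificate in one file.
bundle_p12() {   # $1 = stem, $2 = export password
    openssl pkcs12 -export -in "$WORK/issued/$1.pem" -inkey "$WORK/issued/$1.key" \
        -certfile "$WORK/ca/cacert.pem" -name "$1" -passout "pass:$2" \
        -out "$WORK/issued/$1.p12"
}
# Subject of the client certificate inside bundle $1 (empty if password $2 is wrong).
p12_subject() {
    openssl pkcs12 -in "$WORK/issued/$1.p12" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -subject 2>/dev/null
}

make_ca
issue radius server radius.yummycookies.com
issue laptop1 client laptop1.yummycookies.com
bundle_p12 laptop1 changeit
echo "server cert as server: $(check "$WORK/issued/radius.pem" sslserver)"    # ok
echo "client cert as server: $(check "$WORK/issued/laptop1.pem" sslserver)"   # FAIL
echo "key/cert pair:         $(key_matches_cert "$WORK/issued/radius.key" "$WORK/issued/radius.pem")"  # ok
echo "files are under $WORK"
```

The purpose checks are the point of the extended key usages: a stolen client certificate cannot be turned into a rogue RADIUS server certificate, because a supplicant that checks serverAuth will reject it, and a copy of the server certificate cannot be offered as a client. If the bundle is meant for a genuinely old Windows, note that OpenSSL 3 writes PKCS12 files with newer ciphers by default and provides a -legacy option for the old encoding.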

Resources

  • man 1 CA.pl
  • man 1 req
  • man 1 openssl
  • man 1 pkcs12
  • FreeRADIUS
  • OpenSSL
  • Linux Security Cookbook, by Daniel J. Barrett, Robert G. Byrnes, Richard Silverman
  • Network Security with OpenSSL, By Pravir Chandra, Matt Messier, John Viega