Paranoid Penguin - Securing Your WLAN with WPA and FreeRADIUS, Part II
Before we configure FreeRADIUS, we need to create some certificates. And before we create any certificates, we must create our CA. My book Linux Server Security contains a section in Chapter 5 titled “How to Become a Small-Time CA”, which goes into more depth than I can go into right now, but here's a crash course nonetheless.
First, what is a CA and where should it reside? A CA is a system that acts as the root of a public key infrastructure. It's the central authority that vouches, by way of digital signatures, for the authenticity of all certificates issued in your organization. It also periodically issues certificate revocation lists (CRLs), lists of certificates the CA no longer vouches for, for example, certificates issued to people who've left the organization, servers that are no longer on-line and so on.
None of this requires your CA to act as an actual server; in fact, it's better if it doesn't. For a CA to be trustworthy, it must be protected carefully from misuse. My own CAs, therefore, tend to reside on systems I only periodically connect to the network, such as VMware virtual machines.
You already may have a CA that you've used to create certificates for Web servers, stunnel or other applications that use TLS. If so, you can use it for WPA too. If not, here's how to create a CA. First, make sure your designated CA system has OpenSSL installed. OpenSSL is a standard package on all popular Linux distributions, not to mention FreeBSD, OpenBSD and the like. One quick way to make sure you have OpenSSL is to issue the command which openssl—this returns the path to your OpenSSL command, if it's installed.
Next, change your working directory to wherever your system keeps OpenSSL's configuration and certificate files. On SuSE, this is /etc/ssl, but this location varies by distribution. Doing a search for the file openssl.cnf should bring you to the correct place.
Now, open the file openssl.cnf with your text editor of choice. We need to tweak some default settings so as to make certificate creation speedier later on. Listing 1 shows the lines in openssl.cnf I like to change.
Listing 1. Changes to openssl.cnf for Optimal Certificate Creation
# First we change the CA root path in the CA_default # section to reflect the CA we're about to create [ CA_default ] dir = ./micksCA # Where everything is kept # The following lines are further down in openssl.cnf: countryName_default = US stateOrProvinceName_default = Minnesota 0.organizationName_default = Industrial Wiremonkeys of the World
Next, we should edit the CA creation script to change our CA's root directory to something other than demoCA, that is, to match the dir variable we just changed in openssl.cnf. I use the script CA.sh, which on SuSE systems is located in /usr/share/ssl/misc but may reside elsewhere on your system. The line you need to change is CATOP=./micksCA.
If you changed your working directory to edit this file, change back to your SSL configuration directory, for example, /etc/ssl. From there, run the CA.sh script with the -newca option, for example, /usr/share/ssl/misc/CA.sh -newca. You then are prompted to create a new root certificate and to type a passphrase for its private key. Choose a difficult-to-guess passphrase, and write it down in a safe place—if you forget it, you'll be unable to use your CA.
After the script is done, your SSL configuration directory should contain a new directory, micksCA in our example. At the root level of this directory is your new CA's public certificate; by default this file is named cacert.pem. As I demonstrate later, you need to copy this file to your FreeRADIUS server and to each wireless client.
There's one more thing you need to do before creating certificates if you've got Windows XP wireless clients. Windows XP expects certain attributes in server and client certificates, so you need to create a file called xpextensions that contains the lines shown in Listing 2.
Listing 2. Contents of xpextensions
[ xpclient_ext] extendedKeyUsage = 126.96.36.199.188.8.131.52.2 [ xpserver_ext ] extendedKeyUsage = 184.108.40.206.220.127.116.11.1
The xpextensions file is referenced in some of the OpenSSL commands I'm about to show you. It should reside in the same directory as openssl.cnf.
How EAP-TLS Works
In EAP-TLS, a wireless client and your RADIUS server mutually authenticate each other. They present each other with their respective certificates and cryptographically verify that those certificates were signed by your organization's certificate authority. In some ways, this is an elegant and simple way to handle authentication. After you install the CA's public certificate on the FreeRADIUS server, you don't need to configure any other client information explicitly, such as user names, passwords and so on.
That doesn't mean EAP-TLS is less work than user name-password schemes, however. You still need to use OpenSSL to create certificates for all your users and copy those certificates over to them. You also need to ensure that everyone has a copy of the root CA certificate installed in the proper place.
Fast/Flexible Linux OS Recovery
On Demand Now
In this live one-hour webinar, learn how to enhance your existing backup strategies for complete disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible full-system recovery solution for UNIX and Linux systems.
Join Linux Journal's Shawn Powers and David Huffman, President/CEO, Storix, Inc.
Free to Linux Journal readers.Register Now!
- Download "Linux Management with Red Hat Satellite: Measuring Business Impact and ROI"
- Profiles and RC Files
- Astronomy for KDE
- Understanding Ceph and Its Place in the Market
- Maru OS Brings Debian to Your Phone
- Snappy Moves to New Platforms
- Git 2.9 Released
- What's Our Next Fight?
- OpenSwitch Finds a New Home
- The Giant Zero, Part 0.x
With all the industry talk about the benefits of Linux on Power and all the performance advantages offered by its open architecture, you may be considering a move in that direction. If you are thinking about analytics, big data and cloud computing, you would be right to evaluate Power. The idea of using commodity x86 hardware and replacing it every three years is an outdated cost model. It doesn’t consider the total cost of ownership, and it doesn’t consider the advantage of real processing power, high-availability and multithreading like a demon.
This ebook takes a look at some of the practical applications of the Linux on Power platform and ways you might bring all the performance power of this open architecture to bear for your organization. There are no smoke and mirrors here—just hard, cold, empirical evidence provided by independent sources. I also consider some innovative ways Linux on Power will be used in the future.Get the Guide