Paranoid Penguin - Securing Your WLAN with WPA and FreeRADIUS, Part II
Before we configure FreeRADIUS, we need to create some certificates. And before we create any certificates, we must create our CA. My book Linux Server Security contains a section in Chapter 5 titled “How to Become a Small-Time CA”, which goes into more depth than I can go into right now, but here's a crash course nonetheless.
First, what is a CA and where should it reside? A CA is a system that acts as the root of a public key infrastructure. It's the central authority that vouches, by way of digital signatures, for the authenticity of all certificates issued in your organization. It also periodically issues certificate revocation lists (CRLs), lists of certificates the CA no longer vouches for, for example, certificates issued to people who've left the organization, servers that are no longer on-line and so on.
None of this requires your CA to act as an actual server; in fact, it's better if it doesn't. For a CA to be trustworthy, it must be protected carefully from misuse. My own CAs, therefore, tend to reside on systems I only periodically connect to the network, such as VMware virtual machines.
You already may have a CA that you've used to create certificates for Web servers, stunnel or other applications that use TLS. If so, you can use it for WPA too. If not, here's how to create a CA. First, make sure your designated CA system has OpenSSL installed. OpenSSL is a standard package on all popular Linux distributions, not to mention FreeBSD, OpenBSD and the like. One quick way to make sure you have OpenSSL is to issue the command which openssl—this returns the path to your OpenSSL command, if it's installed.
Next, change your working directory to wherever your system keeps OpenSSL's configuration and certificate files. On SuSE, this is /etc/ssl, but this location varies by distribution. Doing a search for the file openssl.cnf should bring you to the correct place.
Now, open the file openssl.cnf with your text editor of choice. We need to tweak some default settings so as to make certificate creation speedier later on. Listing 1 shows the lines in openssl.cnf I like to change.
Listing 1. Changes to openssl.cnf for Optimal Certificate Creation
# First we change the CA root path in the CA_default # section to reflect the CA we're about to create [ CA_default ] dir = ./micksCA # Where everything is kept # The following lines are further down in openssl.cnf: countryName_default = US stateOrProvinceName_default = Minnesota 0.organizationName_default = Industrial Wiremonkeys of the World
Next, we should edit the CA creation script to change our CA's root directory to something other than demoCA, that is, to match the dir variable we just changed in openssl.cnf. I use the script CA.sh, which on SuSE systems is located in /usr/share/ssl/misc but may reside elsewhere on your system. The line you need to change is CATOP=./micksCA.
If you changed your working directory to edit this file, change back to your SSL configuration directory, for example, /etc/ssl. From there, run the CA.sh script with the -newca option, for example, /usr/share/ssl/misc/CA.sh -newca. You then are prompted to create a new root certificate and to type a passphrase for its private key. Choose a difficult-to-guess passphrase, and write it down in a safe place—if you forget it, you'll be unable to use your CA.
After the script is done, your SSL configuration directory should contain a new directory, micksCA in our example. At the root level of this directory is your new CA's public certificate; by default this file is named cacert.pem. As I demonstrate later, you need to copy this file to your FreeRADIUS server and to each wireless client.
There's one more thing you need to do before creating certificates if you've got Windows XP wireless clients. Windows XP expects certain attributes in server and client certificates, so you need to create a file called xpextensions that contains the lines shown in Listing 2.
Listing 2. Contents of xpextensions
[ xpclient_ext] extendedKeyUsage = 184.108.40.206.220.127.116.11.2 [ xpserver_ext ] extendedKeyUsage = 18.104.22.168.22.214.171.124.1
The xpextensions file is referenced in some of the OpenSSL commands I'm about to show you. It should reside in the same directory as openssl.cnf.
How EAP-TLS Works
In EAP-TLS, a wireless client and your RADIUS server mutually authenticate each other. They present each other with their respective certificates and cryptographically verify that those certificates were signed by your organization's certificate authority. In some ways, this is an elegant and simple way to handle authentication. After you install the CA's public certificate on the FreeRADIUS server, you don't need to configure any other client information explicitly, such as user names, passwords and so on.
That doesn't mean EAP-TLS is less work than user name-password schemes, however. You still need to use OpenSSL to create certificates for all your users and copy those certificates over to them. You also need to ensure that everyone has a copy of the root CA certificate installed in the proper place.
|Free Today: September Issue of Linux Journal (Retail value: $5.99)||Sep 27, 2016|
|nginx||Sep 27, 2016|
|Epiq Solutions' Sidekiq M.2||Sep 26, 2016|
|Nativ Disc||Sep 23, 2016|
|Android Browser Security--What You Haven't Been Told||Sep 22, 2016|
|The Many Paths to a Solution||Sep 21, 2016|
- Android Browser Security--What You Haven't Been Told
- Readers' Choice Awards 2013
- Epiq Solutions' Sidekiq M.2
- Nativ Disc
- The Many Paths to a Solution
- Synopsys' Coverity
- Download "Linux Management with Red Hat Satellite: Measuring Business Impact and ROI"
- Returning Values from Bash Functions
- Securing the Programmer
Pick up any e-commerce web or mobile app today, and you’ll be holding a mashup of interconnected applications and services from a variety of different providers. For instance, when you connect to Amazon’s e-commerce app, cookies, tags and pixels that are monitored by solutions like Exact Target, BazaarVoice, Bing, Shopzilla, Liveramp and Google Tag Manager track every action you take. You’re presented with special offers and coupons based on your viewing and buying patterns. If you find something you want for your birthday, a third party manages your wish list, which you can share through multiple social- media outlets or email to a friend. When you select something to buy, you find yourself presented with similar items as kind suggestions. And when you finally check out, you’re offered the ability to pay with promo codes, gifts cards, PayPal or a variety of credit cards.Get the Guide