Paranoid Penguin - Securing Your WLAN with WPA and FreeRADIUS, Part II

The new generation of security for wireless networks doesn't simply fix WEP's flaws—it enables you to use your RADIUS server to authenticate wireless users.
Creating Certificates

For EAP-TLS, you need at least two certificates besides your CA certificate: a server certificate for your FreeRADIUS server and one client certificate for each wireless client on your network. Creating certificates is a three-step process:

  1. Generate a signing request, that is, an unsigned certificate.

  2. Sign the signing request with your CA key.

  3. Copy the signed certificate to the host on which it will be used.

Let's start by creating a server certificate signing request using OpenSSL's req command:

$ openssl req -new -nodes -keyout server_key.pem -out server_req.pem -days 730 -config ./openssl.cnf

This command creates the files server_req.pem, which contains the actual request—an unsigned certificate—and server_key.pem, its passphrase-less private key. First, though, you are prompted for your organization's Country Code, State and so on, much of which can use the default values you tweaked in openssl.cnf. Pay special attention, however, to Common Name. When prompted for this, type the fully qualified domain name of your server, for example, server.wiremonkeys.org.

Next, let's use our CA key to sign the request by using OpenSSL's ca command:


$ openssl ca -config ./openssl.cnf \
-policy policy_anything -out server_cert.pem \
-extensions xpserver_ext -extfile ./xpextensions \
-infiles ./server_req.pem

This command reads the file server_req.pem and, after prompting for your CA key's passphrase, saves a signed version of it plus its corresponding private key to the file server_cert.pem. Notice the -extensions and -extfile options—this is why earlier we created the file xpextensions.

Open your signed certificate with the text editor of your choice and delete everything before the line -----BEGIN CERTIFICATE-----. Concatenate it and your key into a single file, like this:


$ cat server_key.pem server_cert.pem > \
server_keycert.pem

Now we've got a server certificate with a key that we can copy over to our FreeRADIUS server. Its private key isn't password-protected, however, so be sure to delete any extraneous copies after you've got it in place.

Now we need to create a client certificate signing request. The OpenSSL command to do this is similar to that used to create server certificates:


$ openssl req -new -keyout client_key.pem \
-out client_req.pem -days 730 -config ./openssl.cnf

As you can see, we're writing our signing request and key to the files client_req.pem and client_key.pem, respectively. Unlike with the server signing request, however, we're omitting the -nodes option. Therefore, when you run this command, you are prompted for a passphrase with which the certificate's private key is encrypted.

Next we sign the client certificate's signing request:


$ openssl ca -config ./openssl.cnf \
-policy policy_anything -out client_cert.pem \
-extensions xpclient_ext -extfile ./xpextensions \
-infiles ./client_req.pem

Again, this is similar to the equivalent command for our server, except this time the -extensions option references a different entry in xpextensions. Also, if your clients run Linux, you should delete the extraneous text at the top of the certificate, as you did with server_cert.pem. You then can either leave the certificate and key files separate or concatenate them. From there, copy your client certificate file(s) to your Linux client system.

If your certificate is to be used by a Windows XP client, you have one more step to take. You need to convert the certificate file(s) to a PKCS12-format file, with this command:


$ openssl pkcs12 -export -in client_cert.pem \
-inkey client_key.pem -out client_cert.p12 -clcerts

You are prompted for client_key.pem's passphrase and then for a new passphrase for the new file; you can use the same password as before if you like. You may be tempted simply to press Enter instead, especially given that the WPA supplicant in Windows XP works only when you store its certificates without passphrases. It's very, very bad practice, however, to move private keys around networks unprotected, so I strongly recommend that you not remove the passphrase until after this file is copied safely over to your Windows XP client.

Lest you be tempted to take this opportunity to bash Microsoft, I must note that both Xsupplicant and wpa_supplicant on Linux require you either to use a blank passphrase or to store the passphrase in clear text in a configuration file. This is contrary to good certificate-handling wisdom. I hope that some day we see WPA supplicants intelligent enough to prompt the user for the certificate passphrase on startup.

The resulting file, in this example client_cert.p12, contains both your signed certificate and its private key. Copy it to your Windows XP client system.
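The three steps above plus the PKCS12 export, collected into shell functions as an added example (this is not the article's own script). It assumes, as the article does, that openssl.cnf, xpextensions and the CA that openssl.cnf points at already exist in the current directory, and it passes the subject DN with -subj instead of answering the prompts; the host names are placeholders. It also adds the two checks worth running before anything is copied to the RADIUS server: that the key and certificate really belong together, and that the intended extendedKeyUsage made it into the certificate.

```shell
#!/bin/sh
# Added example, not the article's own script. Assumes openssl.cnf,
# xpextensions and the CA that openssl.cnf points at already exist here.
set -e

# "openssl ca" prepends a human-readable dump to the signed certificate;
# keep only the PEM block (the manual "delete everything before BEGIN" step).
strip_pem_preamble() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,$p' "$1"
}

# Concatenate key and cleaned certificate into the one file FreeRADIUS reads.
build_keycert() { # key cert outfile
    { cat "$1"; strip_pem_preamble "$2"; } > "$3"
    chmod 600 "$3"   # the server key inside carries no passphrase
}

# Do key and certificate belong together? A mismatch is what FreeRADIUS
# reports as "key values mismatch". Non-interactive only for unencrypted keys.
key_matches_cert() { # key cert
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || k=""
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || c=""
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Did the xpextensions section land in the certificate? $2 is Server or Client.
has_eku() { # cert Server|Client
    openssl x509 -noout -text -in "$1" | grep -q "TLS Web $2 Authentication"
}

# Steps 1 and 2: request, then sign with the CA key. The DN is given with
# -subj instead of answered at the prompts; add O=, C= and so on as needed.
issue_cert() { # prefix cn xpextensions-section [-nodes]
    openssl req -new $4 -keyout "${1}_key.pem" -out "${1}_req.pem" \
        -days 730 -config ./openssl.cnf -subj "/CN=$2"
    openssl ca -config ./openssl.cnf -policy policy_anything \
        -out "${1}_cert.pem" -extensions "$3" -extfile ./xpextensions \
        -infiles "./${1}_req.pem"
}

# Windows XP step: bundle the client certificate and its key as PKCS#12.
export_p12() { # prefix
    openssl pkcs12 -export -in "${1}_cert.pem" -inkey "${1}_key.pem" \
        -out "${1}_cert.p12" -clcerts
}

# Full run with placeholder names. Every Common Name must be unique (and
# differ from the CA's): openssl ca refuses a subject already in index.txt
# with "TXT_DB error number 2". Only the server key is created with -nodes.
issue_all() {
    issue_cert server server.example.org xpserver_ext -nodes
    build_keycert server_key.pem server_cert.pem server_keycert.pem
    key_matches_cert server_key.pem server_cert.pem
    has_eku server_cert.pem Server
    issue_cert client client.example.org xpclient_ext
    has_eku client_cert.pem Client
    export_p12 client
}

if [ "${1:-}" = "issue" ]; then issue_all; fi
```

Run it as `sh issue_certs.sh issue` from the directory holding openssl.cnf and xpextensions; openssl ca still prompts for the CA passphrase and openssl req for the client key's passphrase.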

______________________

Comments


error

muks

I followed the steps and tried installing freeradius 2.0.5 and 2.1.3

Both times I got this error:

radiusd: error while loading shared libraries: libfreeradius-radius-2.1.3.so: cannot open shared object file: No such file or directory

Any idea what the problem is? I didn't get any other error in the entire installation.

Thanks.

Thanks Mick

Elias

I have used this article to set up my FreeRadius 2.x. It is an excellent paper.

Thanks Mick again.

configuration of suse linux radius server.

Anonymous

Though the explanation is very comprehensive, I am very new to Linux. I have SUSE Linux 10.0 and I want to configure it as a RADIUS server and to generate certificates for Windows-based clients. For that I need step-by-step procedures, so can I get any help?

Use StartCom Certification Authority...

Anonymous

Why not use the StartCom Certification Authority, which provides free certification? Their free certificates seem to support the needed extensions, and they also provide domain controller and smart card certificates, which could be used with freeRadius. Depending on the access parameters (I guess that's what it's all about in the next article), these certificates are unique per domain name and an administrator of a domain can control the issuance of the client certificates. The certificates of that solution don't have to be installed into a smart card, but can be used with other clients. Perhaps the StartCom certs might make the process somewhat easier, in addition to having it issued by a known CA.

certificate common names

Doug Wright

Something that stumped me for quite some time that is not mentioned in the article is that your root certificate common name has to be different from your server certificate common name.

Example:

root cert common name: RootCA
server cert common name: server.host.org
client cert common name: client.host.org

After making that change and changes mentioned in other comments everything just worked.

xpextensions not working

sudarshan_kk

I am trying to generate a certificate as mentioned but I am getting the following error.

#openssl ca -out master_cert.pem -extensions xpextensions -infiles ./masterreq.pem
Using configuration from /usr/share/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Error Loading extension section xpextensions
6566:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:329:group=CA_default name=email_in_dn

# cat /usr/share/ssl/xpextensions
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

#ls /usr/share/ssl/
CA cert.pem certs lib misc openssl.cnf private xpextensions

Installing Freeradius on wlan networks

bellatrix33us

First of all, let me say that criticism will always be present, but I consider the article very well written.
I AM CONFIGURING the server and so far my experience is the same as with any configuration job on Linux. There is a "learning curve" that has to be worked through to learn the task on Linux.
For those who want things easy, it will hurt their wallet.
Regards

problems with the private key

herman

I have installed freeradius following the article and get the following message

tls: private_key_file = "/usr/local/etc/raddb/certs/server_keycert.pem"
tls: certificate_file = "/usr/local/etc/raddb/certs/server_keycert.pem"
tls: CA_file = "/usr/local/etc/raddb/certs/cacert.pem"
tls: private_key_password = "hoe_moet_ik_dit_onthouden"
tls: dh_file = "/usr/local/etc/raddb/certs/dh"
tls: random_file = "/usr/local/etc/raddb/certs/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
4956:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:389:
rlm_eap_tls: Error reading private key file
rlm_eap: Failed to initialize type tls
radiusd.conf[10]: eap: Module instantiation failed.
radiusd.conf[1902] Unknown module "eap".
radiusd.conf[1849] Failed to parse authenticate section.

What do I have to change?

greeting

Herman

Hey Dude,

gbonny

Hey Dude,

I have the same problem here, did you figure out what the problem was?

What I noticed was that the defaults for check_crl and check_cert_cn differ from the defaults. Defaults they are respectively "no" and "%{Username}".

Greeting
gbonny

TXT_DB error 2

Nico Gattario

I'm having this problem trying to create a certificate for the client:
After issuing the command:
openssl ca -config ./openssl.cnf ...... ./client_req.pem
I get the signature ok
Signature ok
but when they ask me to sign the signature I press y and I get the following error:
failed to update the database
TXT_DB error number 2

No error happened to me when I tried to do the same for the server at the beginning. I'm using Fedora Core 3 with openssl 0.9.7a-40

Thank u so much for your help.

NICOLAS GATTARIO

I believe this happens when

Anonymous

I believe this happens when an entry for the specific name already exists in the index.txt file.

What I did is I modified serial and serial.old by decrementing the hex integers contained within by 1. Then I modified index.txt and index.txt.old by removing the last lines contained in each of the files. No problems after that.

TXT_DB error 2

Anonymous

Has anyone fixed the TXT_DB error 2?
It does have to do with the domain, because I put a different one and it signed the certificate.
I did check the database file and I get the 2 certificates, one of them with the correct domain and the other with the wrong domain...... Does anyone know whether, if I edit the wrong domain and fix it, it will work?

Simple solution

Anonymous

Banged my head a few times then realized as a few others have.. when you generate the client certificate and it gets to the COMMON NAME, don't use the same host name you used on the server, just type in the host name for your client.

Now off to figure out why I get an unknown CA error when it tries to enable TLS

take care!

I ran into that too...

R. Wolf

The issue there is, since I banged my head up against that one too is openssl didn't like me having two certs, one server and one client with the same domain name. I believe that was the issue. It's the part, and it's been a while since I've had to create them...it's the part that asks for your information, organization, state, city, etc. I believe my issue was typing in the domain information in. It didn't want to update two certs by the same domain or local or whatever that little section asked.

Check it out, play with that section because right there is where the issue was. When it's asking you the questions. Also look at the textfile database it creates. Once you open it up, you'll see what I'm talking about. What you've got to change is in there and from memory and that's poor :) it had something to do with the local or domain. It didn't like it when I used the same one.

I hope this helped and since I'm not frustrated right now all the extra flare isn't in me to bash anything!

R. Wolf

confused

custard

Hi,
Thanks for your nice clear article. I'm hitting a big problem and so I'm wondering if you could help out a bit. This is slightly more complicated since this is on a Debian box.

Essentially, signing anything seems to fail (even as root!) as shown in the error below.

The file is manifestly there, and accessible. Is there any good reason why it should be behaving like this?

It occurs that sometimes the 'r' at the end of the file name is an 'h', in case that helps

thanks for any suggestions.
ramon

# /usr/lib/ssl/misc/CA.sh -sign
Using configuration from /usr/lib/ssl/openssl.cnf
Error opening CA private key ./ramonetalCA/private/cakey.pem
23910:error:02001002:system library:fopen:No such file or
directory:bss_file.c:278:fopen('./ramonetalCA/private/cakey.pem','r')
23910:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:280:
unable to load CA private key
cat: newcert.pem: No such file or directory
Signed certificate is in newcert.pem

# ls -ld ramontetalCA
drwxr-xr-x 6 root root 4096 Sep 24 01:07 ramontetalCA
# ls -l ramontetalCA
total 24
-rw-r--r-- 1 root root 1306 Sep 24 01:07 cacert.pem
drwxr-xr-x 2 root root 4096 Sep 24 01:06 certs
drwxr-xr-x 2 root root 4096 Sep 24 01:06 crl
-rw-r--r-- 1 root root 0 Sep 24 01:06 index.txt
drwxr-xr-x 2 root root 4096 Sep 24 01:06 newcerts
drwxr-xr-x 2 root root 4096 Sep 24 01:07 private
-rw-r--r-- 1 root root 3 Sep 24 01:06 serial
# ls -l ramontetalCA/private
total 4
-rw-r--r-- 1 root root 963 Sep 24 01:07 cakey.pem

So called "CLEAR" article...

R. Wolf

Many many many assumptions with this article. I'm a novice!!! Do the "Pro's" need "tutorials"? I think you assume too much, like we know what the hell we're doing!!! This other dude has the same error I have, fortunately I'm the shit and figured it out although I'm just now getting past it 20 minutes later!!! Ohhhhhhh the frustration with Linux. This is why Windows is sooooo superior. It configures itself but because my manager asked me to help him out, I'll use the crappy Linux OS for now :)

Now, to fix your problem. If you don't have a sweet support ticket you can put in with the Software vendor like some lame ass support management...they have a privilege, they don't need to know how to troubleshoot.

I unfortunately as you...don't have the sweet support ticket to get someone else to do my work for me so we've got to figure it out ourselves.

What you need to do dude...look at the error.

My error, although similar probably has a different directory path.

Notice my crappy error.

"Error opening CA private key ./scitCA/private/cakey.pem"

You need to edit your openssl.cnf and manually type in the directory above that one, my case was ./misc/scitCA"

That should be typed into...

[ CA_default ]
dir = ./scitCA

I had to change it to get it to work. Changed to ./misc/scitCA!!! I'll change it back as soon as I move on to the next step in the guide.

I totally think this guide is not for novices, it's for Linux Fags!!!

Love R.Wolf - Microsoft Certified Bitch!!!
http://www.pimpmybook.com - Get the word out!!!

Opinions

Anonymous

Mr Wolf,

Why must you slam others? Personally I wonder why you would call someone a fag because they chose to use Linux. If you do however, why would you insult yourself by making comments on how Microsoft's products are so much easier to use? Isn't this publicly announcing to everyone "Hey I'm not smart enough to be a Linux certified "Bitch"?"

Personally I think all of the extra crap you put in the response was completely unnecessary. If you want to help someone do so, don't slam people in doing so.

Anonymous

MCSE, CSE, CCNA, CCIE, RHCE Bitch!!

Style dude style...

R. Wolf

"Mr. Anonymous",

That's just my style dude...

What I said was mostly out of frustration because Linux documentation is horrible!

You shouldn't have taken it too personally, I see you probably took it personally since you have certification envy and feel the need to let people know how "smart" you are by listing all your certs. I'm surprised you didn't upload scanned copies of all your cert cards.

Moreover, what I see is you not taking your own advice, are you helping others or slamming others? At least I offer some help with a slam.

You just offer a slam and some showy certs. Weak sauce dude, weak sauce. I would expect that with a cert you'd be able to give a crumb or maybe a tiny piece of your genius to help us poor helpless people out.

You are right about one thing, all the extra I put in my responses helps nobody, I was venting frustration and for that I was wrong but now it's on :)

Linux has its merits but you have to configure the merits to no end and bang your head into the wall a million times more than MSFT. Good luck to any and all who try to use this article for freeradius installation even if you're using the same distro!!! I tried the same distro in the article and I still had issues. I guess I'm a loser because there's no "next" button.

The article will take you there but it won't get you home, it is somewhat helpful but has its faults. You can't just be any Geek off the street if you know what I mean (Old School Warren G quote!!!).

R. Wolf
Certifications: Loser, Linux Idiot, Microsoft Bitch, Retarded Poster

I hope those certs really impress the masses!!!

for linux workstation

S.M Tie

Hi

Thanks for this article, I've got it to work with Windows using the PK12 keys. I've also got Linux's Xsupplicant and Macs to work with this solution.

Then a few months later, my Linux Xsupplicant won't work anymore. I don't know why this is so; however, using another method of generating the PEM keys, the radius server will work again.

Has anyone got it to work using Xsupplicant with PK12 keys? How can I get this to work with a Linux workstation? Please help?

Sam

Thank you!

Eric Mayo

Nice article. It certainly helped me and I own the O'Reilly OpenSSL book! Your coverage of the xpextensions was AWESOME and it was the missing bits I didn't find in the book....

Keep up the great work!

We just deployed a 10 acre WIFI farm using EAP-TLS & client side certs.

One thing I would like to offer is that in WindowsXP, you can check the option to not look to the public CAs -- you can choose options to ignore or specify your own CA.

~Eric Mayo

Putting it Together: Interested in a high-level article?

Anonymous

Great article. Not wanting to reinvent the wheel, I put this together with a real-world install of FreeRADIUS on an Ubuntu server into an article I wrote on my site. I cite both this article series as well as an excellent how-to for tweaking FreeRADIUS from the Ubuntu Forums site.

http://www.breezy.ca/?q=node/220

Great Article for OpenSSL on Windows

Anonymous

I am using OpenSSL on Windows and this article was great in helping fix a problem I was having signing the certificate.
