Paranoid Penguin - Securing Your WLAN with WPA and FreeRADIUS, Part II

The new generation of security for wireless networks doesn't simply fix WEP's flaws—it enables you to use your RADIUS server to authenticate wireless users.

We've installed FreeRADIUS, created a certificate authority, generated server and client certificates and transferred them to their respective hosts. But we're not done yet. We still need to configure FreeRADIUS, our access point and our wireless clients. We'll do all that next time. Until then, be safe!

Resources for this article: /article/8134.

Mick Bauer, CISSP, is Linux Journal's security editor and an IS security consultant in Minneapolis, Minnesota. O'Reilly & Associates recently released the second edition of his book Linux Server Security (January 2005). Mick also composes industrial polka music but has the good taste seldom to perform it.





Posted by muks

I followed the steps and tried installing freeradius 2.0.5 and 2.1.3

Both times I got this error:

radiusd: error while loading shared libraries: cannot open shared object file: No such file or directory

Any idea what's the prob?? I didn't get any other error in the entire installation.


Thanks Mick

Posted by Elias

I have used this article to set up my FreeRadius 2.x. It is an excellent paper.

Thanks Mick again.

configuration of suse linux radius server.

Posted by Anonymous

Though the explanation is very comprehensive, I am very new to Linux. I have SUSE Linux 10.0 and I want to configure it as a RADIUS server and to generate certificates for Windows-based clients. For that I need step-by-step instructions; can I get any help??

Use StartCom Certification Authority...

Posted by Anonymous

Why not use the StartCom Certification Authority, which provides free certification? Their free certificates seem to support the needed extensions, and they also provide domain controller / smart card certificates, which could be used with FreeRADIUS. Depending on the access parameters (I guess that's what it's all about in the next article), these certificates are unique per domain name and an administrator of a domain can control the issuance of the client certificates. The certificates of that solution don't have to be installed into a smart card, but can be used with other clients. Perhaps the StartCom certs might make the process somewhat easier, in addition to having it issued by a known CA.

certificate common names

Posted by Doug Wright

Something that stumped me for quite some time that is not mentioned in the article is that your root certificate common name has to be different from your server certificate common name.


root cert common name: RootCA
server cert common name:
client cert common name:

After making that change and changes mentioned in other comments everything just worked.

xpextensions not working

Posted by sudarshan_kk

I am trying to generate the certificate as described but get the following error.

#openssl ca -out master_cert.pem -extensions xpextensions -infiles ./masterreq.pem
Using configuration from /usr/share/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Error Loading extension section xpextensions
6566:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:329:group=CA_default name=email_in_dn

# cat /usr/share/ssl/xpextensions
[ xpclient_ext ]
extendedKeyUsage =
[ xpserver_ext ]
extendedKeyUsage =

#ls /usr/share/ssl/
CA cert.pem certs lib misc openssl.cnf private xpextensions

Installing FreeRADIUS on WLAN networks

Posted by bellatrix33us

First of all, let me say that criticism will always be present, but I consider the article very well written.
I AM CONFIGURING the server and so far my experience is the same as with any configuration job on Linux. There is a "learning curve" that has to be worked through to learn the task on Linux.
For those who want things easy, it will hurt their wallet.

problems with the private key

Posted by herman

I installed FreeRADIUS following the article and get the following message:

tls: private_key_file = "/usr/local/etc/raddb/certs/server_keycert.pem"
tls: certificate_file = "/usr/local/etc/raddb/certs/server_keycert.pem"
tls: CA_file = "/usr/local/etc/raddb/certs/cacert.pem"
tls: private_key_password = "hoe_moet_ik_dit_onthouden"
tls: dh_file = "/usr/local/etc/raddb/certs/dh"
tls: random_file = "/usr/local/etc/raddb/certs/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
4956:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:389:
rlm_eap_tls: Error reading private key file
rlm_eap: Failed to initialize type tls
radiusd.conf[10]: eap: Module instantiation failed.
radiusd.conf[1902] Unknown module "eap".
radiusd.conf[1849] Failed to parse authenticate section.

What do I have to change?



Hey Dude,

Posted by gbonny

Hey Dude,

I have the same problem here, did you figure it out what the problem was?

What I noticed was that the defaults for check_crl and check_cert_cn differ from the defaults. Defaults they are respectively "no" and "%{Username}".
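The "key values mismatch" line in herman's log is OpenSSL's X509_check_private_key refusing to pair the private key in server_keycert.pem with the certificate in the same file. The shell script below is an added example, not code from the article or from any commenter: it builds a combined key-and-certificate file the way that tls section expects, deliberately assembles a mismatched one, and shows a check that tells the two apart before radiusd is started. The subject radius.example, the file names and the passphrase demo-passphrase are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the article or its comments): reproduce the
# "X509_check_private_key:key values mismatch" failure and show the check
# that pinpoints it before radiusd is started. The subject radius.example,
# the file names and the passphrase below are constructed for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Two independent self-signed key pairs. Only the first pair belongs together.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=radius.example" \
  -keyout "$WORK/server.key" -out "$WORK/server.crt" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=radius.example" \
  -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null

# The layout the tls section above uses: private key and certificate in one
# PEM file, referenced by both private_key_file and certificate_file.
cat "$WORK/server.key" "$WORK/server.crt" > "$WORK/good_keycert.pem"

# The failure case: a key from one generation run glued to a certificate
# that was signed for a different key (typically a regenerated CSR whose
# old certificate was kept).
cat "$WORK/other.key" "$WORK/server.crt" > "$WORK/bad_keycert.pem"

# Same good pair, but with the key encrypted, as private_key_password in the
# log implies; the check then needs the passphrase.
openssl rsa -in "$WORK/server.key" -aes256 -passout pass:demo-passphrase \
  -out "$WORK/server_enc.key" 2>/dev/null
cat "$WORK/server_enc.key" "$WORK/server.crt" > "$WORK/enc_keycert.pem"

# key_matches_cert FILE [PASSPHRASE]
# Compare the public key derived from the private key with the public key
# embedded in the certificate, both as SubjectPublicKeyInfo PEM. This is the
# relation X509_check_private_key tests, and unlike the common "-modulus"
# comparison it also works for EC keys. Returns 0 on match, 1 otherwise.
key_matches_cert() {
  file=$1
  pass=${2:-}
  if [ -n "$pass" ]; then
    from_key=$(openssl pkey -in "$file" -passin "pass:$pass" -pubout 2>/dev/null) || from_key=
  else
    from_key=$(openssl pkey -in "$file" -pubout 2>/dev/null) || from_key=
  fi
  from_cert=$(openssl x509 -in "$file" -pubkey -noout 2>/dev/null) || from_cert=
  [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

for f in good_keycert.pem bad_keycert.pem; do
  if key_matches_cert "$WORK/$f"; then
    echo "$f: key and certificate match"
  else
    echo "$f: key values mismatch, re-sign the certificate from this key's CSR"
  fi
done
if key_matches_cert "$WORK/enc_keycert.pem" demo-passphrase; then
  echo "enc_keycert.pem: key and certificate match (passphrase accepted)"
fi
```

Run it with sh. The order of the two PEM blocks in the combined file does not matter, because each OpenSSL reader skips ahead to the block type it wants; what matters is that the certificate was signed from a CSR made with the very key in the file. A mismatch almost always means the key was regenerated after the CSR went to the CA, and re-signing from the CSR that belongs to the key in the file fixes it. gbonny's check_cert_cn observation is a separate setting applied to each client's certificate after the handshake; it is unrelated to loading the server's own key.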


TXT_DB error 2

Posted by Nico Gattario

I'm having this problem trying to create a certificate for the client:
After issuing the command:
openssl ca -config ./openssl.cnf ...... ./client_req.pem
I get the signature ok
Signature Ok
but when they ask me to sign the signature I press y and I get the following error:
failed to update the database
TXT_DB error number 2

No error happened to me when I tried to do the same for the server at the beginning. I'm using Fedora Core 3 with openssl 0.9.7a-40.

Thank you so much for your help.


I believe this happens when

Posted by Anonymous

I believe this happens when an entry for the specific name already exists in the index.txt file.

What I did is I modified serial and serial.old by decrementing the hex integers contained within by 1. Then I modified index.txt and index.txt.old by removing the last lines contained in each of the files. No problems after that.

TXT_DB error 2

Posted by Anonymous

Has anyone fixed the TXT_DB error 2?
It does have to do with the domain because I put a different one and it signed the certificate.
I did check the database file and I get the 2 certificates, one of them with the correct domain and the other with the wrong domain...... Does anyone know if I edit the wrong domain and fix it, will it work?

Simple solution

Posted by Anonymous

Banged my head a few times, then realized as a few others have: when you generate the client certificate and it gets to the COMMON NAME, don't use the same host name you used on the server, just type in the host name for your client.

Now off to figure out why I get an unknown CA error when it tries to enable TLS

take care!

I ran into that too...

Posted by R. Wolf

The issue there is, since I banged my head up against that one too is openssl didn't like me having two certs, one server and one client with the same domain name. I believe that was the issue. It's the part, and it's been a while since I've had to create's the part that asks for your information, organization, state, city, etc. I believe my issue was typing in the domain information in. It didn't want to update two certs by the same domain or local or whatever that little section asked.

Check it out, play with that section because right there is where the issue was. When it's asking you the questions. Also look at the textfile database it creates. Once you open it up, you'll see what I'm talking about. What you've got to change is in there and from memory and that's poor :) it had something to do with the local or domain. It didn't like it when I used the same one.

I hope this helped and since I'm not frustrated right now all the extra flare isn't in me to bash anything!

R. Wolf


Posted by custard

Thanks for your nice clear article. I'm hitting a big problem and so I'm wondering if you could help out a bit. This is slightly more complicated since this is on a Debian box.

Essentially, signing anything seems to fail (even as root!) as shown in the error below.

The file is manifestly there, and accessible. Is there any good reason why it should be behaving like this?

It occurs that sometimes the 'r' at the end of the file name is an 'h', in case that helps

thanks for any suggestions.

# /usr/lib/ssl/misc/ -sign
Using configuration from /usr/lib/ssl/openssl.cnf
Error opening CA private key ./ramonetalCA/private/cakey.pem
23910:error:02001002:system library:fopen:No such file or
23910:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:280:
unable to load CA private key
cat: newcert.pem: No such file or directory
Signed certificate is in newcert.pem

# ls -ld ramontetalCA
drwxr-xr-x 6 root root 4096 Sep 24 01:07 ramontetalCA
# ls -l ramontetalCA
total 24
-rw-r--r-- 1 root root 1306 Sep 24 01:07 cacert.pem
drwxr-xr-x 2 root root 4096 Sep 24 01:06 certs
drwxr-xr-x 2 root root 4096 Sep 24 01:06 crl
-rw-r--r-- 1 root root 0 Sep 24 01:06 index.txt
drwxr-xr-x 2 root root 4096 Sep 24 01:06 newcerts
drwxr-xr-x 2 root root 4096 Sep 24 01:07 private
-rw-r--r-- 1 root root 3 Sep 24 01:06 serial
# ls -l ramontetalCA/private
total 4
-rw-r--r-- 1 root root 963 Sep 24 01:07 cakey.pem

So called "CLEAR" article...

Posted by R. Wolf

Many many many assumptions with this article. I'm a novice!!! Do the "Pro's" need "tutorials"? I think you assume too much, like we know what the hell we're doing!!! This other dude has the same error I have, fortunately I'm the shit and figured it out although I'm just now getting past it 20 minutes later!!! Ohhhhhhh the frustration with Linux. This is why Windows is sooooo superior. It configures itself but because my manager asked me to help him out, I'll use the crappy Linux OS for now :)

Now, to fix your problem. If you don't have a sweet support ticket you can put in with the Software vendor like some lame ass support management...they have a privilege, they don't need to know how to troubleshoot.

I unfortunately as you...don't have the sweet support ticket to get someone else to do my work for me so we've got to figure it out ourselves.

What you need to do dude...look at the error.

My error, although similar probably has a different directory path.

Notice my crappy error.

"Error opening CA private key ./scitCA/private/cakey.pem"

You need to edit your openssl.cnf and manually type in the directory above that one, my case was ./misc/scitCA

That should be typed into...

[ CA_default ]
dir = ./scitCA

I had to change it to get it to work. Changed to ./misc/scitCA!!! I'll change it back as soon as I move on to the next step in the guide.

I totally think this guide is not for novice's, it's for Linux Fags!!!

Love R.Wolf - Microsoft Certified Bitch!!! - Get the word out!!!
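Three of the problems in this thread come from the same small CA setup: the relative dir in openssl.cnf that custard and R. Wolf hit, the "-extensions xpextensions" invocation in sudarshan_kk's comment, and the duplicate-subject refusal behind TXT_DB error 2 that Doug Wright, Nico Gattario and others describe. The script below is an added example, not code from the article or from any commenter. It builds a throwaway CA in a temporary directory, signs server and client certificates with the two xpextensions sections, reproduces the refusal and shows both fixes. The directory name demoCA and the subjects RootCA, radius.example and laptop.example are constructed for the demo.

```shell
#!/bin/sh
# Added example; not code from the article or from any commenter. Builds a
# throwaway OpenSSL CA and reproduces three problems from the comments: the
# CA "dir" path, the separate xpextensions file, and the duplicate-subject
# refusal behind "TXT_DB error number 2". demoCA, RootCA, radius.example and
# laptop.example are constructed names.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA="$WORK/demoCA"
mkdir -p "$CA/newcerts" "$CA/private"
: > "$CA/index.txt"
echo 01 > "$CA/serial"

# Minimal openssl.cnf. "dir" is absolute on purpose: a relative value such as
# ./demoCA is resolved against the current working directory, not against
# the config file, which is how "Error opening CA private key" appears when
# openssl ca is run from another directory. unique_subject keeps its default
# of yes.
cat > "$WORK/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CA
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
serial = \$dir/serial
default_md = sha256
default_days = 365
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# The extension sections the article keeps in a separate xpextensions file.
# The OIDs are the standard extendedKeyUsage values: ...7.3.1 is serverAuth,
# ...7.3.2 is clientAuth; the Windows XP EAP-TLS supplicant requires them.
cat > "$WORK/xpextensions" <<EOF
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF

# Root CA. Its CN must differ from every server and client CN (Doug Wright's
# point): the CA only enforces uniqueness among issued certificates, but a
# server certificate whose subject equals the root's confuses verification.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=RootCA" \
  -config "$WORK/openssl.cnf" -keyout "$CA/private/cakey.pem" \
  -out "$CA/cacert.pem" 2>/dev/null

# issue TAG CN SECTION: make a CSR for CN and sign it with extension section
# SECTION from the xpextensions file. "-extensions" names a section, and the
# file holding it is given with "-extfile"; passing the file name to
# -extensions is what produced "Error Loading extension section xpextensions"
# above. Returns openssl ca's exit status so a refusal can be observed.
issue() {
  tag=$1; cn=$2; section=$3
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -config "$WORK/openssl.cnf" -keyout "$WORK/$tag.key" \
    -out "$WORK/$tag.csr" 2>/dev/null
  openssl ca -batch -config "$WORK/openssl.cnf" \
    -extfile "$WORK/xpextensions" -extensions "$section" \
    -in "$WORK/$tag.csr" -out "$WORK/$tag.crt" >/dev/null 2>"$WORK/$tag.err"
}

# eku_of CERT: print the extendedKeyUsage value of a certificate.
eku_of() {
  openssl x509 -in "$1" -noout -text | sed -n '/Extended Key Usage/{n;s/^ *//p;}'
}

# 1. Server certificate: signed.
issue server radius.example xpserver_ext && SERVER_OK=yes || SERVER_OK=no
# 2. Client certificate with the *same* CN as the server: refused. Older
#    OpenSSL reports this as "failed to update database / TXT_DB error
#    number 2"; newer releases print that a certificate already exists.
if issue dup radius.example xpclient_ext; then DUP_REJECTED=no; else DUP_REJECTED=yes; fi
# 3. The fix the commenters found: a distinct CN per client.
issue client laptop.example xpclient_ext && CLIENT_OK=yes || CLIENT_OK=no
# 4. The other fix, for re-issuing under an unchanged subject: relax the rule
#    in index.txt.attr (openssl ca writes that file after the first signature
#    and its value overrides the config).
echo 'unique_subject = no' > "$CA/index.txt.attr"
issue renew radius.example xpserver_ext && RENEW_OK=yes || RENEW_OK=no

echo "server=$SERVER_OK duplicate_rejected=$DUP_REJECTED client=$CLIENT_OK renew=$RENEW_OK"
echo "server EKU: $(eku_of "$WORK/server.crt")"
echo "client EKU: $(eku_of "$WORK/client.crt")"
```

Passing -extfile together with -extensions is equivalent to pasting the two sections into openssl.cnf, which is what the article's layout relies on. Decrementing serial and deleting lines from index.txt by hand, as one reply above describes, does make the next signature succeed, but it leaves the CA's records out of step with a certificate that may already have been handed out; unique_subject = no in index.txt.attr is the documented way to keep issuing under an unchanged subject, and a distinct CN per host is the right answer for the original server-versus-client clash.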


Posted by Anonymous

Mr Wolf,

Why must you slam others? Personally I wonder why you would call someone a fag because they chose to use Linux. If you do however, why would you insult yourself by making comments on how Microsoft's products are so much easier to use? Isn't this publicly announcing to everyone "Hey I'm not smart enough to be a Linux certified "Bitch"?"

Personally I think all of the extra crap you put in the response was completely unnecessary. If you want to help someone do so, don't slam people in doing so.



Style dude style...

Posted by R. Wolf

"Mr. Anonymous",

That's just my style dude...

What I said was mostly out of frustration because Linux documentation is horrible!

You shouldn't have taken it too personally. I see you probably took it personally since you have certification envy and feel the need to let people know how "smart" you are by listing all your certs. I'm surprised you didn't upload scanned copies of all your cert cards.

Moreover, what I see is you not taking your own advice, are you helping others or slamming others? At least I offer some help with a slam.

You just offer a slam and some showy certs. Weak sauce dude, weak sauce. I would expect that with a cert you'd be able to give a crumb or maybe a tiny piece of your genius to help us poor helpless people out.

You are right about one thing, all the extra I put in my responses helps nobody, I was venting frustration and for that I was wrong but now it's on :)

Linux has its merits but you have to configure the merits to no end and bang your head into the wall a million times more than with MSFT. Good luck to any and all who try to use this article for FreeRADIUS installation even if you're using the same distro!!! I tried the same distro in the article and I still had issues. I guess I'm a loser because there's no "next" button.

The article will take you there but it won't get you home; it is somewhat helpful but has its faults. You can't just be any Geek off the street if you know what I mean (Old School Warren G quote!!!).

R. Wolf
Certifications: Looser, Linux Idiot, Microsoft Bitch, Retarded Poster

I hope those certs really impress the masses!!!

for linux workstation

Posted by S.M Tie


Thanks for this article, I've got it to work with Windows using the PK12 keys. I've also got Linux's xsupplicant and Macs to work with this solution.

Then a few months later, my Linux xsupplicant won't work anymore. I don't know why this is so; however, using another method of generating the PEM keys, the RADIUS server will work again.

Has anyone got it to work using Xsupplicant with PK12 keys? How can I get this to work with a Linux workstation?? Please help?


Thank you!

Posted by Eric Mayo

Nice article. It certainly helped me and I own the O'Reilly OpenSSL book! Your coverage of the xpextensions was AWESOME and it was the missing bits I didn't find in the book....

Keep up the great work!

We just deployed a 10 acre WIFI farm using EAP-TLS & client side certs.

One thing I would like to offer is that in Windows XP, you can check the option to not look to the public CAs: you can choose options to ignore them or specify your own CA.

~Eric Mayo

Putting it Together: Interested in a high-level article?

Posted by Anonymous

Great article. Not wanting to reinvent the wheel, I put this together with a real-world install of FreeRADIUS on an Ubuntu server into an article I wrote on my site. I cite both this article series as well as an excellent how-to for tweaking FreeRADIUS from the Ubuntu Forums site.

Great Article for OpenSSL on Windows

Posted by Anonymous

I am using OpenSSL on Windows and this article was great in helping fix a problem I was having signing the certificate.