Paranoid Penguin - Securing Your WLAN with WPA and FreeRADIUS, Part II

The new generation of security for wireless networks doesn't simply fix WEP's flaws—it enables you to use your RADIUS server to authenticate wireless users.

Last month, I described the new wireless LAN security protocol, Wi-Fi Protected Access (WPA). I showed how it adds strong and flexible authentication, plus dynamic encryption-key negotiation, to the otherwise-insecure WEP protocol. I also showed how WPA's component protocols, including 802.1x, the various flavors of EAP and RADIUS, interrelate. In this month's column I start to show how to create your own authentication server for WPA and other 802.1x scenarios, using FreeRADIUS and OpenSSL.

Quick Review

WPA, you may recall, is more modular than WEP. Whereas authentication and encryption in WEP both are achieved through a shared secret used by all wireless clients, authentication in WPA normally is achieved by using the 802.1x protocol. The pre-shared key (PSK) mode, which works more like WEP, also is an option. With WPA, unique encryption keys for each client are generated dynamically and refreshed periodically by the access point.

802.1x is a flexible authentication protocol that depends on the Extensible Authentication Protocol (EAP). Many different flavors of EAP, including EAP-TLS and PEAP, are supported in WPA-enabled products. If you choose to skip 802.1x and deploy WPA in the much simpler PSK mode, which gives you dynamic encryption key generation but exposes authentication credentials by transmitting them in clear text, all you need to do is configure your access point and wireless clients with the same pre-shared key.

If, however, you want to use WPA to its full potential by employing the much-stronger authentication mechanisms in 802.1x, you need a RADIUS server. Commercial tools are available for this work, such as Funk Software's Steel Belted RADIUS. But if you prefer a free and open-source RADIUS application, FreeRADIUS supports all major flavors of EAP and is both stable and secure. Here's how you can put it to work.

Our Usage Scenario

Naturally, I don't have enough space to describe all possible uses of FreeRADIUS with 802.1x or even specifically with wireless scenarios. Therefore, let's start with a description of an example usage scenario that subsequent procedures can implement.

The most important choice to make when implementing WPA is which flavor of EAP to use. This is limited not only by what your RADIUS server software supports but also by your client platforms. Your wireless access point, interestingly, is EAP-agnostic—assuming it supports 802.1x and/or WPA in the first place. It simply passes EAP traffic from clients to servers, without requiring explicit support for any particular EAP subtype.

What your client platform supports is a function both of your client operating system and of its wireless hardware. For example, a Microsoft Windows XP system with an Intel Pro/2100 (Centrino) chipset supports EAP-TLS and PEAP, but EAP-TTLS isn't an option. But if you run Linux with wpa_supplicant (see the on-line Resources), you have a much wider range of choices available.

In our example scenario, I cover EAP-TLS. EAP-TLS requires client certificates, which in turn requires you to set up a certificate authority (CA). But there are several good reasons to use EAP-TLS. First, EAP-TLS is supported widely. Second, TLS (X.509 certificate) authentication provides strong security. Third, it really doesn't require that much work to use OpenSSL to create your own CA.

Our example scenario, therefore, involves Windows XP clients using EAP-TLS to connect to a WPA-enabled access point. The access point, in turn, is configured to authenticate off of a FreeRADIUS 1.0.1 server running Linux.

Getting and Installing FreeRADIUS

SuSE 9.2, Fedora Core 3 and Red Hat Enterprise Linux each has its own FreeRADIUS RPM package, called freeradius. Debian Sarge (Debian-testing) has a DEB package by the same name. With Red Hat, Fedora and Debian-testing, additional packages are available if you want to use a MySQL authentication database. In addition, Debian-testing has a few other features broken out into still more packages. With all four distributions, however, the only package you should need for 802.1x authentication is the base freeradius package. If your favorite Linux distribution doesn't have its own FreeRADIUS package, or if it does but not a recent enough version to meet your needs, you can download the latest FreeRADIUS source code from the Web site (see Resources).

Compiling FreeRADIUS is simple: it's the common ./configure && make && make install routine. If you're new to the compiling game, see the source distribution's INSTALL file for more detailed instructions. You should execute the configure and make commands as some nonroot user and execute only make install as root.

Notice that, by default, the configure script installs FreeRADIUS into subdirectories of /usr/local. Because the Makefile has no uninstall action, I recommend leaving this setting unchanged, as it simplifies removing FreeRADIUS later, should that become necessary.

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

error

muks's picture

I followed the steps and tried installing freeradius 2.0.5 and 2.1.3

Both the times i got this error:

radiusd: error while loading shared libraries: libfreeradius-radius-2.1.3.so: cannot open shared object file: No such file or directory

Any idea what's the prob?? I didn't get any other error in the entire installation.

Thanks.

Thanks Mick

Elias's picture

I have used this article to set up my FreeRadius 2.x. It is an excellent paper.

Thanks Mick again.

configuration of suse linux radius server.

Anonymous's picture

Though the explanation is very comprehensive but i am very new to linux. I have suse linux 10.0 and I want it to configure as Radius server and to generate certificates for windows based clients. For that I need step by step procedures.so can i get any help??

Use StartCom Certification Authority...

Anonymous's picture

Why not use the StartCom Certification Authority, which provides free certification? Their free certificates seem to support the needed extensions, and they also provide domain controller - smart card certificates, which could be used with freeRadius. Depending on the access paramters (guess, that's what it's all about in the next article), this certificates are unique per domain name and an administrator of a domain can control the issuance of the client certificates. The certificates of that solution don't have to be installed into a smart card, but can be used with other clients. Perhaps the StartCom certs might make the process somewhat easier, in addition to have it issued by a known CA.

certificate common names

Doug Wright's picture

Something that stumped me for quite some time that is not mentioned in
the article is that your root certificate common name has to be different from your server certificate common name.

Example:

root cert common name: RootCA
server cert common name: server.host.org
client cert common name: client.host.org

After making that change and changes mentioned in other comments everything just worked.

xpextensions not working

sudarshan_kk's picture

I am trying to generate certificate as mentioned but getting following error.

#openssl ca -out master_cert.pem -extensions xpextensions -infiles ./masterreq.pem
Using configuration from /usr/share/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Error Loading extension section xpextensions
6566:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:329:group=CA_default name=email_in_dn

# cat /usr/share/ssl/xpextensions
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

#ls /usr/share/ssl/
CA cert.pem certs lib misc openssl.cnf private xpextensions

Instalando Freeradius en redes wlan

bellatrix33us's picture

Antes que nada, dejeme expresar que la critica siempre estara presente, pero considero que el articulo esta muy bien redactado.
ESTOY CONFIGURANDO el servidor y hasta el momento mi experiencia es igual a cualquier trabajo de configuracion con linux. Existe una "learning curve" que debe ser trabajada para lograr el aprendisaje de la tarea en linux.
Para aquellos que quieren las cosas faciles , les dolera en la cartera.
Saludos

problems with the private key

herman's picture

I have installed freeradius by the article and get the next message

tls: private_key_file = "/usr/local/etc/raddb/certs/server_keycert.pem"
tls: certificate_file = "/usr/local/etc/raddb/certs/server_keycert.pem"
tls: CA_file = "/usr/local/etc/raddb/certs/cacert.pem"
tls: private_key_password = "hoe_moet_ik_dit_onthouden"
tls: dh_file = "/usr/local/etc/raddb/certs/dh"
tls: random_file = "/usr/local/etc/raddb/certs/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
4956:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:389:
rlm_eap_tls: Error reading private key file
rlm_eap: Failed to initialize type tls
radiusd.conf[10]: eap: Module instantiation failed.
radiusd.conf[1902] Unknown module "eap".
radiusd.conf[1849] Failed to parse authenticate section.

what have I to change

greeting

Herman

Hey Dude,

gbonny's picture

Hey Dude,

I have the same problem here, did you figure it out what the problem was?

What I noticed was that the defaults for check_crl and check_cert_cn differ from the defaults. Defaults they are respectively "no" and "%{Username}".

Greeting
gbonny

TXT_DB error 2

Nico Gattario's picture

Im having this problem trying to create a certificate for the client:
After issuing the command :
openssl ca -config ./openssl.cnf ...... ./client_req.pem
I get the signature ok
Siganture Ok
but when they ask me to sign the signature I press y and i get the following error:
failed to update the database
TXT_DB error number 2

no error happend to me when I tried to do the same for the server at the beginnig Im using fedora core 3 with openssl 0.9.7a-40

Thank u so much for your help.

NICOLAS GATTARIO

I believe this happens when

Anonymous's picture

I believe this happens when an entry for the specific name already exists in the index.txt file.

what i did is i modified serial, serial.old, by decrementing the HEX integers contained within by 1. Then I modified index.txt, and index.txt.old by removing the last lines contained in each of the files. No problems after that.

TXT_DB error 2

Anonymous's picture

Has anyone fixed the TXT_DB error 2?
It does have to do with the domain cause I put a different one and it signed the certificate.
I did check the database file and i get the 2 certificates, one of the with the correct domain and the other with the wrong domain......does anyone know that if I edit the wrong domain and fix it will it work?

Simple solution

Anonymous's picture

Banged my head a few times then realized as a few others have.. when you generate the client certificate and it gets to the COMMON NAME, don't use the same host name you used on the server, just type in the host name for your client.

Now off to figure out why I get an unknown CA error when it tries to enable TLS

take care!

I ran into that too...

R. Wolf's picture

The issue there is, since I banged my head up against that one too is openssl didn't like me having two certs, one server and one client with the same domain name. I believe that was the issue. It's the part, and it's been a while since I've had to create them...it's the part that asks for your information, organization, state, city, etc. I believe my issue was typing in the domain information in. It didn't want to update two certs by the same domain or local or whatever that little section asked.

Check it out, play with that section because right there is where the issue was. When it's asking you the questions. Also look at the textfile database it creates. Once you open it up, you'll see what I'm talking about. What you've got to change is in there and from memory and that's poor :) it had something to do with the local or domain. It didn't like it when I used the same one.

I hope this helped and since I'm not frustrated right now all the extra flare isn't in me to bash anything!

R. Wolf

confused

custard's picture

Hi,
Thanks for your nice clear article. I'm hiting a big problem and so I'm wondering if you could help out a bit. This is slightly more complicated since this is on a debian box.

Essentlialy, signing anything seems to fail (even as root!) as shown in the error below.

The file is manifestly there, and accessible. Is there any good reason why it should be behaving like this?

It occurs that sometimes the 'r' at the end of the file name is an 'h', in case that helps

thanks for any suggestions.
ramon

# /usr/lib/ssl/misc/CA.sh -sign
Using configuration from /usr/lib/ssl/openssl.cnf
Error opening CA private key ./ramonetalCA/private/cakey.pem
23910:error:02001002:system library:fopen:No such file or
directory:bss_file.c:278:fopen('./ramonetalCA/private/cakey.pem','r')
23910:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:280:
unable to load CA private key
cat: newcert.pem: No such file or directory
Signed certificate is in newcert.pem

# ls -ld ramontetalCA
drwxr-xr-x 6 root root 4096 Sep 24 01:07 ramontetalCA
# ls -l ramontetalCA
total 24
-rw-r--r-- 1 root root 1306 Sep 24 01:07 cacert.pem
drwxr-xr-x 2 root root 4096 Sep 24 01:06 certs
drwxr-xr-x 2 root root 4096 Sep 24 01:06 crl
-rw-r--r-- 1 root root 0 Sep 24 01:06 index.txt
drwxr-xr-x 2 root root 4096 Sep 24 01:06 newcerts
drwxr-xr-x 2 root root 4096 Sep 24 01:07 private
-rw-r--r-- 1 root root 3 Sep 24 01:06 serial
# ls -l ramontetalCA/private
total 4
-rw-r--r-- 1 root root 963 Sep 24 01:07 cakey.pem

So called "CLEAR" article...

R. Wolf's picture

Many many many assumptions with this article. I'm a novice!!! Do the "Pro's" need "tutorials"? I think you assume too much, like we know what the hell we're doing!!! This other dude has the same error I have, fortunately I'm the shit and figured it out although I'm just now getting past it 20 minutes later!!! Ohhhhhhh the frustration with Linux. This is why Windows is sooooo superior. It configures itself but because my manager asked me to help him out, I'll use the crappy Linux OS for now :)

Now, to fix your problem. If you don't have a sweet support ticket you can put in with the Sofware vendor like some lame ass support management...they have a privelage, they don't need to know how to troubleshoot.

I unfortunately as you...don't have the sweet support ticket to get someone else to do my work for me so we've got to figure it out ourselves.

What you need to do dude...look at the error.

My error, although similar probably has a different directory path.

Notice my crappy error.

"Error opening CA private key ./scitCA/private/cakey.pem"

You need to edit your openssl.cnf and manually type in the directory above that one, my case was ./misc/scitCA"

That should be typed into...

[ CA_default ]
dir = ./scitCA

I had to change it to get it to work. Changed to ./misc/scitCA!!! I'll change it back as soon as I move on to the next step in the guide.

I totally think this guide is not for novice's, it's for Linux Fags!!!

Love R.Wolf - Microsoft Certified Bitch!!!
http://www.pimpmybook.com - Get the word out!!!

Opinions

Anonymous's picture

Mr Wolf,

Why must you slam others? Personally I wonder why you would call someone a fag because they chose to use Linux. If you do however, why would you insult yourself by making comments on how Microsofts products are so much easier to use? Isn't this publicly announcing to everyone "Hey I'm not smart enough to be a Linux certified "Bitch"?"

Personally I think all of the extra crap you put in the response was completely unnecessary. If you want to help someone do so, don't slam people in doing so.

Anonymous

MCSE, CSE, CCNA, CCIE, RHCE Bitch!!

Style dude style...

R. Wolf's picture

"Mr. Anonymous",

That's just my style dude...

What I said was mostly out of frustratin because Linux documentation is horrible!

You shouldn't have taken it to personal, I see you probably took it personal since you have certification envy and feel the need to let people know how "smart" you are by listing all your certs. I'm surprised you didn't upload scanned copies of all your cert cards.

Moreover, what I see is you not taking your own advice, are you helping others or slamming others? At least I offer some help with a slam.

You just offer a slam and some showy certs. Weak sauce dude, weak sauce. I would expect that with a cert you'd be able to give a crum or maybe a tiny piece of your genius to help us poor helpless people out.

You are right about one thing, all the extra I put in my responses helps nobody, I was venting frustration and for that I was wrong but now it's on :)

Linux has it's merits but you have to configure the merits to no end and bang your head into the wall a million times more the MSFT. Good luck to any and all who try to use this article for freeradius intallation even if you're using the same distro!!! I tried the same distro in the article and I still had issues. I guess I'm a looser because there's no "next" button.

The article will take you there but it won't get you home, it is somewhat helpful but has it's faults. You can't just be any Geek off the street if you know what I mean (Old School Warren G quote!!!).

R. Wolf
Certifications: Looser, Linux Idiot, Microsoft Bitch, Retarded Poster

I hope those certs really impress the masses!!!

for linux workstation

S.M Tie's picture

hi

thanks for this article, i've got it to work with windows using the PK12 keys. I've also got the linux's xsupplicant and Mac's to work with this solution.

Then a few months later, my linux xsupplicant wont work anymore. I dont know why this is so, however, using another method of generating the PEM keys, the radius server will work again.

Has anyone got it to work using Xsupplicant with PK12 keys ? how can i get this to work with a linux workstation ?? please help ?

Sam

Thank you!

Eric Mayo's picture

Nice article. It certainly helped me and I own the O'Reilly OpenSSL book! Your coverage of the xpextensions was AWESOME and it was the missing bits I didn't find in the book....

Keep up the great work!

We just deployed a 10 acre WIFI farm using EAP-TLS & client side certs.

One thing I would like to offer is that in WindowsXP, you can check the option to not look to the public CAs -- you can choose options to ignore or specify your own CA.

~Eric Mayo

Putting it Together: Interested in a high-level article?

Anonymous's picture

Great article. Not wanting to reinvent the wheel, I put this together with a real world install of FreeRADIUS on an Ubuntu server into an article I wrote on my site. I cite both this article series as well as excellent how-to for tweaking FreeRADIUS from the Ubuntu Forums site.

http://www.breezy.ca/?q=node/220

Great Article for OpenSSL on Windows

Anonymous's picture

I am using OpenSSL on Windows and this article was great in helping fix a problem I was having signing the certificate.

Webinar
One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Learn More

Sponsored by Bit9

Webinar
Linux Backup and Recovery Webinar

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.

Learn More

Sponsored by Storix