Loading
Paranoid Penguin - Securing Your WLAN with WPA and FreeRADIUS, Part III
The final step in this new, more secure wireless network project includes hooking up some non-Linux clients to the new standard.
In the previous two Paranoid Penguin columns, I described how Wi-Fi protected access (WPA) can protect wireless LANs (WLANs) from unauthorized access and eavesdropping. I also began explaining how to use FreeRADIUS to implement WPA on your own WLAN. So far, we covered installing FreeRADIUS, creating a certificate authority (CA) and generating and signing digital certificates for WPA use. This month, I show you where to put those certificates, how to configure FreeRADIUS and how to configure your wireless access point and clients. With this information, you should be off to a good start in securing your WLAN.
In case you're new to this series of articles or simply need some reminders about precisely what we're trying to achieve, let's briefly review our purpose and scope. WPA adds powerful authentication functionality to the older, cryptographically broken WEP protocol in the form of the 802.1x protocol and its subprotocols, such as EAP, PEAP and EAP-TLS. WPA also adds dynamic session key negotiation and automatic key regeneration, by way of the TKIP protocol. If your wireless client software supports WPA—that is, if it includes a WPA supplicant—and your wireless access point supports WPA, you're two-thirds of the way there already. But if you want to take full advantage of 802.1x, you need a back-end RADIUS server, which is where FreeRADIUS comes in.
In the example scenario I established last time, we're configuring a FreeRADIUS server to authenticate Windows XP wireless clients connecting to any WPA-compatible wireless access point. Our 802.1x method is EAP-TLS. EAP-TLS, you might recall, uses the TLS protocol to authenticate wireless supplicants (clients) and your access point to one another by using X.509 digital certificates.
The tasks at hand in this column are:
To install the server and CA certificates we created last time onto our FreeRADIUS server.
To configure FreeRADIUS to use these certificates with EAP-TLS to authenticate users for our access point.
To configure our access point to redirect authentication to our FreeRADIUS server.
To install the client and CA certificates we created last time onto a Windows XP client and configure it to use WPA when connecting to the WLAN.
In Part II of this WPA series, we created three X.509 digital certificates: a certificate authority certificate, called cacert.pem; one server certificate, called server_keycert.pem; and a client certificate, called client_cert.p12. The server and client files contain both a certificate and its private key, so each of these must be handled carefully. The CA certificate, however, is stored separately from its key, so you can distribute cacert.pem freely.
FreeRADIUS stores its configuration files in either /etc/raddb/ or /usr/local/etc/raddb/, depending on your distribution. This directory contains a subdirectory, certs/—this, naturally, is where you need to copy your CA certificate and your server certificate/key. Make sure that cacert.pem is owned by the user root and that its permissions are set to -r--r--r--. server_keycert.pem, on the other hand, should be owned by the user nobody and its permissions set to -r--------. Listing 1 shows the long directory listings for these two files.
As long as you're attending to file ownerships, you also should make sure that the file /var/log/radius/radius.log and the directory /var/run/radiusd/ are writable by nobody. If you compiled FreeRADIUS from source, these paths instead may be /usr/local/var/log/radius/radius.log and /usr/local/var/run/radiusd/. Both radius.log and radiusd/ may be owned by nobody.
Before we dive into FreeRADIUS' configuration files, we need to create two files that FreeRADIUS must have in order to use TLS. The first is a Diffie-Hellman parameters file, or dh file, which is used for negotiating TLS session keys. To create a dh file, change your working directory to FreeRADIUS' raddb/certs/ directory and issue this command:
# openssl dhparam -check -text -5 512 -out dh
The second file you need is a data file that contains a random bitstream that also is used in TLS operations. Do not simply stick the current timestamp or any other similarly nonrandom string into a file called random, as is suggested in at least one WPA procedure I've seen on the Internet. Rather, use the kernel's high-quality random number generator. From within raddb/certs, run this command:
# dd if=/dev/urandom of=random count=2
Both of these files need to be readable by the user nobody, but they should not be writable by anybody.
______________________
Webcast
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers
Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.
Sponsored by AMD
White Paper
Private PaaS for the Agile Enterprise
If you already use virtualized infrastructure, you are well on your way to leveraging the power of the cloud. Virtualization offers the promise of limitless resources, but how do you manage that scalability when your DevOps team doesn’t scale? In today’s hypercompetitive markets, fast results can make a difference between leading the pack vs. obsolescence. Organizations need more benefits from cloud computing than just raw resources. They need agility, flexibility, convenience, ROI, and control.
Stackato private Platform-as-a-Service technology from ActiveState extends your private cloud infrastructure by creating a private PaaS to provide on-demand availability, flexibility, control, and ultimately, faster time-to-market for your enterprise.
Sponsored by ActiveState
- Containers—Not Virtual Machines—Are the Future Cloud
- Non-Linux FOSS: libnotify, OS X Style
- Linux Systems Administrator
- Validate an E-Mail Address with PHP, the Right Way
- Lock-Free Multi-Producer Multi-Consumer Queue on Ring Buffer
- Senior Perl Developer
- Technical Support Rep
- UX Designer
- Introduction to MapReduce with Hadoop on Linux
- RSS Feeds
- One advantage with VMs
1 hour 33 min ago - about info
2 hours 6 min ago - info
2 hours 7 min ago - info
2 hours 8 min ago - info
2 hours 10 min ago - info
2 hours 11 min ago - abut info
2 hours 12 min ago - info
2 hours 13 min ago - info
2 hours 15 min ago - info
2 hours 16 min ago
Featured Jobs
| Linux Systems Administrator | Houston and Austin, Texas | Host Gator |
| Senior Perl Developer | Austin, Texas | Host Gator |
| Technical Support Rep | Houston and Austin, Texas | Host Gator |
| UX Designer | Austin, Texas | Host Gator |
| Web & UI Developer (JavaScript & j Query) | Austin, Texas | Host Gator |
Free Webinar: Hadoop
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers
Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.
Some of key questions to be discussed are:
- What is the “typical” Hadoop cluster and what should be installed on the different machine types?
- Why should you consider the typical workload patterns when making your hardware decisions?
- Are all microservers created equal for Hadoop deployments?
- How do I plan for expansion if I require more compute, memory, storage or networking?
Developer Poll
Comments
Addendum
killall -HUP radiusd may not work for some - you may need to kill (stop) the daemon entirely, and restart it for it to reread the .pem files.
Addendum
killall -HUP radiusd may not work for some - you may need to kill (stop) the daemon entirely, and restart it for it to reread the .pem files.
Getting CRLs to work properly (hurrah!)
This guide on FreeRADIUS & WPA Enterprise is brilliant, but I had major problems getting a CRL to work/check correctly - but have figured it out and will share it with everyone CLEARLY, to save other poor souls the problems I've had (along with others who get no clear help on the FreeRADIUS lists!)
To revoke a certificate, run :
openssl ca -revoke CERT_TO_REVOKE.pem -keyfile ca.key -cert ca.pem -config ./ca.cnf
Obviously your filenames may vary :)
Once it's revoked, run these commands :
openssl ca -gencrl -keyfile ca.key -cert ca.pem -out mycrl.pem -config ca.cnf
cat ca.pem mycrl.pem > ca_and_crl.pem
That will build a CRL file (mycrl.pem), and then concatenate your ca.pem file with it, to build ca_and_crl.pem
The ca_and_crl.pem is now your CA cert WITH the CRL. This is KEY to the whole thing working!
Then, edit your eap.conf and edit CA_file so it reads :
CA_file = ${certdir}/ca_and_crl.pem
Then change include_length, check_crl and CA_path to be :
include_length = yes
check_crl = yes
CA_path = ${certdir}/
Then run killall -HUP radiusd and radius will restart, and now should accept certs which are NOT revoked, but throw out your rejected cert.
I hope that helps someone! Bear in mind if you DON'T concatenate the ca.pem and mycrl.pem, anything you revoked will NOT be revoked (the CA will still say it's signed and ok) - so ENSURE you keep your CRL file handy, OR ensure your client certificates are not issued for HUGE amounts of time :)
Thank you Mr Pete
I mean it. Worked 'out of the box'.
I'm so pleased with this page
Very new to Linux but following this instruction step by step, i was able to establish a TLS connection to a RedHat9 server within 1 working day. I use Ruckus Wireless Access Point and Odyssey client. Choose option to ignore server validation. Works like charm. Thank you so much !!!
Working RH v5.1 Version
Hi Guys - thought this might be useful, (Red Hat'd version of this article). I'm a novice and perhaps this isn't best practice but it's working for me:
-- Certificate Setup --
1. Modify /etc/pki/tls/openssl.cnf - this file contains the defaults information for the certificates.
dir = /etc/ssl
countryName_default = GB
stateOrProvinceName_default = Antrim
localityName_default = Belfast
0.organizationName_default = CSI Ireland Limited
2. Create the file /etc/ssl/xpextensions with the following, these are additional extensions required by XP clients:
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
3. Create a new self-signed certificate authority (if not already created) in /etc/ssl:
mkdir private
mkdir newcerts
touch index.txt
echo '01' > serial
openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 3650
4. Create server certificate request in /etc/ssl:
openssl req -new -nodes -keyout server_key.pem -out server_req.pem -days 730
5. Sign server certificate using the certificate authority created earlier (with XP extensions):
openssl ca -policy policy_anything -out server_cert.pem -extensions xpserver_ext -extfile /etc/ssl/xpextensions -infiles /etc/ssl/server_req.pem
6. Create a server file with both the server key and the server certificate:
cat server_key.pem server_cert.pem > server_keycert.pem
7. Create a client certificate request in /etc/ssl:
openssl req -new -keyout client_key.pem -out client_req.pem -days 730
8. Sign client certificate using the certificate authority created earlier (with XP extensions):
openssl ca -policy policy_anything -out client_cert.pem -extensions xpclient_ext -extfile /etc/ssl/xpextensions -infiles /etc/ssl/client_req.pem
9. Export the client certificate in the appropriate format (P12) for an XP client:
openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out client_cert.p12 -clcerts
10. Export the root certificate of the server in the appropriate format (DER) for an XP client:
openssl x509 -setalias "Radius@CSI" -outform DER -in cacert.pem -out cacert.der
11. The files 'client_cert.p12' and 'cacert.der' can now be safely moved to a folder for import onto the XP clients.
-- FreeRadius Setup --
12. Remove the FreeRadius default certificate files etc:
rm -Rf /etc/raddb/demoCA
13. Create the appropriate directories in /etc/raddb in which to keep the certificate information:
mkdir /etc/raddb/certs
14. Move the server certificate and the root certificate to the FreeRadius folder:
cp /etc/ssl/cacert.pem /etc/raddb/certs/
cp /etc/ssl/server_keycert.pem /etc/raddb/certs/
15. Create the Diffie-Hellman parameters file using for TLS:
openssl dhparam -check -text -5 512 -out dh
16. Create the random bitstream file for TLS:
dd if=/dev/urandom of=random count=2
17. Modify /etc/raddb/eap.conf (full listing):
eap {
default_eap_type = tls
tls {
private_key_password = ************
private_key_file = ${raddbdir}/certs/server_keycert.pem
certificate_file = ${raddbdir}/certs/server_keycert.pem
CA_file = ${raddbdir}/certs/cacert.pem
dh_file = ${raddbdir}/certs/dh
random_file = ${raddbdir}/certs/random
}
}
18. Client a radius client for the wireless access point in /etc/raddb/clients.conf:
client x.x.x.x/xx {
secret = **************
shortname = Secure-WAP
}
19. Modify /etc/raddb/radius.conf:
(To see authentication requests and results)
log_auth = yes
authorize {
preprocess
eap
files
}
authenticate{
eap
}
excellent documentation
this step by step explanation is really helpful. It worked for me..Thanks
Encrypting the unencrypted private key
If you used the -nodes on the server key request as in Part II but want to now encrypt the private key, you can use
mv server_key.pem server_key_DELETEME.pem
openssl rsa -in server_key_DELETEME.pem -des3 -out server_key.pem
You will be prompted for a passphrase for the (new) server_key.pem. You must give -des or -des3 for the new key to be encrypted.
You'll want to recreate server_keycert.pem from the new server_key.pem.
The server_cert.pem doesn't change.
You can use this command anytime you might want to change the passphrase on a private key.
I use this command to check users' ssh keys to see that they actually have a passphrase.
openssl rsa -passin 'pass:' -in id_rsa -out /dev/null
peap with tls not working
I followed the steps as mentioned in this article, configured PEAP with TLS but unable to establish connection with the access point. But when i enable "Authentication as
computer when computer info is available" on xp supplicant i could see the traffic hitting freeradius server for the 1st time alone.
Am using intel pro/2200 bg wireless card on xp supplicant and linksys wap54g AP. I have enabled wpa_enterprise on the AP and configured the same on xp supplicant.
did anyone faced this issue ?
supplicant in windows
Hi all,
I followed the steps in the entire 3 parts of this article but i am not able to establish a connection with the Access point. I am using a Netgear wg311v2 card(uses acx_pci in linux and netgear wireless utility for a GUI based configuration in windows basically a Ndis driver). I am trying to setup the WPA support through the Netgear wireless GUI utility. But WPA-PSK is only available. Does anyone know if Netgear wg311v2 supports other WPA methods say the WPA-RADIUS? This is of utmost priority....Kindly let me know even the basic clues that can make the set up work.
Thank u,
Cheers,
Anuranjani Nandakumar
Network snarfing of private keys? Huh?
There's no need to ever transfer private keys around between CA hosts and RADIUS servers.
You avoid this completely by generating the private key on the RADIUS host, generating your certificate request on that host, transfering the request to the CA, signing it there (with the CA private key that never leaves the CA host) and copying the signed certificate (which contains no private information) back to the RADIUS host (in the clear if you really want).
Now, for convenience it might be handy to keep the private key and cert together and generate both on the CA host, but we're erring on the side of security here, right? ;)
Certain proprietary operating systems might make it hard for you to take this approach, of course.
How to connect to WPA-protected WLAN before logging (to domain)?
Great set of articles. I've setup FreeRADIUS, CA, APs & WinXP clients and everything works well (when I log on to WinXP local account). But there's a problem - how can I connect my WinXP client to WPA (EAP-TLS) protected network BEFORE he logs to domain (SAMBA)? Before logging there's no certificate to use for WPA (they are stored in profiles I think). So how can I login to domain and get certificate from profile before connecting to network which needs it?
There's tool - "wpa_supplicant" - I've heard that it can be run as service in WinXP and can connect system to WPA-protected network but I don't want use it (it requires additional configuration and certs are required to be stored on client's disk, not mentioning about unencrypted password for certificate in configuration file, this i potential security hole - someone can copy certs & conf from one computer to another and can gain access to network)
Regards
Chris
How to connect to WPA-protected WLAN before logging (to domain)?
Any ideas?
Great guide!!
Thanks for this wonderfull explanation about wpa in general, and eap-tls in particular. Especially the explanation of how you make appropriate certificates is excellent. Many tutorials about creating those certificates make use of some scripts that come with freeradius, but those never worked for me. With your step by step approach we understand what we're doing, in contrast to those scripts.
Great article, but needs some corrections
Great Article.
I had the same errors as described above:
- The first error is in the listing of eap.conf:
private_key_file = ${raddbdir}/certs/bt_keycert.pem
certificate_file = ${raddbdir}/certs/bt_keycert.pem
This should read:
private_key_file = ${raddbdir}/certs/server_keycert.pem
certificate_file = ${raddbdir}/certs/server_keycert.pem
Most distributions already create radiusd user + group so if you install from a package just run radius as that user instead of user nobody.
After this I still had trouble running it under user radiusd (error reading root CA stuff) running as user root was working!
found solution at google groups:
I did a #chown -R radiusd /etc/raddb/.
This is from google groups (not sure if you need to do this)
[root@p doc]# chmod -R -rwx /etc/raddb
[root@p doc]# chmod u+rwx /etc/raddb
[root@p doc]# chmod u+rwx /etc/raddb/certs/
[root@p doc]# chmod u+rwx /etc/raddb/certs/demoCA/
[root@p doc]# chmod -R u+rw /etc/raddb
[root@p doc]# mkdir /var/run/radiusd
[root@p doc]# chown radiusd:radiusd /var/run/radiusd.pid
[root@p doc]# chown -R radiusd:radius /var/run/radiusd
[root@p run]# /etc/init.d/radiusd stop
Stopping RADIUS server: [FAILED]
[root@p run]# /etc/init.d/radiusd start
Starting RADIUS server: [ OK ]
[root@p run]# /etc/init.d/radiusd status
radiusd (pid 6239) is running...
Now radius started without errors...I now have to check if I can get my clients to connect...
WLAN FREE RADIUS with windows xp SP2 supplicant
I followed the article and made corrections to eap.conf.
- The first error is in the listing of eap.conf:
private_key_file = ${raddbdir}/certs/bt_keycert.pem
certificate_file = ${raddbdir}/certs/bt_keycert.pem
This should read:
private_key_file = ${raddbdir}/certs/server_keycert.pem
certificate_file = ${raddbdir}/certs/server_keycert.pem
Radius server started with no errors.
I want to add one point to the article regarding configuring the windows xp sp2 supplicant.
After you follow the article for configuring win xp sp2 supplicant. go the wireless network properties under Authentication Tab click properties and uncheck validate server.
Once i did that i was able to connect to the wireless network. I dont know if this is right or i did something wrong while creating the certificates.
Thanks again
Thank you for the three-part article. It was very useful and as far as I'm concerned it works.
My test system is composed of:
1 radius server on Gentoo Linux,
2 Linksys WAP54G
1 Linksys WRT54G
1 AMD Turion64 laptop with Broadcom wifi (used native WinXP SP2 supplicant)
Would like to point out that on the Linksys APs you should use the WPA-Enterprise security option (not the RADIUS option).
fopen error
Hi. I found a solution, which seems to work: http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg156...
cacert.pem
I have followed your step and keep getting this error. I checked the perrmissions on cacert.pem and it is set as you say to set it.
8830:error:0200100D:system library:fopen:Permission denied:bss_file.c:104:fopen('/etc/raddb/certs/cacert.pem','r')
18830:error:2006D002:BIO routines:BIO_new_file:system lib:bss_file.c:109:
18830:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:274:
rlm_eap_tls: Error reading Trusted root CA list
rlm_eap: Failed to initialize type tls
radiusd.conf[9]: eap: Module instantiation failed.
in radiusd.conf coment out
in radiusd.conf coment out lines :
# user = radiusd
# group = radiusd
maybe it is not safe to run radius as root but at least it solves the problem :)
CA.all script file
In the 30th line of CA.all script (ie. under the freeradius source directory) file make sure you have set the path properly, that should resolve this issue.
me too
me too
fopen:Permission denied:bss_file.c
I too have this same problem
Fixing fopen:Permission denied:bss_file.c
When freeradius is installed via the RPMS available for CentOS and I assume Fedora the permissions on /etc/raddb prevent other user from executing the directory. To get rid of the fopen error and still keep things relatively closed down just execute:
chmod o+x /etc/raddb
I also had to change
I also had to change permissions on the certs directory in /etc/raddb to be able to connect successfully
chmod o+x /etc/raddb
sorry that was u+x
sorry that was u+x /etc/raddb/certs
OMG that solved my problem..
OMG that solved my problem.. Thank you!!
small problem
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: SSL error error:0906D06C:PEM routines:PEM_read_bio:no start line
rlm_eap_tls: Error reading certificate file
rlm_eap: Failed to initialize type tls
radiusd.conf[10]: eap: Module instantiation failed.
radiusd.conf[1919] Unknown module "eap".
radiusd.conf[1866] Failed to parse authenticate section.
any idea?
Verify that password for
Verify that password for private key in eap.conf is properly set.
how did u fix this issue?
i meet the same status~
Plz tell me how to fix this issue?
THX
What did you do to fix this?
What did you do to fix this?
ok i got it
ok i got it
but when i want to connect to my wlan i got invalid cerificate...
What did you do to fix this issue?
Hi, I also have the same problem. What have you done to get this fixed? Could you pase a copy of your radiusd.conf?
i had the same issue in
i had the same issue in debian, apparently you have to build a package instead of ./configure, make and make install, i used the instruction here http://wiki.freeradius.org/Build#Building_Debian_packages hope that helps