Paranoid Penguin - Securing Your WLAN with WPA and FreeRADIUS, Part III

The final step in this new, more secure wireless network project includes hooking up some non-Linux clients to the new standard.
Configuring the Access Point

The next step is the easiest part of this entire process: configure your wireless access point to use WPA and to point to your FreeRADIUS server. This requires only two pieces of information, the RADIUS secret you entered in your FreeRADIUS server's clients.conf file and the IP address of your FreeRADIUS server.

How you present those two pieces of information to your access point depends on your particular hardware and software. My own access point is an Actiontec DSL router with WLAN functionality. From its Web interface I clicked Setup→Advanced Setup→Wireless Settings and set Security to WPA. I then configured it to use 802.1x rather than a pre-shared key. I also provided it with a Server IP Address of, my FreeRADIUS server's IP and a Secret of 1sUpErpASSw0rD, as shown in Listing 4. I left the value for Port to its default of 1812.

Speaking of which, if your access point and RADIUS server are separated by a firewall, you need to allow the access point to reach the RADIUS server on UDP ports 1812 and 1813. Doing so also allows the RADIUS server to send packets back from those ports.

Configuring Windows XP Clients

And that brings us to configuring a Windows XP wireless client to use your newly WPA-enabled access point. This being a Linux magazine, I'm not going to describe this process in painstaking detail—for that you can see section 4.3 of Ken Roser's HOWTO, listed in the on-line Resources. In summary, you need to:

  1. Run the command mmc from Start→Run....

  2. In Microsoft Management Console, select File→Add/Remove Snap-in, add the Certificates snap-in and set it to manage certificates for My user account and, on the next screen, only for the Local computer.

  3. Copy your CA (cacert.pem) certificate to your Windows system's hard drive, for example, to C:\cacert.pem.

  4. From within MMC, expand Console Root and Certificates - Current User and right-click on Trusted Root Certification Authorities. In the pop-up menu, select All Tasks→Import. Tell the subsequent wizard to import the file C:\cacert.pem and to store it in Trusted Root Certification Authorities.

  5. Copy your client certificate/key file to your Windows system, for example, to C:\client_cert.p12.

  6. From within MMC→Console Root→Certificates, expand Personal and right-click on Certificates. In the pop-up menu, select All Tasks→Import. Tell the subsequent wizard to import the file C:\client_cert.p12.

  7. The certificate-import wizard then prompts you for the certificate's passphrase. In the same dialog, it offers the option to enable strong private key protection. Unfortunately, enabling this breaks WPA, so be sure to leave this option unchecked. Also, leave the option to mark this key as exportable unchecked—you're better off backing up the password-protected file you just imported rather than allowing the imported nonprotected version to be exportable.

  8. In the subsequent screen, let the wizard Automatically select the certificate store.

Now your Windows XP system is ready to go—all that remains is to create a wireless network profile. This, however, varies depending on your wireless card's drivers and which Windows XP Service Pack you're running. On my Windows XP SP1 system, using a Centrino chipset and XP's native WPA supplicant, I created a wireless network profile specifying my WLAN's SSID. I set Network Authentication to WPA, Data encryption to TKIP and EAP type to Smart Card or other Certificate. Windows automatically determined which client certificate I used—this is because we took pains to create a client certificate that references Windows XP's extended attributes (see my previous column).

After you configure your wireless network profile, your Windows system should connect automatically to your access point and negotiate a WPA connection. If this succeeds, Network Connections should show a status of Authentication succeeded for your Wireless Network Connection entry.


I hope you've gotten this far successfully and are off to a good start with WPA. WPA isn't perfect—the world needs WPA supplicants that can handle passphrase-protected client certificates without storing passphrases in clear text. But, wireless networking is, it seems, finally headed in a secure direction.

Resources for this article: /article/8200.

Mick Bauer, CISSP, is Linux Journal's security editor and an IS security consultant in Minneapolis, Minnesota. O'Reilly & Associates recently released the second edition of his book Linux Server Security (January 2005). Mick also composes industrial polka music but has the good taste seldom to perform it.



Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.


Mr Pete's picture

killall -HUP radiusd may not work for some - you may need to kill (stop) the daemon entirely, and restart it for it to reread the .pem files.


Mr Pete's picture

killall -HUP radiusd may not work for some - you may need to kill (stop) the daemon entirely, and restart it for it to reread the .pem files.

Getting CRLs to work properly (hurrah!)

Mr Pete's picture

This guide on FreeRADIUS & WPA Enterprise is brilliant, but I had major problems getting a CRL to work/check correctly - but have figured it out and will share it with everyone CLEARLY, to save other poor souls the problems I've had (along with others who get no clear help on the FreeRADIUS lists!)

To revoke a certificate, run :

openssl ca -revoke CERT_TO_REVOKE.pem -keyfile ca.key -cert ca.pem -config ./ca.cnf

Obviously your filenames may vary :)

Once it's revoked, run these commands :

openssl ca -gencrl -keyfile ca.key -cert ca.pem -out mycrl.pem -config ca.cnf
cat ca.pem mycrl.pem > ca_and_crl.pem

That will build a CRL file (mycrl.pem), and then concatenate your ca.pem file with it, to build ca_and_crl.pem

The ca_and_crl.pem is now your CA cert WITH the CRL. This is KEY to the whole thing working!

Then, edit your eap.conf and edit CA_file so it reads :

CA_file = ${certdir}/ca_and_crl.pem

Then change include_length, check_crl and CA_path to be :

include_length = yes
check_crl = yes
CA_path = ${certdir}/

Then run killall -HUP radiusd and radius will restart, and now should accept certs which are NOT revoked, but throw out your rejected cert.

I hope that helps someone! Bear in mind if you DON'T concatenate the ca.pem and mycrl.pem, anything you revoked will NOT be revoked (the CA will still say it's signed and ok) - so ENSURE you keep your CRL file handy, OR ensure your client certificates are not issued for HUGE amounts of time :)

Thank you Mr Pete

vp's picture

I mean it. Worked 'out of the box'.

I'm so pleased with this page

Angela Nguyen's picture

Very new to Linux but following this instruction step by step, i was able to establish a TLS connection to a RedHat9 server within 1 working day. I use Ruckus Wireless Access Point and Odyssey client. Choose option to ignore server validation. Works like charm. Thank you so much !!!

Working RH v5.1 Version

Mark-CSI's picture

Hi Guys - thought this might be useful, (Red Hat'd version of this article). I'm a novice and perhaps this isn't best practice but it's working for me:

-- Certificate Setup --

1. Modify /etc/pki/tls/openssl.cnf - this file contains the defaults information for the certificates.

dir = /etc/ssl
countryName_default = GB
stateOrProvinceName_default = Antrim
localityName_default = Belfast
0.organizationName_default = CSI Ireland Limited

2. Create the file /etc/ssl/xpextensions with the following, these are additional extensions required by XP clients:

[ xpclient_ext ]
extendedKeyUsage =

[ xpserver_ext ]
extendedKeyUsage =

3. Create a new self-signed certificate authority (if not already created) in /etc/ssl:

mkdir private
mkdir newcerts
touch index.txt
echo '01' > serial
openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 3650

4. Create server certificate request in /etc/ssl:

openssl req -new -nodes -keyout server_key.pem -out server_req.pem -days 730

5. Sign server certificate using the certificate authority created earlier (with XP extensions):

openssl ca -policy policy_anything -out server_cert.pem -extensions xpserver_ext -extfile /etc/ssl/xpextensions -infiles /etc/ssl/server_req.pem

6. Create a server file with both the server key and the server certificate:

cat server_key.pem server_cert.pem > server_keycert.pem

7. Create a client certificate request in /etc/ssl:

openssl req -new -keyout client_key.pem -out client_req.pem -days 730

8. Sign client certificate using the certificate authority created earlier (with XP extensions):

openssl ca -policy policy_anything -out client_cert.pem -extensions xpclient_ext -extfile /etc/ssl/xpextensions -infiles /etc/ssl/client_req.pem

9. Export the client certificate in the appropriate format (P12) for an XP client:

openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out client_cert.p12 -clcerts

10. Export the root certificate of the server in the appropriate format (DER) for an XP client:

openssl x509 -setalias "Radius@CSI" -outform DER -in cacert.pem -out cacert.der

11. The files 'client_cert.p12' and 'cacert.der' can now be safely moved to a folder for import onto the XP clients.

-- FreeRadius Setup --

12. Remove the FreeRadius default certificate files etc:

rm -Rf /etc/raddb/demoCA

13. Create the appropriate directories in /etc/raddb in which to keep the certificate information:

mkdir /etc/raddb/certs

14. Move the server certificate and the root certificate to the FreeRadius folder:

cp /etc/ssl/cacert.pem /etc/raddb/certs/
cp /etc/ssl/server_keycert.pem /etc/raddb/certs/

15. Create the Diffie-Hellman parameters file using for TLS:

openssl dhparam -check -text -5 512 -out dh

16. Create the random bitstream file for TLS:

dd if=/dev/urandom of=random count=2

17. Modify /etc/raddb/eap.conf (full listing):

eap {
default_eap_type = tls

tls {
private_key_password = ************
private_key_file = ${raddbdir}/certs/server_keycert.pem
certificate_file = ${raddbdir}/certs/server_keycert.pem
CA_file = ${raddbdir}/certs/cacert.pem
dh_file = ${raddbdir}/certs/dh
random_file = ${raddbdir}/certs/random

18. Client a radius client for the wireless access point in /etc/raddb/clients.conf:

client x.x.x.x/xx {
secret = **************
shortname = Secure-WAP

19. Modify /etc/raddb/radius.conf:

(To see authentication requests and results)
log_auth = yes

authorize {


excellent documentation

Kiran Kumar N's picture

this step by step explanation is really helpful. It worked for me..Thanks

Encrypting the unencrypted private key

Anonymous's picture

If you used the -nodes on the server key request as in Part II but want to now encrypt the private key, you can use

mv server_key.pem server_key_DELETEME.pem
openssl rsa -in server_key_DELETEME.pem -des3 -out server_key.pem

You will be prompted for a passphrase for the (new) server_key.pem. You must give -des or -des3 for the new key to be encrypted.
You'll want to recreate server_keycert.pem from the new server_key.pem.

The server_cert.pem doesn't change.

You can use this command anytime you might want to change the passphrase on a private key.

I use this command to check users' ssh keys to see that they actually have a passphrase.

openssl rsa -passin 'pass:' -in id_rsa -out /dev/null

peap with tls not working

karthi's picture

I followed the steps as mentioned in this article, configured PEAP with TLS but unable to establish connection with the access point. But when i enable "Authentication as
computer when computer info is available" on xp supplicant i could see the traffic hitting freeradius server for the 1st time alone.

Am using intel pro/2200 bg wireless card on xp supplicant and linksys wap54g AP. I have enabled wpa_enterprise on the AP and configured the same on xp supplicant.

did anyone faced this issue ?

supplicant in windows

Anuranjani N's picture

Hi all,
I followed the steps in the entire 3 parts of this article but i am not able to establish a connection with the Access point. I am using a Netgear wg311v2 card(uses acx_pci in linux and netgear wireless utility for a GUI based configuration in windows basically a Ndis driver). I am trying to setup the WPA support through the Netgear wireless GUI utility. But WPA-PSK is only available. Does anyone know if Netgear wg311v2 supports other WPA methods say the WPA-RADIUS? This is of utmost priority....Kindly let me know even the basic clues that can make the set up work.

Thank u,
Anuranjani Nandakumar

Network snarfing of private keys? Huh?

Adrian Close's picture

There's no need to ever transfer private keys around between CA hosts and RADIUS servers.

You avoid this completely by generating the private key on the RADIUS host, generating your certificate request on that host, transfering the request to the CA, signing it there (with the CA private key that never leaves the CA host) and copying the signed certificate (which contains no private information) back to the RADIUS host (in the clear if you really want).

Now, for convenience it might be handy to keep the private key and cert together and generate both on the CA host, but we're erring on the side of security here, right? ;)

Certain proprietary operating systems might make it hard for you to take this approach, of course.

How to connect to WPA-protected WLAN before logging (to domain)?

Xysiu's picture

Great set of articles. I've setup FreeRADIUS, CA, APs & WinXP clients and everything works well (when I log on to WinXP local account). But there's a problem - how can I connect my WinXP client to WPA (EAP-TLS) protected network BEFORE he logs to domain (SAMBA)? Before logging there's no certificate to use for WPA (they are stored in profiles I think). So how can I login to domain and get certificate from profile before connecting to network which needs it?

There's tool - "wpa_supplicant" - I've heard that it can be run as service in WinXP and can connect system to WPA-protected network but I don't want use it (it requires additional configuration and certs are required to be stored on client's disk, not mentioning about unencrypted password for certificate in configuration file, this i potential security hole - someone can copy certs & conf from one computer to another and can gain access to network)



How to connect to WPA-protected WLAN before logging (to domain)?

Nav's picture

Any ideas?

Great guide!!

Flupper's picture

Thanks for this wonderfull explanation about wpa in general, and eap-tls in particular. Especially the explanation of how you make appropriate certificates is excellent. Many tutorials about creating those certificates make use of some scripts that come with freeradius, but those never worked for me. With your step by step approach we understand what we're doing, in contrast to those scripts.

Great article, but needs some corrections

Anonymous's picture

Great Article.
I had the same errors as described above:

- The first error is in the listing of eap.conf:
private_key_file = ${raddbdir}/certs/bt_keycert.pem
certificate_file = ${raddbdir}/certs/bt_keycert.pem

This should read:
private_key_file = ${raddbdir}/certs/server_keycert.pem
certificate_file = ${raddbdir}/certs/server_keycert.pem

Most distributions already create radiusd user + group so if you install from a package just run radius as that user instead of user nobody.
After this I still had trouble running it under user radiusd (error reading root CA stuff) running as user root was working!
found solution at google groups:
I did a #chown -R radiusd /etc/raddb/.
This is from google groups (not sure if you need to do this)
[root@p doc]# chmod -R -rwx /etc/raddb
[root@p doc]# chmod u+rwx /etc/raddb
[root@p doc]# chmod u+rwx /etc/raddb/certs/
[root@p doc]# chmod u+rwx /etc/raddb/certs/demoCA/
[root@p doc]# chmod -R u+rw /etc/raddb
[root@p doc]# mkdir /var/run/radiusd
[root@p doc]# chown radiusd:radiusd /var/run/
[root@p doc]# chown -R radiusd:radius /var/run/radiusd

[root@p run]# /etc/init.d/radiusd stop
Stopping RADIUS server: [FAILED]
[root@p run]# /etc/init.d/radiusd start
Starting RADIUS server: [ OK ]
[root@p run]# /etc/init.d/radiusd status
radiusd (pid 6239) is running...
Now radius started without errors...I now have to check if I can get my clients to connect...

WLAN FREE RADIUS with windows xp SP2 supplicant

naveen's picture

I followed the article and made corrections to eap.conf.

- The first error is in the listing of eap.conf:
private_key_file = ${raddbdir}/certs/bt_keycert.pem
certificate_file = ${raddbdir}/certs/bt_keycert.pem

This should read:
private_key_file = ${raddbdir}/certs/server_keycert.pem
certificate_file = ${raddbdir}/certs/server_keycert.pem

Radius server started with no errors.

I want to add one point to the article regarding configuring the windows xp sp2 supplicant.

After you follow the article for configuring win xp sp2 supplicant. go the wireless network properties under Authentication Tab click properties and uncheck validate server.

Once i did that i was able to connect to the wireless network. I dont know if this is right or i did something wrong while creating the certificates.

Thanks again

Reader's picture

Thank you for the three-part article. It was very useful and as far as I'm concerned it works.
My test system is composed of:
1 radius server on Gentoo Linux,
2 Linksys WAP54G
1 Linksys WRT54G
1 AMD Turion64 laptop with Broadcom wifi (used native WinXP SP2 supplicant)

Would like to point out that on the Linksys APs you should use the WPA-Enterprise security option (not the RADIUS option).

fopen error

Anders Olesen's picture


Ben Rice's picture

I have followed your step and keep getting this error. I checked the perrmissions on cacert.pem and it is set as you say to set it.

8830:error:0200100D:system library:fopen:Permission denied:bss_file.c:104:fopen('/etc/raddb/certs/cacert.pem','r')
18830:error:2006D002:BIO routines:BIO_new_file:system lib:bss_file.c:109:
18830:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:274:
rlm_eap_tls: Error reading Trusted root CA list
rlm_eap: Failed to initialize type tls
radiusd.conf[9]: eap: Module instantiation failed.

in radiusd.conf coment out

Anonymous's picture

in radiusd.conf coment out lines :

# user = radiusd
# group = radiusd

maybe it is not safe to run radius as root but at least it solves the problem :)

CA.all script file

Anonymous's picture

In the 30th line of CA.all script (ie. under the freeradius source directory) file make sure you have set the path properly, that should resolve this issue.

me too

Anonymous's picture

me too

fopen:Permission denied:bss_file.c

dhesse's picture

I too have this same problem

Fixing fopen:Permission denied:bss_file.c

Anonymous's picture

When freeradius is installed via the RPMS available for CentOS and I assume Fedora the permissions on /etc/raddb prevent other user from executing the directory. To get rid of the fopen error and still keep things relatively closed down just execute:

chmod o+x /etc/raddb

I also had to change

Anonymous's picture

I also had to change permissions on the certs directory in /etc/raddb to be able to connect successfully

chmod o+x /etc/raddb

sorry that was u+x

Anonymous's picture

sorry that was u+x /etc/raddb/certs

OMG that solved my problem..

Anonymous's picture

OMG that solved my problem.. Thank you!!

small problem

polak's picture

rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: SSL error error:0906D06C:PEM routines:PEM_read_bio:no start line
rlm_eap_tls: Error reading certificate file
rlm_eap: Failed to initialize type tls
radiusd.conf[10]: eap: Module instantiation failed.
radiusd.conf[1919] Unknown module "eap".
radiusd.conf[1866] Failed to parse authenticate section.

any idea?

Verify that password for

Anonymous's picture

Verify that password for private key in eap.conf is properly set.

how did u fix this issue?

Colin's picture

i meet the same status~
Plz tell me how to fix this issue?

What did you do to fix this?

Anonymous's picture

What did you do to fix this?

ok i got it

polak's picture

ok i got it
but when i want to connect to my wlan i got invalid cerificate...

What did you do to fix this issue?

flow's picture

Hi, I also have the same problem. What have you done to get this fixed? Could you pase a copy of your radiusd.conf?

i had the same issue in

mick's picture

i had the same issue in debian, apparently you have to build a package instead of ./configure, make and make install, i used the instruction here hope that helps