Paranoid Penguin - Securing Your WLAN with WPA and FreeRADIUS, Part III

killall -HUP radiusd may not work for some - you may need to kill (stop) the daemon entirely, and restart it for it to reread the .pem files.

Hi Guys - thought this might be useful, (Red Hat'd version of this article). I'm a novice and perhaps this isn't best practice but it's working for me:

-- Certificate Setup --

1. Modify /etc/pki/tls/openssl.cnf - this file contains the defaults information for the certificates.

dir = /etc/ssl
countryName_default = GB
stateOrProvinceName_default = Antrim
localityName_default = Belfast
0.organizationName_default = CSI Ireland Limited

2. Create the file /etc/ssl/xpextensions with the following, these are additional extensions required by XP clients:

[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2

[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

3. Create a new self-signed certificate authority (if not already created) in /etc/ssl:

mkdir private
mkdir newcerts
touch index.txt
echo '01' > serial
openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 3650

4. Create server certificate request in /etc/ssl:

openssl req -new -nodes -keyout server_key.pem -out server_req.pem -days 730

5. Sign server certificate using the certificate authority created earlier (with XP extensions):

openssl ca -policy policy_anything -out server_cert.pem -extensions xpserver_ext -extfile /etc/ssl/xpextensions -infiles /etc/ssl/server_req.pem

6. Create a server file with both the server key and the server certificate:

cat server_key.pem server_cert.pem > server_keycert.pem

7. Create a client certificate request in /etc/ssl:

openssl req -new -keyout client_key.pem -out client_req.pem -days 730

8. Sign client certificate using the certificate authority created earlier (with XP extensions):

openssl ca -policy policy_anything -out client_cert.pem -extensions xpclient_ext -extfile /etc/ssl/xpextensions -infiles /etc/ssl/client_req.pem

9. Export the client certificate in the appropriate format (P12) for an XP client:

openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out client_cert.p12 -clcerts

10. Export the root certificate of the server in the appropriate format (DER) for an XP client:

openssl x509 -setalias "Radius@CSI" -outform DER -in cacert.pem -out cacert.der

11. The files 'client_cert.p12' and 'cacert.der' can now be safely moved to a folder for import onto the XP clients.

-- FreeRadius Setup --

12. Remove the FreeRadius default certificate files etc:

rm -Rf /etc/raddb/demoCA

13. Create the appropriate directories in /etc/raddb in which to keep the certificate information:

mkdir /etc/raddb/certs

14. Move the server certificate and the root certificate to the FreeRadius folder:

cp /etc/ssl/cacert.pem /etc/raddb/certs/
cp /etc/ssl/server_keycert.pem /etc/raddb/certs/

15. Create the Diffie-Hellman parameters file using for TLS:

openssl dhparam -check -text -5 512 -out dh

16. Create the random bitstream file for TLS:

dd if=/dev/urandom of=random count=2

17. Modify /etc/raddb/eap.conf (full listing):

eap {
default_eap_type = tls

tls {
private_key_password = ************
private_key_file = ${raddbdir}/certs/server_keycert.pem
certificate_file = ${raddbdir}/certs/server_keycert.pem
CA_file = ${raddbdir}/certs/cacert.pem
dh_file = ${raddbdir}/certs/dh
random_file = ${raddbdir}/certs/random
}
}

18. Client a radius client for the wireless access point in /etc/raddb/clients.conf:

client x.x.x.x/xx {
secret = **************
shortname = Secure-WAP
}

19. Modify /etc/raddb/radius.conf:

(To see authentication requests and results)
log_auth = yes

authorize {
preprocess
eap
files
}

authenticate{
eap
}

If you used the -nodes on the server key request as in Part II but want to now encrypt the private key, you can use

mv server_key.pem server_key_DELETEME.pem
openssl rsa -in server_key_DELETEME.pem -des3 -out server_key.pem

You will be prompted for a passphrase for the (new) server_key.pem. You must give -des or -des3 for the new key to be encrypted.
You'll want to recreate server_keycert.pem from the new server_key.pem.

The server_cert.pem doesn't change.

You can use this command anytime you might want to change the passphrase on a private key.

I use this command to check users' ssh keys to see that they actually have a passphrase.

openssl rsa -passin 'pass:' -in id_rsa -out /dev/null


Hi all,
I followed the steps in the entire 3 parts of this article but i am not able to establish a connection with the Access point. I am using a Netgear wg311v2 card(uses acx_pci in linux and netgear wireless utility for a GUI based configuration in windows basically a Ndis driver). I am trying to setup the WPA support through the Netgear wireless GUI utility. But WPA-PSK is only available. Does anyone know if Netgear wg311v2 supports other WPA methods say the WPA-RADIUS? This is of utmost priority....Kindly let me know even the basic clues that can make the set up work.

Thank u,
Cheers,
Anuranjani Nandakumar

Great set of articles. I've setup FreeRADIUS, CA, APs & WinXP clients and everything works well (when I log on to WinXP local account). But there's a problem - how can I connect my WinXP client to WPA (EAP-TLS) protected network BEFORE he logs to domain (SAMBA)? Before logging there's no certificate to use for WPA (they are stored in profiles I think). So how can I login to domain and get certificate from profile before connecting to network which needs it?

There's tool - "wpa_supplicant" - I've heard that it can be run as service in WinXP and can connect system to WPA-protected network but I don't want use it (it requires additional configuration and certs are required to be stored on client's disk, not mentioning about unencrypted password for certificate in configuration file, this i potential security hole - someone can copy certs & conf from one computer to another and can gain access to network)

Regards

Chris

Thanks for this wonderfull explanation about wpa in general, and eap-tls in particular. Especially the explanation of how you make appropriate certificates is excellent. Many tutorials about creating those certificates make use of some scripts that come with freeradius, but those never worked for me. With your step by step approach we understand what we're doing, in contrast to those scripts.

Hi. I found a solution, which seems to work: http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg156...