Paranoid Penguin - Securing Your WLAN with WPA and FreeRADIUS, Part III

The final step in this new, more secure wireless network project includes hooking up some non-Linux clients to the new standard.

In the previous two Paranoid Penguin columns, I described how Wi-Fi protected access (WPA) can protect wireless LANs (WLANs) from unauthorized access and eavesdropping. I also began explaining how to use FreeRADIUS to implement WPA on your own WLAN. So far, we covered installing FreeRADIUS, creating a certificate authority (CA) and generating and signing digital certificates for WPA use. This month, I show you where to put those certificates, how to configure FreeRADIUS and how to configure your wireless access point and clients. With this information, you should be off to a good start in securing your WLAN.

A Brief Review

In case you're new to this series of articles or simply need some reminders about precisely what we're trying to achieve, let's briefly review our purpose and scope. WPA adds powerful authentication functionality to the older, cryptographically broken WEP protocol in the form of the 802.1x protocol and its subprotocols, such as EAP, PEAP and EAP-TLS. WPA also adds dynamic session key negotiation and automatic key regeneration, by way of the TKIP protocol. If your wireless client software supports WPA—that is, if it includes a WPA supplicant—and your wireless access point supports WPA, you're two-thirds of the way there already. But if you want to take full advantage of 802.1x, you need a back-end RADIUS server, which is where FreeRADIUS comes in.

In the example scenario I established last time, we're configuring a FreeRADIUS server to authenticate Windows XP wireless clients connecting to any WPA-compatible wireless access point. Our 802.1x method is EAP-TLS. EAP-TLS, you might recall, uses the TLS protocol to authenticate wireless supplicants (clients) and your access point to one another by using X.509 digital certificates.

The tasks at hand in this column are:

  • To install the server and CA certificates we created last time onto our FreeRADIUS server.

  • To configure FreeRADIUS to use these certificates with EAP-TLS to authenticate users for our access point.

  • To configure our access point to redirect authentication to our FreeRADIUS server.

  • To install the client and CA certificates we created last time onto a Windows XP client and configure it to use WPA when connecting to the WLAN.

Preparing the FreeRADIUS Server

In Part II of this WPA series, we created three X.509 digital certificates: a certificate authority certificate, called cacert.pem; one server certificate, called server_keycert.pem; and a client certificate, called client_cert.p12. The server and client files contain both a certificate and its private key, so each of these must be handled carefully. The CA certificate, however, is stored separately from its key, so you can distribute cacert.pem freely.

FreeRADIUS stores its configuration files in either /etc/raddb/ or /usr/local/etc/raddb/, depending on your distribution. This directory contains a subdirectory, certs/—this, naturally, is where you need to copy your CA certificate and your server certificate/key. Make sure that cacert.pem is owned by the user root and that its permissions are set to -r--r--r--. server_keycert.pem, on the other hand, should be owned by the user nobody and its permissions set to -r--------. Listing 1 shows the long directory listings for these two files.

As long as you're attending to file ownerships, you also should make sure that the file /var/log/radius/radius.log and the directory /var/run/radiusd/ are writable by nobody. If you compiled FreeRADIUS from source, these paths instead may be /usr/local/var/log/radius/radius.log and /usr/local/var/run/radiusd/. Both radius.log and radiusd/ may be owned by nobody.

Before we dive into FreeRADIUS' configuration files, we need to create two files that FreeRADIUS must have in order to use TLS. The first is a Diffie-Hellman parameters file, or dh file, which is used for negotiating TLS session keys. To create a dh file, change your working directory to FreeRADIUS' raddb/certs/ directory and issue this command:

# openssl dhparam -check -text -5 512 -out dh

The second file you need is a data file that contains a random bitstream that also is used in TLS operations. Do not simply stick the current timestamp or any other similarly nonrandom string into a file called random, as is suggested in at least one WPA procedure I've seen on the Internet. Rather, use the kernel's high-quality random number generator. From within raddb/certs, run this command:

# dd if=/dev/urandom of=random count=2

Both of these files need to be readable by the user nobody, but they should not be writable by anybody.

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Addendum

Mr Pete's picture

killall -HUP radiusd may not work for some - you may need to kill (stop) the daemon entirely, and restart it for it to reread the .pem files.

Addendum

Mr Pete's picture

killall -HUP radiusd may not work for some - you may need to kill (stop) the daemon entirely, and restart it for it to reread the .pem files.

Getting CRLs to work properly (hurrah!)

Mr Pete's picture

This guide on FreeRADIUS & WPA Enterprise is brilliant, but I had major problems getting a CRL to work/check correctly - but have figured it out and will share it with everyone CLEARLY, to save other poor souls the problems I've had (along with others who get no clear help on the FreeRADIUS lists!)

To revoke a certificate, run :

openssl ca -revoke CERT_TO_REVOKE.pem -keyfile ca.key -cert ca.pem -config ./ca.cnf

Obviously your filenames may vary :)

Once it's revoked, run these commands :

openssl ca -gencrl -keyfile ca.key -cert ca.pem -out mycrl.pem -config ca.cnf
cat ca.pem mycrl.pem > ca_and_crl.pem

That will build a CRL file (mycrl.pem), and then concatenate your ca.pem file with it, to build ca_and_crl.pem

The ca_and_crl.pem is now your CA cert WITH the CRL. This is KEY to the whole thing working!

Then, edit your eap.conf and edit CA_file so it reads :

CA_file = ${certdir}/ca_and_crl.pem

Then change include_length, check_crl and CA_path to be :

include_length = yes
check_crl = yes
CA_path = ${certdir}/

Then run killall -HUP radiusd and radius will restart, and now should accept certs which are NOT revoked, but throw out your rejected cert.

I hope that helps someone! Bear in mind if you DON'T concatenate the ca.pem and mycrl.pem, anything you revoked will NOT be revoked (the CA will still say it's signed and ok) - so ENSURE you keep your CRL file handy, OR ensure your client certificates are not issued for HUGE amounts of time :)

Thank you Mr Pete

vp's picture

I mean it. Worked 'out of the box'.

I'm so pleased with this page

Angela Nguyen's picture

Very new to Linux but following this instruction step by step, i was able to establish a TLS connection to a RedHat9 server within 1 working day. I use Ruckus Wireless Access Point and Odyssey client. Choose option to ignore server validation. Works like charm. Thank you so much !!!

Working RH v5.1 Version

Mark-CSI's picture

Hi Guys - thought this might be useful, (Red Hat'd version of this article). I'm a novice and perhaps this isn't best practice but it's working for me:

-- Certificate Setup --

1. Modify /etc/pki/tls/openssl.cnf - this file contains the defaults information for the certificates.

dir = /etc/ssl
countryName_default = GB
stateOrProvinceName_default = Antrim
localityName_default = Belfast
0.organizationName_default = CSI Ireland Limited

2. Create the file /etc/ssl/xpextensions with the following, these are additional extensions required by XP clients:

[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2

[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

3. Create a new self-signed certificate authority (if not already created) in /etc/ssl:

mkdir private
mkdir newcerts
touch index.txt
echo '01' > serial
openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 3650

4. Create server certificate request in /etc/ssl:

openssl req -new -nodes -keyout server_key.pem -out server_req.pem -days 730

5. Sign server certificate using the certificate authority created earlier (with XP extensions):

openssl ca -policy policy_anything -out server_cert.pem -extensions xpserver_ext -extfile /etc/ssl/xpextensions -infiles /etc/ssl/server_req.pem

6. Create a server file with both the server key and the server certificate:

cat server_key.pem server_cert.pem > server_keycert.pem

7. Create a client certificate request in /etc/ssl:

openssl req -new -keyout client_key.pem -out client_req.pem -days 730

8. Sign client certificate using the certificate authority created earlier (with XP extensions):

openssl ca -policy policy_anything -out client_cert.pem -extensions xpclient_ext -extfile /etc/ssl/xpextensions -infiles /etc/ssl/client_req.pem

9. Export the client certificate in the appropriate format (P12) for an XP client:

openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out client_cert.p12 -clcerts

10. Export the root certificate of the server in the appropriate format (DER) for an XP client:

openssl x509 -setalias "Radius@CSI" -outform DER -in cacert.pem -out cacert.der

11. The files 'client_cert.p12' and 'cacert.der' can now be safely moved to a folder for import onto the XP clients.

-- FreeRadius Setup --

12. Remove the FreeRadius default certificate files etc:

rm -Rf /etc/raddb/demoCA

13. Create the appropriate directories in /etc/raddb in which to keep the certificate information:

mkdir /etc/raddb/certs

14. Move the server certificate and the root certificate to the FreeRadius folder:

cp /etc/ssl/cacert.pem /etc/raddb/certs/
cp /etc/ssl/server_keycert.pem /etc/raddb/certs/

15. Create the Diffie-Hellman parameters file using for TLS:

openssl dhparam -check -text -5 512 -out dh

16. Create the random bitstream file for TLS:

dd if=/dev/urandom of=random count=2

17. Modify /etc/raddb/eap.conf (full listing):

eap {
default_eap_type = tls

tls {
private_key_password = ************
private_key_file = ${raddbdir}/certs/server_keycert.pem
certificate_file = ${raddbdir}/certs/server_keycert.pem
CA_file = ${raddbdir}/certs/cacert.pem
dh_file = ${raddbdir}/certs/dh
random_file = ${raddbdir}/certs/random
}
}

18. Client a radius client for the wireless access point in /etc/raddb/clients.conf:

client x.x.x.x/xx {
secret = **************
shortname = Secure-WAP
}

19. Modify /etc/raddb/radius.conf:

(To see authentication requests and results)
log_auth = yes

authorize {
preprocess
eap
files
}

authenticate{
eap
}

excellent documentation

Kiran Kumar N's picture

this step by step explanation is really helpful. It worked for me..Thanks

Encrypting the unencrypted private key

Anonymous's picture

If you used the -nodes on the server key request as in Part II but want to now encrypt the private key, you can use

mv server_key.pem server_key_DELETEME.pem
openssl rsa -in server_key_DELETEME.pem -des3 -out server_key.pem

You will be prompted for a passphrase for the (new) server_key.pem. You must give -des or -des3 for the new key to be encrypted.
You'll want to recreate server_keycert.pem from the new server_key.pem.

The server_cert.pem doesn't change.

You can use this command anytime you might want to change the passphrase on a private key.

I use this command to check users' ssh keys to see that they actually have a passphrase.

openssl rsa -passin 'pass:' -in id_rsa -out /dev/null

peap with tls not working

karthi's picture

I followed the steps as mentioned in this article, configured PEAP with TLS but unable to establish connection with the access point. But when i enable "Authentication as
computer when computer info is available" on xp supplicant i could see the traffic hitting freeradius server for the 1st time alone.

Am using intel pro/2200 bg wireless card on xp supplicant and linksys wap54g AP. I have enabled wpa_enterprise on the AP and configured the same on xp supplicant.

did anyone faced this issue ?

supplicant in windows

Anuranjani N's picture

Hi all,
I followed the steps in the entire 3 parts of this article but i am not able to establish a connection with the Access point. I am using a Netgear wg311v2 card(uses acx_pci in linux and netgear wireless utility for a GUI based configuration in windows basically a Ndis driver). I am trying to setup the WPA support through the Netgear wireless GUI utility. But WPA-PSK is only available. Does anyone know if Netgear wg311v2 supports other WPA methods say the WPA-RADIUS? This is of utmost priority....Kindly let me know even the basic clues that can make the set up work.

Thank u,
Cheers,
Anuranjani Nandakumar

Network snarfing of private keys? Huh?

Adrian Close's picture

There's no need to ever transfer private keys around between CA hosts and RADIUS servers.

You avoid this completely by generating the private key on the RADIUS host, generating your certificate request on that host, transfering the request to the CA, signing it there (with the CA private key that never leaves the CA host) and copying the signed certificate (which contains no private information) back to the RADIUS host (in the clear if you really want).

Now, for convenience it might be handy to keep the private key and cert together and generate both on the CA host, but we're erring on the side of security here, right? ;)

Certain proprietary operating systems might make it hard for you to take this approach, of course.

How to connect to WPA-protected WLAN before logging (to domain)?

Xysiu's picture

Great set of articles. I've setup FreeRADIUS, CA, APs & WinXP clients and everything works well (when I log on to WinXP local account). But there's a problem - how can I connect my WinXP client to WPA (EAP-TLS) protected network BEFORE he logs to domain (SAMBA)? Before logging there's no certificate to use for WPA (they are stored in profiles I think). So how can I login to domain and get certificate from profile before connecting to network which needs it?

There's tool - "wpa_supplicant" - I've heard that it can be run as service in WinXP and can connect system to WPA-protected network but I don't want use it (it requires additional configuration and certs are required to be stored on client's disk, not mentioning about unencrypted password for certificate in configuration file, this i potential security hole - someone can copy certs & conf from one computer to another and can gain access to network)

Regards

Chris

How to connect to WPA-protected WLAN before logging (to domain)?

Nav's picture

Any ideas?

Great guide!!

Flupper's picture

Thanks for this wonderfull explanation about wpa in general, and eap-tls in particular. Especially the explanation of how you make appropriate certificates is excellent. Many tutorials about creating those certificates make use of some scripts that come with freeradius, but those never worked for me. With your step by step approach we understand what we're doing, in contrast to those scripts.

Great article, but needs some corrections

Anonymous's picture

Great Article.
I had the same errors as described above:

- The first error is in the listing of eap.conf:
private_key_file = ${raddbdir}/certs/bt_keycert.pem
certificate_file = ${raddbdir}/certs/bt_keycert.pem

This should read:
private_key_file = ${raddbdir}/certs/server_keycert.pem
certificate_file = ${raddbdir}/certs/server_keycert.pem

Most distributions already create radiusd user + group so if you install from a package just run radius as that user instead of user nobody.
After this I still had trouble running it under user radiusd (error reading root CA stuff) running as user root was working!
found solution at google groups:
I did a #chown -R radiusd /etc/raddb/.
This is from google groups (not sure if you need to do this)
[root@p doc]# chmod -R -rwx /etc/raddb
[root@p doc]# chmod u+rwx /etc/raddb
[root@p doc]# chmod u+rwx /etc/raddb/certs/
[root@p doc]# chmod u+rwx /etc/raddb/certs/demoCA/
[root@p doc]# chmod -R u+rw /etc/raddb
[root@p doc]# mkdir /var/run/radiusd
[root@p doc]# chown radiusd:radiusd /var/run/radiusd.pid
[root@p doc]# chown -R radiusd:radius /var/run/radiusd

[root@p run]# /etc/init.d/radiusd stop
Stopping RADIUS server: [FAILED]
[root@p run]# /etc/init.d/radiusd start
Starting RADIUS server: [ OK ]
[root@p run]# /etc/init.d/radiusd status
radiusd (pid 6239) is running...
Now radius started without errors...I now have to check if I can get my clients to connect...

WLAN FREE RADIUS with windows xp SP2 supplicant

naveen's picture

I followed the article and made corrections to eap.conf.

- The first error is in the listing of eap.conf:
private_key_file = ${raddbdir}/certs/bt_keycert.pem
certificate_file = ${raddbdir}/certs/bt_keycert.pem

This should read:
private_key_file = ${raddbdir}/certs/server_keycert.pem
certificate_file = ${raddbdir}/certs/server_keycert.pem

Radius server started with no errors.

I want to add one point to the article regarding configuring the windows xp sp2 supplicant.

After you follow the article for configuring win xp sp2 supplicant. go the wireless network properties under Authentication Tab click properties and uncheck validate server.

Once i did that i was able to connect to the wireless network. I dont know if this is right or i did something wrong while creating the certificates.

Thanks again

Reader's picture

Thank you for the three-part article. It was very useful and as far as I'm concerned it works.
My test system is composed of:
1 radius server on Gentoo Linux,
2 Linksys WAP54G
1 Linksys WRT54G
1 AMD Turion64 laptop with Broadcom wifi (used native WinXP SP2 supplicant)

Would like to point out that on the Linksys APs you should use the WPA-Enterprise security option (not the RADIUS option).

fopen error

Anders Olesen's picture

cacert.pem

Ben Rice's picture

I have followed your step and keep getting this error. I checked the perrmissions on cacert.pem and it is set as you say to set it.

8830:error:0200100D:system library:fopen:Permission denied:bss_file.c:104:fopen('/etc/raddb/certs/cacert.pem','r')
18830:error:2006D002:BIO routines:BIO_new_file:system lib:bss_file.c:109:
18830:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:274:
rlm_eap_tls: Error reading Trusted root CA list
rlm_eap: Failed to initialize type tls
radiusd.conf[9]: eap: Module instantiation failed.

in radiusd.conf coment out

Anonymous's picture

in radiusd.conf coment out lines :

# user = radiusd
# group = radiusd

maybe it is not safe to run radius as root but at least it solves the problem :)

CA.all script file

Anonymous's picture

In the 30th line of CA.all script (ie. under the freeradius source directory) file make sure you have set the path properly, that should resolve this issue.

me too

Anonymous's picture

me too

fopen:Permission denied:bss_file.c

dhesse's picture

I too have this same problem

Fixing fopen:Permission denied:bss_file.c

Anonymous's picture

When freeradius is installed via the RPMS available for CentOS and I assume Fedora the permissions on /etc/raddb prevent other user from executing the directory. To get rid of the fopen error and still keep things relatively closed down just execute:

chmod o+x /etc/raddb

I also had to change

Anonymous's picture

I also had to change permissions on the certs directory in /etc/raddb to be able to connect successfully

chmod o+x /etc/raddb

sorry that was u+x

Anonymous's picture

sorry that was u+x /etc/raddb/certs

OMG that solved my problem..

Anonymous's picture

OMG that solved my problem.. Thank you!!

small problem

polak's picture

rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: SSL error error:0906D06C:PEM routines:PEM_read_bio:no start line
rlm_eap_tls: Error reading certificate file
rlm_eap: Failed to initialize type tls
radiusd.conf[10]: eap: Module instantiation failed.
radiusd.conf[1919] Unknown module "eap".
radiusd.conf[1866] Failed to parse authenticate section.

any idea?

Verify that password for

Anonymous's picture

Verify that password for private key in eap.conf is properly set.

how did u fix this issue?

Colin's picture

i meet the same status~
Plz tell me how to fix this issue?
THX

What did you do to fix this?

Anonymous's picture

What did you do to fix this?

ok i got it

polak's picture

ok i got it
but when i want to connect to my wlan i got invalid cerificate...

What did you do to fix this issue?

flow's picture

Hi, I also have the same problem. What have you done to get this fixed? Could you pase a copy of your radiusd.conf?

i had the same issue in

mick's picture

i had the same issue in debian, apparently you have to build a package instead of ./configure, make and make install, i used the instruction here http://wiki.freeradius.org/Build#Building_Debian_packages hope that helps

Webinar
One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Learn More

Sponsored by Bit9

Webinar
Linux Backup and Recovery Webinar

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.

Learn More

Sponsored by Storix