
Page 1: Freeradius for XP Client

7/23/2019 Freeradius for XP Client

http://slidepdf.com/reader/full/freeradius-for-xp-client 1/16

How To: Setting up FreeRADIUS for WPA & WPA2 Enterprise - Part 2

Equipment and Software Setup

Before we get into the nitty gritty of getting your own CA, public and private keys set up, here's the run down on the equipment and software I'll be using and the typeface conventions I'll be following for the code listings.

When we're talking about setting up an industrial strength security implementation, Linux is the natural choice. I've tried to make this How To as general as I can, but you'll have to be aware of the little distro-to-distro differences. So I've included my setup in the table below.

My Setup
Distribution: Slackware 10.2
Kernel: 2.6.21 Series (Custom Compiled)
OpenSSL Version: 0.9.8g
FreeRADIUS Version: 1.1.7
Wireless Router/AP: D-Link DGL router

I'm going to compile everything from source, which will work on every distro. But I recommend you use your distro's package management software, such as APT or portage, if you are familiar with using it (it will make the installation that much easier).

It is very important that you use at least version 0.9.8g of OpenSSL, which was released just a few weeks before this How To was published. You'll need this version or higher because some of the options we need to use didn't appear until the 0.9.8g release.

Typeface Conventions

To make it easier to follow and copy/paste, I am going to provide copies of the actual shell commands that I used and their output. They'll appear in blocks like this:

Code Goes in Here...

Everything you enter will appear in boldface. The output from the command will be in normal formatting.

~ $ openssl version
OpenSSL 0.9.8e 23 Feb 2007

Any parameters (such as filenames, passwords, etc.) that you'll need to adjust for your setup will be in bold-italic.

~ $ openssl sha1 myfile.txt
SHA1(myfile.txt)= da39a3ee5e6b4b0d3255bfef95601890afd80709

Occasionally, I'll break up long commands onto multiple lines by "escaping" the newline at the end of the command. This is done by typing a backslash (\), hitting return and continuing the command.

~ $ somecommand -that -has -a -million \
-options -and -you -have -to \
-use -them -all -on myfile.txt

For my bash shell I've set PS1 like this:

bash-3.1$ export PS1="\w \$ "
~ $

Some commands will require super-user privileges, so elevate yourself to super-user status by using:

~ $ su


Note: Ubuntu is slightly different here. You'll need to enter "sudo su", then, when prompted, enter your user password and you'll have a root shell.

We're going to be digging into some pretty monstrous config files in a moment, so I'll print line numbers at the beginning of the line and highlight what I've changed/added in bold-italic.

2123 post-proxy {
2124
2125 # If you want to have a log of replies from a home server,
2126 # un-comment the following line and the 'detail post_proxy_log'
2127 # section above.
2128 # post_proxy_log
2129
2130 # attr_rewrite
2131
2132 # Uncomment the following line if you want to filter replies from
2133 # remote proxies based on the rules defined in the 'attrs' file.
2134
2135 # attr_filter
2136
2137 #
2138 # If you are proxying LEAP, you MUST configure the EAP
2139 # module and you MUST list it here in the post-proxy
2140 # stage.
2141 #
2142 # You MUST also use the 'nostrip' option in the 'realm'
2143 # configuration. Otherwise the User-Name attribute
2144 # in the proxied request will not match the user name
2145 # hidden inside of the LEAP packet and the end server will
2146 # reject the LEAP request.
2147 #
2148 eap
2149 }

And I'll occasionally abbreviate long uninteresting output with an ellipsis.

~ $ command
Uninteresting output that keeps going.
...

So, without further ado, let's lock down our wireless network.


Setting up OpenSSL

The first step in getting the razor-wire set up around your wireless AP is to generate your very own CA (Certificate Authority).

First, download the latest version of OpenSSL. As noted earlier, this is 0.9.8g as I write this.

~ $ wget http://www.openssl.org/source/openssl-0.9.8g.tar.gz

It's always good practice to verify the checksum of any source download (especially with security related software). For some odd reason OpenSSL doesn't list a properly formatted md5 checksum file, so you'll have to eye-ball it.

~ $ cat openssl-0.9.8g.tar.gz.md5
&470&13'9b3'8bdb7)bd&14))19
~ $ md5sum openssl-0.9.8g.tar.gz
&470&13'9b3'8bdb7)bd&14))19 openssl-0.9.8g.tar.gz

Next, extract OpenSSL from the tarball.

~ $ tar xvf openssl-0.9.8g.tar.gz

Move into the newly extracted OpenSSL directory and run the config script.

~ $ cd openssl-0.9.8g
~/openssl-0.9.8g $ ./config

Finally, compile and install OpenSSL.

~/openssl-0.9.8g $ make
...
~/openssl-0.9.8g $ su -c "make install"
Password: pA55w0rd
...

Ok, now that we've got OpenSSL installed, we need to set up a few directories to organize the keys we're about to create. Depending on where you look and who you ask, there are numerous ways to do this. I'm a fan of the KISS approach, so here is how I set it up.

Change back into your home directory and create a "CA" directory with a "signed_certs" sub directory and a "private" sub directory.

~/openssl-0.9.8g $ cd
~ $ mkdir CA
~ $ mkdir CA/signed_certs
~ $ mkdir CA/private
~ $ chmod 700 CA/private

"signed_certs" will hold copies of all the certificates that we sign with our CA. That way, if we need to revoke a certificate, we'll have a copy locally. "private" will hold the CA's private key. It's very important to keep the CA key secret, because if it gets compromised, it could be used to sign untrusted certificates that might be used to trick clients into unknowingly sharing sensitive information with an untrusted machine. I've locked it down above by changing the permissions so that only I can read, write and execute it.

There are quite a few command line options and even more information required in prompts that are pretty redundant. So it's easiest to create a local copy of the OpenSSL config, modify it and force OpenSSL to use it with the "-config" option. (Note: the location of the original openssl.cnf file may be different if you didn't build from source.)

~ $ cp /etc/ssl/openssl.cnf /home/brandon/CA/


Open up openssl.cnf with your favorite text editor and change the following in the "CA_default" section. (Remember that the numbers that appear first on each line are line numbers; don't enter them into the config file.)

35 [ CA_default ]
36
37 dir = /home/brandon/CA   # Where everything is kept
38 certs = $dir/certs   # Where the issued certs are kept
39 crl_dir = $dir/crl   # Where the issued crl are kept
40 database = $dir/index.txt   # database index file.
41 #unique_subject = no   # Set to 'no' to allow creation of
42   # several certificates with same subject.
43 new_certs_dir = $dir/signed_certs   # default place for new certs.
44
45 certificate = $dir/cacert.pem   # The CA certificate
46 serial = $dir/serial   # The current serial number
47 crlnumber = $dir/crlnumber   # the current crl number
48   # must be commented out to leave a V1 CRL
49 crl = $dir/crl.pem   # The current CRL
50 private_key = $dir/private/cakey.pem   # The private key
51 RANDFILE = $dir/private/.rand   # private random number file
52
53 x509_extensions = usr_cert   # The extentions to add to the cert

If you're planning on using Windows to manage the wireless network on the clients, we need to add some additional extensions to the end of the config file. Add the following sections to the end of "openssl.cnf" (this happens to be line 316 for me):

316 # Windows XP TLS Extensions
317 [ xpclient_ext ]
318 extendedKeyUsage = 1.3.6.1.5.5.7.3.2
319 [ xpserver_ext ]
320 extendedKeyUsage = 1.3.6.1.5.5.7.3.1

Next, head on down to line 123 and change the defaults for the "distinguished name" to suit your application. The "distinguished name" section contains little bits of useful information for labeling public keys. As we'll see in a moment, the keys themselves are pretty ugly (even when encoded in ASCII). To help keep track of them, they're labeled with some information, and at this point the public key is referred to as a certificate. I'll use "certificate" to stay consistent with how OpenSSL refers to them, but functionally they're equivalent.

123 [ req_distinguished_name ]
124 countryName = Country Name (2 letter code)
125 countryName_default = US
126 countryName_min = 2
127 countryName_max = 2
...

You can set a default value for any of the parameters listed here by adding "_default" to the end of the variable name. In the example above, "countryName_default" is the default value for "countryName". Finally, touch "index.txt", a simple text-based database used to track signed certificates.

~/CA $ touch index.txt


Respect My (Certificate) Authority

Now that we've got our environment set up, it's time to create the CA and issue some keys. Since OpenSSL is so complex, it works a little bit differently than the usual *NIX commands. Most notably, it has a handful of sub-commands (the first argument) that handle the details.

To create a new key pair, first we create a "certificate request" (sub-command "req"). The certificate request is then sent off to be signed by the CA and becomes a bona fide public key. Creating the CA key pair starts off the same way we'd create a regular key pair, using the command below.

For most of the responses, you just hit the Enter key to accept the defaults we set up in the config file. Make sure to use a strong password for the CA key; it's the only thing standing between the hacker and your CA key if it's ever compromised.

~/CA $ openssl req -new -keyout private/cakey.pem -out careq.pem \
-config ./openssl.cnf
Generating a 2048 bit RSA private key
..........................................+++
...+++
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase: pA55w0rd
Verifying - Enter PEM pass phrase: pA55w0rd
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [The Great State You Live In]:
Locality Name (eg, city) [My Town USA]:
Organization Name (eg, company) [SmallNetBuilder]:
Organizational Unit Name (eg, section) [Security Division]:
Common Name (eg, YOUR name) []: CA
Email Address []: you@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Next, we need to "self-sign" the certificate to turn it into a CA.

~/CA $ openssl ca -create_serial -out cacert.pem -keyfile private/cakey.pem \
-selfsign -extensions v3_ca -config ./openssl.cnf -in careq.pem
Using configuration from ./openssl.cnf
Enter pass phrase for private/cakey.pem: pA55w0rd
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:


            f2:c8:4a:d0:f5:09:28:b7
        Validity
            Not Before: Oct 24 03:17:49 2007 GMT
            Not After : Oct 23 03:17:49 2008 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = The Great State You Live In
            organizationName          = SmallNetBuilder
            organizationalUnitName    = Security Division
            commonName                = CA
            emailAddress              = you@example.com
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                J0D1DNFD7NDA8D2DN9D98DN0D81D98D2D7D9DCAD'7D3JD7DF3D02
            X509v3 Authority Key Identifier:
                keyid:J0D1DNFD7NDA8D2DN9D98DN0D81D98D2D7D9DCAD'7D3JD7DF3D02
                DirName:/C=US/ST=The Great State You Live In/O ...
                serial:F2:C8:4A:D0:F5:09:28:B7
            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Oct 23 03:17:49 2008 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

(Note that the DirName: line above was truncated [...] because it was too wide for most browser screens!)

In the command above, "-create_serial" (new in recent versions of OpenSSL) creates a hex serial number for this key. "-extensions" specifies the section of the openssl.cnf config file to look in for specific extensions to append to the newly created certificate (public key). In this case, we're using the v3_ca section which, among other things, contains this setting:

basicConstraints = CA:true

This allows the key to be used to sign other keys, acting as the CA.

The last step is to create a copy of the CA certificate encoded in the DER format, because Windows likes only binary encoded certificates.

~/CA $ openssl x509 -inform PEM -outform DER -in cacert.pem -out cacert.der

Creating the Client and Server Keys

Now that we've got our CA all set up, we need to issue key pairs for the server and all of our clients. Start by creating a new key pair:

~/CA $ openssl req -new -config ./openssl.cnf -keyout server_key.pem \
-out server_req.pem
Generating a 2048 bit RSA private key
.......+++
.................................+++
writing new private key to 'server_key.pem'


Enter PEM pass phrase: pA55w0rd
Verifying - Enter PEM pass phrase: pA55w0rd
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [The Great State You Live In]:
Locality Name (eg, city) [My Town USA]:
Organization Name (eg, company) [SmallNetBuilder]:
Organizational Unit Name (eg, section) [Security Division]:
Common Name (eg, YOUR name) []: server
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Now sign the key with our newly created CA:

~/CA $ openssl ca -config ./openssl.cnf -in server_req.pem -out server_cert.pem
Using configuration from ./openssl.cnf
Enter pass phrase for /home/brandon/CA/private/cakey.pem: pA55w0rd
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            f2:c8:4a:d0:f5:09:28:b8
        Validity
            Not Before: Nov  1 02:32:07 2007 GMT
            Not After : Oct 31 02:32:07 2008 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = The Great State You Live In
            organizationName          = SmallNetBuilder
            organizationalUnitName    = Security Division
            commonName                = server
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                71DA0DFND1CD3'DN7DN8D1JD1CDA)DCDJFDA'DNAD80DD89D09DN7DC
            X509v3 Authority Key Identifier:
                keyid:J0D1DNFD7NDA8D2DN9D98DN0D81D98D2D7D9DCAD'7D3JD7DF3D02


Certificate is to be certified until Oct 31 02:32:07 2008 GMT (365 days)
Sign the certificate? [y/n]: y
1 out of 1 certificate requests certified, commit? [y/n] y
Write out database with 1 new entries
Data Base Updated

Note: If you're planning on using Windows to manage the wireless connection on the clients, use the X509v3 extensions we added earlier instead:

~/CA $ openssl ca -config ./openssl.cnf -extensions xpserver_ext \
 -in server_req.pem -out server_cert.pem

Create key pairs for your clients using the exact same command. Just change the key filenames and the "Common Name" to something meaningful for your application. Here's what I used for this set up:

~/CA $ openssl req -new -config ./openssl.cnf -keyout linux_laptop_key.pem \
-out linux_laptop_req.pem
...
Common Name (eg, YOUR name) []: linux_laptop

And:

~/CA $ openssl req -new -config ./openssl.cnf -keyout winxp_laptop_key.pem \
-out winxp_laptop_req.pem
...
Common Name (eg, YOUR name) []: winxp_laptop

Sign both certificate requests the same way we signed the server's certificate. Here's the command for my Linux laptop key:

~/CA $ openssl ca -config ./openssl.cnf -in linux_laptop_req.pem \
 -out linux_laptop_cert.pem

Again, use the X509v3 extensions if Windows is managing wireless on the clients:

~/CA $ openssl ca -config ./openssl.cnf -extensions xpclient_ext \
 -in winxp_laptop_req.pem -out winxp_laptop_cert.pem

Now we've got both pairs of keys created and signed. Windows needs a little help to understand all this security, so we have to package the client certificate and corresponding private key into a PKCS#12 file. Linux is happy working with them either way, so we'll package them both for consistency.

~/CA $ openssl pkcs12 -export -clcerts -in winxp_laptop_cert.pem \
-inkey winxp_laptop_key.pem -out winxp_laptop.p12
Enter pass phrase for winxp_laptop_key.pem: pA55w0rd
Enter Export Password: pA55w0rd
Verifying - Enter Export Password: pA55w0rd

The command above uses OpenSSL's pkcs12 utility to "-export" a new PKCS#12 file. "-clcerts" tells OpenSSL to only export the client certificate and private key (in other configurations, multiple certificates and keys can be packaged into a single PKCS#12 file). Package the Linux certificate and private key using the same command.

Generating good keys relies on having a good set of "random" data to seed the key generation. While not strictly related to generating PKI keys, we'll need this data later on for FreeRADIUS. We'll use OpenSSL to generate Diffie-Hellman parameters for symmetric key generation.
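Before moving on, here are the CA, server and client certificate steps above condensed into an added example script (not from the original article), followed by the checks worth running before anything is copied to /etc/wireless: that each certificate chains to the CA, that it carries the Windows XP EKU section it was signed with, and that the client CN is the name the users file and wpa_supplicant identity will have to match. It assumes an openssl binary (1.1.1 or newer) on PATH, signs with openssl x509 -req and an extension file instead of the article's openssl ca (so no index.txt/serial database), writes keys without a passphrase (-nodes) so it runs unattended, and the function names, subject values and the pA55w0rd export password are mine.

```shell
#!/bin/sh
# Added example, not from the original article: the CA, server and client
# certificate steps run unattended, plus the checks a practitioner makes
# before copying the files to /etc/wireless.
# Assumptions: 'openssl' (1.1.1 or newer) is on PATH; keys are written
# without a passphrase (-nodes) so nothing prompts; signing uses
# 'openssl x509 -req' with an extension file rather than 'openssl ca', so
# no index.txt/serial database is involved; subject values and the
# pA55w0rd export password are constructed sample data.

issue_cert() {  # $1 = PKI dir, $2 = common name, $3 = extension section
    dir="$1"; cn="$2"; ext="$3"
    # Request with the CN that the users file / wpa_supplicant identity
    # will have to match later.
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/openssl.cnf" \
        -subj "/C=US/O=SmallNetBuilder/CN=$cn" \
        -keyout "$dir/${cn}_key.pem" -out "$dir/${cn}_req.pem" \
        >/dev/null 2>&1 || return 1
    # Sign with the CA, attaching only the EKU section asked for.
    openssl x509 -req -days 365 -in "$dir/${cn}_req.pem" \
        -CA "$dir/cacert.pem" -CAkey "$dir/private/cakey.pem" \
        -CAcreateserial -extfile "$dir/openssl.cnf" -extensions "$ext" \
        -out "$dir/signed_certs/${cn}_cert.pem" >/dev/null 2>&1
}

make_demo_pki() {  # $1 = directory to build the CA in (created if missing)
    dir="$1"
    mkdir -p "$dir/private" "$dir/signed_certs" || return 1
    chmod 700 "$dir/private"            # CA key directory, as in the article
    # Minimal config: a CA section plus the two Windows XP EKU sections
    # from the article (serverAuth / clientAuth OIDs).
    cat > "$dir/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
prompt = no
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
EOF
    # 1. Self-signed CA certificate; the key never leaves private/.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
        -config "$dir/openssl.cnf" -subj "/C=US/O=SmallNetBuilder/CN=CA" \
        -keyout "$dir/private/cakey.pem" -out "$dir/cacert.pem" \
        >/dev/null 2>&1 || return 1
    chmod 600 "$dir/private/cakey.pem"
    # 2. Server and client certificates with the matching EKU.
    issue_cert "$dir" server xpserver_ext || return 1
    issue_cert "$dir" linux_laptop xpclient_ext || return 1
    # 3. PKCS#12 bundle for the client, DER copy of the CA for Windows.
    openssl pkcs12 -export -clcerts \
        -in "$dir/signed_certs/linux_laptop_cert.pem" \
        -inkey "$dir/linux_laptop_key.pem" \
        -out "$dir/linux_laptop.p12" -passout pass:pA55w0rd || return 1
    openssl x509 -inform PEM -outform DER \
        -in "$dir/cacert.pem" -out "$dir/cacert.der"
}

verify_chain() {  # $1 = CA cert, $2 = leaf cert; succeeds when it chains
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

has_eku() {  # $1 = cert, $2 = usage text, e.g. "TLS Web Client Authentication"
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Extended Key Usage' | grep -q "$2"
}

cert_cn() {  # prints the CN; it must equal the wpa_supplicant identity
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}
```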


First, elevate yourself to superuser and create a directory that will house the CA certificate, server public and private keys, a dh file for Diffie-Hellman parameters and a random data file. I chose to put these in /etc/wireless; anywhere readable to FreeRADIUS is fine.

~/CA $ su
Password: pA55w0rd
/home/brandon/CA # mkdir /etc/wireless

Now, copy the server's public and private key and the CA's certificate to /etc/wireless:

/home/brandon/CA # cp cacert.pem server_cert.pem server_key.pem /etc/wireless/

Create 1024-bit Diffie-Hellman parameters with the following:

/etc/wireless # openssl dhparam -out dh 1024

Next create a random file to seed key generation:

/etc/wireless # dd if=/dev/urandom of=random count=2

Installing and Configuring FreeRADIUS

Now it's time to install FreeRADIUS. Download FreeRADIUS and unpack.

~ $ tar xvf freeradius-1.1.7.tar.gz

Configure, install and update your dynamic linked libraries after the install. By default, FreeRADIUS installs in /usr/local and reads its configuration files from /usr/local/etc/raddb.

~ $ cd freeradius-1.1.7
~/freeradius-1.1.7 $ ./configure
~/freeradius-1.1.7 $ make
~/freeradius-1.1.7 $ su -c "make install"
Password: pA55w0rd
...
~/freeradius-1.1.7 $ su -c ldconfig
Password: pA55w0rd
...

FreeRADIUS comes packaged with a pretty monstrous, but well documented, set of config files. Setting up WPA authentication really only scratches the surface of what FreeRADIUS is capable of. Since the default settings get us pretty close, we just need to make a few minor changes to some config files to get RADIUS authentication up and running. Open up radiusd.conf with your favorite text editor and adjust the directory pointers (lines 23 through 40) to suit your system.

23 prefix = /usr/local
24 exec_prefix = ${prefix}
25 sysconfdir = ${prefix}/etc
26 localstatedir = ${prefix}/var
27 sbindir = ${exec_prefix}/sbin
28 logdir = ${localstatedir}/log/radius
29 raddbdir = ${sysconfdir}/raddb
30 radacctdir = ${logdir}/radacct
31
32 # Location of config and logfiles.
33 confdir = ${raddbdir}


34 run_dir = ${localstatedir}/run/radiusd
35
36 #
37 # The logging messages for the server are appended to the
38 # tail of this file.
39 #
40 log_file = ${logdir}/radius.log

The location of the log file (log_file) is especially important. FreeRADIUS usually isn't very informative about runtime errors, instead writing everything to the log. So if you have any problems with FreeRADIUS, take a look at the log. The rest of this config file is huge. The good news is we don't need most of the options FreeRADIUS has for WPA, so we can distill the whole config file down to a fraction of its size.

You can safely comment out (or delete) just about anything that doesn't have to do with TLS or EAP (such as the module sections dealing with PEAP, CHAP, MSCHAP, etc.). Instead of walking you through every change, here is a copy of what I use (this is likely more than the absolute minimum even with all the comments removed).

One big change that needs to be made is changing to an unprivileged user and group on lines 109 and 110:

109 user = nobody
110 group = nobody

Next, open up clients.conf and add a section for your router. The router is the only true "client" to the RADIUS server; the computers that connect are called users. Use the IP address of your router and a strong secret (this is the "password" that the router will use to talk to the RADIUS server). The "shortname" variable is used only for logging, so it can be whatever makes the most sense for you. Unless your NAS (Network Access Server) type is explicitly listed above in the clients.conf file, use "other" for the NAS type.

client <router IP address> {
        secret = smallnetbuilder
        shortname = wireless_ap
        nastype = other
}

Next, edit the users file. Add the default line and lines for each of the client keys we created, using the common name supplied for the key as the user name. Have some fun with the default rejection message.

# users file for FreeRADIUS
winxp_laptop   Auth-Type := EAP
linux_laptop   Auth-Type := EAP
DEFAULT Auth-Type := Reject
        Reply-Message := "Your Computer Ain't Welcome Here!"

Now we'll need to edit eap.conf. Change default_eap_type to TLS:

default_eap_type = tls

Adjust the TLS configuration to suit your set up:

123 tls {
124 private_key_password = pA55w0rd
125 private_key_file = /etc/wireless/server_key.pem
126
127 # If Private key & Certificate are located in


128 # the same file, then private_key_file &
129 # certificate_file must contain the same file
130 # name.
131 certificate_file = /etc/wireless/server_cert.pem
132
133 # Trusted Root CA list
134 CA_file = /etc/wireless/cacert.pem
135
136
137 #
138 # For DH cipher suites to work, you have to
139 # run OpenSSL to create the DH file first:
140 #
141 # openssl dhparam -out certs/dh 1024
142 #
143 dh_file = /etc/wireless/dh
144 random_file = /etc/wireless/random

Configuring the Router

I used a D-Link DGL router [reviewed], so your setup pages may differ. Open up your wireless router or AP's wireless configuration section and find the Wireless Security settings. Change the security mode to WPA-Enterprise or WPA2-Enterprise mode, add the RADIUS server's IP address and the shared secret (see the figures).

Configuring a Linux Client

Connecting a Linux client using WPA or WPA2 security requires wpa_supplicant. Configure wpa_supplicant with the following options set in the ".config" file, in addition to the drivers and interfaces you need for your setup:

CONFIG_IEEE8021X_EAPOL=y
CONFIG_EAP_TLS=y
CONFIG_PKCS12=y
# Make sure to include any other options you need as well

Re-compile and re-install wpa_supplicant. Now create a folder on the Linux client to house the client public and private keys (PKCS#12 file) and the CA certificate. In my case, I set it up in /etc/wireless.

Next edit "wpa_supplicant.conf" and add a section similar to the following, to point to your new WPA-Enterprise setup.

# WPA2-EAP AES using EAP-TLS
network={
        ssid="smallnetbuilder"
        key_mgmt=WPA-EAP
        eap=TLS
        identity="linux_laptop"
        ca_cert="/etc/wireless/cacert.pem"
        private_key="/etc/wireless/linux_laptop.p12"
        private_key_passwd="pA55w0rd"
}


The "identity" field should match the common name on the client certificate and the user we set up in FreeRADIUS' users file. Restart wpa_supplicant and connect to the network.
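The matching rule just stated is the usual thing to get wrong, so here is an added consistency check (not from the original article) that cross-checks the three places a client's name lives: the CA's index.txt database that the earlier touch command created, the FreeRADIUS users file, and the identity line in wpa_supplicant.conf. It reports any EAP user without a valid, unrevoked certificate and any identity that does not exactly match a users entry; the sample files are constructed inline, and the function names and the tab-separated index.txt field layout (status, expiry, revocation date, serial, filename, subject) are assumptions of mine.

```shell
#!/bin/sh
# Added example, not from the original article. Cross-checks the CA's
# index.txt, the FreeRADIUS users file and wpa_supplicant.conf so that the
# certificate CN, the users entry and the identity all agree.
# Assumed index.txt layout (tab-separated): status (V valid / R revoked),
# expiry, revocation date, serial, filename, subject DN.

write_samples() {  # $1 = scratch directory; all three files are constructed
    printf 'V\t081031023207Z\t\tF2C84AD0F50928B8\tunknown\t/C=US/O=SmallNetBuilder/CN=server\n' > "$1/index.txt"
    printf 'V\t081031023500Z\t\tF2C84AD0F50928B9\tunknown\t/C=US/O=SmallNetBuilder/CN=linux_laptop\n' >> "$1/index.txt"
    printf 'R\t081031023600Z\t080201000000Z\tF2C84AD0F50928BA\tunknown\t/C=US/O=SmallNetBuilder/CN=old_laptop\n' >> "$1/index.txt"
    cat > "$1/users" <<'EOF'
# users file for FreeRADIUS (constructed sample)
linux_laptop   Auth-Type := EAP
winxp_laptop   Auth-Type := EAP
DEFAULT Auth-Type := Reject
        Reply-Message := "Your Computer Ain't Welcome Here!"
EOF
    cat > "$1/wpa_supplicant.conf" <<'EOF'
network={
  ssid="smallnetbuilder"
  key_mgmt=WPA-EAP
  eap=TLS
  identity="Linux_Laptop"
  ca_cert="/etc/wireless/cacert.pem"
  private_key="/etc/wireless/linux_laptop.p12"
}
EOF
}

# Prints the CN of every certificate the CA still considers valid (status V).
valid_cns() {  # $1 = index.txt
    awk -F'\t' '$1 == "V" { n = split($6, p, "/"); for (i = 1; i <= n; i++)
        if (p[i] ~ /^CN=/) print substr(p[i], 4) }' "$1"
}

# Prints every user name the users file accepts with Auth-Type EAP.
eap_users() {  # $1 = users file
    awk '/^[^# \t]/ && $2 == "Auth-Type" && toupper($4) == "EAP" { print $1 }' "$1"
}

# Succeeds when user $1 has a valid, unrevoked certificate in index.txt $2.
user_has_valid_cert() {
    valid_cns "$2" | grep -qx -- "$1"
}

# Prints each EAP user without a usable certificate; exit 1 if there are any.
check_users_file() {  # $1 = users file, $2 = index.txt
    rc=0
    for u in $(eap_users "$1"); do
        user_has_valid_cert "$u" "$2" || { echo "no valid cert for user $u"; rc=1; }
    done
    return $rc
}

# Succeeds when the wpa_supplicant identity is exactly (case included) one of
# the EAP users; otherwise prints a diagnostic and fails.
check_identity() {  # $1 = wpa_supplicant.conf, $2 = users file
    id=$(sed -n 's/^[[:space:]]*identity="\(.*\)"$/\1/p' "$1" | head -n1)
    eap_users "$2" | grep -qx -- "$id" && return 0
    echo "identity '$id' is not an EAP user in the users file"
    return 1
}
```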

Configuring a Windows XP Client

Windows users will require the WPA2 patch, if it's not already installed. A quick way to check for this is to open up the advanced properties on any wireless network. If WPA2 is not an option available from the Network Authentication dropdown, you need the patch.

After installing the patch, transfer the CA certificate and the p12 file containing the client certificate and key securely from the server (via a USB flash drive is the easiest).

First, install the CA certificate as a trusted authority by double-clicking on it.

Figure 1: Installing the CA

Click "Install Certificate" and complete the wizard. Next, double-click on the p12 file that contains the client certificate and key to install it.

Figure 2: Installing the Client Keys


Enter the password for the client's private key. (You can optionally require that the password is entered every time the key is used; this gets annoying real quick, so I usually leave that unchecked.)

Figure 3: Client Password

Let Windows automatically store the certificate where it thinks it should go.

Figure 4: Storing the Client Keys

Configuring a Windows XP Client - More

Finish the wizard, and view the wireless networks by double-clicking on the wireless network icon in the taskbar. Select your network and click on "Change Advanced Settings".


Figure 5: Wireless Networks

On the "Wireless Networks" tab, click "Add" under Preferred Networks.

Figure 5: Advanced Configuration

Enter the SSID of your router and change the Network Authentication to WPA2.


Figure 8: WPA2 Configuration

On the "Authentication" tab, click Properties under EAP Type.

Figure 9: EAP Configuration

Select your CA from the list, and check "Use a different username for this connection".


Figure 10: Certificate Selection

Hit OK to finish. Open up the wireless networks again and connect to your newly secured network.

Troubleshooting

There are quite a few pieces that have to play nicely together to get WPA-Enterprise working. Here are a few tools that come in handy if things don't work smoothly on the first try:

Check the FreeRADIUS log. There is a lot of good information in the log that can point you right to the problem. This is especially handy when tweaking the config files, as anything that doesn't parse correctly will log an error.

Run FreeRADIUS in debug mode in the foreground with radiusd -X. This will show you just what FreeRADIUS is thinking. Not all the errors show up here, but the major ones that cause FreeRADIUS to quit do.

Test local connectivity with radtest test test localhost 0 testing123. This one comes straight out of the INSTALL file. If you run FreeRADIUS in the foreground with "radiusd -X" in another terminal, you should be able to see FreeRADIUS dump all kinds of messages when "radtest" runs.

Conclusion

With a little extra hardware, you can add the extra level of security that authentication provides to your wireless network. This gives you better control over the clients that can connect to your network and also helps to keep clients from connecting to untrusted networks. The combination of AES encryption in WPA2 and secure authentication of clients will help protect your network and keep your data secured from prying eyes.