7/23/2019 Freeradius for XP Client
http://slidepdf.com/reader/full/freeradius-for-xp-client 1/16
How To: Setting up FreeRADIUS for WPA & WPA2 Enterprise - Part 2
Equipment and Software Setup
Before we get into the nitty gritty of getting your own CA, public and private keys set up, here's the run down on the equipment and software I'll be using and the typeface conventions I'll be following for the code listings.
When we're talking about setting up an industrial strength security implementation, Linux is the natural choice. I've tried to make this How To as general as I can, but you'll have to be aware of the little distro-to-distro differences. So I've included my setup in the table below.
My Setup
Distribution: Slackware 10.2
Kernel: 2.6.21 Series (Custom Compiled)
OpenSSL Version: 0.9.8g
FreeRADIUS Version: 1.1.7
Wireless Router/AP: D-Link DGL-4300
I'm going to compile everything from source, which will work on every distro. But I recommend you use your distro's package management software, such as APT or portage, if you are familiar with using it (it will make the installation that much easier).
It is very important that you use at least version 0.9.8g of OpenSSL, which was released just a few weeks before this How To was published. You'll need this version or higher because some of the options we need to use didn't appear until the 0.9.8g release.
Typeface Conventions
To make it easier to follow and copy/paste, I am going to provide copies of the actual shell commands that I used and their output. They'll appear in blocks like this:
Code Goes in Here...
Everything you enter will appear in boldface. The output from the command will be in normal formatting.
~ $ openssl version
OpenSSL 0.9.8e 23 Feb 2007
Any parameters (such as filenames, passwords, etc.) that you'll need to adjust for your setup will be in bold-italic.
~ $ openssl sha1 myfile.txt
SHA1(myfile.txt)= da39a3ee5e6b4b0d3255bfef95601890afd80709
Occasionally, I'll break up long commands onto multiple lines by "escaping" the newline at the end of the command. This is done by typing a backslash (\), hitting return and continuing the command.
~ $ somecommand -that -has -a -million \
-options -and -you -have -to \
-use -them -all -on myfile.txt
For my bash shell I've set PS1 like this:
bash-3.1$ export PS1="\w \$ "
~ $
Some commands will require super-user privileges, so elevate yourself to super-user status by using:
~ $ su
Note: Ubuntu is slightly different here; you'll need to enter "sudo su", then, when prompted, enter your user password and you'll have a root shell.
We're going to be digging into some pretty monstrous config files in a moment, so I'll print line numbers at the beginning of the line and highlight what I've changed/added in bold-italic.
2123 post-proxy {
2124
2125 #  If you want to have a log of replies from a home server,
2126 #  un-comment the following line, and the 'detail post_proxy_log'
2127 #  section above.
2128 #  post_proxy_log
2129
2130 #  attr_rewrite
2131
2132 #  Uncomment the following line if you want to filter replies from
2133 #  remote proxies based on the rules defined in the 'attrs' file.
2134
2135 # attr_filter
2136
2137 #
2138 #  If you are proxying LEAP, you MUST configure the EAP
2139 #  module, and you MUST list it here in the post-proxy
2140 #  stage.
2141 #
2142 #  You MUST also use the 'nostrip' option in the 'realm'
2143 #  configuration. Otherwise the User-Name attribute
2144 #  in the proxied request will not match the user name
2145 #  hidden inside of the EAP packet, and the end server will
2146 #  reject the EAP request.
2147 #
2148 eap
2149
And I'll occasionally abbreviate long uninteresting output with an ellipsis.
~ $ command
Uninteresting output that keeps going.
...
So, without further ado, let's lock down our wireless network.
Setting up OpenSSL
The first step in getting the razor-wire set up around your wireless AP is to generate your very own CA (Certificate Authority).
First, download the latest version of OpenSSL. As noted earlier, this is 0.9.8g as I write this.
~ $ wget http://www.openssl.org/source/openssl-0.9.8g.tar.gz
It's always good practice to verify the checksum of any source download (especially with security related software). For some odd reason OpenSSL doesn't list a properly formatted md5 checksum file, so you'll have to eye-ball it.
~ $ cat openssl-0.9.8g.tar.gz.md5
&470&13'9b3'8bdb7)bd&14))19
~ $ md5sum openssl-0.9.8g.tar.gz
&470&13'9b3'8bdb7)bd&14))19 openssl-0.9.8g.tar.gz
Next, extract OpenSSL from the tarball.
~ $ tar xvf openssl-0.9.8g.tar.gz
Move into the newly extracted OpenSSL directory and run the config script.
~ $ cd openssl-0.9.8g
~/openssl-0.9.8g $ ./config
Finally, compile and install OpenSSL.
~/openssl-0.9.8g $ make
...
~/openssl-0.9.8g $ su -c "make install"
Password: pA55w0rd
...
Ok, now that we've got OpenSSL installed, we need to set up a few directories to organize the keys we're about to create. Depending on where you look and who you ask, there are numerous ways to do this. I'm a fan of the KISS approach, so here is how I set it up.
Change back into your home directory and create a "CA" directory with a "signed_certs" sub directory and a "private" sub directory.
~/openssl-0.9.8g $ cd
~ $ mkdir CA
~ $ mkdir CA/signed_certs
~ $ mkdir CA/private
~ $ chmod 700 CA/private
"signed_certs" will hold copies of all the certificates that we sign with our CA. That way, if we need to revoke a certificate, we'll have a copy locally. "private" will hold the CA's private key. It's very important to keep the CA key secret, because if it gets compromised, it could be used to sign untrusted certificates that might be used to trick clients into unknowingly sharing sensitive information with an untrusted machine. I've locked it down above by changing the permissions so that only I can read, write and execute it.
There are quite a few command line options and even more information required in prompts that are pretty redundant. So it's easiest to create a local copy of the OpenSSL config, modify it and force OpenSSL to use it with the "-config" option. (Note: the location of the original openssl.cnf file may be different if you didn't build from source.)
~ $ cp /etc/ssl/openssl.cnf /home/brandon/CA/
Open up openssl.cnf with your favorite text editor and change the following in the "CA_default" section. (Remember that the numbers that appear first on each line are line numbers; don't enter them into the config file.)
35 [ CA_default ]
36
37 dir             = /home/brandon/CA        # Where everything is kept
38 certs           = $dir/certs              # Where the issued certs are kept
39 crl_dir         = $dir/crl                # Where the issued crl are kept
40 database        = $dir/index.txt          # database index file.
41 #unique_subject = no                      # Set to 'no' to allow creation of
42                                           # several certificates with same subject.
43 new_certs_dir   = $dir/signed_certs       # default place for new certs.
44
45 certificate     = $dir/cacert.pem         # The CA certificate
46 serial          = $dir/serial             # The current serial number
47 crlnumber       = $dir/crlnumber          # the current crl number
48                                           # must be commented out to leave a V1 CRL
49 crl             = $dir/crl.pem            # The current CRL
50 private_key     = $dir/private/cakey.pem  # The private key
51 RANDFILE        = $dir/private/.rand      # private random number file
52
53 x509_extensions = usr_cert                # The extensions to add to the cert
If you're planning on using Windows to manage the wireless network on the clients, we need to add some additional extensions to the end of the config file. Add the following sections to the end of "openssl.cnf" (this happens to be line 316 for me):
316 # Windows XP TLS Extensions
317 [ xpclient_ext ]
318 extendedKeyUsage = 1.3.6.1.5.5.7.3.2
319 [ xpserver_ext ]
320 extendedKeyUsage = 1.3.6.1.5.5.7.3.1
Next, head on down to line 123 and change the defaults for the "distinguished name" to suit your application. The "distinguished name" section contains little bits of useful information for labeling public keys. As we'll see in a moment, the keys themselves are pretty ugly (even when encoded in ASCII). To help keep track of them, they're labeled with some information, and at this point the public key is referred to as a certificate. I'll use certificate to stay consistent with how OpenSSL refers to them, but functionally they're equivalent.
123 [ req_distinguished_name ]
124 countryName         = Country Name (2 letter code)
125 countryName_default = US
126 countryName_min     = 2
127 countryName_max     = 2
...
You can set a default value for any of the parameters listed here by adding "_default" to the end of the variable name. In the example above, "countryName_default" is the default value for "countryName". Finally, touch "index.txt", a simple text-based database used to track signed certificates.
~/CA $ touch index.txt
Respect My (Certificate) Authority!
Now that we've got our environment set up, it's time to create the CA and issue some keys. Since OpenSSL is so complex, it works a little bit differently than the usual *NIX commands. Most notably, it has a handful of sub-commands (the first argument) that handle the details.
To create a new key pair, first we create a "certificate request" (sub-command "req"). The certificate request is then sent off to be signed by the CA and becomes a bona fide public key. Creating the CA key pair starts off the same way we'd create a regular key pair, using the command below.
For most of the responses, you just hit the Enter key to accept the defaults we set up in the config file. Make sure to use a strong password for the CA key; it's the only thing standing between the hacker and your CA key if it's ever compromised.
~/CA $ openssl req -new -keyout private/cakey.pem -out careq.pem \
-config ./openssl.cnf
Generating a 2048 bit RSA private key
..........................................+++
...+++
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase: pA55w0rd
Verifying - Enter PEM pass phrase: pA55w0rd
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [The Great State You Live In]:
Locality Name (eg, city) [My Town USA]:
Organization Name (eg, company) [SmallNetBuilder]:
Organizational Unit Name (eg, section) [Security Division]:
Common Name (eg, YOUR name) []: CA
Email Address []: you@example.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Next, we need to "self-sign" the certificate to turn it into a CA.
~/CA $ openssl ca -create_serial -out cacert.pem -keyfile private/cakey.pem \
-selfsign -extensions v3_ca -config ./openssl.cnf -in careq.pem
Using configuration from ./openssl.cnf
Enter pass phrase for private/cakey.pem: pA55w0rd
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
f2:c8:4a:d0:f5:09:28:b7
Validity
Not Before: Oct 24 03:17:49 2007 GMT
Not After : Oct 23 03:17:49 2008 GMT
Subject:
countryName = US
stateOrProvinceName = The Great State You Live In
organizationName = SmallNetBuilder
organizationalUnitName = Security Division
commonName = CA
emailAddress = you@example.com
X509v3 extensions:
X509v3 Subject Key Identifier:
D0:1E:BF:7B:A8:2E:B9:98:B0:81:98:2E:7E:9E:CA:57:3D:7E:F3:02
X509v3 Authority Key Identifier:
keyid:D0:1E:BF:7B:A8:2E:B9:98:B0:81:98:2E:7E:9E:CA:57:3D:7E:F3:02
DirName:/C=US/ST=The Great State You Live In/ ...
serial:F2:C8:4A:D0:F5:09:28:B7
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Oct 23 03:17:49 2008 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
(Note that the DirName: line above was truncated [...] because it was too wide for most browser screens.)
In the command above, "-create_serial" (new in recent versions of OpenSSL) creates a hex serial number for this key. "-extensions" specifies the section of the openssl.cnf config file to look in for specific extensions to append to the newly created certificate (public key). In this case, we're using the v3_ca section which, among other things, contains this setting:
basicConstraints = CA:true
This allows the key to be used to sign other keys, acting as the CA.
The last step is to create a copy of the CA certificate encoded in the DER format, because Windows likes only binary encoded certificates.
~/CA $ openssl x509 -inform PEM -outform DER -in cacert.pem -out cacert.der
Creating the Client and Server Keys
Now that we've got our CA all set up, we need to issue key pairs for the server and all of our clients. Start by creating a new key pair:
~/CA $ openssl req -new -config ./openssl.cnf -keyout server_key.pem \
-out server_req.pem
Generating a 2048 bit RSA private key
.......+++
.................................+++
writing new private key to 'server_key.pem'
n"er : p&ss p*r&seD pA55w0r%
eriyin + n"er : p&ss p*r&seD pA55w0r%
+++++
<o/ &re &bo/" "o be &s?ed "o en"er inorm&"ion "*&" i!! be in4orpor&"ed
in"o yo/r 4er"ii4&"e re>/es".
*&" yo/ &re &bo/" "o en"er is *&" is 4&!!ed & Jis"in/is*ed =&me or & J=.
;*ere &re >/i"e & e ie!ds b/" yo/ 4&n !e&e some b!&n?
For some ie!ds "*ere i!! be & de&/!" &!/e
yo/ en"er 5.5 "*e ie!d i!! be !e" b!&n?.
+++++
Co/n"ry =&me (2 !e""er 4ode ESD
S"&"e or roin4e =&me (/!! n&me E;*e Gre&" S"&"e <o/ Lie nD
Lo4&!i"y =&me (e 4i"y E:y ;on SAD
Or&niB&"ion =&me (e 4omp&ny ESm&!!=e"N/i!derD
Or&niB&"ion&! ni" =&me (e se4"ion ESe4/ri"y JiisionD
Common =&me (e <OI n&me ED server
m&i! Address ED
!e&se en"er "*e o!!oin 5e#"r&5 &""rib/"es"o be sen" i"* yo/r 4er"ii4&"e re>/es"
A 4*&!!ene p&ssord ED
An op"ion&! 4omp&ny n&me ED
:ow sign the key with our newly created CA0
~CA $ openssl ca -con&ig /opensslcn& -in server_re$.pem -out server_cert.pem
sin 4oni/r&"ion rom .openss!.4n
n"er p&ss p*r&se or *omebr&ndonCApri&"e4&?ey.pemD pA55w0r%
C*e4? "*&" "*e re>/es" m&"4*es "*e sin&"/re
Sin&"/re o?
Cer"ii4&"e Je"&i!sD
Seri&! =/mberD
2D48D)&Dd0D'D09D28Db8
&!idi"y
=o" NeoreD =o 1 02D32D07 2007 G:;
=o" A"er D O4" 31 02D32D07 2008 G:;
S/b@e4"D
4o/n"ry=&me % S
s"&"eOrroin4e=&me % ;*e Gre&" S"&"e <o/ Lie n
or&niB&"ion=&me % Sm&!!=e"N/i!der
or&niB&"ion&!ni"=&me % Se4/ri"y Jiision
4ommon=&me % serer
K'093 e#"ensionsD
K'093 N&si4 Cons"r&in"sD
CADFALS
=e"s4&pe Commen"D
OpenSSL Gener&"ed Cer"ii4&"e
K'093 S/b@e4" ey den"iierD
71DA0DFND1CD3'DN7DN8D1JD1CDA)DCDJFDA'DNAD80DD89D09DN7DC
K'093 A/"*ori"y ey den"iierD
?eyidDJ0D1DNFD7NDA8D2DN9D98DN0D81D98D2D7D9DCAD'7D3JD7DF3D02
Cer"ii4&"e is "o be 4er"iied /n"i! O4" 31 02D32D07 2008 G:; (3' d&ys
Sin "*e 4er"ii4&"eP EynD y
1 o/" o 1 4er"ii4&"e re>/es"s 4er"iied 4ommi"P Eyn y
ri"e o/" d&"&b&se i"* 1 ne en"ries
J&"& N&se pd&"ed
:ote0 If you're planning on using indows to manage the wireless connection on the clients use the %&09v' e"tensions
we added earlier instead0
~CA $ openssl ca -con&ig /opensslcn& -extensions xpserver,ext \
-in server_re$.pem -out server_cert.pem
Create key pairs for your clients using the e"act same command. ust change the key filenames and the 3Common
:ame3 to something meaningful for your application. #ere's what I used for this set up0
~CA $ openssl re) -new -con&ig /opensslcn& -'eyout lin&x_laptop_ey.pem \
-out lin&x_laptop_re$.pem
...
Common =&me (e <OI n&me ED lin&x_laptop
And0
~CA $ openssl re) -new -con&ig /opensslcn& -'eyout winxp_laptop_ey.pem \
-out winxp_laptop_re$.pem
...
Common =&me (e <OI n&me ED winxp_laptop
&ign both certificate requests the same way we signed the server's certificate. #ere's the command for my !inu" laptop
key0
~CA $ openssl ca -con&ig /opensslcn& -in lin&x_laptop_re$.pem \
-out lin&x_laptop_cert.pem
Again, use the %&09v' e"tensions if indows is managing wireless on the clients0
~CA $ openssl ca -con&ig /opensslcn& -extensions xpclient,ext \
-in winxp_laptop_re$.pem -out winxp_laptop_cert.pem
:ow we've got both pairs of keys created and signed. indows needs a little help to understand all this security, so we
have to package the client certificate coresponding private key into a P#(S)*+ file. !inu" is happy working with them
either way, so we'll package them both for consistency.
~CA $ openssl p'cs12 -export -clcerts -in winxp_laptop_cert.pem \
-in'ey winxp_laptop_ey.pem -out winxp_laptop.p()
n"er p&ss p*r&se or in#p6!&p"op6?ey.pemD pA55w0r%
n"er #por" &ssordD pA55w0r%
eriyin + n"er #por" &ssordD pA55w0r%
$he command above uses 2pen&&!'s pkcs utility to 3-export 3 a new 6JC&K file. 3-clcerts3 tells 2pen&&! to only
e"port the client certificate and private key (in other configurations, multiple certificates and keys can be packaged into a
single 6JC&K file). 6ackage the !inu" certificate and private key using the same command. Lenerating good keys
relies on having a good set of 3random3 data to seed the key generation. hile not strictly related to generating 6JI keys,
we'll need this data later on for 5ree>AI<7&. e'll use 2pen&&! to generate ,iffie-ellman parameters for symmetric
key generation.
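As an added, runnable companion to the CA and key-issuing steps above (it is not code from the original article), the POSIX shell script below builds a throwaway CA in the same layout (private/, signed_certs/, index.txt, and the v3_ca, xpserver_ext and xpclient_ext sections), issues a server and a client certificate with openssl ca -batch in place of the interactive prompts, exports the client pair to PKCS#12, and then checks what the article only asserts: that the CA's private directory is owner-only, that each certificate chains to the CA, and that the XP extendedKeyUsage values really do restrict which role a certificate can play. It assumes sha256 signatures and 365-day validity, adds basicConstraints = CA:FALSE to the XP sections (the article's versions carry only the EKU), and the CN values, password and script name are constructed sample values.

```shell
#!/bin/sh

# Write a minimal openssl.cnf with the sections the article edits/adds.
# $1 = absolute CA directory. Assumed: sha256 signatures, 365-day validity.
write_cnf() {
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca         = CA_default
[ CA_default ]
dir                = $1
database           = \$dir/index.txt
new_certs_dir      = \$dir/signed_certs
certificate        = \$dir/cacert.pem
private_key        = \$dir/private/cakey.pem
serial             = \$dir/serial
default_md         = sha256
default_days       = 365
policy             = policy_any
[ policy_any ]
commonName         = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints   = CA:TRUE
subjectKeyIdentifier = hash
# The article's XP sections, plus CA:FALSE so a leaf can never act as a CA
[ xpserver_ext ]
basicConstraints   = CA:FALSE
extendedKeyUsage   = 1.3.6.1.5.5.7.3.1
[ xpclient_ext ]
basicConstraints   = CA:FALSE
extendedKeyUsage   = 1.3.6.1.5.5.7.3.2
EOF
}

# Create private/ (owner-only), signed_certs/, index.txt; self-sign the CA. $1 = CA dir.
build_ca() {
    mkdir -p "$1/private" "$1/signed_certs" && chmod 700 "$1/private"
    touch "$1/index.txt"
    write_cnf "$1"
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 \
        -subj "/CN=Test CA" -config "$1/openssl.cnf" -extensions v3_ca \
        -keyout "$1/private/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
}

# Request + sign, as the article does per client. $1 = CA directory,
# $2 = common name (becomes the RADIUS user name), $3 = extension section.
issue_cert() {
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$2" \
        -config "$1/openssl.cnf" -keyout "$1/${2}_key.pem" \
        -out "$1/${2}_req.pem" 2>/dev/null &&
    openssl ca -batch -create_serial -notext -config "$1/openssl.cnf" \
        -extensions "$3" -in "$1/${2}_req.pem" -out "$1/${2}_cert.pem" \
        >/dev/null 2>&1
}

# Succeeds only if $2 chains to the CA and its EKU allows purpose $3 (sslserver/sslclient).
verify_purpose() {
    openssl verify -purpose "$3" -CAfile "$1/cacert.pem" "$1/$2" >/dev/null 2>&1
}

# Owner-only private key directory shows up as "drwx------".
private_dir_mode() { ls -ld "$1/private" | cut -c1-10; }

# Bundle cert+key into PKCS#12 for the XP client, reopen it with the
# export password ($3) and print the CN found inside.
pkcs12_roundtrip() {
    openssl pkcs12 -export -clcerts -in "$1/${2}_cert.pem" \
        -inkey "$1/${2}_key.pem" -out "$1/$2.p12" -passout "pass:$3" &&
    openssl pkcs12 -in "$1/$2.p12" -passin "pass:$3" -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -subject | sed 's/.*CN *= *//'
}

# Stand-alone run (sh ca_check.sh demo): build the PKI and show the checks.
demo() {
    CADIR=$(mktemp -d)
    build_ca "$CADIR" && issue_cert "$CADIR" server xpserver_ext && issue_cert "$CADIR" winxp_laptop xpclient_ext
    echo "private dir: $(private_dir_mode "$CADIR")"
    verify_purpose "$CADIR" server_cert.pem sslserver && echo "server cert: OK for sslserver"
    verify_purpose "$CADIR" winxp_laptop_cert.pem sslserver || echo "client cert: rejected for sslserver"
    echo "p12 CN: $(pkcs12_roundtrip "$CADIR" winxp_laptop pA55w0rd)"
}
if [ "${1:-}" = demo ]; then demo; fi
```

The purpose checks are the point: a certificate signed with xpclient_ext is accepted as a client but refused as a server, which is exactly the separation the two XP sections are meant to give you.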
First, elevate yourself to superuser and create a directory that will house the CA certificate, server public and private keys, a dh file for Diffie-Hellman parameters and a random data file. I chose to put these in /etc/wireless; anywhere readable to FreeRADIUS is fine.
~/CA $ su
Password: pA55w0rd
/home/brandon/CA # mkdir /etc/wireless
Now, copy the server's public and private key and the CA's certificate to /etc/wireless:
/home/brandon/CA # cp cacert.pem server_cert.pem server_key.pem /etc/wireless/
Create 1024-bit Diffie-Hellman parameters with the following:
/etc/wireless # openssl dhparam -out dh 1024
Next create a random file to seed key generation:
/etc/wireless # dd if=/dev/urandom of=random count=2
Installing and Configuring FreeRADIUS
Now it's time to install FreeRADIUS. Download FreeRADIUS and unpack.
~ $ tar xvf freeradius-1.1.7.tar.gz
Configure, install and update your dynamic linked libraries after the install. By default, FreeRADIUS installs in /usr/local and reads its configuration files from /usr/local/etc/raddb.
~ $ cd freeradius-1.1.7
~/freeradius-1.1.7 $ ./configure
~/freeradius-1.1.7 $ make
~/freeradius-1.1.7 $ su -c "make install"
Password: pA55w0rd
...
~/freeradius-1.1.7 $ su -c ldconfig
Password: pA55w0rd
...
FreeRADIUS comes packaged with a pretty monstrous, but well documented, set of config files. Setting up WPA authentication really only scratches the surface of what FreeRADIUS is capable of. Since the default settings get us pretty close, we just need to make a few minor changes to some config files to get RADIUS authentication up and running. Open up radiusd.conf with your favorite text editor and adjust the directory pointers (lines 23 through 40) to suit your system.
23 prefix = /usr/local
24 exec_prefix = ${prefix}
25 sysconfdir = ${prefix}/etc
26 localstatedir = ${prefix}/var
27 sbindir = ${exec_prefix}/sbin
28 logdir = ${localstatedir}/log/radius
29 raddbdir = ${sysconfdir}/raddb
30 radacctdir = ${logdir}/radacct
31
32 # Location of config and logfiles.
33 confdir = ${raddbdir}
34 run_dir = ${localstatedir}/run/radiusd
35
36 #
37 # The logging messages for the server are appended to the
38 # tail of this file.
39 #
40 log_file = ${logdir}/radius.log
The location of the log file on line 40 is especially important. FreeRADIUS usually isn't very informative about runtime errors, instead writing everything to the log. So if you have any problems with FreeRADIUS, take a look at the log. The rest of this config file is huge. The good news is we don't need the vast majority of the options FreeRADIUS has for WPA, so we can distill the whole config file down to a small fraction of its original length.
You can safely comment out (or delete) just about anything that doesn't have to do with TLS or EAP (such as the module sections dealing with PEAP, CHAP, MSCHAP, etc.). Instead of walking you through every change, here is a copy of what I use (this is likely more than the absolute minimum even with all the comments removed).
One big change that needs to be made is changing to an unprivileged user and group on lines 109 and 110:
109 user = nobody
110 group = nobody
Next, open up clients.conf and add a section for your router. The router is the only true "client" to the RADIUS server; the computers that connect are called users. Use the IP address of your router and a strong secret (this is the "password" that the router will use to talk to the RADIUS server). The "shortname" variable is used only for logging, so it can be whatever makes the most sense for you. Unless your NAS (Network Access Server) type is explicitly listed above in the clients.conf file, use "other" for the NAS type.
client <router IP address> {
    secret = smallnetbuilder
    shortname = wireless_ap
    nastype = other
}
Next, edit the users file. Add the default line and lines for each of the client keys we created, using the common name supplied for the key as the user name. Have some fun with the default rejection message.
# users file for FreeRADIUS
winxp_laptop Auth-Type := EAP
linux_laptop Auth-Type := EAP
DEFAULT Auth-Type := Reject
    Reply-Message := "Your Computer Ain't Welcome Here!"
Now we'll need to edit eap.conf. Change default_eap_type to TLS:
default_eap_type = tls
Adjust the TLS configuration to suit your set up:
123 tls {
124 private_key_password = pA55w0rd
125 private_key_file = /etc/wireless/server_key.pem
126
127 # If Private key & Certificate are located in
128 # the same file, then private_key_file &
129 # certificate_file must contain the same file
130 # name.
131 certificate_file = /etc/wireless/server_cert.pem
132
133 # Trusted Root CA list
134 CA_file = /etc/wireless/cacert.pem
135
136
137 #
138 # For DH cipher suites to work, you have to
139 # run OpenSSL to create the DH file first:
140 #
141 # openssl dhparam -out certs/dh 1024
142 #
143 dh_file = /etc/wireless/dh
144 random_file = /etc/wireless/random
Configuring the Router
I used a D-Link DGL-4300 [reviewed], so your setup pages may differ. Open up your wireless router or AP's wireless configuration section and find the Wireless Security settings. Change the security mode to WPA-Enterprise or WPA2-Enterprise mode, add the RADIUS server's IP address and the shared secret (see the Figures).
Configuring a Linux Client
Connecting a Linux client using WPA or WPA2 security requires wpa_supplicant. Configure wpa_supplicant with the following options set in the ".config" file, in addition to the drivers and interfaces you need for your setup:
CONFIG_IEEE8021X_EAPOL=y
CONFIG_EAP_TLS=y
CONFIG_PKCS12=y
# Make sure to include any other options you need as well
Re-compile and re-install wpa_supplicant. Now create a folder on the Linux client to house the client public and private keys (PKCS#12 file) and the CA certificate. In my case, I set it up in /etc/wireless.
Next edit "wpa_supplicant.conf" and add a section similar to the following, to point to your new WPA-Enterprise setup.
# WPA2-EAP/AES using EAP-TLS
network={
    ssid="smallnetbuilder"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="linux_laptop"
    ca_cert="/etc/wireless/cacert.pem"
    private_key="/etc/wireless/linux_laptop.p12"
    private_key_passwd="pA55w0rd"
}
The "identity" field should match the common name on the client certificate and the user we set up in FreeRADIUS' users file. Restart wpa_supplicant and connect to the network.
Configuring a Windows XP Client
Windows users will require the WPA patch, if it's not already installed. A quick way to check for this is to open up the advanced properties on any wireless network. If WPA is not an option available from the Network Authentication dropdown, you need the patch.
After installing the patch, transfer the CA certificate and the p12 file containing the client certificate and key securely from the server (via a USB flash drive is the easiest).
First, install the CA certificate as a trusted authority by double-clicking on it.
Figure 1: Installing the CA
Click "Install Certificate" and complete the wizard. Next, double-click on the p12 file that contains the client certificate and key to install it.
Figure 2: Installing the Client Keys
Enter the password for the client's private key. (You can optionally require that the password is entered every time the key is used; this gets annoying real quick, so I usually leave that unchecked.)
Figure 3: Client Password
Let Windows automatically store the certificate where it thinks it should go.
Figure 4: Storing the Client Keys
Configuring a Windows XP Client - More
Finish the wizard, and view the wireless networks by double-clicking on the wireless network icon in the taskbar. Select your network and click on "Change Advanced Settings".
Figure 5: Wireless Networks
On the "Wireless Networks" tab, click "Add" under Preferred Networks.
Figure 5: Advanced Configuration
Enter the SSID of your router and change the Network Authentication to WPA.
Figure 8: WPA2 Configuration
On the "Authentication" tab, click Properties under EAP Type.
Figure 9: EAP Configuration
Select your CA from the list, and check "Use a different username for this connection".
Figure 10: Certificate Selection
Hit OK to finish. Open up the wireless networks again and connect to your newly secured network.
Troubleshooting
There are quite a few pieces that have to play nicely together to get WPA-Enterprise working. Here are a few tools that come in handy if things don't work smoothly on the first try:
Check the FreeRADIUS log. There is a lot of good information in the log that can point you right to the problem. This is especially handy when tweaking the config files, as anything that doesn't parse correctly will log an error.
Run FreeRADIUS in debug mode in the foreground with radiusd -X. This will show you just what FreeRADIUS is thinking. Not all the errors show up here, but the major ones that cause FreeRADIUS to quit do.
Test local connectivity with radtest test test localhost 0 testing123. This one comes straight out of the INSTALL file. If you run FreeRADIUS in the foreground with "radiusd -X" in another terminal, you should be able to see FreeRADIUS dump all kinds of messages when "radtest" runs.
Conclusion
With a little extra hardware, you can add the extra level of security that authentication provides to your wireless network. This gives you better control over the clients that can connect to your network and also helps to keep clients from connecting to untrusted networks. The combination of AES encryption in WPA and secure authentication of clients will help protect your network and keep your data secured from prying eyes.