Friday, 21 September 2007

WPA2 with EAP/TLS and Radius

Recently I configured WPA2 (Wi-Fi Protected Access 2) with EAP/TLS on my network, so I thought I would share how to do it. Before starting, I will make some assumptions:
*1 Your Linux and Windows clients have a wireless card configured and working
*2 You have FreeRADIUS installed and working without problems
*3 You have a reasonably good knowledge of Linux administration
*4 RADIUS runs on a separate Linux server
*5 You have a wireless access point (WAP) capable of WPA (or 802.1X) authentication against a RADIUS server
*6 Your wireless card supports WPA (cards manufactured after 2003 normally do; to be sure, check www.wi-fi.org)

You will also need the following software:
*1 OpenSSL version 0.9.7j
*2 FreeRADIUS version 1.1.7
*3 wpa_supplicant for Linux clients (available from your distribution's repository via yum, apt or emerge)
*4 Windows XP with Service Pack 2

Below is what I used:
*1 The RADIUS server runs on Gentoo Linux and also hosts DNS, DHCP and a firewall
*2 The client is a Dell Latitude D820 running Ubuntu 7.04
*3 The access point is a D-Link

Installation outline:
*1 Make Certificates
*2 Configure FreeRadius
*3 Configure the wireless access point
*4 Configure the client

Making Certificates
Certificates are a digital means of asserting the identity of a machine or individual and of providing keys for encryption. We need certificates for the client(s) and for the RADIUS server: with EAP/TLS both sides present one, so the server proves its identity to the client and the client proves its identity to the server. These certificates must be issued by a root certification authority (CA), and we will create one of those as well.
The details of EAP/TLS and of digital server certificates are beyond the scope of this article. If you need more information, try the following links:
http://en.wikipedia.org/wiki/Extensible_Authentication_Protocol
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_white_paper09186a008009256b.shtml (This has explained EAP/TLS in detail with diagrams)

We need a Certificate Authority to sign certificates and to validate them, so the best option is to create a local CA; the clients will then trust only this CA for the RADIUS server, not every public CA in their certificate store. Before creating the CA, I advise you to edit openssl.cnf so that you do not have to retype the same values for every certificate. The lines to change are below.

[ ca ]
default_ca = CA_default

[ CA_default ]
dir = ./myCA
default_days = 730

[ req_distinguished_name ]
countryName_default = LK
stateOrProvinceName_default = Western
localityName_default = Colombo
0.organizationName_default = MyCompany

Save openssl.cnf. To create the CA you run the CA.sh script, which you will find at /usr/share/ssl/CA.sh or /etc/ssl/misc/CA.sh depending on your distribution. In the script, change the CATOP variable to match the dir you gave in openssl.cnf: CATOP=./myCA. Then create the CA as root:

# cd /etc/ssl
# /usr/share/ssl/CA.sh -newca

You are then prompted for the details of the new root certificate and for a passphrase for its private key. Choose a passphrase that is difficult to guess and keep a copy in a safe place; if you forget it, you will be unable to use your CA to sign (or revoke) anything.

When the script finishes, your SSL configuration directory contains a new directory, myCA. At its top level is your new CA's public certificate, by default named cacert.pem; copy this file to your FreeRADIUS server and to each wireless client. The CA's private key is in myCA/private/cakey.pem. It stays on this machine and is never copied anywhere, because anyone who holds it can issue certificates that your RADIUS server and clients will accept.

There is one more thing to do before creating certificates if you have Windows XP wireless clients. Windows XP expects an Extended Key Usage attribute in server and client certificates, so create a file called xpextensions containing the lines shown below (1.3.6.1.5.5.7.3.1 is serverAuth and 1.3.6.1.5.5.7.3.2 is clientAuth).

[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

To make EAP/TLS work you need at least two more certificates: one for the RADIUS server and one for each wireless client. Creating a certificate has three steps:
*1 Generate a signing request (a CSR: the identity and public key, not yet signed)
*2 Sign the request with your CA key
*3 Copy the signed certificate and its private key to the host that will use them

*Run all these commands as root in directory /etc/ssl/*

Generate the RADIUS server key and certificate

* Create the signing request
# openssl req -new -keyout radius_key.pem -out radius_req.pem -days 730 -config ./openssl.cnf

This command creates radius_req.pem, which contains the request (an unsigned certificate), and radius_key.pem, the server's private key, protected by the passphrase you are asked for. Remember that passphrase; FreeRADIUS will need it to load the key. You are first prompted for your organization's Country Code, State and so on, most of which can take the default values you set in openssl.cnf. Pay special attention to Common Name: type the fully qualified domain name of your server, for example radius.mycompany.com. This is the name the clients will see, and the name they can be told to check. Note that -days in openssl req only applies to self-signed certificates; the validity of the signed certificate comes from default_days in openssl.cnf.

* Use the CA key to sign the request

# openssl ca -config ./openssl.cnf -policy policy_anything -out radius_cert.pem \
-extensions xpserver_ext -extfile ./xpextensions -infiles ./radius_req.pem

This command reads radius_req.pem and, after prompting for your CA key's passphrase, writes the signed certificate to radius_cert.pem (the private key stays in radius_key.pem and is not part of the certificate). Notice the -extensions and -extfile options: this is why we created the file xpextensions earlier. openssl ca also prepends a human-readable dump of the certificate to the file, so open radius_cert.pem and delete everything before -----BEGIN CERTIFICATE-----, leaving only the PEM block.

Generate the client key and certificate

* Create the signing request
# openssl req -new -keyout client_key.pem -out client_req.pem -days 730 -config ./openssl.cnf
(always write the passphrase down in a safe place; here the Common Name identifies the client, for example the laptop's hostname)


* Use the CA key to sign the request
# openssl ca -config ./openssl.cnf -policy policy_anything -out client_cert.pem \
-extensions xpclient_ext -extfile ./xpextensions -infiles ./client_req.pem


Also, if your clients run Linux, delete the text before -----BEGIN CERTIFICATE----- in client_cert.pem, as you did with radius_cert.pem.

If your certificate is to be used by a Windows XP client, you have one more step to take. You need to convert the certificate file(s) to a PKCS12-format file, with this command:

# openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out client_cert.p12 -clcerts

You are prompted for client_key.pem's passphrase and then for a new passphrase protecting the new file; you can reuse the same one if you like. Now copy the files to the clients: cacert.pem, client_cert.pem and client_key.pem for Linux clients, and cacert.pem and client_cert.p12 for Windows clients. Move the private key and the .p12 file over a trusted channel; anyone holding them and the passphrase can join your network as that client. This completes the certificate phase, and we can move on to preparing the RADIUS server.
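The whole certificate phase above, from the xpextensions file to the PKCS#12 export, as one unattended shell script with the checks I would run on the result. This is an added example, not the article's own commands: it writes a minimal openssl.cnf of its own instead of editing the distribution's, sets up the CA directory by hand instead of running CA.sh, and takes passphrases and names from environment variables (the defaults, the scratch directory and the client Common Name are assumptions), so it can be run and thrown away.

```bash
#!/bin/sh
# Added example, not the page's code: throwaway CA, RADIUS server cert and
# client cert with the xpextensions EKUs, PKCS#12 export, then openssl checks.
# Assumptions that differ from the page: inline openssl.cnf instead of the
# distro file, CA directory made by hand instead of CA.sh, 2048-bit RSA keys,
# SHA-256 signatures, and passphrases/names taken from the environment.
set -eu

WORK=${WORK:-$(mktemp -d)}                  # scratch dir standing in for /etc/ssl
CA_DIR=$WORK/myCA
CA_PASS=${CA_PASS:-change-me-ca}             # CA key passphrase (assumed)
KEY_PASS=${KEY_PASS:-change-me-key}          # server/client key passphrase (assumed)
SERVER_CN=${SERVER_CN:-radius.mycompany.com} # FQDN the clients will see
CLIENT_CN=${CLIENT_CN:-laptop01.mycompany.com}
CNF=$WORK/openssl.cnf
EXT=$WORK/xpextensions

write_config() {   # what CA.sh -newca and the distro openssl.cnf normally provide
  mkdir -p "$CA_DIR/certs" "$CA_DIR/newcerts" "$CA_DIR/private"
  : > "$CA_DIR/index.txt"
  echo 01 > "$CA_DIR/serial"
  cat > "$CNF" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CA_DIR
certs = \$dir/certs
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
private_key = \$dir/private/cakey.pem
certificate = \$dir/cacert.pem
default_md = sha256
default_days = 730
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
commonName = supplied
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
[ req_distinguished_name ]
countryName_default = LK
0.organizationName_default = MyCompany
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # The page's xpextensions: 1.3.6.1.5.5.7.3.1 = serverAuth, .3.2 = clientAuth
  printf '[ xpclient_ext ]\nextendedKeyUsage = 1.3.6.1.5.5.7.3.2\n' > "$EXT"
  printf '[ xpserver_ext ]\nextendedKeyUsage = 1.3.6.1.5.5.7.3.1\n' >> "$EXT"
}

make_ca() {   # self-signed root in one command; CA.sh -newca does the same interactively
  openssl req -new -x509 -days 3650 -config "$CNF" -batch \
    -subj "/C=LK/ST=Western/L=Colombo/O=MyCompany/CN=MyCompany Root CA" \
    -passout "pass:$CA_PASS" -keyout "$CA_DIR/private/cakey.pem" -out "$CA_DIR/cacert.pem"
}

issue() {   # issue NAME CN EXT_SECTION: request, CA signature, strip the text dump
  openssl req -new -config "$CNF" -batch -subj "/C=LK/O=MyCompany/CN=$2" \
    -passout "pass:$KEY_PASS" -keyout "$WORK/$1_key.pem" -out "$WORK/$1_req.pem"
  openssl ca -config "$CNF" -batch -policy policy_anything -passin "pass:$CA_PASS" \
    -extensions "$3" -extfile "$EXT" -out "$WORK/$1_cert.pem" -infiles "$WORK/$1_req.pem"
  # openssl ca prepends a readable dump; rewrite via a temp file so only the PEM block stays
  openssl x509 -in "$WORK/$1_cert.pem" -out "$WORK/$1_cert.tmp"
  mv "$WORK/$1_cert.tmp" "$WORK/$1_cert.pem"
}

export_p12() {   # bundle for Windows clients, same options as on the page
  openssl pkcs12 -export -clcerts -in "$WORK/client_cert.pem" -inkey "$WORK/client_key.pem" \
    -passin "pass:$KEY_PASS" -passout "pass:$KEY_PASS" -out "$WORK/client_cert.p12"
}

# verify_purpose CERT sslserver|sslclient: chains to our CA and the EKU allows that role
verify_purpose() { openssl verify -CAfile "$CA_DIR/cacert.pem" -purpose "$2" "$1" >/dev/null 2>&1; }
# has_eku CERT TEXT: TEXT (e.g. "TLS Web Server Authentication") appears in the cert dump
has_eku() { openssl x509 -in "$1" -noout -text | grep -q "$2"; }
# p12_ok: the exported PKCS#12 file opens with the export passphrase
p12_ok() { openssl pkcs12 -in "$WORK/client_cert.p12" -passin "pass:$KEY_PASS" -noout >/dev/null 2>&1; }

main() {
  write_config
  make_ca
  issue radius "$SERVER_CN" xpserver_ext
  issue client "$CLIENT_CN" xpclient_ext
  export_p12
  verify_purpose "$WORK/radius_cert.pem" sslserver || { echo "server cert FAILED" >&2; exit 1; }
  verify_purpose "$WORK/client_cert.pem" sslclient || { echo "client cert FAILED" >&2; exit 1; }
  echo "certificates written to $WORK"
}
main
```

Run it as-is for a throwaway set under a temporary directory, or set WORK, SERVER_CN and CLIENT_CN for a real one. The negative check is the interesting one: the client certificate must fail -purpose sslserver. Without the two distinct Extended Key Usage values from xpextensions, any certificate your CA issued to a laptop would also be accepted as the RADIUS server by a client that only checks the issuing CA. On OpenSSL 3 the PKCS#12 export defaults to AES with PBKDF2, which old Windows versions cannot open; add -legacy to the openssl pkcs12 command if the file is for Windows XP.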

Preparing the RADIUS Server
Most of the time the RADIUS configuration resides in /usr/local/etc/raddb or /etc/raddb. Inside it is a sub-directory called certs/, which is where the certificates go. Copy cacert.pem and the server certificate and key, radius_cert.pem and radius_key.pem, into it. Then set the permissions shown below, so that only root and the FreeRADIUS user can read the files; the private key in particular must never be world-readable.
(I used radiusd as the FreeRADIUS user and group)

-rw-r----- 1 root radiusd 1915 Aug 12 09:34 radius_key.pem
-rw-r----- 1 root radiusd 1915 Aug 12 09:34 radius_cert.pem
-rw-r----- 1 root radiusd 1224 Aug 12 09:35 cacert.pem
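The copy-and-permission step above as a small added script (not from the article) that installs the three files with the ownership and mode in the listing and checks them afterwards. The raddb path, the radiusd group name and the source directory are assumptions; the mode check uses GNU stat, so it is Linux-specific.

```bash
#!/bin/sh
# Added example (not the page's code): put the certificates into the FreeRADIUS
# certs/ directory as root:radiusd 0640, the -rw-r----- lines in the listing,
# and check them before starting radiusd. RADDB and the group are assumptions.
set -eu

# install_radius_certs SRC RADDB [GROUP]: copy with owner root, group GROUP,
# mode 0640 in one step, so the key is never briefly world-readable. Run as root.
install_radius_certs() {
  src=$1; certs=$2/certs; grp=${3:-radiusd}
  mkdir -p "$certs"
  for f in radius_key.pem radius_cert.pem cacert.pem; do
    install -o root -g "$grp" -m 0640 "$src/$f" "$certs/$f"
  done
}

# mode_ok FILE: 0 when FILE has no world permissions and the group may at most
# read it (0640, 0600, 0400 ...). Catches a key left at 0644 after copying.
mode_ok() {
  m=$(stat -c %a "$1") || return 1          # GNU stat: octal mode, e.g. 640
  [ $((m % 10)) -eq 0 ] && [ $((m / 10 % 10)) -le 4 ]
}

# owner_ok FILE [GROUP]: 0 when FILE is root:GROUP, so radiusd reads it through
# the group without owning it (and so without being able to replace it).
owner_ok() {
  [ "$(stat -c %U:%G "$1")" = "root:${2:-radiusd}" ]
}

# check_radius_certs RADDB [GROUP]: report every file that is not locked down;
# non-zero exit if any is.
check_radius_certs() {
  rc=0
  for f in radius_key.pem radius_cert.pem cacert.pem; do
    p=$1/certs/$f
    if ! mode_ok "$p" || ! owner_ok "$p" "${2:-radiusd}"; then
      echo "FIX: $p should be -rw-r----- root:${2:-radiusd}" >&2; rc=1
    fi
  done
  return $rc
}
```

Typical use as root: install_radius_certs /etc/ssl /etc/raddb, then check_radius_certs /etc/raddb before starting the server. The certificates themselves are public and could be looser, but keeping all three files at the same mode avoids an accidental chmod on the key later.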

--to be continued--