FreeRADIUS and Linux for Your WLAN
February 05, 2008
Best of ENP: Part Two—RADIUS and Linux can be a potent combination for WLAN security. Here's how to get it configured.
Last week we had an bird's-eye of the current state of wireless security protocols, and a quick peek at using a RADIUS server for authentication, authorization, and accounting. Today we shall configure FreeRADIUS to secure wireless authentication and transmission. A RADIUS server running on Linux can authenticate clients on any platform.
We are going to implement EAP-TLS encryption, because it is widely supported and secure. Be sure you have FreeRADIUS and OpenSSL installed. Then create your SSL certificates, copy them to the server and clients, set up client access on the RADIUS server, and poof! all done.
Ok, so I wouldn't call it easy. But it's not too bad. The neat thing about this is the server and clients authenticate to each other with the SSL certificates, so you don't need to hassle with logins and passwords.
Generating Server Certificates
First we will create a CA, or certificate authority. The CA authenticates your public user and server certificates, and also revokes them -- which you'll need to do as staffers come and go. (See Resources for a list of excellent books on the subject. Don't leave home without them.)
First, edit openssl.cnf, which should be in /etc/ssl/openssl.cnf, but given the herd-of-cats nature of Linux I make no promises, and edit it to include your own information. The file is big, but all you need is to find these lines and customize them:
[ CA_default ]
dir = ./masterCA # Where everything is kept
countryName_default = US
stateOrProvinceName_default = Oregon
0.organizationName_default = Carla's Yummy Cookie Co.
stateOrProvinceName = Oregon
stateOrProvinceName_default = OR
localityName = Portland
organizationalUnitName = Doughboys
organizationalUnitName_default = Doughboys
commonName = Carla AceAdmin
emailAddress = email@example.com
Now find the certificate-creating script, hopefully /usr/lib/ssl/misc/CA.sh. At any rate find CA.sh. Edit this line to tell CA.sh where to put your new certificates, giving it any name you like:
Then change to the directory where you want to store your certificates. /etc/ssl is the usual choice, and run CA.sh. You'll be asked to create a passphrase- make it gnarly, and write it down and lock it away.
# /usr/lib/ssl/misc/CA.sh -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
writing new private key to './masterCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Carlas Cookies [Carlas Cookies]:
Carla AceAdmin :
This creates the /etc/ssl/masterCA/ directory, and populates it with all manner of files and directories, including your new server CA, private/cakey.pem.
We'll use the /usr/bin/openssl command to do the rest of the work. /usr/bin/openssl has a lot of useful command-line options, and is better-suited for a job like this where we want to customize the certificate names. CA.sh is nice for simple needs, so consider this your formal introduction.
Next, create the signing request, naming the :
# openssl req -new -nodes -keyout masterkey.pem -out masterreq.pem
Now we'll sign the request:
# openssl ca -out master_cert.pem -infiles ./masterreq.pem
This creates master_cert.pem, our shiny new server certificate which will be copied to the FreeRADIUS server.
Creating Client Certificates
Remember, you'll need your cacert.pem passphrase:
# openssl req -new -nodes -keyout clientkey.pem -out clientreq.pem
# openssl ca -out client_cert.pem -infiles ./clientreq.pem