This howto requires freeradius with openssl support.
A guide for freeradius+openssl can be found here: Freeradius mit EAP Support
Install the packages as described in that guide.
The configuration sections listed below are additions or changes to the default config.
Install openssl
apt-get install openssl
Create the root CA
Change into the directory /etc/freeradius/certs
cd /etc/freeradius/certs
openssl ships with a simple script for creating a CA.
/usr/lib/ssl/misc/CA.pl -newca
CA certificate filename (or enter to create)
Confirm with [Enter].
Making CA certificate ...
Generating a 1024 bit RSA private key
...............................................++++++
..........++++++
writing new private key to './demoCA/private/cakey.pem'
Define a password and enter it.
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:Bayern
Locality Name (eg, city) []:München
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Test
Organizational Unit Name (eg, section) []:Testabteilung
Common Name (eg, YOUR name) []:rootca
Email Address []:rootca@example.org
Please enter the following 'extra' attributes to be sent with your certificate request
Confirm twice with [Enter].
A challenge password []:
An optional company name []:
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
b7:bc:7f:60:3c:98:84:b2
Validity
Not Before: Jul 31 07:33:47 2009 GMT
Not After : Jul 30 07:33:47 2012 GMT
Subject:
countryName = DE
stateOrProvinceName = Bayern
organizationName = Test
organizationalUnitName = Testabteilung
commonName = rootca
emailAddress = rootca@example.org
X509v3 extensions:
X509v3 Subject Key Identifier:
5C:85:A3:1C:70:8E:E3:60:62:C9:5A:60:83:A2:D5:3C:EA:64:C7:C9
X509v3 Authority Key Identifier:
keyid:5C:85:A3:1C:70:8E:E3:60:62:C9:5A:60:83:A2:D5:3C:EA:64:C7:C9
DirName:/C=DE/ST=Bayern/O=Test/OU=Testabteilung/CN=rootca/emailAddress=rootca@example.org
serial:B7:BC:7F:60:3C:98:84:B2
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Jul 30 07:33:47 2012 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
Create the server certificate
openssl req -new -nodes -keyout server_key.pem -out server_req.pem -days 730 -config /etc/ssl/openssl.cnf
Generating a 1024 bit RSA private key
...++++++
..............................................................................++++++
writing new private key to 'server_key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:Bayern
Locality Name (eg, city) []:München
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Test
Organizational Unit Name (eg, section) []:Testabteilung
Common Name (eg, YOUR name) []:server
Email Address []:server@example.org
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:
Sign the server certificate with the root CA
openssl ca -config /etc/ssl/openssl.cnf -policy policy_anything -out server_cert.pem -infiles ./server_req.pem
Using configuration from /etc/ssl/openssl.cnf
Enter the CA password:
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
b7:bc:7f:60:3c:98:84:b3
Validity
Not Before: Jul 31 08:10:11 2009 GMT
Not After : Jul 31 08:10:11 2010 GMT
Subject:
countryName = DE
stateOrProvinceName = Bayern
localityName = M\C3\BCnchen
organizationName = Test
organizationalUnitName = Testabteilung
commonName = server
emailAddress = server@example.org
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
D7:95:A8:C4:D7:70:BE:4C:D4:52:B1:E6:B5:A6:CD:37:B2:4A:6B:AE
X509v3 Authority Key Identifier:
keyid:5C:85:A3:1C:70:8E:E3:60:62:C9:5A:60:83:A2:D5:3C:EA:64:C7:C9
Certificate is to be certified until Jul 31 08:10:11 2010 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Assemble the server certificate
cat server_key.pem server_cert.pem > server.pem
radiusd.conf
mschap {
authtype = MS-CHAP
use_mppe = yes
require_encryption = yes
require_strong = yes
}
clients.conf
A "shared secret" for the access point must be defined in clients.conf. 192.168.0.10 is the IP address of the access point.
client 192.168.0.10 {
# This is the shared secret between the Authenticator (the
# access point) and the Authentication Server (RADIUS).
secret = 123password456
shortname = accesspoint
}
users
Create a new user by adding an entry at the end of the users file. NOTE: several howtos still use the syntax User-Password == "password". This syntax is obsolete for freeradius version 2.x. The new syntax is Cleartext-Password := "password".
"mobil-user" Cleartext-Password := "password123"
eap.conf
eap {
default_eap_type = peap
tls {
CA_file = ${cadir}/demoCA/cacert.pem
}
}
sites-enabled/default
authorize {
mschap
# unix
}
authenticate {
Auth-Type MS-CHAP {
mschap
}
# unix
}
accounting {
# unix
}
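Before starting the daemon it is worth checking the three edited files mechanically: the obsolete User-Password == form from the note on the users file silently fails to authenticate, and a client block with a missing, default or short shared secret is the usual reason an access point gets "Ignoring request from unknown client" or authentication failures. The following pre-flight script is an added example and not part of the original howto; the sample files it writes are constructed for the demonstration, "testing123" is the secret freeradius ships in its default clients.conf, and the 16-character minimum is an assumption chosen for the check, not a freeradius requirement.

```shell
#!/bin/sh
# Added example, not from the original howto: pre-flight checks for the freeradius 2.x
# users, clients.conf and eap.conf files edited above. Each check_* function prints its
# findings and returns 1 on a problem, so preflight can gate the daemon start.
set -eu

# users: an entry starts in column 0 with the user name; "User-Password ==" there is the
# pre-2.x syntax the howto warns about.
check_users() {
    if grep -nE '^[^#[:space:]].*User-Password[[:space:]]*==' "$1"; then
        echo "users: rewrite the entries above as  \"name\" Cleartext-Password := \"...\""
        return 1
    fi
    return 0
}

# clients.conf: every client block needs a secret that is neither the shipped default nor
# short. RADIUS hides User-Password with MD5(secret, Request Authenticator), so the secret
# is the only protection of the password between access point and server.
check_clients() {
    awk '
        /^[[:space:]]*client[[:space:]]/ { name = $2; secret = ""; inblock = 1 }
        inblock && /^[[:space:]]*secret[[:space:]]*=/ {
            sub(/^[[:space:]]*secret[[:space:]]*=[[:space:]]*/, "")
            sub(/[[:space:]]*(#.*)?$/, "")      # drop trailing comment
            secret = $0
        }
        inblock && /^[[:space:]]*}/ {
            if (secret == "")                { printf "client %s: no secret\n", name; bad++ }
            else if (secret == "testing123") { printf "client %s: shipped default secret\n", name; bad++ }
            else if (length(secret) < 16)    { printf "client %s: secret has only %d characters\n", name, length(secret); bad++ }
            inblock = 0
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# eap.conf: PEAP must be the default EAP type and the tls section must name a CA file.
check_eap() {
    grep -qE '^[[:space:]]*default_eap_type[[:space:]]*=[[:space:]]*peap' "$1" \
        || { echo "eap.conf: default_eap_type is not peap"; return 1; }
    grep -qiE '^[[:space:]]*ca_file[[:space:]]*=' "$1" \
        || { echo "eap.conf: no CA_file in the tls section"; return 1; }
    return 0
}

# Runs all checks on a directory holding users, clients.conf and eap.conf.
preflight() {
    rc=0
    check_users   "$1/users"        || rc=1
    check_clients "$1/clients.conf" || rc=1
    check_eap     "$1/eap.conf"     || rc=1
    return $rc
}

# Constructed sample files: $1/good passes every check, $1/bad fails every check.
write_samples() {
    mkdir -p "$1/good" "$1/bad"
    printf '%s\n' '"mobil-user" Cleartext-Password := "password123"' > "$1/good/users"
    printf '%s\n' '"mobil-user" User-Password == "password123"'     > "$1/bad/users"
    cat > "$1/good/clients.conf" <<'EOF'
client 192.168.0.10 {
    secret = Wq7pL2vX9kRd4mTzB8nQ   # constructed 20-character value
    shortname = accesspoint
}
EOF
    cat > "$1/bad/clients.conf" <<'EOF'
client localhost {
    secret = testing123
}
client 192.168.0.10 {
    secret = 123pw
}
EOF
    printf 'eap {\n default_eap_type = peap\n tls {\n  CA_file = ${cadir}/demoCA/cacert.pem\n }\n}\n' > "$1/good/eap.conf"
    printf 'eap {\n default_eap_type = md5\n}\n' > "$1/bad/eap.conf"
}

# Stand-alone run: show both outcomes on the constructed samples.
samples=$(mktemp -d)
write_samples "$samples"
preflight "$samples/good" && echo "good: ready for /etc/init.d/freeradius start"
preflight "$samples/bad"  || echo "bad: fix the findings above first"
```

To use it on a real installation, point preflight at a directory containing the three files (or call the check_* functions on /etc/freeradius/users, /etc/freeradius/clients.conf and /etc/freeradius/eap.conf individually) and run it before freeradius -X; a non-zero exit means something to fix before the debug run.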
Test freeradius
freeradius -X
If everything runs without errors, the following should appear:
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
Start the daemon
Stop the debug run with [Ctrl-C], then start the daemon:
/etc/init.d/freeradius start
Configure the access point (general)
- Enter RADIUS server, RADIUS port and shared secret
- Mode: WPA2-Enterprise
Connect the client (general)
- Add cacert.pem to the trusted certification authorities
- Mode WPA2-Enterprise
- Select EAP PEAP