WPA Enterprise mit EAP PEAP

Howto für Ubuntu und Debian

Für dieses Howto wird freeradius mit openssl Support benötigt.

Eine Anleitung für freeradius+openssl ist hier zu finden: Freeradius mit EAP Support

Die Pakete wie in der Anleitung beschrieben installieren.

Die unten aufgeführten Konfigurationsteile sind Ergänzungen oder Änderungen der Default Config.

openssl installieren
apt-get install openssl
RootCA anlegen

In das Verzeichnis /etc/freeradius/certs wechseln

cd /etc/freeradius/certs

openssl liefert ein einfaches Script um eine CA anzulegen.

/usr/lib/ssl/misc/CA.pl -newca
CA certificate filename (or enter to create)

Mit [Enter] bestätigen.

Making CA certificate ...
Generating a 1024 bit RSA private key
...............................................++++++
..........++++++
writing new private key to './demoCA/private/cakey.pem'

Ein Passwort definieren und eingeben.

Enter PEM pass phrase:
Verifying – Enter PEM pass phrase:

-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----

Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:Bayern
Locality Name (eg, city) []:München
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Test
Organizational Unit Name (eg, section) []:Testabteilung
Common Name (eg, YOUR name) []:rootca
Email Address []:rootca@example.org

Please enter the following 'extra' attributes
to be sent with your certificate request

2 mal mit [Enter] bestätigen.

A challenge password []:
An optional company name []:

Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b7:bc:7f:60:3c:98:84:b2
        Validity
            Not Before: Jul 31 07:33:47 2009 GMT
            Not After : Jul 30 07:33:47 2012 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Bayern
            organizationName          = Test
            organizationalUnitName    = Testabteilung
            commonName                = rootca
            emailAddress              = rootca@example.org
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                5C:85:A3:1C:70:8E:E3:60:62:C9:5A:60:83:A2:D5:3C:EA:64:C7:C9
            X509v3 Authority Key Identifier:
                keyid:5C:85:A3:1C:70:8E:E3:60:62:C9:5A:60:83:A2:D5:3C:EA:64:C7:C9
                DirName:/C=DE/ST=Bayern/O=Test/OU=Testabteilung/CN=rootca/emailAddress=rootca@example.org
                serial:B7:BC:7F:60:3C:98:84:B2

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Jul 30 07:33:47 2012 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
Server Zertifikat erzeugen
openssl req -new -nodes -keyout server_key.pem -out server_req.pem -days 730 -config /etc/ssl/openssl.cnf
Generating a 1024 bit RSA private key
...++++++
..............................................................................++++++
writing new private key to 'server_key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----

Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:Bayern
Locality Name (eg, city) []:München
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Test
Organizational Unit Name (eg, section) []:Testabteilung
Common Name (eg, YOUR name) []:server
Email Address []:server@example.org

Please enter the following 'extra' attributes
to be sent with your certificate request

A challenge password []:
An optional company name []:

Server Zertifikat mit der rootCA signieren
openssl ca -config /etc/ssl/openssl.cnf -policy policy_anything -out server_cert.pem -infiles ./server_req.pem
Using configuration from /etc/ssl/openssl.cnf

Passwort der CA eingeben:

Enter pass phrase for ./demoCA/private/cakey.pem:

Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b7:bc:7f:60:3c:98:84:b3
        Validity
            Not Before: Jul 31 08:10:11 2009 GMT
            Not After : Jul 31 08:10:11 2010 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Bayern
            localityName              = M\C3\BCnchen
            organizationName          = Test
            organizationalUnitName    = Testabteilung
            commonName                = server
            emailAddress              = server@example.org
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                D7:95:A8:C4:D7:70:BE:4C:D4:52:B1:E6:B5:A6:CD:37:B2:4A:6B:AE
            X509v3 Authority Key Identifier:
                keyid:5C:85:A3:1C:70:8E:E3:60:62:C9:5A:60:83:A2:D5:3C:EA:64:C7:C9

Certificate is to be certified until Jul 31 08:10:11 2010 GMT (365 days)

Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries
Data Base Updated
Server Zertifikat zusammenbauen
cat server_key.pem server_cert.pem > server.pem
radiusd.conf
mschap {
 authtype = MS-CHAP
 use_mppe = yes
 require_encryption = yes
 require_strong = yes
clients.conf

In clients.conf muss für den Accesspoint ein „Shared Secret“ festgelegt werden. 192.168.0.10 ist die IP des Accesspoints.

client 192.168.0.10 {
        # This is the shared secret between the Authenticator (the
        # access point) and the Authentication Server (RADIUS).
        secret          = 123password456
        shortname       = accesspoint
    }
users

Einen neuen User anlegen. Am Ende der users Datei einen neuen Benutzer hinzufügen. ACHTUNG in mehreren Howtos wird der Syntax User-Password == „password“ noch verwendet. Dieser Syntax ist für freeradius Version 2.x obsolet. Der neue Syntax lautet Cleartext-Password := „password“.

"mobil-user"     Cleartext-Password := "password123"
eap.conf
eap {
 default_eap_type = peap
  tls {
   CA_file = ${cadir}/demoCA/cacert.pem
  }
}
sites-enabled/default
authorize {
 mschap
 # unix
}

authenticate {
 Auth-Type MS-CHAP {
  mschap
 }
 # unix
}

accounting {
 # unix
}
freeradius testen
freeradius -X

Wenn alles ohne Fehler durchläuft sollte da folgendes erscheinen

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
Daemon starten
[Strg-C]
/etc/init.d/freeradius start
Accesspoint einstellen -Allgemein-
  • Radiusserver + Radiusport + Shared Secret eingeben
  • Modus: WPA2-Enterprise
Client anbinden -Allgemein-
  • CAcert.pem zu den vertrauten Zertifizierungsstellen hinzufügen
  • Mode WPA2-Enterprise
  • EAP PEAP auswählen
Fertig!

Schreibe einen Kommentar

Diese Website verwendet Akismet, um Spam zu reduzieren. Erfahre mehr darüber, wie deine Kommentardaten verarbeitet werden.

Wir benutzen Cookies um die Nutzerfreundlichkeit der Webseite zu verbessen. Durch Deinen Besuch stimmst Du dem zu.