This howto requires freeradius built with OpenSSL support.
A guide for freeradius+openssl can be found here: Freeradius with EAP support
Install the packages as described in that guide.
The configuration fragments listed below are additions to, or changes of, the default config.
Install openssl
apt-get install openssl
Create the root CA
Change into the directory /etc/freeradius/certs
cd /etc/freeradius/certs
openssl ships a simple script for creating a CA.
/usr/lib/ssl/misc/CA.pl -newca
CA certificate filename (or enter to create)
Confirm with [Enter].
Making CA certificate ...
Generating a 1024 bit RSA private key
...............................................++++++
..........++++++
writing new private key to './demoCA/private/cakey.pem'
Choose a password and enter it.
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:Bayern
Locality Name (eg, city) []:München
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Test
Organizational Unit Name (eg, section) []:Testabteilung
Common Name (eg, YOUR name) []:rootca
Email Address []:rootca@example.org
Please enter the following 'extra' attributes to be sent with your certificate request
Confirm twice with [Enter].
A challenge password []:
An optional company name []:
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b7:bc:7f:60:3c:98:84:b2
        Validity
            Not Before: Jul 31 07:33:47 2009 GMT
            Not After : Jul 30 07:33:47 2012 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Bayern
            organizationName          = Test
            organizationalUnitName    = Testabteilung
            commonName                = rootca
            emailAddress              = rootca@example.org
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                5C:85:A3:1C:70:8E:E3:60:62:C9:5A:60:83:A2:D5:3C:EA:64:C7:C9
            X509v3 Authority Key Identifier:
                keyid:5C:85:A3:1C:70:8E:E3:60:62:C9:5A:60:83:A2:D5:3C:EA:64:C7:C9
                DirName:/C=DE/ST=Bayern/O=Test/OU=Testabteilung/CN=rootca/emailAddress=rootca@example.org
                serial:B7:BC:7F:60:3C:98:84:B2
            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Jul 30 07:33:47 2012 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
Create the server certificate
openssl req -new -nodes -keyout server_key.pem -out server_req.pem -days 730 -config /etc/ssl/openssl.cnf
Generating a 1024 bit RSA private key
...++++++
..............................................................................++++++
writing new private key to 'server_key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:Bayern
Locality Name (eg, city) []:München
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Test
Organizational Unit Name (eg, section) []:Testabteilung
Common Name (eg, YOUR name) []:server
Email Address []:server@example.org
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:
Sign the server certificate with the root CA
openssl ca -config /etc/ssl/openssl.cnf -policy policy_anything -out server_cert.pem -infiles ./server_req.pem
Using configuration from /etc/ssl/openssl.cnf
Enter the CA password:
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b7:bc:7f:60:3c:98:84:b3
        Validity
            Not Before: Jul 31 08:10:11 2009 GMT
            Not After : Jul 31 08:10:11 2010 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Bayern
            localityName              = M\C3\BCnchen
            organizationName          = Test
            organizationalUnitName    = Testabteilung
            commonName                = server
            emailAddress              = server@example.org
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                D7:95:A8:C4:D7:70:BE:4C:D4:52:B1:E6:B5:A6:CD:37:B2:4A:6B:AE
            X509v3 Authority Key Identifier:
                keyid:5C:85:A3:1C:70:8E:E3:60:62:C9:5A:60:83:A2:D5:3C:EA:64:C7:C9
Certificate is to be certified until Jul 31 08:10:11 2010 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Assemble the server certificate
cat server_key.pem server_cert.pem > server.pem
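The CA and server certificate steps above, collected into one non-interactive script. This is an added example, not the howto's own commands: it uses plain `openssl req` and `openssl x509` instead of CA.pl and `openssl ca` so it can run unattended, it writes its own small OpenSSL config fragments (ca.cnf, server.cnf, both assumed names), it uses 2048-bit keys instead of the 1024-bit keys shown in the output above, and it adds the serverAuth extended key usage that Windows supplicants require on a PEAP server certificate. The directory, subject names and file names are lab assumptions; the check function at the end is what you would run before pointing eap.conf at the files.

```shell
#!/bin/sh
# Added example, not part of the howto: builds the root CA and the PEAP
# server certificate non-interactively and verifies the result.
# Names of directories, config files and subjects are assumptions for a lab.
set -e

# Write the two OpenSSL config fragments this script needs (assumed names).
write_openssl_configs() {
    dir="$1"
    cat > "$dir/ca.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
C  = DE
ST = Bayern
O  = Test
OU = Testabteilung
CN = rootca
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    cat > "$dir/server.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
[ dn ]
C  = DE
ST = Bayern
O  = Test
OU = Testabteilung
CN = server
[ v3_server ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
# serverAuth EKU: Windows supplicants reject PEAP server certs without it
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
}

# Create cakey.pem/cacert.pem, server_key.pem/server_cert.pem and the
# combined server.pem (key followed by certificate) inside $1.
# Runs in a subshell so the caller's working directory is untouched.
make_peap_certs() {
    (
        dir="$1"
        mkdir -p "$dir"
        write_openssl_configs "$dir"
        cd "$dir"
        # Root CA: self-signed, 2048-bit key, ten years. -nodes leaves the key
        # unencrypted, so restrict file permissions instead of a pass phrase.
        openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
            -config ca.cnf -keyout cakey.pem -out cacert.pem
        chmod 600 cakey.pem
        # Server key and CSR, then sign the CSR with the CA for two years.
        openssl req -new -newkey rsa:2048 -nodes -sha256 \
            -config server.cnf -keyout server_key.pem -out server_req.pem
        openssl x509 -req -sha256 -days 730 -in server_req.pem \
            -CA cacert.pem -CAkey cakey.pem -CAcreateserial \
            -extfile server.cnf -extensions v3_server -out server_cert.pem
        # Same assembly step as the howto: key followed by certificate.
        cat server_key.pem server_cert.pem > server.pem
        chmod 600 server_key.pem server.pem
    )
}

# Pre-flight checks for the files in $1: the server certificate verifies
# against the CA, is not itself a CA, and carries the serverAuth EKU.
# Returns 0 when all three hold.
check_peap_cert() {
    dir="$1"
    text=$(openssl x509 -in "$dir/server_cert.pem" -noout -text)
    openssl verify -CAfile "$dir/cacert.pem" "$dir/server_cert.pem" >/dev/null &&
        printf '%s\n' "$text" | grep -q 'CA:FALSE' &&
        printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication'
}

# Usage (commented out so the functions can be sourced):
# make_peap_certs /etc/freeradius/certs && check_peap_cert /etc/freeradius/certs
```

With the default /etc/freeradius/certs layout the resulting cacert.pem is the file that eap.conf's CA_file points at and server.pem is the file the default private_key_file and certificate_file entries expect; cacert.pem is also the certificate to import on the clients.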
radiusd.conf
mschap {
    authtype = MS-CHAP
    use_mppe = yes
    require_encryption = yes
    require_strong = yes
}
clients.conf
A shared secret for the access point must be defined in clients.conf. 192.168.0.10 is the IP of the access point.
client 192.168.0.10 {
    # This is the shared secret between the Authenticator (the
    # access point) and the Authentication Server (RADIUS).
    secret = 123password456
    shortname = accesspoint
}
users
Create a new user by adding a new entry at the end of the users file. NOTE: several howtos still use the syntax User-Password == "password". This syntax is obsolete for freeradius version 2.x. The new syntax is Cleartext-Password := "password".
"mobil-user" Cleartext-Password := "password123"
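A small migration helper for the syntax change just described, added here as an example (it is not part of the howto): it rewrites the obsolete User-Password == check item to Cleartext-Password := on entry lines and counts how many obsolete entries remain. The users file it writes is a constructed sample.

```shell
#!/bin/sh
# Added example, not part of the howto: migrates the 1.x style
#   "name" User-Password == "secret"
# to the 2.x form
#   "name" Cleartext-Password := "secret"
# The file produced by sample_users_file is constructed for this example.
set -e

# Print the converted users file for the file given as $1. Only the check
# item on a line that starts a user entry is touched; indented reply-item
# continuation lines are left alone.
convert_users_file() {
    sed -E 's/^([[:space:]]*"?[A-Za-z0-9._@-]+"?[[:space:]]+)User-Password[[:space:]]*==[[:space:]]*/\1Cleartext-Password := /' "$1"
}

# Number of entries in $1 that still use the obsolete syntax (0 when clean).
count_obsolete_entries() {
    grep -cE '^[[:space:]]*"?[A-Za-z0-9._@-]+"?[[:space:]]+User-Password[[:space:]]*==' "$1" || true
}

# Write a constructed sample users file (old and new syntax mixed) and
# print its path.
sample_users_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample users file
"alice"      User-Password == "alicepw"
"mobil-user" Cleartext-Password := "password123"
bob          User-Password == "bobpw"
             Reply-Message = "Hello %{User-Name}"
EOF
    printf '%s\n' "$f"
}

# Usage (commented out so the functions can be sourced):
# f=$(sample_users_file); convert_users_file "$f" > users.new; count_obsolete_entries users.new
```

Once the entry is in the real users file, the test client shipped with FreeRADIUS 2.x can exercise it with `radtest -t mschap mobil-user password123 127.0.0.1 0 testing123` (assuming the default localhost client secret testing123); an Access-Accept confirms that the users entry and the mschap module work before the access point is involved.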
eap.conf
eap {
    default_eap_type = peap
    tls {
        # CA certificate created with CA.pl above. The default tls section of
        # FreeRADIUS 2.x already points private_key_file and certificate_file
        # at ${certdir}/server.pem, the file assembled above.
        CA_file = ${cadir}/demoCA/cacert.pem
    }
}
sites-enabled/default
authorize {
    mschap
    # unix
}
authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
    # unix
}
accounting {
    # unix
}
Test freeradius
freeradius -X
If everything runs without errors, the following should appear:
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
Start the daemon
[Ctrl-C]
/etc/init.d/freeradius start
Configure the access point -General-
- Enter RADIUS server, RADIUS port and shared secret
- Mode: WPA2-Enterprise
Connect the client -General-
- Add cacert.pem to the trusted certification authorities
- Mode: WPA2-Enterprise
- Select EAP method PEAP