How to create a RADIUS server for wireless authentication
created 9/4/07
This tutorial will assist the user in setting up a RADIUS server for wireless authentication. It is a quick step by step to get this server up and running quickly. For a more comprehensive tutorial, I encourage the user to read the tutorial by Mike Bauer, who wrote this set of tutorials for Linux Journal:
PARANOID PENGUIN - Securing WLANs with WPA and Free RADIUS, Part I
PARANOID PENGUIN - Securing WLANs with WPA and Free RADIUS, Part II
PARANOID PENGUIN - Securing WLANs with WPA and Free RADIUS, Part III
Note: This tutorial is specific to setting up wireless authentication and encryption using TKIP and EAP-TLS. It has been successfully tested using freeradius on the server and creating certificates and keys with openssl for the server and clients. The operating system I used is Fedora Core 6. The wireless access point is a Linksys WRT54G.
Additional notes: I use vi for a text editor, but that is not required. If you need the fluff of a gui app like kwrite, go right ahead. So, when you see the command: vi /path/to/somefile, that just means that somefile is being opened in the vi text editor for, um, editing.
Edit the openssl.cnf file
# vi /etc/pki/tls/openssl.cnf
dir = ./myCA
further down the file:
countryName_default = US
stateOrProvinceName_default = Yourstate
localityName_default = Yourcity
Save and close the file.
Edit the CA file
# vi /etc/pki/tls/misc/CA
CATOP=./myCA
Create a new Certificate Authority
# cd /etc/pki/tls/
# misc/CA -newca
follow the instructions
Create xpextensions file
# vi /etc/pki/tls/xpextensions
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
Save and close the file.
Create server certificate signing request
# cd /etc/pki/tls
# openssl req -new -nodes -keyout yourserver_key.pem -out yourserver_req.pem -days 730 -config ./openssl.cnf
follow the prompts and answer the questions
Sign the server request with the CA
# cd /etc/pki/tls
# openssl ca -config ./openssl.cnf -policy policy_anything -out yourserver_cert.pem -extensions xpserver_ext -extfile ./xpextensions -infiles ./yourserver_req.pem
answer questions as prompted.
Edit yourserver_cert.pem file and delete unneeded text
# vi yourserver_cert.pem
Delete all text before the -----BEGIN CERTIFICATE----- line (openssl ca writes a human-readable dump of the certificate above the PEM block).
Create keycert file
# cat yourserver_key.pem yourserver_cert.pem > yourserver_keycert.pem
Create client certificate signing request
# openssl req -new -keyout yourclient_key.pem -out yourclient_req.pem -days 730 -config ./openssl.cnf
Sign the client request with the CA
# openssl ca -config ./openssl.cnf -policy policy_anything -out yourclient_cert.pem -extensions xpclient_ext -extfile ./xpextensions -infiles ./yourclient_req.pem
Make certificate for Windows clients
# openssl pkcs12 -export -in yourclient_cert.pem -inkey yourclient_key.pem -out yourclient_cert.p12 -clcerts
Note: Leave export passphrase blank
Copy cacert and server keycert files to raddb for Freeradius
# cp /etc/pki/tls/myCA/cacert.pem /etc/raddb/certs
# cp /etc/pki/tls/yourserver_keycert.pem /etc/raddb/certs
Create a Diffie-Hellman parameters file from within the /etc/raddb/certs directory; it is used when negotiating TLS session keys
# cd /etc/raddb/certs
# openssl dhparam -check -text -5 512 -out dh
Create data file containing random bitstream for TLS
# dd if=/dev/urandom of=random count=2
Edit radiusd.conf file
# vi /etc/raddb/radiusd.conf
Find and make changes to these lines
user=nobody
group=nobody
Edit eap.conf file
# vi /etc/raddb/eap.conf
Look for and change the following lines:
Make sure to uncomment the necessary lines
default_eap_type = tls
tls {
    private_key_password = somepassword
    private_key_file = ${raddbdir}/certs/yourserver_keycert.pem
    certificate_file = ${raddbdir}/certs/yourserver_keycert.pem
    CA_file = ${raddbdir}/certs/cacert.pem
    dh_file = ${raddbdir}/certs/dh
    random_file = ${raddbdir}/certs/random
}
Edit clients.conf file
# vi /etc/raddb/clients.conf
client 192.168.1.0/24 {
    secret = somesecret
    shortname = somename
}
Freeradius is now configured. Time to start it up
# /etc/init.d/radiusd start
If you find that clients cannot connect to wireless, the first step should be to check the logs at /var/log/radius/radius.log.
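When reading radius.log, three kinds of line answer most "clients cannot connect" questions: successful and failed authentications (which tell you whether the supplicant ever presented a usable certificate), and "unknown client" errors, which mean the access point's address is not covered by the client block in clients.conf. The functions below are an added example, not part of the original tutorial; they read a log on stdin and pull those three things out with grep and awk. The sample_log function emits constructed lines in the general layout of a FreeRADIUS 1.x log (timestamp, then "Auth:" or "Error:"); user names, MAC addresses and the 192.168.1.50 address are made up, and your own log will differ in detail, so adjust the patterns if they do not match.

```shell
#!/bin/sh
# Added example: quick triage of /var/log/radius/radius.log (not from the original page).
# All functions read the log from stdin.

# Constructed sample lines for demonstration; not a real capture.
sample_log() {
    cat <<'EOF'
Tue Sep  4 10:15:02 2007 : Auth: Login OK: [alice] (from client ap-office port 0 cli 00-11-22-33-44-55)
Tue Sep  4 10:15:40 2007 : Auth: Login incorrect: [bob] (from client ap-office port 0 cli 00-11-22-33-44-66)
Tue Sep  4 10:16:01 2007 : Error: rlm_eap: SSL error error:14089086:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:certificate verify failed
Tue Sep  4 10:16:01 2007 : Auth: Login incorrect: [bob] (from client ap-office port 0 cli 00-11-22-33-44-66)
Tue Sep  4 10:17:30 2007 : Error: Ignoring request from unknown client 192.168.1.50 port 1812
Tue Sep  4 10:20:11 2007 : Auth: Login OK: [carol] (from client ap-lab port 0 cli 00-11-22-33-44-77)
EOF
}

# Number of successful authentications (prints 0 when there are none).
count_login_ok() {
    grep -c 'Auth: Login OK:' || true
}

# Number of failed authentications.
count_login_incorrect() {
    grep -c 'Auth: Login incorrect:' || true
}

# Failed authentications per user, most failures first: "<count> <user>".
# The user name sits between square brackets, so split on [ and ].
failed_logins_by_user() {
    awk -F'[][]' '/Auth: Login incorrect:/ { n[$2]++ }
                  END { for (u in n) print n[u], u }' | sort -rn
}

# Addresses the server rejected because they are not in clients.conf.
# A hit here means the access point needs a client block (or has the wrong address).
unknown_clients() {
    sed -n 's/.*unknown client \([0-9.]*\).*/\1/p' | sort -u
}

# Lines from the EAP/TLS module; a "certificate verify failed" here means the
# client presented a certificate the server's CA_file does not trust.
tls_errors() {
    grep 'rlm_eap' | grep -i 'SSL error' || true
}

# radius_log_report [FILE]  (defaults to the path given in the tutorial)
radius_log_report() {
    f="${1:-/var/log/radius/radius.log}"
    echo "Login OK:        $(count_login_ok < "$f")"
    echo "Login incorrect: $(count_login_incorrect < "$f")"
    echo "Failures by user:"; failed_logins_by_user < "$f" | sed 's/^/  /'
    echo "Unknown clients:"; unknown_clients < "$f" | sed 's/^/  /'
    echo "TLS errors:";      tls_errors < "$f" | sed 's/^/  /'
}
```

Running radius_log_report against the real log gives a one-screen picture: repeated failures for one user with TLS errors alongside them point at that user's certificate, while an address under "Unknown clients" points at clients.conf rather than at the certificates.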
Please report any errors or give feedback to fedorafreak@fincelfamily.com