The Linux Page - RADIUS server

HOME
Back to the Linux Page

How to create a RADIUS server for wireless authentication
created 9/4/07

This tutorial will assist the user in setting up a RADIUS server for wireless authentication. It is a quick step by step to get this server up and running quickly. For a more comprehensive tutorial, I encourage the user to read the tutorial by Mike Bauer, who wrote this set of tutorials for Linux Journal:
PARANOID PENGUIN - Securing WLANs with WPA and Free RADIUS, Part I
PARANOID PENGUIN - Securing WLANs with WPA and Free RADIUS, Part II
PARANOID PENGUIN - Securing WLANs with WPA and Free RADIUS, Part III

Note: This tutorial is specific to setting up wireless authentication and encryption using TKIP and EAP-TLS. It has been successfully tested using freeradius on the server and creating certificates and keys with openssl for the server and clients. The operating system I used is Fedora Core 6. The wireless access point is a Linksys WRT54G.
Additional notes: I use vi for a text editor, but that is not required. If you need the fluff of a gui app like kwrite, go right ahead. So, when you see the command: vi /path/to/somefile, that just means that somefile is being opened in the vi text editor for , um, editing.

Edit the openssl.cnf file

	# vi /etc/pki/tls/openssl.cnf

	dir   = ./myCA

further down the file:

	countryName_default    = US
	stateOrProvinceName_default    = Yourstate
	localityName_default    = Yourcity

Save and close the file.

Edit the CA file

	# vi /etc/pki/tls/misc/CA

	CATOP=./myCA

Create a new Certificate Authority

	cd /etc/pki/tls/
	# misc/CA -newca

follow the instructions

Create xpextensions file

	# vi /etc/pki/tls/xpextensions

	[ xpclient_ext ]
	extendedKeyUsage = 1.3.6.1.5.5.7.3.2
	[ xpserver_ext ]
	extendedKeyUsage = 1.3.6.1.5.5.7.3.1

Save and close the file.


Create server certificate signing request

	# cd /etc/pki/tls

	# openssl req -new -nodes -keyout yourserver_key.pem -out yourserver_req.pem -days 730 -config ./openssl.cnf

follow the prompts and answer the questions

Sign the server request with the CA

	# cd /etc/pki/tls
	# openssl ca -config ./openssl.cnf -policy policy_anything -out yourserver_cert.pem -extensions xpserver_ext -extfile
	./xpextensions -infiles ./yourserver_req.pem

answer questions as prompted.

Edit yourserver_cert.pem file and delete unneeded text

	# vi yourserver_cert.pem

Delete all before ----------BEGIN CERTIFICATE----------

Create keycert file

	# cat yourserver_key.pem yourserver_cert.pem > yourserver_keycert.pem

Create client certificate signing request

	# openssl req -new -keyout yourclient_key.pem -out yourclient_req.pem -days 730 -config ./openssl.cnf

Sign the client request with the CA

	# openssl ca -config ./openssl.cnf -policy policy_anything -out yourclient_cert.pem -extensions xpclient_ext -extfile
	./xpextensions -infiles ./yourclient_req.pem

Make certificate for Windows clients

	# openssl pkcs12 -export -in yourclient_cert.pem -inkey yourclient_key.pem -out yourclient_cert.p12 -clcerts

Note: Leave export passphrase blank

Copy cacert and server keycert files to raddb for Freeradius

	# cp /etc/pki/tls/myCA/cacert.pem /etc/raddb/certs
	# cp /etc/pki/tls/myCA/yourserver_keycert.pem /etc/raddb/certs

Create Diffie-Kellman parameters file from within /etc/raddb/certs directory for use of negotiating TLS session keys

	# cd /etc/raddb/certs	
	# openssl dhparam -check -text -5 512 -out dh

Create data file containing random bitstream for TLS

	# dd if=/dev/urandom of=random count=2

Edit radiusd.conf file

	# vi /etc/raddb/radiusd.conf

Find and make changes to these lines

	user=nobody
	group=nobody

Edit eap.conf file

	# vi /etc/raddb/eap.conf

Look for and change the following lines:

Make sure to uncomment necesary lines

	default_eap_type = tls
	tls {
		private_key_password = somepassword
		private_key_file = ${raddbdir}/certs/server_keycert.pem

		certificate_file = ${raddbdir}/certs/server_keycert.pem

		CA_file = ${raddbdir}/certs/cacert.pem

		dh_file = ${raddbdir}/certs/dh
		random_file = ${raddbdir}/certs/random

Edit clients.conf file

	# vi /etc/raddb/clients.conf

	client 192.168.1.0/24 {
			secret		= somesecret
			shortname	= somename
		}

Freeradius is now configured. Time to start it up

	# /etc/init.d/radiusd start

If you find that clients cannot connect to wireless, the first step should be to check the logs at /var/log/radius/radius.log.

Please report any errors or give feedback to fedorafreak@fincelfamily.com

Back to the Linux Page
HOME