• entries
  • comments
  • views

RADIUS Project Post-Mortem

Sign in to follow this  
Followers 0


Before the fresh info in my brain fades into the realm of "that was cool a while ago", I wanted to be sure I posted copies of all the working config files here for the RADIUS/WiFi setup. I will add some commentary where applicable, but this is basically just going to be a laundry list. (If anyone actually reads this and has any questions, I'll be happy to add more descriptiveness.)The Equipment:

  • ZyXEL P-330W Wireless Router (firmware v1.8)
  • Pentium III server: OpenBSD 4.2, FreeRADIUS 1.1.6, OpenSSL 0.9.7j
  • Laptop (WiFi client): Windows XP SP2
  • Laptop (WiFi client): Debian GNU/Linux 4.1 (etch), wpa_supplicant 0.5.5

So let's begin. The wireless router "Wireless Security Setup" page looks like this:pajkeaabj.jpgThe "password" field on the bottom is where the shared secret from the RADIUS server goes.Next up, the RADIUS server. First, the OpenSSL config file (/etc/ssl/openssl.cnf):

## OpenSSL example configuration file.# This is mostly being used for generation of certificate requests.#RANDFILE                = /dev/arandom####################################################################[ ca ]default_ca      = CA_default            # The default ca section[ CA_default ]dir            = ./masterCA              # top dirdatabase       = $dir/index.txt        # index file.new_certs_dir  = $dir/newcerts         # new certs dircertificate    = $dir/cacert.pem       # The CA certserial         = $dir/serial           # serial no fileprivate_key    = $dir/private/cakey.pem# CA private keyRANDFILE       = $dir/private/.rand    # random number filedefault_days   = 365                   # how long to certify fordefault_crl_days= 30                   # how long before next CRLdefault_md     = md5                   # md to usepolicy         = policy_anything       # default policyemail_in_dn    = no                    # Don't add the email into cert DNname_opt       = ca_default            # Subject name display optioncert_opt       = ca_default            # Certificate display optioncopy_extensions = none                 # Don't copy extensions from request# For the CA policy[ policy_anything ]countryName             = matchstateOrProvinceName     = matchorganizationName        = matchorganizationalUnitName  = optionalcommonName              = suppliedemailAddress            = optional[ req ]default_bits            = 1024default_keyfile         = privkey.pemdistinguished_name      = req_distinguished_nameattributes              = req_attributes[ req_distinguished_name ]countryName                     = Country Name (2 letter code)countryName_default             = UScountryName_min                 = 2countryName_max                 = 2stateOrProvinceName             = State or Province Name#stateOrProvinceName_default    = Some-StatestateOrProvinceName_default     = PennsylvanialocalityName                    = LocalitylocalityName_default            = Pittsburgh0.organizationName              = Organization Name ("Issued By")#0.organizationName_default     = Internet Widgits Pty Ltd0.organizationName_default      = Bit Bucket# we can do this but it is not needed normally :-)#1.organizationName             = Second Organization Name (eg, company)#1.organizationName_default     = CryptSoft Pty LtdorganizationalUnitName          = OU Name#organizationalUnitName_default =commonName                      = Common Name (Fully-qualified Hostname)commonName_max                  = 64emailAddress                    = Email AddressemailAddress_default            = dev@null.comemailAddress_max                = 64[ req_attributes ]challengePassword               = A challenge passwordchallengePassword_min           = 4challengePassword_max           = 20unstructuredName                = An optional company name[ x509v3_extensions ]nsCaRevocationUrl               = http://www.cryptsoft.com/ca-crl.pemnsComment                       = "This is a comment"# under ASN.1, the 0 bit would be encoded as 80nsCertType                      = 0x40#nsBaseUrl#nsRevocationUrl#nsRenewalUrl#nsCaPolicyUrl#nsSslServerName#nsCertSequence#nsCertExt#nsDataType

Most of the significant stuff there is near the top, from the [ ca ] sections through the [ policy_anything ] sections. Note that if you already have a valid CA somewhere, you can just use that instead.OpenSSL also needs a file with some tweaks for any certificates to be created for Windows XP clients. Here is the contents of this file (/etc/ssl/xpextensions):

[ xpclient_ext]extendedKeyUsage =[ xpserver_ext ]extendedKeyUsage =

I don't know what any of that means yet, either.Here are the commands needed to generate client certificates:

# create signing request for clientopenssl req -new -keyout client_key.pem -out client_req.pem -days 730 -config ./openssl.cnf# sign the request (cert can be used with *nix)openssl ca -config ./openssl.cnf -policy policy_anything -out [certificate-name].pem -extensions xpclient_ext -extfile ./xpextensions -infiles ./client_req.pem# convert to PKCS12 (for WinXP)openssl pkcs12 -export -in [certificate-name].pem -inkey client_key.pem -out [certificate-name].p12 -clcerts

Next up, the FreeRADIUS stuff. The FreeRADIUS config file (/etc/raddb/raduisd.conf) points to a separate file for EAP configuration. Here is the portion of /etc/raddb/eap.conf that I had to modify:

tls {						private_key_password = "XXXXXXXX" [Not gonna share *that* with the world!]						private_key_file = ${raddbdir}/certs/server_keycert.pem						certificate_file = ${raddbdir}/certs/server_keycert.pem						CA_file = ${raddbdir}/certs/cacert.pem						dh_file = ${raddbdir}/certs/dh						random_file = ${raddbdir}/certs/random				}

The server_keycert.pem file is the file that contains both the certificate and key for the FreeRADIUS server. The cacert.pem file is the signing certificate from the CA I set up.Also need to modify the client configuration file (/etc/raddb/clients.conf), to specify which machines are allowed to use this server for authentication. Note that in the RADIUS world, "client" means "thing which asks the RADIUS server if someone is allowed in" -- in other words, our wireless router in this case. The term "supplicant" is used to represent the device (e.g. laptop) that is requesting access. Here is clients.conf:

client {		secret = XXXXXXXX [Again, secret stuff here.]		shortname = commo}client {		secret = XXXXXXXX		shortname = nato} is the IP address of the wireless router. Should go without saying that files with passwords in them should be readable only by root.Something else I learned, which may or may not be significant. FreeRADIUS will try to get an authentication match however it can using its config files. There is a file named users (/etc/raddb/users), which allows for basic username/password authentication. I had some users entered into this file for testing purposes (i.e. making sure the RADIUS server was working properly); what I found was that if the EAP-TLS authentication could not find a valid certificate on the laptop, it would revert to using the username/password combo found in this file. Removing the file generates an error and prevents FreeRADIUS from starting properly... so I just created an empty file named users.conf and all is well once again. This is another file to make sure that only root can view/edit. If someone were to sneak a username/password in there, they could bypass whatever other authentication you were using RADIUS for.Another note about FreeRADIUS. Apparently, the version of FreeRADIUS that comes as a Debian package does *not* include support for EAP-TLS authentication. I'm not 100% sure why, though I think it has something to do with a conflict between OpenSSL and the Debian Free Software Guidelines. If you are intending to use Debian GNU/Linux to run FreeRADIUS, you will need to either tweak the package or install from source. An Internet search for "Debian FreeRADIUS EAP-TLS" found me a page that provides a way to patch the default package; but I didn't try it out so I can't verify. (I had enough trouble with OpenBSD.) I'm sure there are numerous guides out there, given Debian's huge user-base.For the Windows XP laptops, you can use the MMC "Certificates" snap-in to add the certificate you create. I added the client ("supplicant") certificate I generated with OpenSSL, as well as the CA certificate from my OpenBSD server as a Trusted Root CA (so that the client certificate would have a valid path... I don't know if that makes a difference or not, but it doesn't hurt). There are various third-party applications you can use for WPA/EAP authentication, but I found that the built-in "Wireless Connection" network connection in XP worked fine. During the connection, I was prompted to select a certificate to use for authentication. I did not have to do any other configuration in XP.The linux laptop was more challenging. I had the madwifi drivers set to use the wpa_supplicant program already (for WPA-PSK authentication that I had been using), so it was just a matter of adjusting the wpa_supplicant.conf file to use EAP-TLS authentication instead. I have an entry or two about this process, so I will not go into great detail here. Instead, here is the syntax that allows it to work:

ctrl_interface=/var/run/wpa_supplicantnetwork={		ssid="l33t"		key_mgmt=WPA-EAP#	   proto=WPA#	   pairwise=TKIP#	   group=TKIP		eap=TLS		identity="/etc/ssl/certs/cert_19delta.pem"		ca_cert="/etc/ssl/certs/cacert.pem"		client_cert="/etc/ssl/certs/cert_19delta.pem"		private_key="/etc/ssl/certs/cert_19delta_key.pem"		private_key_passwd="XXXXXXXX"}

Items commented out are defaults; I just had them in there "just in case".There we go. Submitted for your approval.I have discovered a forum dedicated to the ZyXEL hardware, and found that this particular router's RADIUS implementation does not seem to be complete. While the details elude me, right now it is enough for me to know that it is working as I expected it to, and that my neighbors would have to be pretty slick in order to sneak onto my wireless network.Either that, or just read this blog.But another neighbor has an open AP onto his cable connection... so someone looking for an easy target could pass me by. :)

Sign in to follow this  
Followers 0


some day, i know this is going to be really really useful. and on that day, i will forget completely where I saw this post. : / good job, nevertheless.


Share this comment

Link to comment

Please sign in to comment

You will be able to leave a comment after signing in

Sign In Now