How to setup a Secure Wlan with Freeradius

This is a short tutorial on how to set up a secure WLAN based on a Freeradius server.

First, what we need to set it up:

1. An Accesspoint

2. More than one PC

3. A wireless network card for at least one of the clients of the network, which supports WPA TKIP authentication (most of today's wireless network cards should be able to do that).

4. A Linux, BSD or a Windows PC running cygwin.

Now, to understand what we are about to do, I will give a short explanation of the Radius technology.

Radius servers are authentication servers for some very common protocols; they are able to handle PAP, CHAP, LDAP, Shell, EAP and PEAP authentication, and there are even more protocols they can handle, but those are not of interest for us in this tutorial.

The Radius server basically takes the authentication information and, depending on the authorisation it gets from the client, offers the client access to other protocols and software running on the network.

For our setup, we will use the EAP protocol supported by the radius server, in combination with TLS encryption; our base connection setup will look something like this:

Client [local copy of a TLS certificate & password] -> Accesspoint -> Freeradius Server [local copy of client and server TLS certificate & password]

When the client connects to the Freeradius server and presents a valid certificate and password to the server, it gets authenticated, and the Freeradius server sets up a secure encrypted vlan between the client and itself.

That is basically it. Now let's start the whole setup...

Step one, configuring Freeradius:

You may get Freeradius from

www.freeradius.org

Download and unpack it:

tar zxvf freeradius-*.tar.gz

This will extract all files into a subfolder; cd into that folder and start compiling, no extra parameters are needed here:

./configure
make
make install

This will install Freeradius into the /usr/local directory on GNU boxes.

The base structure:

/usr/local/etc/raddb

Here are the config files for the radius server; there are quite a few, but don't worry, only 3-4 are of interest for us.

/usr/local/etc/raddb/certs

This is the local authentication certificate storage of our radius server. It may be changed to wherever you want to hold them; just be sure not to have them lying around in some publicly accessible directory.

/usr/local/var/log/radius

Here are the logfiles; they'll get important later on...

/usr/local/sbin

Here go the Radius daemon and other executables of interest...

/usr/local/bin

There are some more files here which will be of interest for us later on...

/usr/local/man

Here are the man pages installed by Freeradius, worth a look...

/usr/local/lib

Here are the modules that help Freeradius support the different types of authentication.

/usr/local/share/freeradius

This directory holds the files with the base protocol values, not of interest for us within this tutorial, but definitely worth a look.

After that base description of the folder structure, we are going to produce our certificates. This is done with the help of a script that is delivered with the Freeradius source code; you may find this one and other interesting scripts in the folder "scripts" under your unpacked radius source directory.

The file is called "CA.certs". It's a simple bash script, which we need to open first and change the first few values in:

[ "$SSL" = "" ] && SSL=/usr/lib/ssl
export SSL
...
COUNTRY="AT"
PROVINCE="Province"
CITY="Salzburg"
ORGANIZATION="some"
ORG_UNIT=`hostname`
PASSWORD="somepass"
...
COMMON_NAME_CLIENT="Client certificate"
EMAIL_CLIENT="some@email.com"
...
COMMON_NAME_SERVER="Server certificate"
EMAIL_SERVER="other@email.com"
...
COMMON_NAME_ROOT="Root certificate"
EMAIL_ROOT="thirdother@email.com"
...

After we have changed the above entries to our needs, we may run the script by simply calling it; no further interaction is needed:

sh CA.certs

It will produce a few files. Let me now explain the basics about certificates, and then I will explain what these files are:

For our authentication task we need two central certificates: one is the client certificate, the other is the server certificate. Both parties have to know each other's certificate and their own, to be able to compare their content and validate them.

There is a third certificate needed, which "holds" the other certification information valid within the system itself. This certificate does not need to be exchanged between the client and the server; it will just validate both certificates as not fake ones on the server. This certificate is named a "root certificate".

Another thing you might have realised from the above code is that there are three different email addresses listed. This simply tells the certificate readout program (in our case the radius server, or better said the openssl client that the radius server is calling) that these are three different certificates.

The password mentioned above is the password that the certificates will be signed with, so the client will not only have to know the cert; the client will also have to enter a password the first time the certificate gets imported into his machine, thus giving us some extra security.

Calling the script will produce these files and folders inside the directory it was called from:

demoCA/....

This directory holds the base information needed for an SSL certification tree. It won't be of interest for us right now; just be sure to keep it in the same place as your other certificates.

newcert.pem

Temporary file, produced by the script while creating our certificates; you may delete that one.

newreq.pem

Same as above.

cert-clt.pem
cert-srv.pem
root.pem

The local certificate copies; no need to copy these, but keep them where they are.

cert-clt.der
cert-srv.der
root.der

The base export certificates, with the hashes in them.

cert-clt.p12
cert-srv.p12
root.p12

PKCS#12 certificates for export, which contain information about the encryption method, the hashes, and the password.

Now copy those files to the directory you want the server to read them from later on, and put the certificates needed for the client onto a medium that you can plug into the client (USB stick, floppy...).
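Before the server reads the certificates, it is worth checking that nothing in that directory is readable by anyone but the owner. The following is an added example (my own, not a script shipped with Freeradius or part of the original tutorial): it lists every file under a directory whose group or other permission bits are set, and can clear them. The certs directory layout it builds for the demo is constructed and holds no real keys; the same check applies to the directory the auth/reply detail logs are written to later in this tutorial, where the radiusd.conf comments demand 0600. It uses only `ls`, `find` and `chmod`, so it works on Linux, BSD and cygwin alike.

```shell
#!/bin/sh
# Audit a directory for files readable or writable by anyone other than the
# owner. Meant for the raddb certs directory and the radacct detail directory;
# the directory to check is a parameter, nothing is assumed about install paths.

# Print one line "<mode> <path>" per file whose group/other bits are not all
# cleared. Parses `ls -l` (columns 2-10, e.g. rw-r--r--) instead of stat,
# because stat's flags differ between GNU and BSD userlands.
find_exposed_files() {
    dir="$1"
    find "$dir" -type f | while read -r f; do
        mode=$(ls -ld "$f" | cut -c2-10)
        case "$mode" in
            ???------) ;;                          # group and other have no bits: fine
            *) printf '%s %s\n' "$mode" "$f" ;;    # something is exposed
        esac
    done
}

# Return 0 when nothing is exposed, 1 otherwise, so it can gate a deploy step
# (e.g. run it right before starting radiusd).
check_private_dir() {
    exposed=$(find_exposed_files "$1")
    if [ -n "$exposed" ]; then
        printf 'exposed files under %s:\n%s\n' "$1" "$exposed" >&2
        return 1
    fi
    return 0
}

# Fix: clear group/other bits on every file under the directory.
lock_down_dir() {
    find "$1" -type f -exec chmod go-rwx {} \;
}

# Constructed demo: a scratch directory shaped like raddb/certs with one
# correctly protected file and one world-readable file. No real key material.
make_demo_dir() {
    demo=$(mktemp -d)
    mkdir -p "$demo/certs"
    printf 'constructed, not a real key\n' > "$demo/certs/cert-srv.pem"
    printf 'constructed, not a real key\n' > "$demo/certs/cert-clt.pem"
    chmod 0600 "$demo/certs/cert-srv.pem"
    chmod 0644 "$demo/certs/cert-clt.pem"
    printf '%s\n' "$demo"
}
```

Usage on a real install would be `check_private_dir /usr/local/etc/raddb/certs || lock_down_dir /usr/local/etc/raddb/certs`; the demo directory exists only so the functions can be exercised without touching a live server.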

Note: a better overview of those types of certificates can be found at the following address:

en.wikipedia.org/wiki/X.509

Now we take a look at the configuration files which are of interest for us:

radiusd.conf

The very base config file, containing most of the important information.

eap.conf

Interesting for our tutorial; here you may find the base configuration of the EAP authentication.

clients.conf

Like the name says, this file holds client information, comparable to a dhcpd.conf file.

users

User information file; here the users are listed with their information, and which of them will or won't be able to access our network, depending on the setup.

First we take care of the settings inside radiusd.conf; there are only a few lines of interest for us:

#user = nobody
#group = nobody

This sets the user that the daemon is going to run as once it has been initiated. Set it to a low-privileged user that won't be able to do much, so there is no chance of taking over the machine from that account.

bind_address = *

This tells us which IP the radius server will be listening on; that way we may limit the accessibility of the radius server to the IP or IPs we want people to connect through.

log_auth = yes

We want logs, don't we? To have logs, though, we will also need to change the following entries:

log_auth_badpass = yes
log_auth_goodpass = yes

detail auth_log {
detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d

#
# This MUST be 0600, otherwise anyone can read
# the users passwords!
detailperm = 0600
}

detail reply_log {
detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d

#
# This MUST be 0600, otherwise anyone can read
# the users passwords!
detailperm = 0600
}

authorize {
.....
auth_log
.....
}

That will enable us to have everything that is of concern to our tutorial logged into text files.

Just change the lines to fit your needs.

The rest of the file we may leave untouched; the default settings are appropriate in most cases.

In case you want to modify the behaviour of the server, there are lots of possibilities though.
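Having the auth log is only useful if somebody reads it, so here is an added example (my own, not part of the tutorial or of Freeradius) that summarises failed logins per user and per client station from the log radiusd writes with log_auth = yes. The log lines below are constructed samples in the line shape that setting produces ("<timestamp> : Auth: Login OK|incorrect: [user] (from client <shortname> port <n> cli <mac>)"); the user names, MAC addresses and timestamps are made up, and the file name radius.log inside /usr/local/var/log/radius is an assumption, so compare the patterns against your own log before relying on them.

```shell
#!/bin/sh
# Constructed sample of radius.log lines as produced with log_auth = yes.
# All names, MACs and timestamps are made up for this example.
SAMPLE_LOG='Mon Jan 16 20:01:03 2006 : Auth: Login OK: [alice] (from client accesspointhost port 0 cli 00-11-22-aa-bb-cc)
Mon Jan 16 20:01:10 2006 : Auth: Login incorrect: [bob] (from client accesspointhost port 0 cli 00-11-22-dd-ee-ff)
Mon Jan 16 20:01:12 2006 : Auth: Login incorrect: [bob] (from client accesspointhost port 0 cli 00-11-22-dd-ee-ff)
Mon Jan 16 20:01:15 2006 : Auth: Login incorrect: [bob] (from client accesspointhost port 0 cli 00-11-22-dd-ee-ff)
Mon Jan 16 20:02:40 2006 : Auth: Login incorrect: [carol] (from client accesspointhost port 0 cli 00-11-22-12-34-56)
Mon Jan 16 20:02:47 2006 : Auth: Login OK: [carol] (from client accesspointhost port 0 cli 00-11-22-12-34-56)'

# Read log lines on stdin; print "<failures> <user>", most failures first.
# The user name is whatever radiusd put between the square brackets.
failed_logins_by_user() {
    grep 'Auth: Login incorrect: \[' \
    | sed 's/.*Login incorrect: \[\([^]]*\)\].*/\1/' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# Read log lines on stdin; print "<failures> <station-mac>", most first.
# Groups by the "cli" field, i.e. the wireless station the AP reported.
failed_logins_by_station() {
    grep 'Auth: Login incorrect: \[' \
    | sed 's/.* cli \([^)]*\)).*/\1/' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# Read log lines on stdin; print the users whose failure count reaches the
# threshold given as $1 (default 3), one per line.
users_over_threshold() {
    failed_logins_by_user | awk -v t="${1:-3}" '$1 >= t { print $2 }'
}
```

On a live server the same functions read the real file, e.g. `users_over_threshold 5 < /usr/local/var/log/radius/radius.log`; run over the constructed sample, `users_over_threshold 3` reports only bob, who failed three times from one station, while carol's single failure followed by a successful login stays below the threshold.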

Now let's have a look at the file which handles the protocol we are going to use for our setup. The file's name is eap.conf; there are a few lines of interest here that need to be changed from the defaults...

default_eap_type = tls

This tells the server that we will use TLS encryption as the default "tunnel" for our EAP.

Next we need to enable the tls section; this is done by uncommenting these few lines and changing them to our needs:

tls {
private_key_password = thekeypass
private_key_file = ${raddbdir}/certs/cert-srv.pem
certificate_file = ${raddbdir}/certs/cert-srv.pem

CA_file = ${raddbdir}/certs/demoCA/cacert.pem
}


private_key_password = thekeypass

Set this to the password that you used earlier with CA.certs.

private_key_file = ${raddbdir}/certs/cert-srv.pem
certificate_file = ${raddbdir}/certs/cert-srv.pem

CA_file=${raddbdir}/certs/demoCA/cacert.pem

These three lines tell radius where to look for the certificate information, so the basic authentication may happen.

After we have taken care of those things, we may now continue with putting the base connection together. Once again look inside the eap.conf file, at these lines:

peap {
default_eap_type = mschapv2

This tells our setup that we want our EAP requests tunneled through mschapv2, thus extending that protocol to EAP-MSCHAPv2. mschapv2 is a common protocol for tunneling communication.

copy_request_to_tunnel = yes
use_tunneled_reply = yes

These two lines tell our radius that we want every packet of the communication to go through that tunnel, so no outside listening will be possible.

proxy_tunneled_request_as_eap = yes

This is a compatibility setting; as some clients don't understand the above communication tunnel, this will pack the communication into a default mschapv2 tunnel.

}

The rest of the file may stay default.

Now we will have a look into the part of radius where we define the base client rules. Let us start with the file clients.conf; inside that file we find information about the IP ranges that are able to access our radius server, e.g. a range of access points which forward user authentications to the radius server.

An example config for just one AP will look like this:

client 192.168.2.20 {
secret = secretpassforap
shortname = accesspointhost
}

The first line is pretty self-explanatory; after all it's the IP of our access point.

The line:

secret = secretpassforap

defines a password hash we need in order to have the access point securely "connected" to the radius server; choose something long and not too easy to find out...

shortname = accesspointhost

shortname is basically the internal hostname of our access point, as set in /etc/hosts for example.

So, that's it for clients.conf. Now we are at the final config file, the users file; inside this file we define the user data and the default fallback, if a user does or doesn't fit certain requirements.

For a test, we may set up one user:

Auth-Type := Local, User-Password = "yourusercertificatepassword"

The line, once again, is pretty self-explanatory: the Auth-Type tells our server what level the user is applying for; the "Local" attribute tells the radius server that the client will become a local network user as soon as he has authenticated; the User-Password attribute applies the password to the user, in our case once again the password that we used with CA.certs.

So, that is it for the server side. Now just boot your radiusd in diagnostic mode, so we may see everything that happens first hand on that shell:

/usr/local/sbin/radiusd -Xxxx -A

Now, since the radius server is running, make sure that the firewall has the ports open for the IP range, so that the access point will be able to authenticate to the radius server. The common ports of a Freeradius server are as follows:

udp 1812
udp 1813

Step two, the setup of the access point as client of the radius server

First, take the information needed for your access point from your radius server; you will need the following information:

1. The port the radius server is running on; for our setup that is port 1812 UDP.

2. The IP the radius server is running on.

3. The password hash we declared inside the clients.conf file.

So, that's it. Open up your access point's web interface, go to the wireless settings, and choose, depending on your access point, something similar to "WPA" (this is the name on the D-Link access point I tested this with, for example... don't mistake it for WPA-PSK, which is also called WPA encryption...) or "Require EAP & Access Type: Open".

Enter the IP, the port and the password hash of your radius server as requested by the access point, and then accept or apply the new settings.

Step three, the configuration on the client side.

Now this is the simplest part; just transfer the following certificates to the client:

cert-clt.der
cert-clt.p12
cert-srv.der
cert-srv.p12
root.der
root.p12

Import them (on a Windows machine this is done by double-clicking on them) and add them to your trusted certificate store. You will be asked to enter the certificate's password; just do so.

Next, look at the network configuration tab, open it, and go to the wireless tab. In my case Windows is handling the wireless network connection; if you use the network card producer's client, you may need to configure your information there.

First you tell the client that you are going to use encryption and that the key is applied to you; on the second tab you tell the client that you use a certificate or smartcard, and then choose your newly imported certificates.

Next you tell your client to use mschapv2/peap as the transfer protocol, then disconnect and reconnect your client. That's it, you should now be connected to the network over a secured connection.

So, that was it, a base configuration of Freeradius. Of course I left a few ends open, but if you really look into Freeradius, you might end up writing books about it.

I hope you enjoyed my little tutorial, and as always, feel free to contact me with any questions or tips; I appreciate any of them.