
September 29, 2009

Setup Openssl + freeRADIUS

OpenSSL Certificate Steps

1. Create the CA certificate with OpenSSL's CA.pl script
#cd /etc/ssl/
#/usr/lib/ssl/misc/CA.pl -newca      (Ubuntu path)

or
#/usr/share/ssl/misc/CA.pl -newca    (openSUSE path)

CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
..........................++++++
..........++++++
writing new private key to './CA/private/cakey.pem'
Enter PEM pass phrase: 12345
Verifying - Enter PEM pass phrase: 12345
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:TW
State or Province Name (full name) [Some-State]:Taipei
Locality Name (eg, city) []:Taipei
Organization Name (eg, company) [Internet Widgits Pty Ltd]:QMI
Organizational Unit Name (eg, section) []:DQA
Common Name (eg, YOUR name) []:rootca
Email Address []:bryan.yu@qmitw.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: don't need to input
An optional company name []: don't need to input
Using configuration from /usr/lib/ssl/openssl.cnf
Using configuration from /usr/share/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem: 12345

Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            91:23:c3:97:8a:c5:d8:e5
        Validity
            Not Before: Mar 17 14:38:09 2008 GMT
            Not After : Mar 17 14:38:09 2011 GMT
        Subject:
            countryName               = TW
            stateOrProvinceName       = LinKou
            organizationName          = QMI
            organizationalUnitName    = DQA
            commonName                = rootca
            emailAddress              = bryan.yu@qmitw.com
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                FF:DA:F6:63:4E:6F:20:16:85:BC:CE:E4:6E:EA:17:48:B5:DE:87:25
            X509v3 Authority Key Identifier:
                keyid:FF:DA:F6:63:4E:6F:20:16:85:BC:CE:E4:6E:EA:17:48:B5:DE:87:25
                DirName:/C=TW/ST=LinKou/O=QMI/OU=DQA/CN=rootca/emailAddress=
                bryan.yu@qmitw.com
                serial:91:23:C3:97:8A:C5:D8:E5

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Mar 17 14:38:09 2011 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

2. Next, create a server certificate signing request using OpenSSL's req command:

#openssl req -new -nodes -keyout server_key.pem -out server_req.pem -days 730 -config ./openssl.cnf

3. Use the CA key to sign the request with OpenSSL's ca command:

#openssl ca -config ./openssl.cnf -policy policy_anything -out server_cert.pem -infiles ./server_req.pem

4. Open your signed certificate with the text editor of your choice (for example vi) and delete everything before the line -----BEGIN CERTIFICATE-----. Then concatenate it and your key into a single file, like this:

#cat server_key.pem server_cert.pem > server_keycert.pem

5. We need to create a client certificate signing request now. The OpenSSL command to do this is similar to that used to create server certificates:

#openssl req -new -keyout client_key.pem -out client_req.pem -days 730 -config ./openssl.cnf

6. Sign the client certificate signing request with the CA key:

#openssl ca -config ./openssl.cnf -policy policy_anything -out client_cert.pem -infiles ./client_req.pem

7. If the certificate is to be used by a Windows XP or Vista client, one more step is needed: convert the certificate and key to a PKCS12-format file with this command:

#openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out client_cert.p12 -clcerts

8. Before we dive into FreeRADIUS' configuration files, we need to create two files that FreeRADIUS must have in order to use TLS. The first is a Diffie-Hellman parameters file, or dh file, which is used for negotiating TLS session keys. To create a dh file, issue this command:

#openssl dhparam -check -text -5 512 -out dh

9. The second file you need is a data file that contains a random bitstream that also is used in TLS operations. Do not simply stick the current timestamp or any other similarly nonrandom string into a file called random, as is suggested in at least one WPA procedure I've seen on the Internet. Rather, use the kernel's high-quality random number generator. Run this command:

#dd if=/dev/urandom of=random count=2


FreeRADIUS Configuration Steps

1. Check the permissions of the RADIUS configuration directory, then change whatever parameters you need in radiusd.conf
#cd /etc/raddb/
#vi radiusd.conf


2. Changes in eap.conf

eap {
  default_eap_type = tls
  tls {
    # The following parameters tell radiusd where to
    # find its certs and keys, plus dh & random files:
    private_key_password = 12345
    private_key_file = /etc/ssl/server_keycert.pem
    certificate_file = /etc/ssl/server_keycert.pem
    CA_file = /etc/ssl/CA/cacert.pem
    dh_file = /etc/ssl/dh
    random_file = /etc/ssl/random
  }
}

3. Access Point Entry in clients.conf

client 192.168.1.1/32 {
  secret    = 12345678
  # a value containing a space must be quoted, or radiusd fails to parse it
  shortname = "test ap"
}


Configuring Windows XP Clients Steps

And that brings us to configuring a Windows XP wireless client to use your newly WPA-enabled access point. This being a Linux magazine, I'm not going to describe this process in painstaking detail; for that you can see section 4.3 of Ken Roser's HOWTO, listed in the online Resources. In summary, you need to:

1. Run the command mmc from Start --> Run

2. In Microsoft Management Console, select File-->Add/Remove Snap-in, add the Certificates snap-in and set it to manage certificates for My user account and, on the next screen, only for the Local computer.
 
3. Copy your CA (cacert.pem) certificate to your Windows system's hard drive, for example, to C:\cacert.pem.
 
4. From within MMC, expand Console Root and Certificates - Current User and right-click on Trusted Root Certification Authorities. In the pop-up menu, select All Tasks-->Import. Tell the subsequent wizard to import the file C:\cacert.pem and to store it in Trusted Root Certification Authorities.
 
5. Copy your client certificate/key file to your Windows system, for example, to C:\client_cert.p12.
 
6. From within MMC-->Console Root-->Certificates, expand Personal and right-click on Certificates. In the pop-up menu, select All Tasks-->Import. Tell the subsequent wizard to import the file C:\client_cert.p12.
 
7. The certificate-import wizard then prompts you for the certificate's passphrase. In the same dialog, it offers the option to enable strong private key protection. Unfortunately, enabling this breaks WPA, so be sure to leave this option unchecked. Also, leave the option to mark this key as exportable unchecked; you're better off backing up the password-protected file you just imported rather than allowing the imported nonprotected version to be exportable.
