Install FreeRADIUS 2.1.6 on Ubuntu 10.04
1. Download and Install OpenSSL and FreeRADIUS
The first step is to download and install the latest snapshot versions of OpenSSL and FreeRADIUS.
a. OpenSSL -- Download the latest OpenSSL-0.9.7-stable snapshot. I downloaded the OpenSSL snapshot to my home directory. The snapshots are located at:
ftp://ftp.openssl.org/snapshot/
Then I used the following nine steps:
mkdir -p /usr/src/802/openssl
cd /usr/src/802/openssl
cp /home/jbibe/openssl-0.9.7-stable-SNAP-20040202.tar.gz \
openssl-0.9.7-stable-SNAP-20040202.tar.gz
gunzip openssl-0.9.7-stable-SNAP-20040202.tar.gz
tar xvf openssl-0.9.7-stable-SNAP-20040202.tar
cd openssl-0.9.7-stable-SNAP-20040202
./config shared --prefix=/usr/local/openssl
make
make install
That completes the work with OpenSSL, except for building the required certificates.
When you perform the config, make, and make install here and in the FreeRADIUS install described below, I recommend that you log the output. For example, instead of the plain "make" command, use:
make > mymake.log 2>&1
If you encounter problems, you can review mymake.log (or myconfig.log, or myinstall.log) for errors.
b. FreeRADIUS -- Download the latest FreeRADIUS snapshot. Again, I downloaded the file to my home directory. The snapshot is located at:
ftp://ftp.freeradius.org/pub/radius/CVS-snapshots/
Then I used the following nine steps:
mkdir -p /usr/src/802/radius
cd /usr/src/802/radius
cp /home/jbibe/freeradius-snapshot-20040203.tar.gz \
freeradius-snapshot-20040203.tar.gz
gunzip freeradius-snapshot-20040203.tar.gz
tar xvf freeradius-snapshot-20040203.tar
cd freeradius-snapshot-20040203
./configure --with-openssl-includes=/usr/local/openssl/include \
--with-openssl-libraries=/usr/local/openssl/lib \
--prefix=/usr/local/radius
make
make install
That completes the work with FreeRADIUS, except for building certificates, making the changes to the FreeRADIUS configuration files,
moving the server certificates to their final location, and building a wrapper for radiusd.
------------------------------------------------------------------------------------------------------------------
FreeRADIUS Configuration Steps
1. Check the permissions of the radius directory, then modify the parameters in radiusd.conf:
#cd /etc/raddb/
#sudo gedit radiusd.conf
The RADIUS server listens for authentication requests on port 1812 and for accounting on port 1813:
# Port on which to listen.
# Allowed values are:
# integer port number (1812)
# 0 means "use /etc/services for the proper port"
port = 1812
# This second "listen" section is for listening on the accounting
# port, too.
#
listen {
ipaddr = *
# ipv6addr = ::
port = 1813
type = acct
# interface = eth0
# clients = per_socket_clients
}
# Log the full User-Name attribute, as it was found in the request.
#
# allowed values: {no, yes}
#
stripped_names = yes
# Log authentication requests to the log file.
#
# allowed values: {no, yes}
#
auth = yes
# Log passwords with the authentication requests.
# auth_badpass - logs password if it's rejected
# auth_goodpass - logs password if it's correct
#
# allowed values: {no, yes}
#
auth_badpass = yes
auth_goodpass = no
2. Changes in eap.conf
eap {
# There are several generic EAP parameters you can
# set here, but the important one for our purposes
# is default_eap_type:
default_eap_type = tls
# Next come parameters for specific EAP types. Since
# we’re going to use EAP-TLS, the tls{} section is
# the one we care about:
tls {
# The following parameters tell radiusd where to
# find its certs and keys, plus dh & random files:
private_key_password = 12345
private_key_file = /etc/ssl/server_keycert.pem # /usr/lib/ssl/misc/server_keycert.pem
certificate_file = /etc/ssl/server_keycert.pem # /usr/lib/ssl/misc/server_keycert.pem
CA_file = /etc/ssl/CA/cacert.pem # /usr/lib/ssl/misc/demoCA/cacert.pem
dh_file = /etc/ssl/dh # /usr/lib/ssl/misc/dh
random_file = /etc/ssl/random # /usr/lib/ssl/misc/random
}
}
3. Access Point Entry in clients.conf
# You can now specify one secret for a network of clients.
# When a client request comes in, the BEST match is chosen.
# i.e. The entry from the smallest possible network.
client 192.168.1.1/32 {
secret = 12345678
shortname = wiremonkeys_AP
}
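An added example, not from the original post or from FreeRADIUS, showing what a radtest-style check of this clients.conf entry involves: it builds an RFC 2865 Access-Request using the shared secret above, encodes User-Password the way the RFC specifies, and verifies the Response Authenticator of the reply so that a forged or mis-keyed answer is not mistaken for an Access-Accept. The server address, test user name and password are assumptions, and a PAP test like this needs a user defined on the server, which the post does not show.

```python
import hashlib, os, socket, struct

SECRET = b"12345678"   # shared secret from the clients.conf section above
AUTH_PORT = 1812       # authentication port from radiusd.conf above

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encode_user_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with a chained MD5 stream."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def decode_user_password(blob, secret, req_auth):
    """Inverse of encode_user_password (each key block is MD5(secret + previous cipher block))."""
    blocks = [blob[i:i + 16] for i in range(0, len(blob), 16)]
    keys = [hashlib.md5(secret + k).digest() for k in [req_auth] + blocks[:-1]]
    return b"".join(_xor(c, k) for c, k in zip(blocks, keys)).rstrip(b"\x00")

def build_access_request(username, password, secret, ident=1, req_auth=None):
    """Access-Request (Code 1) carrying User-Name (type 1) and User-Password (type 2)."""
    req_auth = req_auth or os.urandom(16)   # Request Authenticator: 16 random bytes
    attrs = struct.pack("BB", 1, 2 + len(username)) + username
    enc = encode_user_password(password, secret, req_auth)
    attrs += struct.pack("BB", 2, 2 + len(enc)) + enc
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs

def build_response(code, ident, req_auth, secret, attrs=b""):
    """What the server sends: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs

def response_is_authentic(response, req_auth, secret):
    """True only if the reply was built with the same secret and was not altered in transit."""
    if len(response) < 20:
        return False
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return expected == response[4:20]

def radius_test(server, username, password, secret=SECRET, timeout=3.0):
    """Send one Access-Request like radtest does; returns (reply code, authentic). 2 = Accept, 3 = Reject."""
    req_auth = os.urandom(16)   # server and user name passed in are assumptions, e.g. radius_test("192.168.1.2", b"testuser", b"testpass")
    pkt = build_access_request(username, password, secret, req_auth=req_auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, AUTH_PORT))
        reply, _ = s.recvfrom(4096)
    return reply[0], response_is_authentic(reply, req_auth, secret)
```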
----------------------------------------------------------------------------------------------------------------------------------------------
Configuring Windows XP Clients Steps
And that brings us to configuring a Windows XP wireless client to use your newly WPA-enabled access point. This being a Linux magazine, I’m not going to describe this process in painstaking detail; for that you can see section 4.3 of Ken Roser’s HOWTO, listed in the on-line Resources. In summary, you need to:
1. Run the command mmc from Start –> Run
2. In Microsoft Management Console, select File -> Add/Remove Snap-in, add the Certificates snap-in and set it to manage certificates for My user account and,
on the next screen, only for the Local computer.
3. Copy your CA (cacert.pem) certificate to your Windows system’s hard drive, for example, to C:\cacert.pem.
4. From within MMC, expand Console Root and Certificates – Current User and right-click on Trusted Root Certification Authorities.
In the pop-up menu, select All Tasks–>Import. Tell the subsequent wizard to import the file C:\cacert.pem and to store it in Trusted Root Certification Authorities.
5. Copy your client certificate/key file to your Windows system, for example, to C:\client_cert.p12.
6. From within MMC -> Console Root -> Certificates, expand Personal and right-click on Certificates. In the pop-up menu,
select All Tasks–>Import. Tell the subsequent wizard to import the file C:\client_cert.p12.
7. The certificate-import wizard then prompts you for the certificate’s passphrase.
In the same dialog, it offers the option to enable strong private key protection.
Unfortunately, enabling this breaks WPA, so be sure to leave this option unchecked.
Also, leave the option to mark this key as exportable unchecked; you’re better off backing up the password-protected file
you just imported rather than allowing the imported non-protected version to be exportable.
8. In the subsequent screen, let the wizard Automatically select the certificate store.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
How to start radiusd:
1. Run radiusd -X (debug mode in the foreground) to find where the problem is and fix it.
2. Go to /usr/local/sbin/ and run:
sh ./rc.radiusd restart
3. ps aux
If the output of this command contains a line like the one below, radiusd has started successfully:
root 29082 0.0 0.2 44984 2264 ? Ssl 20:50 0:00 /usr/local/sbin/radiusd
sh -x /usr/local/sbin/rc.radiusd restart
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
OpenSSL Certificate Steps (from the Internet)
1. Create the CA certificate with OpenSSL's CA.pl script
#cd /etc/ssl/
#/usr/lib/ssl/misc/CA.pl -newca   (Ubuntu path)
or
#/usr/share/ssl/misc/CA.pl -newca   (openSUSE path)
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
........................++++++
..........++++++
writing new private key to './CA/private/cakey.pem'
Enter PEM pass phrase: 12345
Verifying - Enter PEM pass phrase: 12345
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
-----
Country Name (2 letter code) [AU]:TW
State or Province Name (full name) [Some-State]:Taipei
Locality Name (eg, city) []:Taipei
Organization Name (eg, company) [Internet Widgits Pty Ltd]:QMI
Organizational Unit Name (eg, section) []:DQA
Common Name (eg, YOUR name) []:rootca
Email Address []:bryan.yu@qmitw.com
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []: (leave blank, no input needed)
An optional company name []: (leave blank, no input needed)
Using configuration from /usr/lib/ssl/openssl.cnf
Using configuration from /usr/share/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem: 12345
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
91:23:c3:97:8a:c5:d8:e5
Validity
Not Before: Mar 17 14:38:09 2008 GMT
Not After : Mar 17 14:38:09 2011 GMT
Subject:
countryName = TW
stateOrProvinceName = LinKou
organizationName = QMI
organizationalUnitName = DQA
commonName = rootca
emailAddress = bryan.yu@qmitw.com
X509v3 extensions:
X509v3 Subject Key Identifier:
FF:DA:F6:63:4E:6F:20:16:85:BC:CE:E4:6E:EA:17:48:B5:DE:87:25
X509v3 Authority Key Identifier:
keyid:FF:DA:F6:63:4E:6F:20:16:85:BC:CE:E4:6E:EA:17:48:B5:DE:87:25
DirName:/C=TW/ST=LinKou/O=QMI/OU=DQA/CN=rootca/emailAddress=bryan.yu@qmitw.com
serial:91:23:C3:97:8A:C5:D8:E5
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Mar 17 14:38:09 2011 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
2. Let’s start to create a server certificate signing request using OpenSSL’s req command:
openssl req -new -nodes -keyout server_key.pem -out server_req.pem -days 730 -config ./openssl.cnf
3. Next step, let’s use our CA key to sign the request by using OpenSSL’s ca command:
openssl ca -config ./openssl.cnf -policy policy_anything -out server_cert.pem -infiles ./server_req.pem
4. Open your signed certificate (server_cert.pem) with the text editor of your choice (for example vi) and delete everything before the line -----BEGIN CERTIFICATE-----.
Concatenate it and your key into a single file, like this:
cat server_key.pem server_cert.pem > server_keycert.pem
-------------------------------------------------------------------------------------------------
* OpenSSL refuses to issue the second certificate: after building server.crt, building client.crt fails with this error message:
[root@vm ssl]# openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key -config /usr/share/ssl/openssl.cnf
Using configuration from /usr/share/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Mar 17 00:40:06 2009 GMT
Not After : Mar 17 00:40:06 2010 GMT
Subject:
countryName = GB
stateOrProvinceName = Berkshire
organizationName = My Company Ltd
...
Certificate is to be certified until Mar 17 00:40:06 2010 GMT (365 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2
Solution: after building server.crt, delete demoCA/index.txt and touch a new, empty one. Note that this wipes the CA's record of the certificates it has already issued, so it can no longer revoke them through a CRL; the error itself comes from OpenSSL's unique_subject check, which rejects a second valid certificate with the same subject DN, so giving the client request a different Common Name (or setting unique_subject = no in openssl.cnf) avoids the error without discarding the database.
[root@vm ssl]# cd demoCA/
[root@vm demoCA]# ls
certs/ crl/ index.txt index.txt.old newcerts/ private/ serial serial.old
[root@vm demoCA]# cat index.txt
V 100317003901Z 01 unknown /C=GB/ST=Berkshire/O=My Company Ltd/OU=section/CN=vm/emailAddress=macguan@otas.cn
[root@vm demoCA]# rm index.txt
rm: remove regular file `index.txt'? y
[root@vm demoCA]# touch index.txt
[root@vm demoCA]# cd ..
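An added pre-flight check for the TXT_DB error shown above, written for this page and not part of OpenSSL: it parses the CA database (demoCA/index.txt, the file the fix above deletes) and reports whether a subject DN already holds a valid entry, which is exactly what OpenSSL's unique_subject = yes rule refuses (TXT_DB error number 2 is an index clash). The sample database content is constructed from the index.txt line shown above; the second, revoked entry is an assumption added to show that only status V entries conflict.

```python
# Constructed sample of demoCA/index.txt. The real file is tab-separated with six fields:
# status (V=valid, R=revoked, E=expired), expiry (YYMMDDHHMMSSZ), revocation date, serial, file, subject DN.
SAMPLE_INDEX = (
    "V\t100317003901Z\t\t01\tunknown\t/C=GB/ST=Berkshire/O=My Company Ltd/OU=section/CN=vm/emailAddress=macguan@otas.cn\n"
    "R\t100317003901Z\t090401120000Z\t02\tunknown\t/C=GB/ST=Berkshire/O=My Company Ltd/OU=section/CN=old\n"
)

FIELDS = ("status", "expiry", "revoked", "serial", "file", "subject")

def parse_index(text):
    """Parse index.txt into a list of dicts; malformed lines raise instead of being guessed at."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            raise ValueError("index.txt line %d has %d fields, expected 6" % (lineno, len(parts)))
        rows.append(dict(zip(FIELDS, parts)))
    return rows

def subject_conflicts(rows, subject):
    """Entries that make 'openssl ca' fail for this subject under unique_subject = yes.
    Only status V counts, which is why revoking the old certificate (openssl ca -revoke)
    is an alternative to deleting index.txt."""
    return [r for r in rows if r["status"] == "V" and r["subject"] == subject]

def check_before_signing(index_text, subject):
    """Return (ok, message) mirroring the decision 'openssl ca' makes before updating the database."""
    clash = subject_conflicts(parse_index(index_text), subject)
    if clash:
        return False, "serial %s already holds a valid certificate for %s" % (clash[0]["serial"], subject)
    return True, "no conflict for %s" % subject

if __name__ == "__main__":
    # Typical use: read the real database and test the DN from the new CSR before running 'openssl ca'.
    dn = "/C=GB/ST=Berkshire/O=My Company Ltd/OU=section/CN=vm/emailAddress=macguan@otas.cn"
    print(check_before_signing(SAMPLE_INDEX, dn))
```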
-------------------------------------------------------------------------------------------------
Client:
5. We need to create a client certificate signing request now. The OpenSSL command to do this is similar to that used to create server certificates:
openssl req -new -keyout client_key.pem -out client_req.pem -days 730 -config ../openssl.cnf
6. Next step — we sign the client certificate’s signing request:
openssl ca -config ../openssl.cnf -policy policy_anything -out client_cert.pem -infiles ./client_req.pem
Certificate for a Windows XP or Vista client:
7. If your certificate is to be used by a Windows XP or Vista client, you need to do one more step.
You need to convert the certificate file(s) to a PKCS12-format file with this command:
openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out client_cert.p12 -clcerts
RADIUS server:
8. Before we dive into FreeRADIUS’ configuration files, we need to create two files that FreeRADIUS must have in order to use TLS.
The first is a Diffie-Hellman parameters file, or dh file, which is used for negotiating TLS session keys. To create a dh file, issue this command:
sudo openssl dhparam -check -text -5 512 -out dh
(512-bit DH parameters are far below current minimums and are rejected by modern TLS clients; for a real deployment generate at least 2048 bits.)
9. The second file you need is a data file that contains a random bitstream that also is used in TLS operations.
Do not simply stick the current timestamp or any other similarly nonrandom string into a file called random,
as is suggested in at least one WPA procedure I’ve seen on the Internet. Rather, use the kernel’s high-quality random number generator. Run this command:
dd if=/dev/urandom of=random count=2
-------------------------------------------------------------------------------------------------
Radius test -- successful (screenshot not included)
Windows settings (screenshots not included)
Ubuntu 10.04 client settings (screenshots not included)