Showing posts with the label FreeRadius.

Monday, September 23, 2013

[Radius] Installation of FreeRADIUS



#############################################

Installation of FreeRADIUS



First, download the latest OpenSSL source (0.9.7f was used for this HOWTO).



Extract the source files from the tarball:



tar -zxvf openssl-1.0.1e.tar.gz



Install openssl in /usr/local/openssl/



./config --prefix=/usr/local/openssl shared

make

make install



Download the latest version of FreeRADIUS (freeradius-server-2.2.2.tar.gz) from www.freeradius.org.

This document refers to version 3.0.0 of FreeRADIUS.

Install FreeRADIUS with the following options, pointing configure at the OpenSSL built above:



./configure --with-openssl-includes=/usr/local/openssl/include --with-openssl-libraries=/usr/local/openssl/lib

make

make install



In order to get FreeRADIUS working, the following files must be configured:



radiusd.conf

clients.conf

eap.conf

users



After installing FreeRADIUS, go to /usr/local/sbin/ and run "radiusd -X" (debug mode) to confirm that the server starts.

#############################################

radiusd.conf

prefix = /usr/local

exec_prefix = ${prefix}

sysconfdir = ${prefix}/etc

localstatedir = ${prefix}/var

sbindir = ${exec_prefix}/sbin

logdir = ${localstatedir}/log/radius

raddbdir = ${sysconfdir}/raddb

radacctdir = ${logdir}/radacct

name = radiusd

confdir = ${raddbdir}

run_dir = ${localstatedir}/run/${name}

db_dir = ${raddbdir}

libdir = ${exec_prefix}/lib

pidfile = ${run_dir}/${name}.pid

max_request_time = 30

cleanup_delay = 5

max_requests = 1024

listen {

    type = auth

    ipaddr = *

    port = 0

}

listen {

    ipaddr = *

    port = 0

    type = acct

}

hostname_lookups = no

allow_core_dumps = no

regular_expressions    = yes

extended_expressions    = yes

log {

    destination = files

    file = ${logdir}/radius.log

    syslog_facility = daemon

    stripped_names = no

    auth = no

    auth_badpass = no

    auth_goodpass = no

}

checkrad = ${sbindir}/checkrad

security {

    max_attributes = 200

    reject_delay = 1

    status_server = yes

}

proxy_requests  = yes

$INCLUDE proxy.conf

$INCLUDE clients.conf

thread pool {

    start_servers = 5

    max_servers = 32

    min_spare_servers = 3

    max_spare_servers = 10

    max_requests_per_server = 0

}

modules {

    $INCLUDE ${confdir}/modules/

    $INCLUDE eap.conf

}

instantiate {

    exec

    expr

    expiration

    logintime

}

$INCLUDE policy.conf

$INCLUDE sites-enabled/



## Add the following mschap section ##

mschap {

        use_mppe = yes

        require_encryption = yes

        require_strong = yes

}





authorize {

        preprocess

    

        chap

        mschap

        suffix

        eap {

            ok = return

        }

        files

}





authenticate {

        Auth-Type PAP {

                pap

        }

        Auth-Type CHAP {

                chap

        }

        Auth-Type MS-CHAP {

                mschap

        }

        unix

        eap

}

#############################################

clients.conf



client localhost {

    ipaddr = 127.0.0.1

    secret        = testing123

    require_message_authenticator = no

}



##  Add the client networks that are allowed to authenticate against this server

client 192.168.0.0/24 {

        secret = secret

        shortname = authenticator

}



client 10.15.0.0/16 {

        secret = secret

        shortname = authenticator

}

#############################################



Before editing the eap.conf below, go to /usr/local/etc/raddb/certs and edit ca.cnf, client.cnf and server.cnf.

Each file contains the placeholder password "whatever"; change it to a password of your choice:

input_password        = whatever

output_password        = whatever



Then run make to generate the keys and certificates.

#############################################

eap.conf



eap {

        default_eap_type = peap

        timer_expire     = 60

        ignore_unknown_eap_types = no

        cisco_accounting_username_bug = no

        md5 {

        }

        leap {

        }

        gtc {

                auth_type = PAP

        }

        tls {

                private_key_file = ${raddbdir}/certs/server.key

                certificate_file = ${raddbdir}/certs/server.pem

                CA_file = ${raddbdir}/certs/ca.pem

                dh_file = ${raddbdir}/certs/dh

                random_file = ${raddbdir}/certs/random

        }

        peap {

                default_eap_type = mschapv2

        }

        mschapv2 {

        }

}



#############################################

users



user600 Cleartext-Password := user600

#############################################

Start the RADIUS server in debug mode:

/usr/local/sbin/radiusd -X

#############################################

cd /usr/local/bin

radtest test test 127.0.0.1 1812 testing123



./radtest test test 127.0.0.1 1812 testing123

Sending Access-Request of id 2 to 127.0.0.1 port 1812

    User-Name = "test"

    User-Password = "test"

    NAS-IP-Address = 127.0.1.1

    NAS-Port = 1812

    Message-Authenticator = 0x00000000000000000000000000000000



rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=2, length=20
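As an added example (not part of the original post or of the FreeRADIUS code), the following Python script builds the same Access-Request that radtest sends above (RFC 2865 attributes plus the RFC 3579 Message-Authenticator) and shows the two checks the shared secret makes possible: the server's verification of Message-Authenticator (what require_message_authenticator in clients.conf enforces) and the client's verification of the Response Authenticator on the Access-Reject. The id, user, secret and NAS values are taken from the transcript; the Request Authenticator is a constructed constant so the run is reproducible, and no packets are sent.

```python
"""Build the Access-Request radtest sends and verify the server reply (RFC 2865/3579)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
# Attribute type codes from RFC 2865 and RFC 2869.
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, MESSAGE_AUTHENTICATOR = 1, 2, 4, 5, 80

def attr(atype, value):
    """Encode one attribute as Type(1) | Length(1) | Value (max 253 bytes)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value

def encode_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous
    block), the first block using the Request Authenticator.  This is obfuscation
    keyed by the shared secret, not encryption, which is why PAP belongs inside PEAP."""
    pw = password.encode()
    pw += b"\0" * (-len(pw) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(pw), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(pw[i:i + 16], key))
        out += prev
    return out

def decode_password(blob, secret, request_auth):
    """Inverse of encode_password, as the server does it before consulting users."""
    out, prev = b"", request_auth
    for i in range(0, len(blob), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(blob[i:i + 16], key))
        prev = blob[i:i + 16]
    return out.rstrip(b"\0").decode()

def build_access_request(ident, secret, username, password, nas_ip, nas_port, request_auth=None):
    """Return (packet, request_authenticator).  Message-Authenticator (RFC 3579) is
    HMAC-MD5 over the whole packet with its own value zeroed, keyed by the secret."""
    if request_auth is None:
        request_auth = os.urandom(16)  # must be unpredictable for every request
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, encode_password(password, secret, request_auth))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(NAS_PORT, struct.pack("!I", nas_port)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs) + 18) + request_auth
    zeroed = header + attrs + attr(MESSAGE_AUTHENTICATOR, b"\0" * 16)
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return header + attrs + attr(MESSAGE_AUTHENTICATOR, mac), request_auth

def verify_message_authenticator(packet, secret):
    """Server-side check that require_message_authenticator = yes enforces; False if absent."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = packet[:pos + 2] + b"\0" * 16 + packet[pos + 18:]
            mac = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(mac, packet[pos + 2:pos + 18])
        pos += max(alen, 2)  # never loop forever on a zero-length attribute
    return False

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()

def build_reply(code, ident, request_auth, secret, attrs=b""):
    """What the server sends back, e.g. the 20-byte Access-Reject in the transcript."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def verify_reply(packet, request_auth, secret):
    """Client-side check binding the reply to our request and secret.  Returns the code
    (2 Accept, 3 Reject) or None if the Response Authenticator does not match."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return None
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    return code if hmac.compare_digest(expected, packet[4:20]) else None

if __name__ == "__main__":
    # Values from the radtest transcript; the Request Authenticator is a constructed
    # constant so the run is reproducible (pass None to get os.urandom instead).
    secret, ra = b"testing123", bytes(range(16))
    pkt, ra = build_access_request(2, secret, "test", "test", "127.0.1.1", 1812, ra)
    reject = build_reply(ACCESS_REJECT, 2, ra, secret)  # users above defines user600, not test
    print("request Message-Authenticator valid:", verify_message_authenticator(pkt, secret))
    print("reply code:", verify_reply(reject, ra, secret),
          "with wrong secret:", verify_reply(reject, ra, b"secret"))
```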

#############################################

Q:

./radiusd: error while loading shared libraries: libfreeradius-radius-020201.so: cannot open shared object file: No such file or directory



A:

Create /etc/ld.so.conf.d/openssl.conf (vim /etc/ld.so.conf.d/openssl.conf) containing the library directory:

/usr/local/openssl/lib/



Save it, then refresh the dynamic linker cache:

sudo ldconfig



The libdir comments in the radiusd.conf further down describe the same problem: whichever directory actually holds the library named in the error must be reachable by the dynamic linker when the daemon starts.



#############################################
Q:
WARNING:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0x6097435463935ad2 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


A:

Reset all of your connections.



#############################################

Client:



Wireless security : WPA & WPA2 Enterprise

Authentication : Protected EAP (PEAP)

Anonymous identity : (empty)

CA certificate : (none)

PEAP version : Automatic

Inner authentication : MSCHAPv2

Username : (depends on the user)

Password : (depends on the user)



Press Connect, go to the next step and choose Ignore. Note that with no CA certificate selected the client cannot verify the RADIUS server's certificate; for production use, copy ca.pem from the server's certs directory to the client and select it here.





#############################################


Friday, September 20, 2013

[compile issue][freeradius] Compiling freeradius fails with "unreferenced ssl_check version()"





Q: Compiling FreeRADIUS fails with the error



unreferenced ssl_check version()



A:



Install the OpenSSL development library:



sudo apt-get install libssl-dev


Wednesday, January 23, 2013

[Radius] How to set up a radiusd server in an IPv6 environment





Create a script that switches the configuration between IPv4 and IPv6 mode:

#!/bin/bash
# Switch the FreeRADIUS configuration in the current directory between
# IPv4 and IPv6 listening mode by commenting/uncommenting the ipaddr and
# ipv6addr lines in radiusd.conf and clients.conf.
#
# Utility.sh (not shown on this page) must define
#   Replace_String OLD NEW FILE
# which replaces the string OLD with NEW inside FILE.

PWD=$(pwd)
echo "$PWD"

source "$PWD/Utility.sh"

FileName_radiusd_conf='radiusd.conf'
IPV4_Enable_r='ipaddr = 192.168.50.60'
IPV4_Disable_r='# ipaddr = 192.168.50.60'
IPV6_Enable='ipv6addr = ::'
IPV6_Disable='#    ipv6addr = ::'

FileName_clients_conf='clients.conf'
IPV4_Enable_c='ipaddr = 127.0.0.1'
IPV4_Disable_c='# ipaddr = 127.0.0.1'

echo " "
echo " "
echo "************************************************"
echo "** Please select IPv4 or IPv6 mode you want ()**"
echo "** 1.Enable IPv6 mode                         **"
echo "** 2.Enable IPv4 mode                         **"
echo "************************************************"
echo "Please input your choice : "

read Choose                  # read the menu choice

FILE='output'                # scratch file holding the matching config lines

case $Choose in
    1)
        # If the ipv6addr line is still commented out, we are currently in IPv4 mode.
        sed -n -e '/'"$IPV6_Disable"'/p' "$PWD/$FileName_radiusd_conf" > "$FILE"

        if [ -s "$FILE" ] ; then
            rm -f "$FILE"
            # radiusd.conf: disable IPv4, enable IPv6
            Replace_String "$IPV4_Enable_r" "$IPV4_Disable_r" "$FileName_radiusd_conf"
            Replace_String "$IPV6_Disable" "$IPV6_Enable" "$FileName_radiusd_conf"

            # clients.conf: disable IPv4, enable IPv6
            Replace_String "$IPV4_Enable_c" "$IPV4_Disable_c" "$FileName_clients_conf"
            Replace_String "$IPV6_Disable" "$IPV6_Enable" "$FileName_clients_conf"

            echo "Please change following config at Clients.conf "
            echo "# All IPv6 Site-local clients"
            echo "#client fe80::/16 {"
            echo "#    secret        = testing123"
            echo "#    shortname    = localhost"
        else
            rm -f "$FILE"
            echo "IPv6 mode now"
        fi
        ;;
    2)
        # If the ipaddr line is still commented out, we are currently in IPv6 mode.
        sed -n -e '/'"$IPV4_Disable_r"'/p' "$PWD/$FileName_radiusd_conf" > "$FILE"

        if [ -s "$FILE" ] ; then
            rm -f "$FILE"
            # radiusd.conf: enable IPv4, disable IPv6
            Replace_String "$IPV4_Disable_r" "$IPV4_Enable_r" "$FileName_radiusd_conf"
            Replace_String "$IPV6_Enable" "$IPV6_Disable" "$FileName_radiusd_conf"

            # clients.conf: enable IPv4, disable IPv6
            Replace_String "$IPV4_Disable_c" "$IPV4_Enable_c" "$FileName_clients_conf"
            Replace_String "$IPV6_Enable" "$IPV6_Disable" "$FileName_clients_conf"

            echo "Please change following config at Clients.conf "
            echo "# All IPv6 Site-local clients"
            echo "#client fe80::/16 {"
            echo "#    secret        = testing123"
            echo "#    shortname    = localhost"
        else
            rm -f "$FILE"
            echo "IPv4 mode now"
        fi
        ;;
    *)
        clear
        sleep 1;;            # unrecognised choice: clear the screen and pause briefly
esac




radiusd.conf

# -*- text -*-

##

## radiusd.conf    -- FreeRADIUS server configuration file.

##

##    http://www.freeradius.org/

##    $Id$

##



######################################################################

#

#    Read "man radiusd" before editing this file.  See the section

#    titled DEBUGGING.  It outlines a method where you can quickly

#    obtain the configuration you want, without running into

#    trouble.

#

#    Run the server in debugging mode, and READ the output.

#

#        $ radiusd -X

#

#    We cannot emphasize this point strongly enough.  The vast

#    majority of problems can be solved by carefully reading the

#    debugging output, which includes warnings about common issues,

#    and suggestions for how they may be fixed.

#

#    There may be a lot of output, but look carefully for words like:

#    "warning", "error", "reject", or "failure".  The messages there

#    will usually be enough to guide you to a solution.

#

#    If you are going to ask a question on the mailing list, then

#    explain what you are trying to do, and include the output from

#    debugging mode (radiusd -X).  Failure to do so means that all

#    of the responses to your question will be people telling you

#    to "post the output of radiusd -X".



######################################################################

#

#      The location of other config files and logfiles are declared

#      in this file.

#

#      Also general configuration for modules can be done in this

#      file, it is exported through the API to modules that ask for

#      it.

#

#    See "man radiusd.conf" for documentation on the format of this

#    file.  Note that the individual configuration items are NOT

#    documented in that "man" page.  They are only documented here,

#    in the comments.

#

#    As of 2.0.0, FreeRADIUS supports a simple processing language

#    in the "authorize", "authenticate", "accounting", etc. sections.

#    See "man unlang" for details.

#



prefix = /usr/local/radius

exec_prefix = ${prefix}

sysconfdir = ${prefix}/etc

localstatedir = ${prefix}/var

sbindir = ${exec_prefix}/sbin

logdir = ${localstatedir}/log/radius

raddbdir = ${sysconfdir}/raddb

radacctdir = ${logdir}/radacct



#

#  name of the running server.  See also the "-n" command-line option.

name = radiusd



#  Location of config and logfiles.

confdir = ${raddbdir}

run_dir = ${localstatedir}/run/${name}



# Should likely be ${localstatedir}/lib/radiusd

db_dir = ${raddbdir}



#

# libdir: Where to find the rlm_* modules.

#

#   This should be automatically set at configuration time.

#

#   If the server builds and installs, but fails at execution time

#   with an 'undefined symbol' error, then you can use the libdir

#   directive to work around the problem.

#

#   The cause is usually that a library has been installed on your

#   system in a place where the dynamic linker CANNOT find it.  When

#   executing as root (or another user), your personal environment MAY

#   be set up to allow the dynamic linker to find the library.  When

#   executing as a daemon, FreeRADIUS MAY NOT have the same

#   personalized configuration.

#

#   To work around the problem, find out which library contains that symbol,

#   and add the directory containing that library to the end of 'libdir',

#   with a colon separating the directory names.  NO spaces are allowed.

#

#   e.g. libdir = /usr/local/lib:/opt/package/lib

#

#   You can also try setting the LD_LIBRARY_PATH environment variable

#   in a script which starts the server.

#

#   If that does not work, then you can re-configure and re-build the

#   server to NOT use shared libraries, via:

#

#    ./configure --disable-shared

#    make

#    make install

#

libdir = ${exec_prefix}/lib



#  pidfile: Where to place the PID of the RADIUS server.

#

#  The server may be signalled while it's running by using this

#  file.

#

#  This file is written when ONLY running in daemon mode.

#

#  e.g.:  kill -HUP `cat /var/run/radiusd/radiusd.pid`

#

pidfile = ${run_dir}/${name}.pid



#  chroot: directory where the server does "chroot".

#

#  The chroot is done very early in the process of starting the server.

#  After the chroot has been performed it switches to the "user" listed

#  below (which MUST be specified).  If "group" is specified, it switches

#  to that group, too.  Any other groups listed for the specified "user"

#  in "/etc/group" are also added as part of this process.

#

#  The current working directory (chdir / cd) is left *outside* of the

#  chroot until all of the modules have been initialized.  This allows

#  the "raddb" directory to be left outside of the chroot.  Once the

#  modules have been initialized, it does a "chdir" to ${logdir}.  This

#  means that it should be impossible to break out of the chroot.

#

#  If you are worried about security issues related to this use of chdir,

#  then simply ensure that the "raddb" directory is inside of the chroot,

#  and be sure to do "cd raddb" BEFORE starting the server.

#

#  If the server is statically linked, then the only files that have

#  to exist in the chroot are ${run_dir} and ${logdir}.  If you do the

#  "cd raddb" as discussed above, then the "raddb" directory has to be

#  inside of the chroot directory, too.

#

#chroot = /path/to/chroot/directory



# user/group: The name (or #number) of the user/group to run radiusd as.

#

#   If these are commented out, the server will run as the user/group

#   that started it.  In order to change to a different user/group, you

#   MUST be root ( or have root privileges ) to start the server.

#

#   We STRONGLY recommend that you run the server with as few permissions

#   as possible.  That is, if you're not using shadow passwords, the

#   user and group items below should be set to radius'.

#

#  NOTE that some kernels refuse to setgid(group) when the value of

#  (unsigned)group is above 60000; don't use group nobody on these systems!

#

#  On systems with shadow passwords, you might have to set 'group = shadow'

#  for the server to be able to read the shadow password file.  If you can

#  authenticate users while in debug mode, but not in daemon mode, it may be

#  that the debugging mode server is running as a user that can read the

#  shadow info, and the user listed below can not.

#

#  The server will also try to use "initgroups" to read /etc/groups.

#  It will join all groups where "user" is a member.  This can allow

#  for some finer-grained access controls.

#

#user = radius

#group = radius



#  max_request_time: The maximum time (in seconds) to handle a request.

#

#  Requests which take more time than this to process may be killed, and

#  a REJECT message is returned.

#

#  WARNING: If you notice that requests take a long time to be handled,

#  then this MAY INDICATE a bug in the server, in one of the modules

#  used to handle a request, OR in your local configuration.

#

#  This problem is most often seen when using an SQL database.  If it takes

#  more than a second or two to receive an answer from the SQL database,

#  then it probably means that you haven't indexed the database.  See your

#  SQL server documentation for more information.

#

#  Useful range of values: 5 to 120

#

max_request_time = 30



#  cleanup_delay: The time to wait (in seconds) before cleaning up

#  a reply which was sent to the NAS.

#

#  The RADIUS request is normally cached internally for a short period

#  of time, after the reply is sent to the NAS.  The reply packet may be

#  lost in the network, and the NAS will not see it.  The NAS will then

#  re-send the request, and the server will respond quickly with the

#  cached reply.

#

#  If this value is set too low, then duplicate requests from the NAS

#  MAY NOT be detected, and will instead be handled as separate requests.

#

#  If this value is set too high, then the server will cache too many

#  requests, and some new requests may get blocked.  (See 'max_requests'.)

#

#  Useful range of values: 2 to 10

#

cleanup_delay = 5



#  max_requests: The maximum number of requests which the server keeps

#  track of.  This should be 256 multiplied by the number of clients.

#  e.g. With 4 clients, this number should be 1024.

#

#  If this number is too low, then when the server becomes busy,

#  it will not respond to any new requests, until the 'cleanup_delay'

#  time has passed, and it has removed the old requests.

#

#  If this number is set too high, then the server will use a bit more

#  memory for no real benefit.

#

#  If you aren't sure what it should be set to, it's better to set it

#  too high than too low.  Setting it to 1000 per client is probably

#  the highest it should be.

#

#  Useful range of values: 256 to infinity

#

max_requests = 1024



#  listen: Make the server listen on a particular IP address, and send

#  replies out from that address. This directive is most useful for

#  hosts with multiple IP addresses on one interface.

#

#  If you want the server to listen on additional addresses, or on

#  additional ports, you can use multiple "listen" sections.

#

#  Each section makes the server listen for only one type of packet,

#  therefore authentication and accounting have to be configured in

#  different sections.

#

#  The server ignores all "listen" sections if you are using '-i' and '-p'

#  on the command line.

#

listen {

    #  Type of packets to listen for.

    #  Allowed values are:

    #    auth    listen for authentication packets

    #    acct    listen for accounting packets

    #    proxy   IP to use for sending proxied packets

    #    detail  Read from the detail file.  For examples, see

    #               raddb/sites-available/copy-acct-to-home-server

    #    status  listen for Status-Server packets.  For examples,

    #        see raddb/sites-available/status

    #

    type = auth



    #  Note: "type = proxy" lets you control the source IP used for

    #        proxying packets, with some limitations:

    #

    #    * Only ONE proxy listener can be defined.

    #    * A proxy listener CANNOT be used in a virtual server section.

    #    * You should probably set "port = 0".

    #    * Any "clients" configuration will be ignored.



    #  IP address on which to listen.

    #  Allowed values are:

    #    dotted quad (1.2.3.4)

    #       hostname    (radius.example.com)

    #       wildcard    (*)

    ipaddr = 192.168.50.60



    #  OR, you can use an IPv6 address, but not both

    #  at the same time.

#    ipv6addr = ::    # any.  ::1 == localhost



    #  Port on which to listen.

    #  Allowed values are:

    #    integer port number (1812)

    #    0 means "use /etc/services for the proper port"

    port = 1812



    #  Some systems support binding to an interface, in addition

    #  to the IP address.  This feature isn't strictly necessary,

    #  but for sites with many IP addresses on one interface,

    #  it's useful to say "listen on all addresses for eth0".

    #

    #  If your system does not support this feature, you will

    #  get an error if you try to use it.

    #

#    interface = eth0



    #  Per-socket lists of clients.  This is a very useful feature.

    #

    #  The name here is a reference to a section elsewhere in

    #  radiusd.conf, or clients.conf.  Having the name as

    #  a reference allows multiple sockets to use the same

    #  set of clients.

    #

    #  If this configuration is used, then the global list of clients

    #  is IGNORED for this "listen" section.  Take care configuring

    #  this feature, to ensure you don't accidentally disable a

    #  client you need.

    #

    #  See clients.conf for the configuration of "per_socket_clients".

    #

#    clients = per_socket_clients

}



#  This second "listen" section is for listening on the accounting

#  port, too.

#

listen {

    ipaddr = 192.168.50.60

#    ipv6addr = ::

    port = 1813

    type = acct

#    interface = eth0

#    clients = per_socket_clients

}



#  hostname_lookups: Log the names of clients or just their IP addresses

#  e.g., www.freeradius.org (on) or 206.47.27.232 (off).

#

#  The default is 'off' because it would be overall better for the net

#  if people had to knowingly turn this feature on, since enabling it

#  means that each client request will result in AT LEAST one lookup

#  request to the nameserver.   Enabling hostname_lookups will also

#  mean that your server may stop randomly for 30 seconds from time

#  to time, if the DNS requests take too long.

#

#  Turning hostname lookups off also means that the server won't block

#  for 30 seconds, if it sees an IP address which has no name associated

#  with it.

#

#  allowed values: {no, yes}

#

hostname_lookups = no



#  Core dumps are a bad thing.  This should only be set to 'yes'

#  if you're debugging a problem with the server.

#

#  allowed values: {no, yes}

#

allow_core_dumps = no



#  Regular expressions

#

#  These items are set at configure time.  If they're set to "yes",

#  then setting them to "no" turns off regular expression support.

#

#  If they're set to "no" at configure time, then setting them to "yes"

#  WILL NOT WORK.  It will give you an error.

#

regular_expressions    = yes

extended_expressions    = yes



#

#  Logging section.  The various "log_*" configuration items

#  will eventually be moved here.

#

log {

    #

    #  Destination for log messages.  This can be one of:

    #

    #    files - log to "file", as defined below.

    #    syslog - to syslog (see also the "syslog_facility", below).

    #    stdout - standard output

    #    stderr - standard error.

    #

    #  The command-line option "-X" over-rides this option, and forces

    #  logging to go to stdout.

    #

    destination = files



    #

    #  The logging messages for the server are appended to the

    #  tail of this file if destination == "files"

    #

    #  If the server is running in debugging mode, this file is

    #  NOT used.

    #

    file = ${logdir}/radius.log



    #

    #  If this configuration parameter is set, then log messages for

    #  a *request* go to this file, rather than to radius.log.

    #

    #  i.e. This is a log file per request, once the server has accepted

    #  the request as being from a valid client.  Messages that are

    #  not associated with a request still go to radius.log.

    #

    #  Not all log messages in the server core have been updated to use

    #  this new internal API.  As a result, some messages will still

    #  go to radius.log.  Please submit patches to fix this behavior.

    #

    #  The file name is expanded dynamically.  You should ONLY use

    #  server-side attributes for the filename (e.g. things you control).

    #  Using this feature MAY also slow down the server substantially,

    #  especially if you do things like SQL calls as part of the

    #  expansion of the filename.

    #

    #  The name of the log file should use attributes that don't change

    #  over the lifetime of a request, such as User-Name,

    #  Virtual-Server or Packet-Src-IP-Address.  Otherwise, the log

    #  messages will be distributed over multiple files.

    #

    #  Logging can be enabled for an individual request by a special

    #  dynamic expansion macro:  %{debug: 1}, where the debug level

    #  for this request is set to '1' (or 2, 3, etc.).  e.g.

    #

    #    ...

    #    update control {

    #           Tmp-String-0 = "%{debug:1}"

    #    }

    #    ...

    #

    #  The attribute that the value is assigned to is unimportant,

    #  and should be a "throw-away" attribute with no side effects.

    #

    #requests = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log



    #

    #  Which syslog facility to use, if ${destination} == "syslog"

    #

    #  The exact values permitted here are OS-dependent.  You probably

    #  don't want to change this.

    #

    syslog_facility = daemon



    #  Log the full User-Name attribute, as it was found in the request.

    #

    # allowed values: {no, yes}

    #

    stripped_names = no



    #  Log authentication requests to the log file.

    #

    #  allowed values: {no, yes}

    #

    auth = no



    #  Log passwords with the authentication requests.

    #  auth_badpass  - logs password if it's rejected

    #  auth_goodpass - logs password if it's correct

    #

    #  allowed values: {no, yes}

    #

    auth_badpass = no

    auth_goodpass = no

}



#  The program to execute to do concurrency checks.

checkrad = ${sbindir}/checkrad



# SECURITY CONFIGURATION

#

#  There may be multiple methods of attacking the server.  This

#  section holds the configuration items which minimize the impact

#  of those attacks

#

security {

    #

    #  max_attributes: The maximum number of attributes

    #  permitted in a RADIUS packet.  Packets which have MORE

    #  than this number of attributes in them will be dropped.

    #

    #  If this number is set too low, then no RADIUS packets

    #  will be accepted.

    #

    #  If this number is set too high, then an attacker may be

    #  able to send a small number of packets which will cause

    #  the server to use all available memory on the machine.

    #

    #  Setting this number to 0 means "allow any number of attributes"

    max_attributes = 200



    #

    #  reject_delay: When sending an Access-Reject, it can be

    #  delayed for a few seconds.  This may help slow down a DoS

    #  attack.  It also helps to slow down people trying to brute-force

    #  crack a users password.

    #

    #  Setting this number to 0 means "send rejects immediately"

    #

    #  If this number is set higher than 'cleanup_delay', then the

    #  rejects will be sent at 'cleanup_delay' time, when the request

    #  is deleted from the internal cache of requests.

    #

    #  Useful ranges: 1 to 5

    reject_delay = 1



    #

    #  status_server: Whether or not the server will respond

    #  to Status-Server requests.

    #

    #  When sent a Status-Server message, the server responds with

    #  an Access-Accept or Accounting-Response packet.

    #

    #  This is mainly useful for administrators who want to "ping"

    #  the server, without adding test users, or creating fake

    #  accounting packets.

    #

    #  It's also useful when a NAS marks a RADIUS server "dead".

    #  The NAS can periodically "ping" the server with a Status-Server

    #  packet.  If the server responds, it must be alive, and the

    #  NAS can start using it for real requests.

    #

    #  See also raddb/sites-available/status

    #

    status_server = yes

}



# PROXY CONFIGURATION

#

#  proxy_requests: Turns proxying of RADIUS requests on or off.

#

#  The server has proxying turned on by default.  If your system is NOT

#  set up to proxy requests to another server, then you can turn proxying

#  off here.  This will save a small amount of resources on the server.

#

#  If you have proxying turned off, and your configuration files say

#  to proxy a request, then an error message will be logged.

#

#  To disable proxying, change the "yes" to "no", and comment the

#  $INCLUDE line.

#

#  allowed values: {no, yes}

#

proxy_requests  = no

$INCLUDE proxy.conf





# CLIENTS CONFIGURATION

#

#  Client configuration is defined in "clients.conf".  

#



#  The 'clients.conf' file contains all of the information from the old

#  'clients' and 'naslist' configuration files.  We recommend that you

#  do NOT use 'clients' or 'naslist', although they are still

#  supported.

#

#  Anything listed in 'clients.conf' will take precedence over the

#  information from the old-style configuration files.

#

$INCLUDE clients.conf





# THREAD POOL CONFIGURATION

#

#  The thread pool is a long-lived group of threads which

#  take turns (round-robin) handling any incoming requests.

#

#  You probably want to have a few spare threads around,

#  so that high-load situations can be handled immediately.  If you

#  don't have any spare threads, then the request handling will

#  be delayed while a new thread is created, and added to the pool.

#

#  You probably don't want too many spare threads around,

#  otherwise they'll be sitting there taking up resources, and

#  not doing anything productive.

#

#  The numbers given below should be adequate for most situations.

#

thread pool {

    #  Number of servers to start initially --- should be a reasonable

    #  ballpark figure.

    start_servers = 5



    #  Limit on the total number of servers running.

    #

    #  If this limit is ever reached, clients will be LOCKED OUT, so it

    #  should NOT BE SET TOO LOW.  It is intended mainly as a brake to

    #  keep a runaway server from taking the system with it as it spirals

    #  down...

    #

    #  You may find that the server is regularly reaching the

    #  'max_servers' number of threads, and that increasing

    #  'max_servers' doesn't seem to make much difference.

    #

    #  If this is the case, then the problem is MOST LIKELY that

    #  your back-end databases are taking too long to respond, and

    #  are preventing the server from responding in a timely manner.

    #

    #    The solution is NOT to keep increasing the 'max_servers'

    #  value, but instead to fix the underlying cause of the

    #  problem: slow database, or 'hostname_lookups=yes'.

    #

    #  For more information, see 'max_request_time', above.

    #

    max_servers = 32



    #  Server-pool size regulation.  Rather than making you guess

    #  how many servers you need, FreeRADIUS dynamically adapts to

    #  the load it sees, that is, it tries to maintain enough

    #  servers to handle the current load, plus a few spare

    #  servers to handle transient load spikes.

    #

    #  It does this by periodically checking how many servers are

    #  waiting for a request.  If there are fewer than

    #  min_spare_servers, it creates a new spare.  If there are

    #  more than max_spare_servers, some of the spares die off.

    #  The default values are probably OK for most sites.

    #

    min_spare_servers = 3

    max_spare_servers = 10



    #  There may be memory leaks or resource allocation problems with

    #  the server.  If so, set this value to 300 or so, so that the

    #  resources will be cleaned up periodically.

    #

    #  This should only be necessary if there are serious bugs in the

    #  server which have not yet been fixed.

    #

    #  '0' is a special value meaning 'infinity', or 'the servers never

    #  exit'

    max_requests_per_server = 0

}



# MODULE CONFIGURATION

#

#  The names and configuration of each module is located in this section.

#

#  After the modules are defined here, they may be referred to by name,

#  in other sections of this configuration file.

#

modules {

    #

    #  Each module has a configuration as follows:

    #

    #    name [ instance ] {

    #        config_item = value

    #        ...

    #    }

    #

    #  The 'name' is used to load the 'rlm_name' library

    #  which implements the functionality of the module.

    #

    #  The 'instance' is optional.  To have two different instances

    #  of a module, it first must be referred to by 'name'.

    #  The different copies of the module are then created by

    #  inventing two 'instance' names, e.g. 'instance1' and 'instance2'

    #

    #  The instance names can then be used in later configuration

    #  INSTEAD of the original 'name'.  See the 'radutmp' configuration

    #  for an example.

    #



    #

    #  As of 2.0.5, most of the module configurations are in a

    #  sub-directory.  Files matching the regex /[a-zA-Z0-9_.]+/

    #  are loaded.  The modules are initialized ONLY if they are

    #  referenced in a processing section, such as authorize,

    #  authenticate, accounting, pre/post-proxy, etc.

    #

    $INCLUDE ${confdir}/modules/



    #  Extensible Authentication Protocol

    #

    #  For all EAP related authentications.

    #  Now in another file, because it is very large.

    #

    $INCLUDE eap.conf



    #  Include another file that has the SQL-related configuration.

    #  This is another file only because it tends to be big.

    #

    $INCLUDE sql.conf



    #

    #  This module is an SQL enabled version of the counter module.

    #

    #  Rather than maintaining separate (GDBM) databases of

    #  accounting info for each counter, this module uses the data

    #  stored in the radacct table by the sql modules. This

    #  module NEVER does any database INSERTs or UPDATEs.  It is

    #  totally dependent on the SQL module to process Accounting

    #  packets.

    #

#    $INCLUDE sql/mysql/counter.conf



    #

    #  IP addresses managed in an SQL table.

    #

#    $INCLUDE sqlippool.conf

}



# Instantiation

#

#  This section orders the loading of the modules.  Modules

#  listed here will get loaded BEFORE the later sections like

#  authorize, authenticate, etc. get examined.

#

#  This section is not strictly needed.  When a section like

#  authorize refers to a module, it's automatically loaded and

#  initialized.  However, some modules may not be listed in any

#  of the following sections, so they can be listed here.

#

#  Also, listing modules here ensures that you have control over

#  the order in which they are initialized.  If one module needs

#  something defined by another module, you can list them in order

#  here, and ensure that the configuration will be OK.

#

instantiate {

    #

    #  Allows the execution of external scripts.

    #  The entire command line (and output) must fit into 253 bytes.

    #

    #  e.g. Framed-Pool = `%{exec:/bin/echo foo}`

    exec



    #

    #  The expression module doesn't do authorization,

    #  authentication, or accounting.  It only does dynamic

    #  translation, of the form:

    #

    #    Session-Timeout = `%{expr:2 + 3}`

    #

    #  So the module needs to be instantiated, but CANNOT be

    #  listed in any other section.  See 'doc/rlm_expr' for

    #  more information.

    #

    expr



    #

    # We add the counter module here so that it registers

    # the check-name attribute before any module which sets

    # it

#    daily

    expiration

    logintime



    # subsections here can be thought of as "virtual" modules.

    #

    # e.g. If you have two redundant SQL servers, and you want to

    # use them in the authorize and accounting sections, you could

    # place a "redundant" block in each section, containing the

    # exact same text.  Or, you could uncomment the following

    # lines, and list "redundant_sql" in the authorize and

    # accounting sections.

    #

    #redundant redundant_sql {

    #    sql1

    #    sql2

    #}

}



######################################################################

#

#    Policies that can be applied in multiple places are listed

#    globally.  That way, they can be defined once, and referred

#    to multiple times.

#

######################################################################

$INCLUDE policy.conf



######################################################################

#

#    Load virtual servers.

#

#    This next $INCLUDE line loads files in the directory that

#    match the regular expression: /[a-zA-Z0-9_.]+/

#

#    It allows you to define new virtual servers simply by placing

#    a file into the raddb/sites-enabled/ directory.

#

$INCLUDE sites-enabled/



######################################################################

#

#    All of the other configuration sections like "authorize {}",

#    "authenticate {}", "accounting {}", have been moved to the

#    the file:

#

#        raddb/sites-available/default

#

#    This is the "default" virtual server that has the same

#    configuration as in version 1.0.x and 1.1.x.  The default

#    installation enables this virtual server.  You should

#    edit it to create policies for your local site.

#

#    For more documentation on virtual servers, see:

#

#        raddb/sites-available/README

#

######################################################################



clients.conf

# -*- text -*-

##

## clients.conf -- client configuration directives

##

##    $Id$



#######################################################################

#

#  Define RADIUS clients (usually a NAS, Access Point, etc.).



#

#  Defines a RADIUS client.

#

#  '127.0.0.1' is another name for 'localhost'.  It is enabled by default,

#  to allow testing of the server after an initial installation.  If you

#  are not going to be permitting RADIUS queries from localhost, we suggest

#  that you delete, or comment out, this entry.

#

#



#

#  Each client has a "short name" that is used to distinguish it from

#  other clients.

#

#  In version 1.x, the string after the word "client" was the IP

#  address of the client.  In 2.0, the IP address is configured via

#  the "ipaddr" or "ipv6addr" fields.  For compatibility, the 1.x

#  format is still accepted.

#

client localhost {

    #  Allowed values are:

    #    dotted quad (1.2.3.4)

    #       hostname    (radius.example.com)

    ipaddr = 127.0.0.1



    #  OR, you can use an IPv6 address, but not both

    #  at the same time.

#    ipv6addr = ::    # any.  ::1 == localhost



    #

    #  A note on DNS:  We STRONGLY recommend using IP addresses

    #  rather than host names.  Using host names means that the

    #  server will do DNS lookups when it starts, making it

    #  dependent on DNS.  i.e. If anything goes wrong with DNS,

    #  the server won't start!

    #

    #  The server also looks up the IP address from DNS once, and

    #  only once, when it starts.  If the DNS record is later

    #  updated, the server WILL NOT see that update.

    #



    #  One client definition can be applied to an entire network.

    #  e.g. 127/8 should be defined with "ipaddr = 127.0.0.0" and

    #  "netmask = 8"

    #

    #  If not specified, the default netmask is 32 (i.e. /32)

    #

    #  We do NOT recommend using anything other than 32.  There

    #  are usually other, better ways to achieve the same goal.

    #  Using netmasks of other than 32 can cause security issues.

    #

    #  You can specify overlapping networks (127/8 and 127.0/16)

    #  In that case, the smallest possible network will be used

    #  as the "best match" for the client.

    #

    #  Clients can also be defined dynamically at run time, based

    #  on any criteria.  e.g. SQL lookups, keying off of NAS-Identifier,

    #  etc.

    #  See raddb/sites-available/dynamic-clients for details.

    #



#    netmask = 32



    #

    #  The shared secret used to "encrypt" and "sign" packets between

    #  the NAS and FreeRADIUS.  You MUST change this secret from the

    #  default, otherwise it's not a secret any more!

    #

    #  The secret can be any string, up to 8k characters in length.

    #

    #  Control codes can be entered via octal encoding,

    #    e.g. "\101\102" == "AB"

    #  Quotation marks can be entered by escaping them,

    #    e.g. "foo\"bar"

    #

    #  A note on security:  The security of the RADIUS protocol

    #  depends COMPLETELY on this secret!  We recommend using a

    #  shared secret that is composed of:

    #

    #    upper case letters

    #    lower case letters

    #    numbers

    #

    #  And is at LEAST 8 characters long, preferably 16 characters in

    #  length.  The secret MUST be random, and should not be words,

    #  phrases, or anything else that is recognizable.

    #

    #  The default secret below is only for testing, and should

    #  not be used in any real environment.

    #

    secret        = testing123



    #

    #  Old-style clients do not send a Message-Authenticator

    #  in an Access-Request.  RFC 5080 suggests that all clients

    #  SHOULD include it in an Access-Request.  The configuration

    #  item below allows the server to require it.  If a client

    #  is required to include a Message-Authenticator and it does

    #  not, then the packet will be silently discarded.

    #

    #  allowed values: yes, no

    require_message_authenticator = no



    #

    #  The short name is used as an alias for the fully qualified

    #  domain name, or the IP address.

    #

    #  It is accepted for compatibility with 1.x, but it is no

    #  longer necessary in 2.0

    #

#    shortname    = localhost



    #

    # the following three fields are optional, but may be used by

    # checkrad.pl for simultaneous use checks

    #



    #

    # The nastype tells 'checkrad.pl' which NAS-specific method to

    #  use to query the NAS for simultaneous use.

    #

    #  Permitted NAS types are:

    #

    #    cisco

    #    computone

    #    livingston

    #    max40xx

    #    multitech

    #    netserver

    #    pathras

    #    patton

    #    portslave

    #    tc

    #    usrhiper

    #    other        # for all other types



    #

    nastype     = other    # localhost isn't usually a NAS...



    #

    #  The following two configurations are for future use.

    #  The 'naspasswd' file is currently used to store the NAS

    #  login name and password, which is used by checkrad.pl

    #  when querying the NAS for simultaneous use.

    #

#    login       = !root

#    password    = someadminpas



    #

    #  As of 2.0, clients can also be tied to a virtual server.

    #  This is done by setting the "virtual_server" configuration

    #  item, as in the example below.

    #

#    virtual_server = home1

}



# IPv6 Client

#client ::1 {

#    secret        = testing123

#    shortname    = localhost

#}

#

# All IPv6 Site-local clients

#client fe80::/16 {

#    secret        = testing123

#    shortname    = localhost

#}



#client some.host.org {

#    secret        = testing123

#    shortname    = localhost

#}



#

#  You can now specify one secret for a network of clients.

#  When a client request comes in, the BEST match is chosen.

#  i.e. The entry from the smallest possible network.

#

#client 192.168.0.0/24 {

#    secret        = testing123-1

#    shortname    = private-network-1

#}

#

#client 192.168.0.0/16 {

#    secret        = testing123-2

#    shortname    = private-network-2

#}



#  Live clients of this installation.  Both reuse the default secret
#  "testing123" that the comments above say must never be used for real,
#  and 111.5.0.0/16 is a public prefix: every host in it can talk RADIUS
#  to this server with a known secret.  Prefer one /32 entry per NAS,
#  each with its own long random secret.

client 192.168.1.0/24 {

    secret        = testing123

    shortname    = private-network-1

}



client 111.5.0.0/16 {

    secret        = testing123

    shortname    = private-network-2

}



#client 10.10.10.10 {

#    # secret and password are mapped through the "secrets" file.

#    secret      = testing123

#    shortname   = liv1

#    # the following three fields are optional, but may be used by

#    # checkrad.pl for simultaneous usage checks

#    nastype     = livingston

#    login       = !root

#    password    = someadminpas

#}



#client 192.168.0.0/24 {

#    secret        = testing123-1

#    shortname    = private-network-1

#}



#######################################################################

#

#  Per-socket client lists.  The configuration entries are exactly

#  the same as above, but they are nested inside of a section.

#

#  You can have as many per-socket client lists as you have "listen"

#  sections, or you can re-use a list among multiple "listen" sections.

#

#  Un-comment this section, and edit a "listen" section to add:

#  "clients = per_socket_clients".  That IP address/port combination

#  will then accept ONLY the clients listed in this section.

#

#clients per_socket_clients {

#    client 192.168.3.4 {

#        secret = testing123

#        }

#}
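Why the comments above insist on a long random secret and why require_message_authenticator matters, shown on the wire. The following is an added example written for this page, not FreeRADIUS code: it builds an Access-Request the way a NAS does, hides User-Password with the RFC 2865 MD5 stream, signs the packet with the RFC 2869 HMAC-MD5 Message-Authenticator, verifies it as the server would, and checks the Response Authenticator on the Access-Accept. Only the Python standard library is used; the user name, password and the testing123 secret are constructed test values.

```python
"""Shared-secret primitives of the RADIUS protocol (RFC 2865, RFC 2869).

Added example for this page, not FreeRADIUS code.  Standard library only.
The user name, password and secret used with it are constructed test values.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR = 1, 2, 80


def encode_user_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16-byte blocks; c_i = p_i XOR MD5(secret + c_(i-1)),
    with c_0 = the 16-byte Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decode_user_password(encoded, secret, req_auth):
    """Inverse of encode_user_password; same secret, same Request Authenticator."""
    out, prev = b"", req_auth
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = encoded[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, key)), block
    return out.rstrip(b"\x00")


def _attr(atype, value):
    """Type, Length (including these two bytes), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(user, password, secret, ident, req_auth=None):
    """Access-Request as a NAS sends it: hidden User-Password plus an
    HMAC-MD5 Message-Authenticator over the whole packet (RFC 2869 5.14)."""
    req_auth = req_auth or os.urandom(16)        # must be unpredictable per request
    attrs = _attr(USER_NAME, user)
    attrs += _attr(USER_PASSWORD, encode_user_password(password, secret, req_auth))
    attrs += _attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)   # zero while the MAC is computed
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac     # the MAC is the last attribute, so its value is the last 16 bytes


def find_attr(packet, atype):
    """(offset of the value, value) of the first attribute of type atype, or None.
    Bounds-checks every length byte so a malformed packet cannot run past the buffer."""
    off = 20
    while off + 2 <= len(packet):
        t, length = packet[off], packet[off + 1]
        if length < 2 or off + length > len(packet):
            return None
        if t == atype:
            return off + 2, packet[off + 2:off + length]
        off += length
    return None


def verify_message_authenticator(packet, secret):
    """The check that require_message_authenticator = yes makes the server enforce."""
    found = find_attr(packet, MESSAGE_AUTHENTICATOR)
    if found is None or len(found[1]) != 16:
        return False
    off, mac = found
    zeroed = packet[:off] + b"\x00" * 16 + packet[off + 16:]
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), mac)


def response_authenticator(code, ident, req_auth, attrs, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def build_access_accept(request, secret, attrs=b""):
    """Server reply; its authenticator binds it to the request it answers."""
    ident, req_auth = request[1], request[4:20]
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + response_authenticator(ACCESS_ACCEPT, ident, req_auth, attrs, secret) + attrs


def verify_response(response, request, secret):
    """What the NAS checks before trusting an Accept/Reject: same ID, valid authenticator."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = response_authenticator(response[0], response[1], request[4:20],
                                      response[20:], secret)
    return hmac.compare_digest(response[4:20], expected)
```

Two things the code makes concrete. Without Message-Authenticator the only secret-dependent bytes in an Access-Request are the User-Password hiding blocks, so User-Name, NAS-IP-Address or any added attribute can be altered in transit undetected unless the server requires the HMAC. And the hiding is password XOR MD5(secret + Request-Authenticator): one captured packet whose password is known or guessable yields MD5(secret + RA) directly and therefore an offline test for candidate secrets, which is why the comments above demand a long random secret rather than a word.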






Friday, August 17, 2012

[Ubuntu][FreeRadius] How to install and configure FreeRadius



Install FreeRADIUS 2.1.6 on Ubuntu 10.04




1. Download and Install OpenSSL and FreeRADIUS



The first step is to download and install the latest snapshot versions of OpenSSL and FreeRADIUS.



a. OpenSSL -- Download the latest OpenSSL-0.9.7-stable snapshot (this branch has long been unsupported; on a current system build against a supported OpenSSL release and adjust the file names below accordingly). I downloaded the OpenSSL snapshot to my home directory. The snapshots are located at:



»ftp://ftp.openssl.org/snapshot/



Then I used the following nine steps:



mkdir -p /usr/src/802/openssl

cd /usr/src/802/openssl

cp /home/jbibe/openssl-0.9.7-stable-SNAP-20040202.tar.gz \

openssl-0.9.7-stable-SNAP-20040202.tar.gz



gunzip openssl-0.9.7-stable-SNAP-20040202.tar.gz

tar xvf openssl-0.9.7-stable-SNAP-20040202.tar

cd openssl-0.9.7-stable-SNAP-20040202



./config shared --prefix=/usr/local/openssl

make

make install



That completes the work with OpenSSL, except for building the required certificates.



When you perform the config, make, and make install here and in the FreeRADIUS install described below, I recommend that you log the output. For example, instead of the bare "make" command, use:



make > mymake.log 2>&1



If you encounter problems, you can review mymake.log (or myconfig.log, or myinstall.log) for errors.



b. FreeRadius -- Download the latest FreeRADIUS snapshot. Again, I downloaded the file to my home directory. The snapshot is located at:



»ftp://ftp.freeradius.org/pub/radius/CVS-snapshots/



Then I used the following nine steps:



mkdir -p /usr/src/802/radius

cd /usr/src/802/radius

cp /home/jbibe/freeradius-snapshot-20040203.tar.gz \

freeradius-snapshot-20040203.tar.gz



gunzip freeradius-snapshot-20040203.tar.gz

tar xvf freeradius-snapshot-20040203.tar

cd freeradius-snapshot-20040203



./configure --with-openssl-includes=/usr/local/openssl/include \

--with-openssl-libraries=/usr/local/openssl/lib \

--prefix=/usr/local/radius

make

make install



That completes the work with FreeRADIUS, except for building certificates, making the changes to the FreeRADIUS configuration files, moving the server certificates to their final location, and building a wrapper for radiusd.

------------------------------------------------------------------------------------------------------------------

FreeRadius Configuration Step



1. Check the permissions on the raddb directory, then edit the parameters in radiusd.conf. The path depends on how the server was installed: a source build puts it under ${prefix}/etc/raddb (so /usr/local/radius/etc/raddb for the --prefix used above), while the Ubuntu package uses /etc/freeradius.

#cd /etc/raddb/

#sudo gedit radiusd.conf



The server listens for authentication requests on UDP port 1812

and for accounting on UDP port 1813



    #  Port on which to listen.

    #  Allowed values are:

    #    integer port number (1812)

    #    0 means "use /etc/services for the proper port"

    port = 1812

  

  

#  This second "listen" section is for listening on the accounting

#  port, too.

#

listen {

    ipaddr = *

#    ipv6addr = ::

    port = 1813

    type = acct

#    interface = eth0

#    clients = per_socket_clients

}  



    #  Log the User-Name after realm stripping (yes), or the full

    #  User-Name attribute exactly as it was found in the request (no).

    #

    # allowed values: {no, yes}

    #

    stripped_names = yes



    #  Log authentication requests to the log file.

    #

    #  allowed values: {no, yes}

    #

    auth = yes



    #  Log passwords with the authentication requests.

    #  auth_badpass  - logs password if it's rejected

    #  auth_goodpass - logs password if it's correct

    #

    #  allowed values: {no, yes}

    #

    #  Note: a rejected password is very often a real password with a

    #  typo, so with auth_badpass = yes radius.log becomes a credential

    #  store.  Use it only while debugging and set it back to no.

    #

    auth_badpass = yes

    auth_goodpass = no



2. Changes in eap.conf



eap {

    # There are several generic EAP parameters you can

    # set here, but the important one for our purposes

    # is default_eap_type:



    default_eap_type = tls



    # Next come parameters for specific EAP types. Since

    # we're going to use EAP-TLS, the tls{} section is

    # the one we care about:



    tls {

        # The following parameters tell radiusd where to

        # find its certs and keys, plus dh & random files.

        # private_key_password is only consulted if the key is

        # encrypted; the server key created below with "req -nodes"

        # is not, so the value is unused in that case.

        private_key_password = 12345

        private_key_file = /etc/ssl/server_keycert.pem   # /usr/lib/ssl/misc/server_keycert.pem

        certificate_file = /etc/ssl/server_keycert.pem   # /usr/lib/ssl/misc/server_keycert.pem

        CA_file = /etc/ssl/CA/cacert.pem                 # /usr/lib/ssl/misc/demoCA/cacert.pem

        dh_file = /etc/ssl/dh                            # /usr/lib/ssl/misc/dh

        random_file = /etc/ssl/random                    # /usr/lib/ssl/misc/random

    }

}



3. Access Point Entry in clients.conf



#  You can now specify one secret for a network of clients.

#  When a client request comes in, the BEST match is chosen.

#  i.e. The entry from the smallest possible network.



client 192.168.1.1/32 {

    secret = 12345678        # example only; use a long random secret for a real AP

    shortname = wiremonkeys_AP

}

----------------------------------------------------------------------------------------------------------------------------------------------

Configuring Windows XP Clients Step



And that brings us to configuring a Windows XP wireless client to use your newly WPA-enabled access point. This being a Linux magazine, I'm not going to describe this process in painstaking detail; for that you can see section 4.3 of Ken Roser's HOWTO, listed in the on-line Resources. In summary, you need to:



1. Run the command mmc from Start -> Run



2. In Microsoft Management Console, select File -> Add/Remove Snap-in, add the Certificates snap-in and set it to manage certificates for My user account and, on the next screen, only for the Local computer.



3. Copy your CA (cacert.pem) certificate to your Windows system's hard drive, for example, to C:\cacert.pem.



4. From within MMC, expand Console Root and Certificates - Current User and right-click on Trusted Root Certification Authorities. In the pop-up menu, select All Tasks -> Import. Tell the subsequent wizard to import the file C:\cacert.pem and to store it in Trusted Root Certification Authorities.



5. Copy your client certificate/key file to your Windows system, for example, to C:\client_cert.p12.



6. From within MMC -> Console Root -> Certificates, expand Personal and right-click on Certificates. In the pop-up menu, select All Tasks -> Import. Tell the subsequent wizard to import the file C:\client_cert.p12.



7. The certificate-import wizard then prompts you for the certificate's passphrase. In the same dialog, it offers the option to enable strong private key protection. Unfortunately, enabling this breaks WPA, so be sure to leave this option unchecked. Also, leave the option to mark this key as exportable unchecked; you're better off backing up the password-protected file you just imported rather than allowing the imported nonprotected version to be exportable.



8. In the subsequent screen, let the wizard Automatically select the certificate store.



%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

How to start radiusd :

1. Run "radiusd -X" (debug mode, in the foreground) first; it prints every configuration problem, so fix those before starting the daemon.

2. Go to /usr/local/sbin/

  and execute "sh ./rc.radiusd restart"

3. Run "ps aux"

If a line like the one below appears, the daemon started successfully.

root     29082  0.0  0.2  44984  2264 ?        Ssl  20:50   0:00 /usr/local/sbin/radiusd



To trace what the start script does, run it with shell tracing enabled:

sh -x /usr/local/sbin/rc.radiusd restart



%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%



OpenSSL certificate steps (collected from the Internet)



1. Create the CA certificate with openssl. CA.pl of this vintage generates a 1024-bit RSA key valid for 3 years (1095 days); 1024-bit RSA is below today's 2048-bit minimum, so on a current system set default_bits = 2048 in openssl.cnf before running it.

#cd /etc/ssl/

#/usr/lib/ssl/misc/CA.pl -newca        # Ubuntu path

or

#/usr/share/ssl/misc/CA.pl -newca      # openSUSE path



CA certificate filename (or enter to create)



Making CA certificate ...

Generating a 1024 bit RSA private key

........................++++++

..........++++++

writing new private key to './CA/private/cakey.pem'

Enter PEM pass phrase: 12345

Verifying - Enter PEM pass phrase: 12345

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:TW

State or Province Name (full name) [Some-State]:Taipei

Locality Name (eg, city) []:Taipei

Organization Name (eg, company) [Internet Widgits Pty Ltd]:QMI

Organizational Unit Name (eg, section) []:DQA

Common Name (eg, YOUR name) []:rootca

Email Address []:bryan.yu@qmitw.com



Please enter the following ‘extra’ attributes

to be sent with your certificate request

A challenge password []: (leave blank)

An optional company name []: (leave blank)

Using configuration from /usr/lib/ssl/openssl.cnf      (Ubuntu)

Using configuration from /usr/share/ssl/openssl.cnf    (openSUSE)

Enter pass phrase for ./demoCA/private/cakey.pem: 12345



Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number:

91:23:c3:97:8a:c5:d8:e5

Validity

Not Before: Mar 17 14:38:09 2008 GMT

Not After : Mar 17 14:38:09 2011 GMT

Subject:

countryName = TW

stateOrProvinceName = LinKou

organizationName = QMI

organizationalUnitName = DQA

commonName = rootca

emailAddress = bryan.yu@qmitw.com

X509v3 extensions:

X509v3 Subject Key Identifier:

FF:DA:F6:63:4E:6F:20:16:85:BC:CE:E4:6E:EA:17:48:B5:DE:87:25

X509v3 Authority Key Identifier:

keyid:FF:DA:F6:63:4E:6F:20:16:85:BC:CE:E4:6E:EA:17:48:B5:DE:87:25

DirName:/C=TW/ST=LinKou/O=QMI/OU=DQA/CN=rootca/emailAddress=bryan.yu@qmitw.com

serial:91:23:C3:97:8A:C5:D8:E5



X509v3 Basic Constraints:

CA:TRUE

Certificate is to be certified until Mar 17 14:38:09 2011 GMT (1095 days)



Write out database with 1 new entries

Data Base Updated



2. Let's start to create a server certificate signing request using OpenSSL's req command (-nodes leaves the key unencrypted, so radiusd can read it without a passphrase):



openssl req -new -nodes -keyout server_key.pem -out server_req.pem -days 730 -config ./openssl.cnf



3. Next step, let’s use our CA key to sign the request by using OpenSSL’s ca command:



openssl ca -config ./openssl.cnf -policy policy_anything -out server_cert.pem -infiles ./server_req.pem



4. Open your signed certificate (server_cert.pem) with the text editor of your choice (for example vi) and delete everything before the line -----BEGIN CERTIFICATE----- (the human-readable dump that openssl ca prepends).

Then concatenate it and your key into a single file, like this:



cat server_key.pem server_cert.pem > server_keycert.pem





-------------------------------------------------------------------------------------------------

* openssl ca refuses to sign a second certificate with the same subject: after building server.crt, building client.crt fails with the error message below



[root@vm ssl]# openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key -config /usr/share/ssl/openssl.cnf

Using configuration from /usr/share/ssl/openssl.cnf

Check that the request matches the signature

Signature ok

Certificate Details:

        Serial Number: 2 (0x2)

        Validity

            Not Before: Mar 17 00:40:06 2009 GMT

            Not After : Mar 17 00:40:06 2010 GMT

        Subject:

            countryName               = GB

            stateOrProvinceName       = Berkshire

            organizationName          = My Company Ltd

...

Certificate is to be certified until Mar 17 00:40:06 2010 GMT (365 days)

Sign the certificate? [y/n]:y

failed to update database

TXT_DB error number 2



Solution: after building server.crt, delete demoCA/index.txt and touch an empty one. The cause, for the record: openssl ca records every issued certificate in demoCA/index.txt and by default refuses a second certificate with the same subject DN (unique_subject = yes, kept in demoCA/index.txt.attr); here the client CSR was apparently filled in with the same defaults as the server one (the visible C=GB, ST=Berkshire, O=My Company Ltd match the index.txt entry), so the second signing clashes and fails with TXT_DB error number 2. Emptying index.txt works but discards the CA's issuance record; a cleaner fix is to give the client certificate its own CN, or to put unique_subject = no in demoCA/index.txt.attr before signing.

[root@vm ssl]# cd demoCA/

[root@vm demoCA]# ls

certs/  crl/  index.txt  index.txt.old  newcerts/  private/  serial  serial.old





[root@vm demoCA]# cat index.txt

V       100317003901Z           01      unknown /C=GB/ST=Berkshire/O=My Company Ltd/OU=section/CN=vm/emailAddress=macguan@otas.cn



[root@vm demoCA]# rm index.txt

rm: remove regular file `index.txt'? y



[root@vm demoCA]# touch index.txt



[root@vm demoCA]# cd ..

-------------------------------------------------------------------------------------------------

Client :



5. We need to create a client certificate signing request now. The OpenSSL command to do this is similar to that used to create server certificates:



openssl req -new -keyout client_key.pem -out client_req.pem -days 730 -config ../openssl.cnf



6. Next step -- we sign the client certificate's signing request:



openssl ca -config ../openssl.cnf -policy policy_anything -out client_cert.pem -infiles ./client_req.pem



Certificate for a Windows XP or Vista client :



7. If your certificate is to be used by a Windows XP or Vista client, you need to do one more step.

You need to convert the certificate and key to a PKCS#12 file with this command (the client key from step 5 is encrypted, so openssl asks for its passphrase and then for an export password; the export password is what the Windows import wizard asks for in step 7 above):



openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out client_cert.p12 -clcerts



Radius server :



8. Before we dive into FreeRADIUS' configuration files, we need to create two files that FreeRADIUS must have in order to use TLS.

The first is a Diffie-Hellman parameters file, or dh file, which is used for negotiating TLS session keys. The 512-bit size in the command below dates from when this was written; current TLS stacks reject DH groups shorter than 1024 bits, so use 2048 in its place (generation takes noticeably longer). To create a dh file, issue this command:



sudo openssl dhparam -check -text -5 512 -out dh



9. The second file you need is a data file that contains a random bitstream that also is used in TLS operations.

Do not simply stick the current timestamp or any other similarly nonrandom string into a file called random,

as is suggested in at least one WPA procedure I’ve seen on the Internet. Rather, use the kernel’s high-quality random number generator. Run this command:



dd if=/dev/urandom of=random count=2
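The certificate steps 1 to 9 above, done non-interactively in Python driving the openssl command line. This is an added example, not code from the page, from CA.pl or from FreeRADIUS. It signs with "openssl x509 -req" instead of "openssl ca", so there is no demoCA/index.txt database and the TXT_DB error described earlier cannot occur; it adds the serverAuth/clientAuth extended key usages that Windows supplicants require (FreeRADIUS 2.x ships the same OIDs in raddb/certs/xpextensions, next to a Makefile that builds an equivalent set of certificates); and it uses 2048-bit RSA keys and 2048-bit DH parameters. The subjects, file names, the client name alice, the host name radius.example.test and the PKCS#12 password changeit are assumptions.

```python
"""Non-interactive CA / server / client certificate build for EAP-TLS.

Added example for this page, not code from CA.pl or FreeRADIUS.  It shells
out to the openssl CLI; subjects, file names and passwords are assumptions.
"""
import os
import shutil
import subprocess
import tempfile

CA_EXT = "basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n"
# Windows supplicants insist on these EKUs; FreeRADIUS ships the same OIDs
# in raddb/certs/xpextensions.
SERVER_EXT = "basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n"
CLIENT_EXT = "basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n"


def openssl_available():
    return shutil.which("openssl") is not None


def _openssl(cwd, *args):
    subprocess.run(["openssl", *args], cwd=cwd, check=True,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def _write(cwd, name, data):
    with open(os.path.join(cwd, name), "w") as f:
        f.write(data)


def _csr(cwd, name, subject):
    """Fresh 2048-bit RSA key plus CSR, unencrypted (-nodes) like step 2 above."""
    _openssl(cwd, "req", "-new", "-newkey", "rsa:2048", "-nodes", "-sha256",
             "-subj", subject, "-keyout", f"{name}_key.pem", "-out", f"{name}_req.pem")


def _sign(cwd, name, ext, days, *signer):
    """Sign <name>_req.pem with the given extensions.  signer is either
    ("-signkey", key) for the self-signed CA or ("-CA", cert, "-CAkey", key, ...)."""
    _write(cwd, f"{name}_ext.cnf", ext)
    _openssl(cwd, "x509", "-req", "-sha256", "-days", str(days), "-in", f"{name}_req.pem",
             *signer, "-extfile", f"{name}_ext.cnf", "-out", f"{name}_cert.pem")


def make_eap_tls_pki(out_dir=None, dh_bits=2048):
    """Build CA, server and client material in out_dir (a temp dir if None); returns the path."""
    out_dir = out_dir or tempfile.mkdtemp(prefix="eap-pki-")
    # 1. Self-signed CA, 1095 days like CA.pl -newca
    _csr(out_dir, "ca", "/C=TW/ST=Taipei/O=QMI/OU=DQA/CN=rootca")
    _sign(out_dir, "ca", CA_EXT, 1095, "-signkey", "ca_key.pem")
    # -CAcreateserial creates ca_cert.srl on first use and increments it afterwards
    ca = ("-CA", "ca_cert.pem", "-CAkey", "ca_key.pem", "-CAcreateserial")
    # 2-4. Server cert, then key + cert in one file as the eap.conf above expects
    _csr(out_dir, "server", "/C=TW/O=QMI/OU=DQA/CN=radius.example.test")
    _sign(out_dir, "server", SERVER_EXT, 730, *ca)
    with open(os.path.join(out_dir, "server_keycert.pem"), "w") as dst:
        for part in ("server_key.pem", "server_cert.pem"):
            with open(os.path.join(out_dir, part)) as src:
                dst.write(src.read())
    # 5-7. Client cert and a PKCS#12 bundle (cert + key + CA) for the Windows import wizard.
    # With OpenSSL 3 add "-legacy" if an old Windows release refuses the file.
    _csr(out_dir, "client", "/C=TW/O=QMI/OU=DQA/CN=alice")
    _sign(out_dir, "client", CLIENT_EXT, 730, *ca)
    _openssl(out_dir, "pkcs12", "-export", "-in", "client_cert.pem", "-inkey", "client_key.pem",
             "-certfile", "ca_cert.pem", "-passout", "pass:changeit", "-out", "client_cert.p12")
    # 8-9. dh and random for the tls {} section.  512-bit DH as in step 8 is
    # rejected by current TLS stacks; 2048 takes a while, dh_bits=0 skips it.
    if dh_bits:
        _openssl(out_dir, "dhparam", "-out", "dh", str(dh_bits))
    with open(os.path.join(out_dir, "random"), "wb") as f:
        f.write(os.urandom(2048))
    return out_dir


def verify_eap_tls_pki(pki_dir):
    """Files present, both leaf certs chain to the CA, server cert carries serverAuth."""
    for name in ("server_keycert.pem", "client_cert.p12", "random"):
        if not os.path.isfile(os.path.join(pki_dir, name)):
            return False
    try:
        _openssl(pki_dir, "verify", "-CAfile", "ca_cert.pem", "server_cert.pem", "client_cert.pem")
    except subprocess.CalledProcessError:
        return False
    dump = subprocess.run(["openssl", "x509", "-in", "server_cert.pem", "-noout", "-text"],
                          cwd=pki_dir, check=True, capture_output=True, text=True).stdout
    return "TLS Web Server Authentication" in dump


if __name__ == "__main__":
    pki = make_eap_tls_pki()
    print(pki, "ok" if verify_eap_tls_pki(pki) else "FAILED")
```

Point eap.conf at the resulting server_keycert.pem, ca_cert.pem, dh and random, and import client_cert.p12 on the supplicant. Because the server key is written with -nodes, private_key_password in eap.conf is not consulted; encrypt the key with "openssl rsa -aes256" afterwards if a passphrase is wanted.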

-------------------------------------------------------------------------------------------------

Radius test -- successful (screenshot not reproduced here)



Windows setting like below (screenshots not reproduced here)



Ubuntu 10.04 Client setting (screenshot not reproduced here)