ldapfreeradius.pdf

Upload: charbel-avognon

Post on 02-Jun-2018


  • 8/10/2019 ldapfreeradius.pdf

    1/9


    Setting Up 802.1x Authentication with Debian Linux and FreeRadius, Part 1

    by Tobias Rice

    Version 1.1 (5.4.2008: simplified/corrected certificate creation)

    Integrating wireless networking in today's security-conscious environment has its many challenges, but that doesn't mean it can't be done, and done well. With the failure of early security schemes such as WEP, LEAP, etc., many enterprises opted not to deploy wireless, or to wait until the technology matured to the point where wireless networking was a safe, viable solution. As better encryption standards such as WPA/TKIP and WPA2/AES have become available, adding secure wireless to the enterprise has once again become a viable option. Another challenge of deploying wireless in the enterprise has been scalability. Pre-shared keys are a bad idea in the enterprise, since you cannot easily change the key when a laptop is stolen or a user is terminated without reconfiguring every device in the environment. Since most large enterprises already have a centralized user database such as LDAP, Active Directory, or RADIUS, it is much better to grant wireless access based on a user's identity. A stolen laptop then cannot connect to the network without knowledge of a valid account, and terminating a user doesn't affect any other user's access to the network. Enter 802.1x. Although not new, 802.1x bridges the gap between security and scalability for wireless in the enterprise. In this tutorial we will be leveraging open source software to set up our authentication infrastructure using Debian Linux and FreeRADIUS. With these components in place we can access various user databases (and/or use the local users file within FreeRADIUS) securely via a variety of EAP protocols such as EAP-TLS, EAP-TTLS, PEAP, etc.

    In Part 1 of this article we will compile, install, and configure FreeRADIUS with support for EAP-TLS and PEAP, using FreeRADIUS's local user database. We will initially use the example certificates that come with FreeRADIUS until we are sure that everything is working properly, then create our own certificate infrastructure for use with PEAP. In future parts of this article we will tie FreeRADIUS into other databases such as OpenLDAP, set up our own PKI, and use EAP-TLS for authentication. So let's get started!

    Setting Up 802.1x Authentication with Debian Lin... http://www.fatofthelan.com/technical/setting-up

    1 sur 9 16/09/2014 21

    We'll assume you've already installed Debian Linux, which at the time of this article is 4.0r2 (Etch), on your server. Typically installing software on Debian is as easy as apt-get install freeradius, but since OpenSSL's license doesn't comply with Debian's adherence to the GPL we must compile our own deb packages with support for EAP-TLS and PEAP. But fear not, it is extremely easy to make our own custom packages. Non-Debian users can skip this section. First we'll need a place to work, so I created a directory:

    mkdir /usr/src/freeradius && cd /usr/src/freeradius

    Next we need to fetch our source and get any dependencies, so update your sources and enter the following commands:

    apt-get update
    apt-get build-dep freeradius
    apt-get install libssl-dev fakeroot
    apt-get source freeradius

    This should have downloaded the FreeRADIUS source code for us, so now we'll have to make a few changes to tell our compiler to build it with the EAP modules we'll be using. First edit /usr/src/freeradius/freeradius-1.1.3/debian/control: remove libssl-dev from the Build-Conflicts: line and add it to the end of the Build-Depends: line. Your file should look like this:

    Build-Depends: debhelper (>= 5), libltdl3-dev, libpam0g-dev, libmysqlclient15-dev | libmysqlclient-dev, libgdbm-dev, libldap2-dev, libsasl2-dev, libiodbc2-dev, libkrb5-dev, snmp, autotools-dev, dpatch (>= 2), libperl-dev, libtool, dpkg-dev (>= 1.13.19), libssl-dev
    Build-Conflicts:

    Next you'll need to add descriptions for your EAP modules, so enter the following at the end of the file:

    Package: freeradius-eaptls
    Architecture: any
    Depends: freeradius (= ${binary:Version}), ${shlibs:Depends}
    Description: eap-tls module for FreeRADIUS server
     Debian will not provide a binary version of the rlm_eap_tls.so library. This
     module is required if you want to use EAP/TLS authentication, commonly used
     for WiFi access points.

    Package: freeradius-eappeap
    Architecture: any
    Depends: freeradius (= ${binary:Version}), ${shlibs:Depends}
    Description: eap-peap module for FreeRADIUS server
     Debian will not provide a binary version of the rlm_eap_peap.so library. This
     module is required if you want to use EAP/PEAP authentication, commonly used
     for WiFi access points.

    Save and exit this file.
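Before spending time on a build, it is worth checking that the control edits above came out right. The script below is an added example, not part of the original article nor of Debian's packaging: it parses the first stanza of a debian/control file (joining the format's whitespace-continued lines), verifies that libssl-dev is in Build-Depends and absent from Build-Conflicts, and confirms both new package stanzas exist. The control file it writes for the demonstration is a constructed excerpt, not the real one.

```shell
#!/bin/sh
# Added example (not from the article): sanity-check the debian/control edits
# before running dpkg-buildpackage. The control file path is passed in; the
# file written by write_sample_control is a constructed excerpt.

# Print the value of field $2 from the first stanza of control file $1.
# deb-control values continue on lines that start with whitespace, so those
# are joined onto the field's first line.
control_field() {
    awk -v want="$2" '
        /^$/        { exit }                                 # first stanza only
        /^[^ \t]/   { infield = (index($0, want ":") == 1) } # a new field line
        infield     { line = $0; sub("^" want ":", "", line); val = val " " line }
        END         { gsub(/[ \t]+/, " ", val); sub(/^ /, "", val); print val }
    ' "$1"
}

# Succeed if the comma-separated dependency list $1 names package $2,
# ignoring version constraints in (...) and splitting "a | b" alternatives.
deplist_has() {
    printf '%s\n' "$1" | tr ',|' '\n\n' \
        | sed 's/(.*)//; s/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -qx "$2"
}

# Return 0 when control file $1 carries all the edits the article calls for.
check_control() {
    ctl=$1
    bd=$(control_field "$ctl" Build-Depends)
    bc=$(control_field "$ctl" Build-Conflicts)
    deplist_has "$bd" libssl-dev || { echo "libssl-dev is missing from Build-Depends"; return 1; }
    if deplist_has "$bc" libssl-dev; then
        echo "libssl-dev is still listed in Build-Conflicts"; return 1
    fi
    for p in freeradius-eaptls freeradius-eappeap; do
        grep -qx "Package: $p" "$ctl" || { echo "no stanza for $p"; return 1; }
    done
    echo "control file OK"
}

# Write a constructed control excerpt to $1; $2 becomes the Build-Conflicts value.
write_sample_control() {
    cat > "$1" <<EOF
Source: freeradius
Section: net
Build-Depends: debhelper (>= 5), libltdl3-dev, libpam0g-dev,
 libmysqlclient15-dev | libmysqlclient-dev, libgdbm-dev, libldap2-dev,
 libssl-dev
Build-Conflicts: $2

Package: freeradius
Architecture: any

Package: freeradius-eaptls
Architecture: any
Depends: freeradius (= \${binary:Version}), \${shlibs:Depends}

Package: freeradius-eappeap
Architecture: any
EOF
}

# Demonstration on the constructed sample; on a real build box point
# check_control at /usr/src/freeradius/freeradius-1.1.3/debian/control.
demo=$(mktemp -d)
write_sample_control "$demo/control" ""
check_control "$demo/control"
rm -rf "$demo"
```

The field parser stops at the first blank line on purpose: only the source stanza carries Build-Depends and Build-Conflicts, and the binary stanzas that follow are checked separately by name.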

    Next we'll edit /usr/src/freeradius/freeradius-1.1.3/debian/rules. Find and comment out the existing buildssl= and modulelist= lines and add the following lines:

    buildssl=--without-rlm_otp --without-rlm_sql_postgresql --without-snmp
    modulelist=krb5 ldap sql_mysql sql_iodbc eap_peap eap_tls

    Save and exit.

    Now enter the following commands:

    echo usr/lib/freeradius/rlm_eap_tls*.so > /usr/src/freeradius/freeradius-1.1.3/debian/freeradius-eaptls.install
    echo usr/lib/freeradius/rlm_eap_peap*.so > /usr/src/freeradius/freeradius-1.1.3/debian/freeradius-eappeap.install

    Next let's create /usr/src/freeradius/freeradius-1.1.3/debian/freeradius-eaptls.postinst and enter the following:

    #! /bin/sh

    set -e

    case "$1" in
        configure)
            if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
                invoke-rc.d freeradius restart
            else
                /etc/init.d/freeradius restart
            fi
            ;;
        abort-upgrade)
            ;;
        abort-remove)
            ;;
        abort-deconfigure)
            ;;
    esac

    #DEBHELPER#

    Now we'll create /usr/src/freeradius/freeradius-1.1.3/debian/freeradius-eappeap.postinst and add the following to it:

    #! /bin/sh

    set -e

    case "$1" in
        configure)
            if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
                invoke-rc.d freeradius reload
            else
                /etc/init.d/freeradius reload
            fi
            ;;
        abort-upgrade)
            ;;
        abort-remove)
            ;;
        abort-deconfigure)
            ;;
    esac

    #DEBHELPER#

    Now that the hard part is finished, let's compile our deb packages. Enter the following commands:

    cd /usr/src/freeradius/freeradius-1.1.3/
    dpkg-buildpackage -rfakeroot -uc -us

    If all went well you should now have several .deb packages in /usr/src/freeradius, so let's install them by entering the following:

    dpkg -i freeradius_1.1.3-3_i386.deb
    dpkg -i freeradius-eaptls_1.1.3-3_i386.deb
    dpkg -i freeradius-eappeap_1.1.3-3_i386.deb

    Check to see if FreeRADIUS compiled and installed correctly by issuing the following command:

    ps aux | grep freeradius

    And you should see something similar to this:

    freerad 29998 0.0 0.8 44620 2224 ? Ssl 00:55 0:00 /usr/sbin/freeradius

    If not, start FreeRADIUS in debug mode as root and look for any clues as to why things are not working properly:

    freeradius -X

    Also check /usr/lib/freeradius and ensure that the rlm_eap_peap-1.1.3.so and rlm_eap_tls-1.1.3.so modules exist.

    Now to configure FreeRADIUS


    First we'll edit /etc/freeradius/radiusd.conf.

    NOTE: When editing the configuration files be sure that every opening bracket ({) has a corresponding closing bracket (}) or you will break FreeRADIUS!

    Find the mschap stanza under MODULES and configure it with the following parameters:

    mschap {
        authtype = MS-CHAP
        use_mppe = yes
        require_encryption = yes
        require_strong = yes
    }

    Next verify the authorize stanza includes these parameters:

    preprocess
    mschap
    suffix
    eap
    files

    Now verify that the authenticate stanza is configured like this:

    authenticate {
        # MSCHAP authentication.
        Auth-Type MS-CHAP {
            mschap
        }
        # Allow EAP authentication.
        eap
    }

    Now we have to add a client to clients.conf. By client we mean an authenticator such as an access point (AP) or a wireless controller. For this example we'll use my Juniper SSG5's address of 192.168.44.129. Add the following stanza to clients.conf:

    client 192.168.44.129 {
        secret = test123
        shortname = Juniper
    }
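The bracket warning above is easy to check mechanically, and the shared secret is the one value in this stanza worth a second look before going live: it is what authenticates the access point to the server and protects the RADIUS exchange on the wire, and test123 is only a placeholder. The script below is an added example, not part of the original article or of FreeRADIUS. check_braces() counts opening and closing brackets outside comments and double-quoted strings, so an unbalanced stanza is caught before the daemon refuses to start, and check_client_secrets() reports any client whose secret is shorter than a chosen minimum (16 characters is an assumed threshold, not a FreeRADIUS setting). The clients.conf it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article or FreeRADIUS): lint checks to run on
# FreeRADIUS 1.x configuration files after hand-editing them.

# Return 0 when the { and } in file $1 balance, ignoring comments and
# double-quoted strings; otherwise report the problem and return 1.
check_braces() {
    awk '
        {
            line = $0
            sub(/#.*/, "", line)                 # drop trailing comments
            gsub(/"[^"]*"/, "", line)            # drop quoted strings
            depth += gsub(/\{/, "{", line)       # gsub() returns the match count
            depth -= gsub(/\}/, "}", line)
            if (depth < 0 && !bad) bad = NR      # a } with no open stanza
        }
        END {
            if (bad)       { printf "unmatched } at line %d\n", bad; exit 1 }
            if (depth > 0) { printf "%d stanza(s) never closed\n", depth; exit 1 }
            print "braces balanced"
        }
    ' "$1"
}

# List every client in clients.conf $1 whose shared secret is shorter than
# $2 characters; return 1 if any is found.
check_client_secrets() {
    awk -v min="$2" '
        /^[ \t]*client[ \t]/ { client = $2; sub(/[ \t]*\{.*/, "", client) }
        /^[ \t]*secret[ \t]*=/ {
            val = $0
            sub(/^[ \t]*secret[ \t]*=[ \t]*/, "", val)
            sub(/[ \t]*(#.*)?$/, "", val)        # strip comment and padding
            gsub(/^"|"$/, "", val)               # strip surrounding quotes
            if (length(val) < min) {
                printf "client %s: secret is %d characters, minimum %d\n", client, length(val), min
                weak++
            }
        }
        END { exit (weak > 0) }
    ' "$1"
}

# Write a constructed clients.conf to $1 using $2 as the Juniper client's secret.
write_sample_clients() {
    cat > "$1" <<EOF
# constructed sample clients.conf
client localhost {
    secret    = "Xk8v2Lq9pR4tW7zB1nM3"
    shortname = localhost
}
client 192.168.44.129 {
    secret    = $2
    shortname = Juniper
}
EOF
}

# Demonstration: the article's stanza passes the bracket check, but its
# placeholder secret trips the length check.
demo=$(mktemp -d)
write_sample_clients "$demo/clients.conf" test123
check_braces "$demo/clients.conf"
if ! check_client_secrets "$demo/clients.conf" 16; then
    echo "replace short secrets (for example with pwgen output) before deploying"
fi
rm -rf "$demo"
```

On a real server run check_braces against radiusd.conf, eap.conf and clients.conf in turn, and check_client_secrets against clients.conf only; both read the file once and need nothing beyond awk.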

    Next we'll configure our server to support PEAP by editing /etc/freeradius/eap.conf. First change the default_eap_type in the eap stanza to look like this:

    default_eap_type = peap

    Because PEAP needs to work with our example certificates, uncomment the tls stanza as well as the following parameters.


    Now edit /etc/ssl/openssl.cnf and find this line:

    dir = ./demoCA

    and change to:

    dir = /etc/freeradius/eap/eapCA

    This is the location where I'll be creating the new CA. You might want to look through the rest of the file and edit the defaults for your environment. Here are some of the changes that I made to my openssl.cnf:

    -countryName_default = AU+countryName_default = US

    -stateOrProvinceName_default = Some-State+stateOrProvinceName_default = Oregon

    +localityName_default = Portland-0.organizationName_default = Widget ltd+0.organizationName_default = Fat of the LAN
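Review bot: the `+` lines carry the author's own site values (US, Oregon, Portland, Fat of the LAN); these `*_default` entries only pre-fill the interactive prompts `openssl req` shows when a request is generated, so substitute your own organisation's details rather than copying the example, otherwise every certificate you issue will name the wrong organisation.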

    Now create and change to the directory where all of our certificates and our CA will live:

    mkdir /etc/freeradius/eap && cd /etc/freeradius/eap

    We will use one of OpenSSL's included scripts to generate our CA, but you'll want to customize it a bit before we use it, so we'll make a copy of it in our certificate directory.

    cp /usr/lib/ssl/misc/CA.pl /etc/freeradius/eap

    Next we have to edit CA.pl to tell it where to create our CA. Open it and change the following line:

    CATOP=./demoCA

    to:

    CATOP=/etc/freeradius/eap/eapCA

    Your CA is at the heart of your certificate infrastructure, so it is important to protect it once you've generated it and to use a strong password for it. I'll generate a nice random 25-character password with pwgen. Be sure to record this password, as you'll need it each time you sign a certificate.

    pwgen 25 1


    aem5xahheethohP5Woh5Eb3ph

    Now let's run the script from within the /etc/freeradius/eap directory.

    cd /etc/freeradius/eap
    ./CA.pl -newca

    Answer all of the questions based on your environment and use the password you just created when prompted. When the script finishes you'll have your own CA in /etc/freeradius/eap/eapCA. The next thing we need to do is create a server certificate for FreeRADIUS and sign it with our new CA.

    ./CA.pl -newreq-nodes

    We should now have a new key pair as well as a signing request ready to send to our CA.

    A quick note on compatibility. If you plan to use any of these certificates on Windows clients you'll need to add XP extensions to the certificates you generate. The xpextensions file is included with Debian's FreeRADIUS packages, and I'll include it in the appendix for our non-Debian readers. Just make a copy of it in our certificate directory.

    cp /usr/share/doc/freeradius/examples/xpextensions /etc/freeradius/eap

    Now let's use our CA key to sign the FreeRADIUS certificate request, entering the CA's password when prompted:

    ./CA.pl -sign

    (Optionally add -extensions xpserver_ext -extfile /etc/freeradius/eap/xpextensions.)

    Now that all of the certificates we need are generated, we need to create a couple of files needed for keying material and tell FreeRADIUS to use the new certs. To create the dh and random files, issue the following commands:

    openssl dhparam -check -text -5 512 -out dh
    dd if=/dev/urandom of=random count=2
    chmod 640 random newcert.pem newkey.pem newreq.pem dh

    Now open your /etc/freeradius/eap.conf file, find the tls stanza, and change it to reflect the new certificates we created.

    private_key_file = /etc/freeradius/eap/newkey.pem
    certificate_file = /etc/freeradius/eap/newcert.pem
    CA_file = /etc/freeradius/eap/eapCA/cacert.pem
    dh_file = /etc/freeradius/eap/dh
    random_file = /etc/freeradius/eap/random

    And while we're at it, uncomment the following lines:


    fragment_size = 1024
    include_length = yes
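Once the tls stanza points at the new files, a quick check that each referenced file exists and that the private key, dh and random files still carry the 640 permissions set a few steps back saves a confusing failure at restart. The script below is an added example, not from the article or the FreeRADIUS project: it pulls every *_file setting out of the tls stanza of an eap.conf (assuming the 1.1.x layout, where that stanza has no nested sub-stanzas) and verifies presence and mode. The sandbox it builds holds placeholder files, not real key material. It checks only presence and permissions; the 512-bit DH parameter generated above is far smaller than modern TLS implementations accept, and 2048 bits is the current recommended minimum for a production deployment.

```shell
#!/bin/sh
# Added example (not from the article or FreeRADIUS): verify the files named in
# the tls stanza of eap.conf before restarting the daemon. Assumes the
# FreeRADIUS 1.1.x eap.conf layout (no sub-stanzas inside tls); the sandbox
# built by make_sandbox contains placeholder files only.

# Print "setting path" for every *_file setting inside the tls stanza of $1.
tls_files() {
    awk '
        /^[ \t]*tls[ \t]*\{/ { intls = 1; next }
        intls && /^[ \t]*\}/ { intls = 0 }
        intls && /^[ \t]*[A-Za-z_]*_file[ \t]*=/ {
            key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]*/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val)
            sub(/[ \t]*(#.*)?$/, "", val)        # strip comment and padding
            gsub(/^"|"$/, "", val)               # strip surrounding quotes
            print key, val
        }
    ' "$1"
}

# Return 0 when every referenced file exists and the secret ones (private key,
# dh, random) grant nothing to "other", i.e. stay at the article's mode 640.
check_tls_files() {
    tls_files "$1" | while read -r key path; do
        if [ ! -f "$path" ]; then
            echo "$key: $path does not exist"; exit 1
        fi
        case $key in
            private_key_file|dh_file|random_file)
                # GNU stat first, BSD stat as the fallback; both print octal mode
                mode=$(stat -c %a "$path" 2>/dev/null || stat -f %Lp "$path")
                if [ $((0$mode & 07)) -ne 0 ]; then
                    echo "$key: $path is accessible to others (mode $mode)"; exit 1
                fi ;;
        esac
        echo "$key: $path ok"
    done
}

# Build a constructed sandbox under $1 mirroring /etc/freeradius/eap and
# print the path of the eap.conf written into it.
make_sandbox() {
    base=$1
    mkdir -p "$base/eap/eapCA"
    for f in eap/newkey.pem eap/newcert.pem eap/eapCA/cacert.pem eap/dh eap/random; do
        echo "placeholder file, not real key material" > "$base/$f"
    done
    chmod 640 "$base/eap/newkey.pem" "$base/eap/dh" "$base/eap/random"
    cat > "$base/eap.conf" <<EOF
eap {
    default_eap_type = peap
    tls {
        private_key_file = $base/eap/newkey.pem
        certificate_file = $base/eap/newcert.pem
        CA_file = $base/eap/eapCA/cacert.pem
        dh_file = $base/eap/dh
        random_file = $base/eap/random
        fragment_size = 1024
        include_length = yes
    }
}
EOF
    echo "$base/eap.conf"
}

# Demonstration on the sandbox; on a real server run:
#   check_tls_files /etc/freeradius/eap.conf
demo=$(mktemp -d)
check_tls_files "$(make_sandbox "$demo")"
rm -rf "$demo"
```

The certificate and CA files are deliberately not held to the 640 rule, since they are public; only the key, the DH parameters and the random seed file are treated as secrets.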

    Restart FreeRADIUS and copy your CA's certificate (/etc/freeradius/eap/eapCA/cacert.pem) to your clients. Configure your clients' supplicant for your new PEAP-enabled SSID, configure your AP to use 802.1x and your new FreeRADIUS server, and you're good to go!


    2009 Fat of the LAN. All rights reserved.
