Topic: Freeradius with TLS on Opensuse 10.3


makinen

Freeradius with TLS on Opensuse 10.3
« on: 2008-07-03 23:24 »
I recently spent some time studying Freeradius and only then realized how many technologies are involved; the most troublesome part is that it includes openssl.
There is actually a lot of Freeradius-related material to be found online, but since I wanted to get most of the EAP encryption methods working,
it took me a very long time, especially since it also requires creating and configuring the openssl CA, server and user certificates.
Most of the material online is written in a rather scattered, piecemeal way,
and it is hard to find a complete build-and-configuration walkthrough. Eventually I managed to find related material on a foreign website that even covered openssl,
and only then got most of the EAP encryption settings working. Below is the material I have organized; I hope it helps anyone who wants to set up a Freeradius server,
since it really is hard to find a document online that you can follow from start to finish and end up with a working setup...
However, since some parts of the content were copied directly from those websites, please do not repost it freely.
I keep the material below purely as a technical memo for my own use.

OpenSSL Certification Steps

1. Create the CA certificate with openssl
#cd /etc/ssl/
#/usr/lib/ssl/misc/CA.pl -newca -- ubuntu directory

or
#/usr/share/ssl/misc/CA.pl -newca -- opensuse directory

CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
..........................++++++
..........++++++
writing new private key to './CA/private/cakey.pem'
Enter PEM pass phrase: 12345
Verifying - Enter PEM pass phrase: 12345
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:TW
State or Province Name (full name) [Some-State]:Taipei
Locality Name (eg, city) []:Taipei
Organization Name (eg, company) [Internet Widgits Pty Ltd]:QMI
Organizational Unit Name (eg, section) []:DQA
Common Name (eg, YOUR name) []:rootca
Email Address []:bryan.yu@qmitw.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: don't need to input
An optional company name []: don't need to input
Using configuration from /usr/lib/ssl/openssl.cnf
Using configuration from /usr/share/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem: 12345

Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            91:23:c3:97:8a:c5:d8:e5
        Validity
            Not Before: Mar 17 14:38:09 2008 GMT
            Not After : Mar 17 14:38:09 2011 GMT
        Subject:
            countryName               = TW
            stateOrProvinceName       = LinKou
            organizationName          = QMI
            organizationalUnitName    = DQA
            commonName                = rootca
            emailAddress              = bryan.yu@qmitw.com
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                FF:DA:F6:63:4E:6F:20:16:85:BC:CE:E4:6E:EA:17:48:B5:DE:87:25
            X509v3 Authority Key Identifier:
                keyid:FF:DA:F6:63:4E:6F:20:16:85:BC:CE:E4:6E:EA:17:48:B5:DE:87:25
                DirName:/C=TW/ST=LinKou/O=QMI/OU=DQA/CN=rootca/emailAddress=bryan.yu@qmitw.com
                serial:91:23:C3:97:8A:C5:D8:E5

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Mar 17 14:38:09 2011 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated


2. Let's start to create a server certificate signing request using OpenSSL's req command:

#openssl req -new -nodes -keyout server_key.pem -out server_req.pem -days 730 -config ./openssl.cnf

3. Next step, let's use our CA key to sign the request by using OpenSSL's ca command:

#openssl ca -config ./openssl.cnf -policy policy_anything -out server_cert.pem -infiles ./server_req.pem

4. Open your signed certificate with the text editor of your choice (for example, vi) and delete everything before the line -----BEGIN CERTIFICATE-----. Concatenate it and your key into a single file, like this:

#cat server_key.pem server_cert.pem > server_keycert.pem

5. We need to create a client certificate signing request now. The OpenSSL command to do this is similar to that used to create server certificates:

#openssl req -new -keyout client_key.pem -out client_req.pem -days 730 -config ./openssl.cnf

6. Next step -- we sign the client certificate's signing request:

#openssl ca -config ./openssl.cnf -policy policy_anything -out client_cert.pem -infiles ./client_req.pem

7. If your certificate is to be used by Windows XP or Vista client, you need to do one more step.
You need to convert the certificate file(s) to a PKCS12-format file, with this command:

#openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out client_cert.p12 -clcerts

8. Before we dive into FreeRADIUS' configuration files, we need to create two files that FreeRADIUS must have in order to use TLS. The first is a Diffie-Hellman parameters file, or dh file, which is used for negotiating TLS session keys. To create a dh file, issue this command:

#openssl dhparam -check -text -5 512 -out dh

9. The second file you need is a data file that contains a random bitstream that also is used in TLS operations. Do not simply stick the current timestamp or any other similarly nonrandom string into a file called random, as is suggested in at least one WPA procedure I've seen on the Internet. Rather, use the kernel's high-quality random number generator. Run this command:

#dd if=/dev/urandom of=random count=2


FreeRadius Configuration Step

1. Check the permissions of the radius directory, then modify the parameters you need in radiusd.conf
#cd /etc/raddb/
#vi radiusd.conf


2. Changes in eap.conf

eap {
  default_eap_type = tls
  tls {
    # The following parameters tell radiusd where to
    # find its certs and keys, plus dh & random files:
    private_key_password = 12345
    private_key_file = /etc/ssl/server_keycert.pem
    certificate_file = /etc/ssl/server_keycert.pem
    CA_file = /etc/ssl/CA/cacert.pem
    dh_file = /etc/ssl/dh
    random_file = /etc/ssl/random
  }
}

3. Access Point Entry in clients.conf

client 192.168.1.1/32 {
      secret          = 12345678
      # a value containing a space must be quoted, or the config parser rejects it
      shortname       = "test ap"
}


Configuring Windows XP Clients Step

And that brings us to configuring a Windows XP wireless client to use your newly WPA-enabled access point. This being a Linux magazine, I'm not going to describe this process in painstaking detail; for that you can see section 4.3 of Ken Roser's HOWTO, listed in the on-line Resources. In summary, you need to:

1. Run the command mmc from Start --> Run

2. In Microsoft Management Console, select File-->Add/Remove Snap-in, add the Certificates snap-in and set it to manage certificates for My user account and, on the next screen, only for the Local computer.
   
3. Copy your CA (cacert.pem) certificate to your Windows system's hard drive, for example, to C:\cacert.pem.
   
4. From within MMC, expand Console Root and Certificates - Current User and right-click on Trusted Root Certification Authorities. In the pop-up menu, select All Tasks-->Import. Tell the subsequent wizard to import the file C:\cacert.pem and to store it in Trusted Root Certification Authorities.
   
5. Copy your client certificate/key file to your Windows system, for example, to C:\client_cert.p12.
   
6. From within MMC-->Console Root-->Certificates, expand Personal and right-click on Certificates. In the pop-up menu, select All Tasks-->Import. Tell the subsequent wizard to import the file C:\client_cert.p12.
   
7. The certificate-import wizard then prompts you for the certificate's passphrase. In the same dialog, it offers the option to enable strong private key protection. Unfortunately, enabling this breaks WPA, so be sure to leave this option unchecked. Also, leave the option to mark this key as exportable unchecked--you're better off backing up the password-protected file you just imported rather than allowing the imported nonprotected version to be exportable.
   
PS: Basically, you should be able to set up your freeradius server in opensuse 10.3 or 11.0 just by following these steps; the only thing that needs special attention is the directory locations...

Bryan Yu
http://lifestory.moqin.com/
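The OpenSSL procedure from the post (steps 1 to 7 and 9), run non-interactively as an added example; this is not code from the original post, from FreeRADIUS or from the sites the post draws on. It builds the root CA, the server key+certificate bundle that eap.conf points at, the client PKCS#12 file and the random file, then performs the checks that decide whether radiusd will actually start: the server and client certificates chain to CA_file with the right extended key usage, and the key in server_keycert.pem belongs to the certificate beside it. It assumes openssl is on PATH; the subject names, passphrases and scratch directory are constructed placeholders; it uses 2048-bit RSA keys rather than the 1024-bit key in the post's CA.pl output; and step 8 (dh_file) is left out because generating DH parameters is slow.

```shell
#!/bin/sh
# Added example (not from the original post): the post's openssl steps 1-7 and 9 run
# non-interactively, plus start-up checks for FreeRADIUS. Assumptions: openssl is on
# PATH; subjects, passphrases and the scratch directory are constructed placeholders;
# 2048-bit RSA keys replace the 1024-bit key shown in the post's CA.pl output.
set -eu

CA_PASS=ca-passphrase-placeholder    # stands in for the "12345" typed into CA.pl
P12_PASS=p12-passphrase-placeholder  # export password the Windows import wizard asks for

# Minimal openssl.cnf: the demoCA-style layout "openssl ca" expects (index, serial,
# newcerts) and a policy_anything section covering the DN fields used below.
write_cnf() {
  cat > "$1/openssl.cnf" <<'EOF'
[ ca ]
default_ca = CA_default

[ CA_default ]
dir           = ./CA
database      = $dir/index.txt
new_certs_dir = $dir/newcerts
serial        = $dir/serial
certificate   = $dir/cacert.pem
private_key   = $dir/private/cakey.pem
default_md    = sha256
default_days  = 730

[ policy_anything ]
countryName      = optional
organizationName = optional
commonName       = supplied

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]
commonName = Common Name

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = keyCertSign, cRLSign

[ server_cert ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth

[ client_cert ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
}

# Build the whole PKI under a fresh scratch directory and print that directory's path.
build_pki() {
  dir=$(mktemp -d "${TMPDIR:-/tmp}/radius-pki.XXXXXX")
  write_cnf "$dir"
  mkdir -p "$dir/CA/private" "$dir/CA/newcerts"
  : > "$dir/CA/index.txt"      # empty certificate database
  echo 01 > "$dir/CA/serial"   # first serial number to issue
  (
    cd "$dir"
    # Step 1: self-signed root CA, the non-interactive form of "CA.pl -newca".
    openssl req -new -x509 -newkey rsa:2048 -days 1095 -config openssl.cnf \
      -keyout CA/private/cakey.pem -out CA/cacert.pem \
      -passout "pass:$CA_PASS" -subj "/C=TW/O=Example/CN=rootca"
    # Steps 2-4: server request, CA signature, key+cert bundle for eap.conf.
    # -nodes leaves the server key unencrypted (so no private_key_password is needed);
    # -notext omits the text dump the post deletes by hand before BEGIN CERTIFICATE.
    openssl req -new -nodes -newkey rsa:2048 -config openssl.cnf \
      -keyout server_key.pem -out server_req.pem -subj "/C=TW/O=Example/CN=radius.example.test"
    openssl ca -batch -notext -config openssl.cnf -policy policy_anything \
      -extensions server_cert -passin "pass:$CA_PASS" -out server_cert.pem -infiles server_req.pem
    cat server_key.pem server_cert.pem > server_keycert.pem
    # Steps 5-7: client request, CA signature, PKCS#12 bundle for the Windows supplicant.
    openssl req -new -nodes -newkey rsa:2048 -config openssl.cnf \
      -keyout client_key.pem -out client_req.pem -subj "/C=TW/O=Example/CN=alice"
    openssl ca -batch -notext -config openssl.cnf -policy policy_anything \
      -extensions client_cert -passin "pass:$CA_PASS" -out client_cert.pem -infiles client_req.pem
    openssl pkcs12 -export -clcerts -in client_cert.pem -inkey client_key.pem \
      -out client_cert.p12 -passout "pass:$P12_PASS"
    # Step 9: random_file for eap.conf, two 512-byte blocks from the kernel RNG as in the post.
    dd if=/dev/urandom of=random bs=512 count=2
  ) >/dev/null
  echo "$dir"
}

# What FreeRADIUS needs at start-up: server_cert.pem chains to CA_file and is usable
# for server auth, client_cert.pem for client auth, and server_key.pem really belongs
# to server_cert.pem (a mismatched key/cert pair is a common cause of TLS setup failure).
verify_pki() {
  openssl verify -purpose sslserver -CAfile "$1/CA/cacert.pem" "$1/server_cert.pem" >/dev/null &&
  openssl verify -purpose sslclient -CAfile "$1/CA/cacert.pem" "$1/client_cert.pem" >/dev/null &&
  [ "$(openssl pkey -in "$1/server_key.pem" -pubout)" = \
    "$(openssl x509 -in "$1/server_cert.pem" -pubkey -noout)" ]
}

# Number of certificates recorded in the CA database (the "Data Base Updated" lines).
issued_count() {
  wc -l < "$1/CA/index.txt" | tr -d ' '
}
```

Usage: `d=$(build_pki) && verify_pki "$d" && echo "PKI in $d is usable"`; copy `$d/server_keycert.pem`, `$d/CA/cacert.pem` and `$d/random` to the paths named in eap.conf, and generate `dh` with `openssl dhparam -out dh 2048` (the post uses 512 bits, which current clients and OpenSSL builds reject). The key/certificate comparison at the end of `verify_pki` is the check to run whenever radiusd refuses to start with a TLS error after the files have been moved or regenerated.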