Fedora Core 6, FreeRADIUS, Linksys Wireless Routers, and WPA2-Enterprise Working Together

After endless hours of research, I determined that there was no one-stop resource for configuring a RADIUS server on Fedora Core 6 for WPA2 wireless authentication. This post details the steps involved in that configuration and provides configuration files you can download and install.

Setting Up Your Fedora Core 6 System

The first step is to install Fedora Core 6 (FC6). In this example, I installed FC6 into a virtual machine running under VMware Server on Windows XP Pro SP2. Once FC6 is installed, bring it up to date with the latest patches and updates by running the following command at the console:

# yum upgrade

Next, you will want to install the latest FreeRADIUS server on your FC6 machine. You can do this by typing the following command at the console:

# yum install freeradius

FreeRADIUS creates a directory named /etc/raddb that holds the configuration files you will need to edit. The file /etc/raddb/radiusd.conf contains the main configuration for FreeRADIUS: for example, which authentication types are enabled, where FreeRADIUS looks up authentication information (a MySQL server versus a flat text file), and other attributes. These files are documented on the FreeRADIUS Wiki, but the documentation can be quite confusing. I will attempt to relieve some of that confusion here.

At this point, you should decide which authentication protocol and encryption you want to use for your wireless users. I ran into a great article by George Ou that explains the modern authentication protocols with the benefits and drawbacks of each. In my case, I chose WPA2-Enterprise with PEAP/EAP-MSCHAPv2 so that our Windows XP computers can authenticate easily to the wireless access point. I also chose it because it only requires a TLS certificate on the RADIUS server, not on each client computer. Note that PEAP only protects the user's password if the client validates the server certificate: the CA certificate that signs the RADIUS server's certificate should be trusted on the clients and the supplicant configured to check it, otherwise a rogue access point with its own RADIUS server can present any certificate and capture the MSCHAPv2 exchange.

Creating Server Side Certificates

The first task is to create the TLS certificate for your RADIUS server. This is a potential pitfall unless you know where to look and what to install. I found that I had to install a package called openssl-perl in order to get the Perl script CA.pl on my server. This script is critical when generating the server-side TLS certificates. Install it with the following command:

# yum install openssl-perl

The server-side certificates are generated using a series of scripts from the FreeRADIUS and openssl-perl packages. The following scripts are involved:

Script Name: CA.all
Purpose: Automatically creates the server certificates from the information in /etc/pki/tls/openssl.cnf
Location: FreeRADIUS tar package, "scripts" directory

Script Name: CA.certs
Purpose: Interactively creates the server certificates
Location: FreeRADIUS tar package, "scripts" directory

Script Name: certs.sh
Purpose: Creates the parameter files needed for the certificate creation process
Location: FreeRADIUS tar package, "scripts" directory

Script Name: CA.pl
Purpose: A Perl wrapper around OpenSSL's "ca" command, used to generate the certificates
Location: OpenSSL/openssl-perl package

At this point, you should have all of the scripts installed. Next, we will have to modify the scripts in order to generate the needed certificates; they are not useful straight out of the box, so we will change their parameters to fit your setup. The first file to change is /etc/pki/tls/openssl.cnf. Navigate to the section labeled "[ req_distinguished_name ]" and change the default values so that they represent your location and company identification.

Next, modify the certs.sh file distributed in the FreeRADIUS package; it creates the parameter files needed for the certificate creation process. Copy this file, along with CA.all, CA.certs, and xpextensions (the extensions file that gives the server certificate the extended key usage the Windows XP supplicant requires), to /etc/pki/tls/misc. Edit certs.sh at line 47, near the line that says "Generate DH stuff...", and change the following line:

$(SSL)/bin/openssl gendh > dh

to the following:

/usr/bin/openssl gendh > dh

Execute the certs.sh file with the following command:

# ./certs.sh

You may get an error that the CA.all file could not run. This is not a problem, because we will run that script by hand. Now copy two files created by the certs.sh script into the system PKI directory with the following command:

# cp certs/dh certs/random /etc/pki/

Delete any certificates that may already exist in the CA directory so that the next script runs correctly, then create the serial file. Be aware that the rm command wipes any existing CA on this machine, so only run it on a freshly built server, and the relative path in the echo command assumes you are still in /etc/pki/tls/misc:

# rm -rf /etc/pki/CA/*

# echo 00 > ../../CA/serial

Next, add the current directory to your PATH so that you do not have to edit the CA.certs file. A "." in the PATH lets any file in the current directory that is named like a command run in that command's place, so do this only in the shell you are using for this step and let it expire with that shell rather than putting it in a profile:

# export PATH=$PATH:.

Lastly, edit the CA.all script and change every instance of the phrase "whatever" to the password you want to protect the server's private key with; use whatever editor you are most familiar with. In our example, we will change "whatever" to "jrdcorp". This same password goes into the private key password setting in eap.conf later. Run the CA.all script and answer its prompts to create your certificates:

# ./CA.all

If you do not like that script, you can use the CA.certs script instead. Be sure to change "whatever" to your password before you execute it.

At this point, you should have valid certificates for PEAP/EAP-MSCHAPv2. Next, you must configure your FreeRADIUS server.
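For readers who would rather see what the CA.all/CA.pl scripts do, here is an added example (not part of the original post and not the FreeRADIUS project's own scripts) that builds the same artifacts with plain openssl(1) commands: a CA, a server key and certificate signed by that CA, and the serverAuth extended key usage from xpextensions that Windows XP insists on. The organisation name "jrdcorp", the passphrase "jrdcorp", the host name radius.jrdcorp.example and the output file names are placeholders chosen for this example; adjust them for your site.

```shell
#!/bin/sh
# Added example (not from the original post): create a CA and a PEAP server
# certificate with plain openssl(1) instead of the CA.all/CA.pl scripts.
# Placeholders: organisation "jrdcorp", passphrase "jrdcorp" and host name
# radius.jrdcorp.example are assumptions made for this example.
set -e

# Writes an extensions file equivalent to FreeRADIUS' xpextensions: the
# serverAuth extended key usage (1.3.6.1.5.5.7.3.1) that the Windows XP
# supplicant requires on the RADIUS server certificate.
write_xpext() {
    cat > "$1/xpext.cnf" <<'EOF'
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF
}

# make_ca DIR PASS: self-signed CA certificate and passphrase-protected key.
# cacert.pem is what the wireless clients must trust; cakey.pem never leaves
# the CA machine.
make_ca() {
    dir=$1; pass=$2
    openssl req -new -x509 -days 3650 -newkey rsa:2048 -sha256 \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" \
        -passout "pass:$pass" \
        -subj "/C=US/O=jrdcorp/CN=jrdcorp RADIUS CA" 2>/dev/null
}

# make_server_cert DIR PASS HOST: server key, request and CA-signed certificate
# carrying the serverAuth EKU. Key and certificate are concatenated into
# cert-srv.pem, the single-file layout the eap.conf tls section points at.
make_server_cert() {
    dir=$1; pass=$2; host=$3
    write_xpext "$dir"
    openssl req -new -newkey rsa:2048 -sha256 \
        -keyout "$dir/server-key.pem" -out "$dir/server-req.pem" \
        -passout "pass:$pass" \
        -subj "/C=US/O=jrdcorp/CN=$host" 2>/dev/null
    openssl x509 -req -days 730 -sha256 -in "$dir/server-req.pem" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -passin "pass:$pass" \
        -CAcreateserial -extfile "$dir/xpext.cnf" -extensions xpserver_ext \
        -out "$dir/server-cert.pem" 2>/dev/null
    cat "$dir/server-key.pem" "$dir/server-cert.pem" > "$dir/cert-srv.pem"
    chmod 600 "$dir/cert-srv.pem" "$dir/server-key.pem" "$dir/cakey.pem"
}

# check_server_cert DIR: succeeds only if the server certificate chains to
# cacert.pem and carries the serverAuth EKU. Run this before pointing
# eap.conf at the files; a certificate that fails here will be rejected by
# the Windows supplicant.
check_server_cert() {
    dir=$1
    openssl verify -CAfile "$dir/cacert.pem" "$dir/server-cert.pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/server-cert.pem" -noout -text | grep -q "TLS Web Server Authentication"
}

# Usage: sh make-peap-certs.sh /etc/pki/radius
if [ -n "$1" ]; then
    mkdir -p "$1"
    make_ca "$1" jrdcorp
    make_server_cert "$1" jrdcorp radius.jrdcorp.example
    check_server_cert "$1" && echo "certificates in $1 verified"
fi
```

The CA certificate written by make_ca is the file to distribute to the Windows clients (and to select in the PEAP "Validate server certificate" settings); the combined cert-srv.pem and the passphrase are what eap.conf needs on the server.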

Configuring Your FreeRADIUS Server

Your FreeRADIUS installation created a configuration directory under /etc/raddb containing the files radiusd.conf, eap.conf, clients.conf, and users, which you will use to configure your instance of FreeRADIUS. The file clients.conf defines which network access servers (NASes), in our case the wireless access point, are allowed to send authentication requests to this server, and the shared secret each one must present. Our clients.conf contains the following (assuming your wireless access point is 192.168.1.12):

client 192.168.1.12 {

secret = jrdcorpsecret

shortname = WAP

}

"jrdcorpsecret" is the secret or shared key the Wireless Access Point (WAP) must know in order to use this FreeRADIUS server for authentication. The name of the WAP, 192.168.1.12, is called "WAP". You can change "jrdcorpsecret" and "WAP" to be whatever works the best for you. Next, we must create users for the wireless network. You can add the following line to the top of your users file:

"jrdcorpuser" User-Password == "jrdcorppassword"

This line creates a user named "jrdcorpuser" with the password "jrdcorppassword" on the FreeRADIUS server. When a user connects to the wireless network, the supplicant sends this username and password through the PEAP tunnel, via the WAP, to the FreeRADIUS server, which grants access if they match. Because MSCHAPv2 requires the server to know the clear-text password (or its NT hash), the users file holds passwords in the clear and must stay readable only by root and the user radiusd runs as.

Next, configure your FreeRADIUS server through radiusd.conf and eap.conf. There are literally thousands of configuration options and combinations for these files, so I will just present the configuration that worked for us.

radiusd.conf

First, change line 296 from "log_auth = no" to "log_auth = yes" in order to log authentication attempts. The log_auth_badpass and log_auth_goodpass settings right below it will write the passwords themselves to the log if you would like to see them; turn them on only while debugging, since they leave user credentials in radius.log.

Around line 667, the mschap module is configured. Change the module such that "use_mppe = yes", "require_encryption = yes", and "require_strong = yes" exist and are uncommented.

Uncomment the "detail auth_log" module around line 1,128 as well in order to receive detailed logging; then uncomment the module immediately below it, around line 1,145, that begins with "detail reply_log".

Around line 1,789, you will need to uncomment the "auth_log" line. Lastly, uncomment the "reply_log" line around line 2,038.
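Once log_auth is on, radius.log is the place to look for password guessing against the wireless network. As an added example (not from the original post), the script below summarises the "Auth: Login OK" and "Auth: Login incorrect" lines and lists the client stations with many failures. The sample lines are constructed for this example and modelled on the FreeRADIUS 1.x log layout; the exact line format on your server, the MAC addresses, and the failure threshold are assumptions, so adjust the patterns to what your own radius.log shows.

```shell
#!/bin/sh
# Added example (not from the original post): summarise the authentication
# lines written to radius.log with log_auth = yes and flag stations with many
# failures. SAMPLE_LOG is constructed for this example, modelled on the
# FreeRADIUS 1.x "Auth: Login OK/incorrect" lines; MACs are placeholders.
set -e

SAMPLE_LOG=$(cat <<'EOF'
Mon Jan  8 09:12:01 2007 : Auth: Login OK: [jrdcorpuser/<via Auth-Type = EAP>] (from client WAP port 0 cli 00-13-ce-12-34-56)
Mon Jan  8 09:12:44 2007 : Auth: Login incorrect: [jrdcorpuser/<via Auth-Type = EAP>] (from client WAP port 0 cli 00-0f-b5-aa-bb-cc)
Mon Jan  8 09:12:49 2007 : Auth: Login incorrect: [jrdcorpuser/<via Auth-Type = EAP>] (from client WAP port 0 cli 00-0f-b5-aa-bb-cc)
Mon Jan  8 09:12:55 2007 : Auth: Login incorrect: [admin/<via Auth-Type = EAP>] (from client WAP port 0 cli 00-0f-b5-aa-bb-cc)
Mon Jan  8 09:13:10 2007 : Auth: Login incorrect: [root/<via Auth-Type = EAP>] (from client WAP port 0 cli 00-0f-b5-aa-bb-cc)
Mon Jan  8 09:15:02 2007 : Auth: Login OK: [jrdcorpuser/<via Auth-Type = EAP>] (from client WAP port 0 cli 00-13-ce-12-34-56)
Mon Jan  8 09:20:00 2007 : Info: Ready to process requests.
EOF
)

# count_result LOGTEXT OK|incorrect: number of "Login OK" or "Login incorrect"
# lines. grep -c exits 1 when the count is zero, hence the "|| true".
count_result() {
    printf '%s\n' "$1" | grep -c "Auth: Login $2:" || true
}

# failures_by_station LOGTEXT: "<count> <cli MAC>" per station, most failures
# first. The MAC is the "cli" field the access point reports for the client.
failures_by_station() {
    printf '%s\n' "$1" | awk '
        /Auth: Login incorrect:/ {
            mac = $0; sub(/.* cli /, "", mac); sub(/\).*/, "", mac)
            n[mac]++
        }
        END { for (m in n) print n[m], m }' | sort -rn
}

# suspicious_stations LOGTEXT THRESHOLD: MACs with at least THRESHOLD failed
# logins, the pattern a password-guessing supplicant leaves behind (several
# usernames from one station inside a short window).
suspicious_stations() {
    failures_by_station "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Usage against the real log: sh radius-auth-summary.sh /var/log/radius/radius.log
if [ -n "$1" ]; then
    log=$(cat "$1")
    echo "successful logins: $(count_result "$log" OK)"
    echo "failed logins:     $(count_result "$log" incorrect)"
    echo "stations with 3 or more failures:"
    suspicious_stations "$log" 3
fi
```

On the constructed sample the station 00-0f-b5-aa-bb-cc accounts for every failure while trying three different usernames, which is worth a look even though the legitimate station authenticated fine around the same time.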

eap.conf

The first change is on line 307. You will need to change the following line:

default_eap_type = md5

to the following line:

default_eap_type = mschapv2

Next, uncomment the full EAP-TLS section that begins with the following line:

tls {

Change the private key password to the password you chose during the certificate generation process; in our example, we used "jrdcorp". Point the variables for each certificate file to where the generated certificates now exist. The following lines must be present in the tls section of eap.conf. Check the paths against what the scripts actually wrote on your system: the CA directory was set up under /etc/pki/CA earlier (that is what ../../CA pointed at), and CA_file is the list of trusted CA certificates used to validate peers, so it must point at the CA certificate rather than the CA's private key:

private_key_file = /etc/pki/tls/misc/cert-srv.pem

certificate_file = /etc/pki/tls/misc/cert-srv.pem

CA_file = /etc/pki/tls/CA/cakey.pem

dh_file = /etc/pki/dh

random_file = /etc/pki/random

Do not forget to uncomment the ending "}" for the tls section. Lastly, uncomment the following section that begins with:

peap {

Uncomment the following line:

default_eap_type = mschapv2

Be sure to uncomment the ending "}" for the peap section.

Configure Your Wireless Access Point (WAP)

Every WAP is configured differently, so we cannot show how to configure your exact model. Linksys WAPs generally keep these settings in the Security section of the Wireless pane. As you can see in the following image, the information you enter is relatively straightforward:

(Screenshot of the Linksys Wireless Security settings page)

Select WPA2-Enterprise as the security mode, place the FreeRADIUS server's IP address in the RADIUS server IP address field, leave the RADIUS port at its default of 1812 (the port FreeRADIUS listens on for authentication), place the secret (jrdcorpsecret) you set up in clients.conf in the Shared Key field, and then click "Save Settings". The access point must send its requests from the address you put in the client stanza (192.168.1.12 in our example), or FreeRADIUS will reject them as coming from an unknown client.

That is all that is required to set up FreeRADIUS on Fedora Core 6 to authenticate WPA2-Enterprise wireless clients! To check it, start the server in debugging mode with "radiusd -X" at the console, connect a client, and watch for the "Login OK" line for your user; the debugging output shows every attribute exchanged, which is the quickest way to find a wrong shared secret or certificate path.