Freeradius + EAP Certificates

seggerman

Folks,

I'm running the current 2.0-RC1 and am looking into Freeradius to use it to authenticate my WLAN clients. I was thinking about using WPA2-Enterprise with a certificated based authentication. Looking through the forums I found a few How-Tos to get the certificates into the freeradius configuration. these howtos were all based on the 1.2.x release of PFsense.

Now with 2.0 and the integrated certificatemanager will this change for the freeradius configuration? Do I still have to manually exported the certificates from pfsense and copy them into the config directory of freeradius, or will/is there an automatic "grabbing" of the certificates by the freeradius configuration?

Hope someone can help.

Regards

Alexander

seggerman

Folks,

to answer my own question ….

a) no there is no integration of the certificate manager and Freeradius
b) the script to generate the certificates are missing in the package
c) I downloaded the current version of Freeradius and generated the certificates as documented here -> http://deployingradius.com/documents/configuration/certificates.html
d) modified the freeradius config to enable EAP-TLS as mentioned here -> http://forum.pfsense.org/index.php?topic=7682.0

e) imported the CA file ca.der(for windows) or ca.pem(OSx) and client.p12 into the certificate store of OSX/Windows

f) everything worked.

Hope this helps.

Cheers

Alexander

Nachtfalke

Hi Alex,

perhaps you remeber, that we had a conversation with PM in the past.
Now I am back and would appreciate your help with freeRADIUS and certificates. :-))

Could you explain to me, how I could create the certificates the easiest way ?
Do I really need an extra machine with linux and freeradius installed ? Isn't there a way to create the certificates on pfsense with openssl ?

And where to find the ca.cnf and server.cnf which are posted in your link above ?
Is it possible that you could upload those files here in the forum als "blank" ones without your real entries so I and other people could edit these files ?

Please give me a more precise help how to create certificates.

Thank you very much!

seggerman

Hi Nachtfalke,

attached is a part of the freeradius installation. Its only the Folder for the certificates. In this is also a makefile to generate (with openssl) the necessary certificates and CA. In the README it is mentioned what needs to be modified. You will have to rename the file from certs.zip.xls to certs.zip

In general you have to configure the ca.cnf, server.cnf and client.cnf with the names (organization etc.. and export password). Then generate the certificates with the Makefile (or manually).

After that you have everything you need to import into the freeradius config and also your client machines.

You need to define 1 ca and 1 server certificate. If all your clients get the same certificate you just need to create 1 client certificate (this is what I did). Nataurally you can create multiple client certificates in case you want to revoke certificates.

Hope this helps. If not give me a shout.

Regards

Alexander

certs.zip.xls

Nachtfalke

Great!

I will give it a try and post back if I need more advice and/or if it works ;-)

Nachtfalke

Hello again ;-)

I am now at home and I gave it a try:

1.) I edited ca.cn server.cnf and client.cnf
In all three files I changes the input_password and output_password to the same pass.
I changes CommonName and so on in all three files to the same.

after this I did:

chmod u+x bootstrap

and than created the certificates with:

./bootstrap

After this I have these files in the certs directory:

-rw-r--r--  1 root  wheel      70 Jun  6 16:08 .gitignore
-rw-r-----  1 root  wheel    4260 Jun  6 21:41 01.pem
-rw-r--r--  1 root  wheel  148992 Jun  6 21:43 MYCA.tar
-rwxr--r--  1 root  wheel    4262 Jun  6 21:08 Makefile
-rwxr--r--  1 root  wheel    7821 Jun  6 21:08 README
-rwxr--r--  1 root  wheel    2640 Jun  6 21:08 bootstrap
-rwxr--r--  1 root  wheel    1317 Jun  6 21:08 ca.cnf
-rw-r-----  1 root  wheel    1221 Jun  6 21:41 ca.der
-rw-r-----  1 root  wheel    1751 Jun  6 21:41 ca.key
-rw-r-----  1 root  wheel    1708 Jun  6 21:41 ca.pem
-rwxr--r--  1 root  wheel    1154 Jun  6 21:08 client.cnf
-rw-r-----  1 root  wheel       0 Jun  6 21:41 client.crt
-rw-r-----  1 root  wheel    1074 Jun  6 21:41 client.csr
-rw-r-----  1 root  wheel    1751 Jun  6 21:41 client.key
drwxr--r--  2 root  wheel     512 Jun  6 16:10 demoCA
-rw-r-----  1 root  wheel     245 Jun  6 21:41 dh
-rw-r-----  1 root  wheel     134 Jun  6 21:41 index.txt
-rw-r-----  1 root  wheel      21 Jun  6 21:41 index.txt.attr
-rw-r-----  1 root  wheel       0 Jun  6 21:41 index.txt.old
-rw-r-----  1 root  wheel    5120 Jun  6 21:41 random
-rw-r-----  1 root  wheel       3 Jun  6 21:41 serial
-rw-r-----  1 root  wheel       3 Jun  6 21:41 serial.old
-rwxr--r--  1 root  wheel    1155 Jun  6 21:08 server.cnf
-rw-r-----  1 root  wheel    4260 Jun  6 21:41 server.crt
-rw-r-----  1 root  wheel    1074 Jun  6 21:41 server.csr
-rw-r-----  1 root  wheel    1743 Jun  6 21:41 server.key
-rw-r-----  1 root  wheel    2557 Jun  6 21:41 server.p12
-rw-r-----  1 root  wheel    3545 Jun  6 21:41 server.pem
-rw-r--r--  1 root  wheel   74240 Jun  6 21:42 v
-rwxr--r--  1 root  wheel     578 Jun  6 21:08 xpextensions

Which files do I need now for the client (Windows XP / Windows 7 ) ?

Thanks again!

–-edit---

After that I configured the eap.conf and I got this error after starting radiusd -X

Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "md5"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/usr/local/etc/raddb/certs/server.key"
 tls: certificate_file = "/usr/local/etc/raddb/certs/server.pem"
 tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/ca.pem"
 tls: private_key_password = "xxxXXXxxx"
 tls: dh_file = "/usr/local/etc/raddb/certs/dh"
 tls: random_file = "/usr/local/etc/raddb/certs/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = yes
 tls: check_cert_cn = "%{User-Name}"
 tls: cipher_list = "DEFAULT"
 tls: check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: SSL error error:02001002:system library:fopen:No such file or directory
rlm_eap_tls: Error reading Trusted root CA list
rlm_eap: Failed to initialize type tls
radiusd.conf[10]: eap: Module instantiation failed.
radiusd.conf[328] Unknown module "eap".
radiusd.conf[312] Failed to parse authenticate section.

seggerman

Hi Nachtfalke,

you need to modify the eap.conf file first in /etc/raddb. This file defines which protocol (TLS, TTLS etc…) can be used. Since I just wanted to use TLS I uncommented this. Additionally in the TLS sections you will have to config:
private_key_password = "this is your output_password"
private_key_file = /path/to/server.key
certificate_file = /path/to/server.pem
CA_file = /path/to/ca.pem

... so now your server is ready. Restart with radiusd -X to show you debugging. You should see that the EAP config is pulled and activated.

On the client side you now need to import the ca.der and client.p12 into the certificate store of Windows (during import of the client.p12 you will be prompted for a password (output_password) ). Now the certificate is available for windows.

Now config your WIFI ... delete the current config and create a new config with WPA2 Enterprise as described here -> http://freeradius.org/doc/EAPTLS.pdf

This should bring everything up and running.

Alexander

P.S. Recently I've moved away from the freeradius installation from pfsense, since it was flaky (this is my experience). I have moved it onto my OSX server which now provides the radius authentication. Your mileage naturally may vary.

Nachtfalke

Hi,

first:
I solved the problem that radiusd wasn't starting. I did a spellingmistake for the ca.crt :(
Now freeRADIUS is running with no errors.

second:
as you can see above, there is no client.p12 in my certs folder. Don't know why but I hope I could try it tomorrow with a client.

What hardware specs do you have on your pfsense ?
And how many users are connected and authenticated with freeRADIUS ?

Thanks

seggerman

Hi Nachtfalke,

concerning the client.p12 … I forgot to mention that this isn't generated by the bootstrap or the "make all" command. You need to either do a "make client" or the openssl commands in the makefile.

from the makefile (execute the openssl for cleint.crt and the the openssl for the client.p12 manually):

client.crt: client.csr ca.pem ca.key
openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr  -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf

client.p12: client.crt
openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12  -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)

Currently I'm running about 5 devices over the freeradius server, all with 1 client certificate. the hardware then (when I had it running on pfsense) was an epia board. Now I'm running freeradius of a macMini with Snow Leopard Server running.

Alexander

Nachtfalke

Hi,

everytime I run ./bootstrap I got this error at the end of the client.cnf process

Certificate is to be certified until Jun  4 11:51:20 2021 GMT (3650 days)
failed to update database
TXT_DB error number 2

After this, the client.crt is only 0 bytes - like you could see above.
And because of this I cannot continue with the other openssl commands :(

Any ideas ?

seggerman

Hi Nachtfalke,

try to execute the commands  manually (extract from the Makefile):

openssl req -new  -out client.csr -keyout client.key -config ./client.cnf

openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr  -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf

openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12  -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)

where PASSWORD_CA and PASSWORD_CLIENT the respective passwords in your ca.cnf and client.cnf are.

Cheers

Alexander

Nachtfalke

This is the output error - still the same. I do not know where I did something wrong :(

[2.0-RC2][admin@pfsense2.hpa]/usr/local/etc/raddb/certs(8): openssl req -new  -out client.csr -keyout client.key -config ./client.cnf
Generating a 2048 bit RSA private key
.....................................................+++
.........................+++
writing new private key to 'client.key'
-----
[2.0-RC2][admin@pfsense2.hpa]/usr/local/etc/raddb/certs(9): openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr  -key Passwort -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
Using configuration from ./client.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Jun  7 15:10:39 2011 GMT
            Not After : Jun  4 15:10:39 2021 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Deutschland
            organizationName          = Polizeiakademie Hessen
            commonName                = freeRADIUS HPA-CA
            emailAddress              = rbs.hpa@polizei.hessen.de
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
Certificate is to be certified until Jun  4 15:10:39 2021 GMT (3650 days)
failed to update database
TXT_DB error number 2
[2.0-RC2][admin@pfsense2.hpa]/usr/local/etc/raddb/certs(10): openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12  -passin pass:Passwort -passout pass:Passwort
No certificate matches private key

And here: The client.crt ist still 0 bytes because of the error above …

[2.0-RC2][admin@pfsense2.hpa]/usr/local/etc/raddb/certs(11): ls -la
total 84
drwxr-xr-x  3 root  wheel  1024 Jun  7 17:11 .
drwxr-x---  5 root  wheel  1024 Jun  6 16:16 ..
-rw-r--r--  1 root  wheel    70 Jun  6 16:08 .gitignore
-rw-r-----  1 root  wheel  4260 Jun  7 17:09 01.pem
-rwxrwxrwx  1 root  wheel  4260 Jun  6 22:25 Makefile
-rwxrwxrwx  1 root  wheel  7821 Jun  6 21:08 README
-rwxrwxrwx  1 root  wheel  2642 Jun  7 13:47 bootstrap
-rwxrwxrwx  1 root  wheel  1297 Jun  7 13:41 ca.cnf
-rw-r-----  1 root  wheel  1221 Jun  7 17:09 ca.der
-rw-r-----  1 root  wheel  1751 Jun  7 17:09 ca.key
-rw-r-----  1 root  wheel  1708 Jun  7 17:09 ca.pem
-rwxrwxrwx  1 root  wheel  1134 Jun  7 13:40 client.cnf
-rw-r-----  1 root  wheel     0 Jun  7 17:10 client.crt
-rw-r-----  1 root  wheel  1074 Jun  7 17:10 client.csr
-rw-r-----  1 root  wheel  1743 Jun  7 17:10 client.key
-rw-r--r--  1 root  wheel     0 Jun  7 17:11 client.p12
drwxrwxrwx  2 root  wheel   512 Jun  7 13:24 demoCA
-rw-r-----  1 root  wheel   424 Jun  7 17:09 dh
-rw-r-----  1 root  wheel   134 Jun  7 17:09 index.txt
-rw-r-----  1 root  wheel    21 Jun  7 17:09 index.txt.attr
-rw-r-----  1 root  wheel     0 Jun  7 17:09 index.txt.old
-rw-r-----  1 root  wheel  5120 Jun  7 17:09 random
-rw-r-----  1 root  wheel     3 Jun  7 17:09 serial
-rw-r-----  1 root  wheel     3 Jun  7 17:09 serial.old
-rwxrwxrwx  1 root  wheel  1135 Jun  7 13:40 server.cnf
-rw-r-----  1 root  wheel  4260 Jun  7 17:09 server.crt
-rw-r-----  1 root  wheel  1074 Jun  7 17:09 server.csr
-rw-r-----  1 root  wheel  1751 Jun  7 17:09 server.key
-rw-r-----  1 root  wheel  2557 Jun  7 17:09 server.p12
-rw-r-----  1 root  wheel  3553 Jun  7 17:09 server.pem
-rwxrwxrwx  1 root  wheel   578 Jun  6 21:08 xpextensions

seggerman

Hi Nachtfalke,

you used the "bootstrap" file to create the certificates and I used the make command. I assume that there is some difference. Reading through the README file it states that bootstrap is used to create standard certificate for testing. Maybe some data in the files (index, dh, random ….) do not match the information in the *.cnf files you modified. I would use the makefile.

Can you try a

• make destroycerts
• make clean
• make all
• make client

This is what worked for me (just gave it a try).

Regards

Alexander

Nachtfalke

Hi,

the problem is, that in pfsense there is no "make"…command not found.
I think this is "normal" because pfsense is a firewall solution an noone should or needs to compile something.

Perhaps I will try it with the single commands in the "Makefile" or I will test it on a linux live CD.

PS: Do you know if it is possible to do authentication on freeRADIUS using the device MAC address ?
I know freeRADIUS can do this but is it possible with the pfsense freeRADIUS GUI ?
Or do I have to edit the users file manually with different parameters ? I think this is the only way or do you have other experience ?

Nachtfalke

Hi,

I uploaded the files to an Ubuntu live CD and then it works with "make" and "make client"

no errors and files with more than zero bytes and p12 files :-)
Tomorrow I will try it with my pfsense and my switches.

Thank you very much for your help and taking time for my problem!
I will post back if it works or if I expect more problems :D

seggerman

@Nachtfalke:

I uploaded the files to an Ubuntu live CD and then it works with "make" and "make client"

no errors and files with more than zero bytes and p12 files :-)
Tomorrow I will try it with my pfsense and my switches.

… great that everything is there now. Everything else should be a breeze ...

PS: Do you know if it is possible to do authentication on freeRADIUS using the device MAC address ?
I know freeRADIUS can do this but is it possible with the pfsense freeRADIUS GUI ?
Or do I have to edit the users file manually with different parameters ? I think this is the only way or do you have other experience ?

If a MAC authentication is possible, then you definately can do it. You will have to manually edit the necessary files, since there isn't a GUI integration for all the features in freeradius. I personally don't have any experience with this feature.

Cheers

Alexander

Nachtfalke

Hi,

just want to let you know, that I got freeRADIUS on pfsense with my CISCO SG-300 and Windows XP working. The creation of the certificates is much easier under a linux distrubution which has "make" installed than under pfsense ;-)

But now I have another question:
To authenticate to the network I still need a to enter the username and password on the Windows XP machine. The problem is that in my network the PCs are NOT in a domain. They are all workgroup PCs.
And it is common, that many users use the same Windows Logon Name than others and the same password (or no password).

Is it possible to enter (AND SAVE) a custom username and password so that the users do not need to enter them every time they connect to the network ?

I read something about "computer certificates" which work before the use will logon into windows.

Thank you!

seggerman

@Nachtfalke:

Hi,

just want to let you know, that I got freeRADIUS on pfsense with my CISCO SG-300 and Windows XP working. The creation of the certificates is much easier under a linux distrubution which has "make" installed than under pfsense ;-)

But now I have another question:
To authenticate to the network I still need a to enter the username and password on the Windows XP machine. The problem is that in my network the PCs are NOT in a domain. They are all workgroup PCs.
And it is common, that many users use the same Windows Logon Name than others and the same password (or no password).

Is it possible to enter (AND SAVE) a custom username and password so that the users do not need to enter them every time they connect to the network ?

I read something about "computer certificates" which work before the use will logon into windows.

Thank you!

Not quite sure I understand you.

The client certificates are being used for the authentication to the Wifi/Radius Network. I assume this works. As mentioned previously you need to copy the client.p12 and the ca certificate to each client and activate the "certificate authentication" in the wifi settings. This works without additional uid/pw. You have to have TLS (and not TTLS) authentication.

Do you want to have windows logon using a certificate (has nothing to do with wifi/radius)?

REgards

Alexander

Nachtfalke

Hi,

I am not using WiFi.
I would like to authenticate windows machines with certificates against radius. This is working.
If I do not install the client.p12 on the windows machine, I cannot authenticate.

But in Windows I have always to enter a username and a password, if I connect the network cable.
The username/password is the same I have to enter in the freeRADIUS webGUI on pfsense.
Is this different to you ? Don't you have to enter a username/password in the freeRADIUS webGUI ?

Thanks!

seggerman

Hi Nachtfalke,

I'm using Radius+Certificates for the wifi EAP (WPA2) authentication. So this is to allow/disallow access to my wifi network using certificates.

Reading your last posts you it seems as if you want to use a certificate to log on to windows using a Radius server.

I'm sorry, but I cannot help you with that (if I understood your problem correctly)

Cheers

Alexander