Netgate Discussion Forum

Freeradius + EAP Certificates

32 Posts 4 Posters 25.5k Views
    seggerman, last edited by Feb 23, 2011, 10:16 AM

    Folks,

    I'm running the current 2.0-RC1 and am looking into Freeradius to use it to authenticate my WLAN clients. I was thinking about using WPA2-Enterprise with certificate-based authentication. Looking through the forums I found a few how-tos to get the certificates into the freeradius configuration. These how-tos were all based on the 1.2.x release of pfSense.

    Now with 2.0 and the integrated certificate manager, will this change for the freeradius configuration? Do I still have to manually export the certificates from pfSense and copy them into the config directory of freeradius, or will there be (or is there) an automatic "grabbing" of the certificates by the freeradius configuration?

    Hope someone can help.

    Regards

    Alexander

      seggerman, last edited by Mar 2, 2011, 12:10 PM

      Folks,

      to answer my own question ….

      a) no there is no integration of the certificate manager and Freeradius
      b) the scripts to generate the certificates are missing from the package
      c) I downloaded the current version of Freeradius and generated the certificates as documented here -> http://deployingradius.com/documents/configuration/certificates.html
      d) modified the freeradius config to enable EAP-TLS as mentioned here -> http://forum.pfsense.org/index.php?topic=7682.0

      e) imported the CA file ca.der (for Windows) or ca.pem (OS X) and client.p12 into the certificate store of OS X/Windows

      f) everything worked.

      Hope this helps.

      Cheers

      Alexander

        Nachtfalke, last edited by Jun 6, 2011, 1:08 PM

        Hi Alex,

        perhaps you remember that we had a conversation via PM in the past.
        Now I am back and would appreciate your help with freeRADIUS and certificates. :-))

        Could you explain to me, how I could create the certificates the easiest way ?
        Do I really need an extra machine with linux and freeradius installed ? Isn't there a way to create the certificates on pfsense with openssl ?

        And where to find the ca.cnf and server.cnf which are posted in your link above ?
        Is it possible that you could upload those files here in the forum as "blank" ones without your real entries, so I and other people could edit these files?

        Please give me more precise help on how to create certificates.

        Thank you very much!

          seggerman, last edited by Jun 6, 2011, 1:36 PM

          Hi Nachtfalke,

          attached is a part of the freeradius installation. It's only the folder for the certificates. It also contains a Makefile to generate (with openssl) the necessary certificates and CA. In the README it is mentioned what needs to be modified. You will have to rename the file from certs.zip.xls to certs.zip.

          In general you have to configure the ca.cnf, server.cnf and client.cnf with the names (organization etc.. and export password). Then generate the certificates with the Makefile (or manually).

          After that you have everything you need to import into the freeradius config and also your client machines.

          You need to define 1 CA and 1 server certificate. If all your clients get the same certificate you just need to create 1 client certificate (this is what I did). Naturally you can create multiple client certificates in case you want to revoke certificates.

          Hope this helps. If not give me a shout.

          Regards

          Alexander

          certs.zip.xls

            Nachtfalke, last edited by Jun 6, 2011, 2:17 PM

            Great!

            I will give it a try and post back if I need more advice and/or if it works ;-)

              Nachtfalke, last edited by Jun 6, 2011, 8:06 PM (Jun 6, 2011, 7:48 PM)

              Hello again ;-)

              I am now at home and I gave it a try:

              1.) I edited ca.cnf, server.cnf and client.cnf
              In all three files I changed the input_password and output_password to the same pass.
              I changed CommonName and so on in all three files to the same.

              After this I did:

              chmod u+x bootstrap
              

              and then created the certificates with:

              ./bootstrap
              

              After this I have these files in the certs directory:

              -rw-r--r--  1 root  wheel      70 Jun  6 16:08 .gitignore
              -rw-r-----  1 root  wheel    4260 Jun  6 21:41 01.pem
              -rw-r--r--  1 root  wheel  148992 Jun  6 21:43 MYCA.tar
              -rwxr--r--  1 root  wheel    4262 Jun  6 21:08 Makefile
              -rwxr--r--  1 root  wheel    7821 Jun  6 21:08 README
              -rwxr--r--  1 root  wheel    2640 Jun  6 21:08 bootstrap
              -rwxr--r--  1 root  wheel    1317 Jun  6 21:08 ca.cnf
              -rw-r-----  1 root  wheel    1221 Jun  6 21:41 ca.der
              -rw-r-----  1 root  wheel    1751 Jun  6 21:41 ca.key
              -rw-r-----  1 root  wheel    1708 Jun  6 21:41 ca.pem
              -rwxr--r--  1 root  wheel    1154 Jun  6 21:08 client.cnf
              -rw-r-----  1 root  wheel       0 Jun  6 21:41 client.crt
              -rw-r-----  1 root  wheel    1074 Jun  6 21:41 client.csr
              -rw-r-----  1 root  wheel    1751 Jun  6 21:41 client.key
              drwxr--r--  2 root  wheel     512 Jun  6 16:10 demoCA
              -rw-r-----  1 root  wheel     245 Jun  6 21:41 dh
              -rw-r-----  1 root  wheel     134 Jun  6 21:41 index.txt
              -rw-r-----  1 root  wheel      21 Jun  6 21:41 index.txt.attr
              -rw-r-----  1 root  wheel       0 Jun  6 21:41 index.txt.old
              -rw-r-----  1 root  wheel    5120 Jun  6 21:41 random
              -rw-r-----  1 root  wheel       3 Jun  6 21:41 serial
              -rw-r-----  1 root  wheel       3 Jun  6 21:41 serial.old
              -rwxr--r--  1 root  wheel    1155 Jun  6 21:08 server.cnf
              -rw-r-----  1 root  wheel    4260 Jun  6 21:41 server.crt
              -rw-r-----  1 root  wheel    1074 Jun  6 21:41 server.csr
              -rw-r-----  1 root  wheel    1743 Jun  6 21:41 server.key
              -rw-r-----  1 root  wheel    2557 Jun  6 21:41 server.p12
              -rw-r-----  1 root  wheel    3545 Jun  6 21:41 server.pem
              -rw-r--r--  1 root  wheel   74240 Jun  6 21:42 v
              -rwxr--r--  1 root  wheel     578 Jun  6 21:08 xpextensions
              
              

              Which files do I need now for the client (Windows XP / Windows 7 ) ?

              Thanks again!

              ---edit---

              After that I configured the eap.conf and I got this error after starting radiusd -X

              Module: Instantiated unix (unix)
              Module: Loaded eap
               eap: default_eap_type = "md5"
               eap: timer_expire = 60
               eap: ignore_unknown_eap_types = no
               eap: cisco_accounting_username_bug = no
              rlm_eap: Loaded and initialized type md5
              rlm_eap: Loaded and initialized type leap
               gtc: challenge = "Password: "
               gtc: auth_type = "PAP"
              rlm_eap: Loaded and initialized type gtc
               tls: rsa_key_exchange = no
               tls: dh_key_exchange = yes
               tls: rsa_key_length = 512
               tls: dh_key_length = 512
               tls: verify_depth = 0
               tls: CA_path = "(null)"
               tls: pem_file_type = yes
               tls: private_key_file = "/usr/local/etc/raddb/certs/server.key"
               tls: certificate_file = "/usr/local/etc/raddb/certs/server.pem"
               tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/ca.pem"
               tls: private_key_password = "xxxXXXxxx"
               tls: dh_file = "/usr/local/etc/raddb/certs/dh"
               tls: random_file = "/usr/local/etc/raddb/certs/random"
               tls: fragment_size = 1024
               tls: include_length = yes
               tls: check_crl = yes
               tls: check_cert_cn = "%{User-Name}"
               tls: cipher_list = "DEFAULT"
               tls: check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
              rlm_eap_tls: Loading the certificate file as a chain
              rlm_eap: SSL error error:02001002:system library:fopen:No such file or directory
              rlm_eap_tls: Error reading Trusted root CA list
              rlm_eap: Failed to initialize type tls
              radiusd.conf[10]: eap: Module instantiation failed.
              radiusd.conf[328] Unknown module "eap".
              radiusd.conf[312] Failed to parse authenticate section.
              
              
                seggerman, last edited by Jun 6, 2011, 8:10 PM

                Hi Nachtfalke,

                you need to modify the eap.conf file first in /etc/raddb. This file defines which protocol (TLS, TTLS etc…) can be used. Since I just wanted to use TLS I uncommented this. Additionally in the TLS sections you will have to config:
                private_key_password = "this is your output_password"
                private_key_file = /path/to/server.key
                certificate_file = /path/to/server.pem
                CA_file = /path/to/ca.pem

                ... so now your server is ready. Restart with radiusd -X to show you debugging. You should see that the EAP config is pulled and activated.

                On the client side you now need to import the ca.der and client.p12 into the certificate store of Windows (during import of the client.p12 you will be prompted for a password (output_password) ). Now the certificate is available for windows.

                Now config your WIFI ... delete the current config and create a new config with WPA2 Enterprise as described here -> http://freeradius.org/doc/EAPTLS.pdf

                This should bring everything up and running.

                Alexander

                P.S. Recently I've moved away from the freeradius installation from pfsense, since it was flaky (this is my experience). I have moved it onto my OSX server which now provides the radius authentication. Your mileage naturally may vary.

                  Nachtfalke, last edited by Jun 6, 2011, 8:42 PM

                  Hi,

                  first:
                  I solved the problem that radiusd wasn't starting. I made a spelling mistake for the ca.crt :(
                  Now freeRADIUS is running with no errors.

                  second:
                  as you can see above, there is no client.p12 in my certs folder. Don't know why but I hope I could try it tomorrow with a client.

                  What hardware specs do you have on your pfsense ?
                  And how many users are connected and authenticated with freeRADIUS ?

                  Thanks

                    seggerman, last edited by Jun 7, 2011, 8:55 AM (Jun 7, 2011, 6:40 AM)

                    Hi Nachtfalke,

                    concerning the client.p12 … I forgot to mention that this isn't generated by the bootstrap or the "make all" command. You need to either do a "make client" or the openssl commands in the makefile.

                    from the makefile (execute the openssl command for client.crt and then the openssl command for client.p12 manually):

                    client.crt: client.csr ca.pem ca.key
                    openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr  -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf

                    client.p12: client.crt
                    openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12  -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)

                    Currently I'm running about 5 devices over the freeradius server, all with 1 client certificate. The hardware then (when I had it running on pfsense) was an EPIA board. Now I'm running freeradius off a Mac mini with Snow Leopard Server.

                    Alexander

                      Nachtfalke, last edited by Jun 7, 2011, 12:09 PM

                      Hi,

                      every time I run ./bootstrap I get this error at the end of the client.cnf process

                      Certificate is to be certified until Jun  4 11:51:20 2021 GMT (3650 days)
                      failed to update database
                      TXT_DB error number 2
                      
                      

                      After this, the client.crt is only 0 bytes - like you could see above.
                      And because of this I cannot continue with the other openssl commands :(

                      Any ideas ?

                        seggerman, last edited by Jun 7, 2011, 2:17 PM

                        Hi Nachtfalke,

                        try to execute the commands  manually (extract from the Makefile):

                        openssl req -new  -out client.csr -keyout client.key -config ./client.cnf

                        openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr  -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf

                        openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12  -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)

                        where PASSWORD_CA and PASSWORD_CLIENT are the respective passwords in your ca.cnf and client.cnf.

                        Cheers

                        Alexander

                          Nachtfalke, last edited by Jun 7, 2011, 3:13 PM

                          This is the output error - still the same. I do not know where I did something wrong :(

                          [2.0-RC2][admin@pfsense2.hpa]/usr/local/etc/raddb/certs(8): openssl req -new  -out client.csr -keyout client.key -config ./client.cnf
                          Generating a 2048 bit RSA private key
                          .....................................................+++
                          .........................+++
                          writing new private key to 'client.key'
                          -----
                          [2.0-RC2][admin@pfsense2.hpa]/usr/local/etc/raddb/certs(9): openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr  -key Passwort -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
                          Using configuration from ./client.cnf
                          Check that the request matches the signature
                          Signature ok
                          Certificate Details:
                                  Serial Number: 2 (0x2)
                                  Validity
                                      Not Before: Jun  7 15:10:39 2011 GMT
                                      Not After : Jun  4 15:10:39 2021 GMT
                                  Subject:
                                      countryName               = DE
                                      stateOrProvinceName       = Deutschland
                                      organizationName          = Polizeiakademie Hessen
                                      commonName                = freeRADIUS HPA-CA
                                      emailAddress              = rbs.hpa@polizei.hessen.de
                                  X509v3 extensions:
                                      X509v3 Extended Key Usage:
                                          TLS Web Client Authentication
                          Certificate is to be certified until Jun  4 15:10:39 2021 GMT (3650 days)
                          failed to update database
                          TXT_DB error number 2
                          [2.0-RC2][admin@pfsense2.hpa]/usr/local/etc/raddb/certs(10): openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12  -passin pass:Passwort -passout pass:Passwort
                          No certificate matches private key
                          
                          

                          And here: the client.crt is still 0 bytes because of the error above …

                          [2.0-RC2][admin@pfsense2.hpa]/usr/local/etc/raddb/certs(11): ls -la
                          total 84
                          drwxr-xr-x  3 root  wheel  1024 Jun  7 17:11 .
                          drwxr-x---  5 root  wheel  1024 Jun  6 16:16 ..
                          -rw-r--r--  1 root  wheel    70 Jun  6 16:08 .gitignore
                          -rw-r-----  1 root  wheel  4260 Jun  7 17:09 01.pem
                          -rwxrwxrwx  1 root  wheel  4260 Jun  6 22:25 Makefile
                          -rwxrwxrwx  1 root  wheel  7821 Jun  6 21:08 README
                          -rwxrwxrwx  1 root  wheel  2642 Jun  7 13:47 bootstrap
                          -rwxrwxrwx  1 root  wheel  1297 Jun  7 13:41 ca.cnf
                          -rw-r-----  1 root  wheel  1221 Jun  7 17:09 ca.der
                          -rw-r-----  1 root  wheel  1751 Jun  7 17:09 ca.key
                          -rw-r-----  1 root  wheel  1708 Jun  7 17:09 ca.pem
                          -rwxrwxrwx  1 root  wheel  1134 Jun  7 13:40 client.cnf
                          -rw-r-----  1 root  wheel     0 Jun  7 17:10 client.crt
                          -rw-r-----  1 root  wheel  1074 Jun  7 17:10 client.csr
                          -rw-r-----  1 root  wheel  1743 Jun  7 17:10 client.key
                          -rw-r--r--  1 root  wheel     0 Jun  7 17:11 client.p12
                          drwxrwxrwx  2 root  wheel   512 Jun  7 13:24 demoCA
                          -rw-r-----  1 root  wheel   424 Jun  7 17:09 dh
                          -rw-r-----  1 root  wheel   134 Jun  7 17:09 index.txt
                          -rw-r-----  1 root  wheel    21 Jun  7 17:09 index.txt.attr
                          -rw-r-----  1 root  wheel     0 Jun  7 17:09 index.txt.old
                          -rw-r-----  1 root  wheel  5120 Jun  7 17:09 random
                          -rw-r-----  1 root  wheel     3 Jun  7 17:09 serial
                          -rw-r-----  1 root  wheel     3 Jun  7 17:09 serial.old
                          -rwxrwxrwx  1 root  wheel  1135 Jun  7 13:40 server.cnf
                          -rw-r-----  1 root  wheel  4260 Jun  7 17:09 server.crt
                          -rw-r-----  1 root  wheel  1074 Jun  7 17:09 server.csr
                          -rw-r-----  1 root  wheel  1751 Jun  7 17:09 server.key
                          -rw-r-----  1 root  wheel  2557 Jun  7 17:09 server.p12
                          -rw-r-----  1 root  wheel  3553 Jun  7 17:09 server.pem
                          -rwxrwxrwx  1 root  wheel   578 Jun  6 21:08 xpextensions
                          
                          
                            seggerman, last edited by Jun 7, 2011, 5:56 PM

                            Hi Nachtfalke,

                            you used the "bootstrap" file to create the certificates and I used the make command. I assume that there is some difference. Reading through the README file, it states that bootstrap is used to create standard certificates for testing. Maybe some data in the files (index, dh, random ….) does not match the information in the *.cnf files you modified. I would use the Makefile.

                            Can you try a

                            • make destroycerts
                            • make clean
                            • make all
                            • make client

                            This is what worked for me (just gave it a try).

                            Regards

                            Alexander

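The "TXT_DB error number 2" in the output above is OpenSSL's index clash on the ca database: with unique_subject = yes in index.txt.attr, a request whose subject DN matches a valid entry already recorded in index.txt (here the same CommonName was put into all three .cnf files, so the client request carries the CA/server name) is rejected when the new row is inserted, which is why client.crt ends up with 0 bytes. As an added example that is not from this thread or from FreeRADIUS, the Python script below reproduces that clash test on index.txt and index.txt.attr before openssl ca is run; the file contents, serials and DNs in it are constructed samples, not the poster's real files.

```python
"""Pre-flight check for the OpenSSL `ca` database (index.txt) that the
FreeRADIUS certs Makefile drives.

Added example, not from the forum thread or the FreeRADIUS project.
`openssl ca` appends one tab-separated row per issued certificate to
index.txt and, when index.txt.attr says `unique_subject = yes`, refuses a
new certificate whose subject DN equals that of a still-valid row (or whose
serial was already used).  That refusal surfaces as
"failed to update database / TXT_DB error number 2" and an empty client.crt.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class IndexEntry:
    status: str    # 'V' valid, 'R' revoked, 'E' expired
    expiry: str    # YYMMDDHHMMSSZ
    revoked: str   # revocation date; empty unless status == 'R'
    serial: str    # hex serial as written by `openssl ca`, e.g. '01'
    filename: str  # normally 'unknown'
    subject: str   # one-line DN, e.g. '/C=DE/O=.../CN=...'


def parse_index(text: str) -> List[IndexEntry]:
    """Parse index.txt: six tab-separated fields per certificate row."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"index.txt line {lineno}: expected 6 fields, got {len(fields)}")
        entries.append(IndexEntry(*fields))
    return entries


def unique_subject_enabled(attr_text: str) -> bool:
    """Read unique_subject from index.txt.attr; OpenSSL defaults to yes."""
    for line in attr_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "unique_subject":
            return value.strip().lower() == "yes"
    return True


def normalise_dn(dn: str) -> str:
    """Canonicalise a one-line DN so stray spaces around '=' or '/' do not
    hide a clash (values containing a literal '/' are out of scope here)."""
    parts = [p.strip() for p in dn.strip().split("/") if p.strip()]
    return "/" + "/".join("=".join(x.strip() for x in p.split("=", 1)) for p in parts)


def find_clash(index_text: str, attr_text: str,
               new_serial: str, new_subject: str) -> Optional[str]:
    """Return why `openssl ca` would hit TXT_DB error number 2 for the new
    (serial, subject) pair, or None if the row can be inserted."""
    entries = parse_index(index_text)
    serial = new_serial.strip().upper()
    for e in entries:                      # serial index covers every row
        if e.serial.upper() == serial:
            return f"serial {serial} already issued (row for {e.subject}); check the serial file"
    if unique_subject_enabled(attr_text):  # subject index covers valid rows only
        want = normalise_dn(new_subject)
        for e in entries:
            if e.status == "V" and normalise_dn(e.subject) == want:
                return (f"subject {want} already has a valid certificate (serial {e.serial}); "
                        "use a different commonName in client.cnf or revoke the old certificate")
    return None


# Constructed sample data modelled on the thread: one server certificate (01)
# already issued, and a client request reusing the very same subject.
SAMPLE_INDEX = ("V\t210604151039Z\t\t01\tunknown\t"
                "/C=DE/ST=Example/O=Example Org/CN=freeRADIUS Example CA/emailAddress=admin@example.org\n")
SAMPLE_ATTR = "unique_subject = yes\n"
SAME_CN = "/C=DE/ST=Example/O=Example Org/CN=freeRADIUS Example CA/emailAddress=admin@example.org"
CLIENT_CN = "/C=DE/ST=Example/O=Example Org/CN=client.example.org/emailAddress=admin@example.org"

if __name__ == "__main__":
    for subject in (SAME_CN, CLIENT_CN):
        verdict = find_clash(SAMPLE_INDEX, SAMPLE_ATTR, "02", subject)
        print(f"{subject}\n  -> {verdict or 'ok, openssl ca can insert this row'}")
```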
                              Nachtfalke, last edited by Jun 7, 2011, 7:28 PM

                              Hi,

                              the problem is that in pfSense there is no "make" … command not found.
                              I think this is "normal" because pfSense is a firewall solution and no one should or needs to compile anything.

                              Perhaps I will try it with the single commands in the "Makefile" or I will test it on a linux live CD.

                              PS: Do you know if it is possible to do authentication on freeRADIUS using the device MAC address ?
                              I know freeRADIUS can do this but is it possible with the pfsense freeRADIUS GUI ?
                              Or do I have to edit the users file manually with different parameters ? I think this is the only way or do you have other experience ?

                                Nachtfalke, last edited by Jun 7, 2011, 8:06 PM

                                Hi,

                                I uploaded the files to an Ubuntu live CD and then it works with "make" and "make client"

                                no errors and files with more than zero bytes and p12 files :-)
                                Tomorrow I will try it with my pfsense and my switches.

                                Thank you very much for your help and taking time for my problem!
                                I will post back if it works or if I expect more problems :D

                                  seggerman, last edited by Jun 8, 2011, 7:58 AM

                                  @Nachtfalke:

                                  I uploaded the files to an Ubuntu live CD and then it works with "make" and "make client"

                                  no errors and files with more than zero bytes and p12 files :-)
                                  Tomorrow I will try it with my pfsense and my switches.

                                  … great that everything is there now. Everything else should be a breeze ...

                                  PS: Do you know if it is possible to do authentication on freeRADIUS using the device MAC address ?
                                  I know freeRADIUS can do this but is it possible with the pfsense freeRADIUS GUI ?
                                  Or do I have to edit the users file manually with different parameters ? I think this is the only way or do you have other experience ?

                                  If a MAC authentication is possible, then you definately can do it. You will have to manually edit the necessary files, since there isn't a GUI integration for all the features in freeradius. I personally don't have any experience with this feature.

                                  Cheers

                                  Alexander

                                    Nachtfalke, last edited by Jun 17, 2011, 2:39 PM

                                    Hi,

                                    just want to let you know that I got freeRADIUS on pfSense working with my Cisco SG-300 and Windows XP. The creation of the certificates is much easier under a Linux distribution which has "make" installed than under pfSense ;-)

                                    But now I have another question:
                                    To authenticate to the network I still need to enter the username and password on the Windows XP machine. The problem is that in my network the PCs are NOT in a domain. They are all workgroup PCs.
                                    And it is common that many users use the same Windows logon name as others and the same password (or no password).

                                    Is it possible to enter (AND SAVE) a custom username and password so that the users do not need to enter them every time they connect to the network ?

                                    I read something about "computer certificates" which work before the user logs on to Windows.

                                    Thank you!

                                      seggerman, last edited by Jun 18, 2011, 8:32 AM

                                      @Nachtfalke:

                                      Hi,

                                      just want to let you know that I got freeRADIUS on pfSense working with my Cisco SG-300 and Windows XP. The creation of the certificates is much easier under a Linux distribution which has "make" installed than under pfSense ;-)

                                      But now I have another question:
                                      To authenticate to the network I still need to enter the username and password on the Windows XP machine. The problem is that in my network the PCs are NOT in a domain. They are all workgroup PCs.
                                      And it is common that many users use the same Windows logon name as others and the same password (or no password).

                                      Is it possible to enter (AND SAVE) a custom username and password so that the users do not need to enter them every time they connect to the network ?

                                      I read something about "computer certificates" which work before the user logs on to Windows.

                                      Thank you!

                                      Not quite sure I understand you.

                                      The client certificates are being used for the authentication to the Wifi/Radius Network. I assume this works. As mentioned previously you need to copy the client.p12 and the ca certificate to each client and activate the "certificate authentication" in the wifi settings. This works without additional uid/pw. You have to have TLS (and not TTLS) authentication.

                                      Do you want to have windows logon using a certificate (has nothing to do with wifi/radius)?

                                      Regards

                                      Alexander

                                        Nachtfalke, last edited by Jun 18, 2011, 9:33 AM

                                        Hi,

                                        I am not using WiFi.
                                        I would like to authenticate windows machines with certificates against radius. This is working.
                                        If I do not install the client.p12 on the windows machine, I cannot authenticate.

                                        But in Windows I have always to enter a username and a password, if I connect the network cable.
                                        The username/password is the same I have to enter in the freeRADIUS webGUI on pfsense.
                                        Is this different to you ? Don't you have to enter a username/password in the freeRADIUS webGUI ?

                                        Thanks!

                                          seggerman, last edited by Jun 19, 2011, 6:03 PM

                                          Hi Nachtfalke,

                                          I'm using Radius+Certificates for the wifi EAP (WPA2) authentication. So this is to allow/disallow access to my wifi network using certificates.

                                          Reading your last posts, it seems as if you want to use a certificate to log on to Windows using a Radius server.

                                          I'm sorry, but I cannot help you with that (if I understood your problem correctly)

                                          Cheers

                                          Alexander
