Freeradius + EAP Certificates

seggerman

Hi Nachtfalke,

attached is a part of the freeradius installation. Its only the Folder for the certificates. In this is also a makefile to generate (with openssl) the necessary certificates and CA. In the README it is mentioned what needs to be modified. You will have to rename the file from certs.zip.xls to certs.zip

In general you have to configure the ca.cnf, server.cnf and client.cnf with the names (organization etc.. and export password). Then generate the certificates with the Makefile (or manually).

After that you have everything you need to import into the freeradius config and also your client machines.

You need to define 1 ca and 1 server certificate. If all your clients get the same certificate you just need to create 1 client certificate (this is what I did). Nataurally you can create multiple client certificates in case you want to revoke certificates.

Hope this helps. If not give me a shout.

Regards

Alexander

certs.zip.xls

Nachtfalke

Great!

I will give it a try and post back if I need more advice and/or if it works ;-)

Nachtfalke

Hello again ;-)

I am now at home and I gave it a try:

1.) I edited ca.cn server.cnf and client.cnf
In all three files I changes the input_password and output_password to the same pass.
I changes CommonName and so on in all three files to the same.

after this I did:

chmod u+x bootstrap

and than created the certificates with:

./bootstrap

After this I have these files in the certs directory:

-rw-r--r--  1 root  wheel      70 Jun  6 16:08 .gitignore
-rw-r-----  1 root  wheel    4260 Jun  6 21:41 01.pem
-rw-r--r--  1 root  wheel  148992 Jun  6 21:43 MYCA.tar
-rwxr--r--  1 root  wheel    4262 Jun  6 21:08 Makefile
-rwxr--r--  1 root  wheel    7821 Jun  6 21:08 README
-rwxr--r--  1 root  wheel    2640 Jun  6 21:08 bootstrap
-rwxr--r--  1 root  wheel    1317 Jun  6 21:08 ca.cnf
-rw-r-----  1 root  wheel    1221 Jun  6 21:41 ca.der
-rw-r-----  1 root  wheel    1751 Jun  6 21:41 ca.key
-rw-r-----  1 root  wheel    1708 Jun  6 21:41 ca.pem
-rwxr--r--  1 root  wheel    1154 Jun  6 21:08 client.cnf
-rw-r-----  1 root  wheel       0 Jun  6 21:41 client.crt
-rw-r-----  1 root  wheel    1074 Jun  6 21:41 client.csr
-rw-r-----  1 root  wheel    1751 Jun  6 21:41 client.key
drwxr--r--  2 root  wheel     512 Jun  6 16:10 demoCA
-rw-r-----  1 root  wheel     245 Jun  6 21:41 dh
-rw-r-----  1 root  wheel     134 Jun  6 21:41 index.txt
-rw-r-----  1 root  wheel      21 Jun  6 21:41 index.txt.attr
-rw-r-----  1 root  wheel       0 Jun  6 21:41 index.txt.old
-rw-r-----  1 root  wheel    5120 Jun  6 21:41 random
-rw-r-----  1 root  wheel       3 Jun  6 21:41 serial
-rw-r-----  1 root  wheel       3 Jun  6 21:41 serial.old
-rwxr--r--  1 root  wheel    1155 Jun  6 21:08 server.cnf
-rw-r-----  1 root  wheel    4260 Jun  6 21:41 server.crt
-rw-r-----  1 root  wheel    1074 Jun  6 21:41 server.csr
-rw-r-----  1 root  wheel    1743 Jun  6 21:41 server.key
-rw-r-----  1 root  wheel    2557 Jun  6 21:41 server.p12
-rw-r-----  1 root  wheel    3545 Jun  6 21:41 server.pem
-rw-r--r--  1 root  wheel   74240 Jun  6 21:42 v
-rwxr--r--  1 root  wheel     578 Jun  6 21:08 xpextensions

Which files do I need now for the client (Windows XP / Windows 7 ) ?

Thanks again!

–-edit---

After that I configured the eap.conf and I got this error after starting radiusd -X

Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "md5"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/usr/local/etc/raddb/certs/server.key"
 tls: certificate_file = "/usr/local/etc/raddb/certs/server.pem"
 tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/ca.pem"
 tls: private_key_password = "xxxXXXxxx"
 tls: dh_file = "/usr/local/etc/raddb/certs/dh"
 tls: random_file = "/usr/local/etc/raddb/certs/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = yes
 tls: check_cert_cn = "%{User-Name}"
 tls: cipher_list = "DEFAULT"
 tls: check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: SSL error error:02001002:system library:fopen:No such file or directory
rlm_eap_tls: Error reading Trusted root CA list
rlm_eap: Failed to initialize type tls
radiusd.conf[10]: eap: Module instantiation failed.
radiusd.conf[328] Unknown module "eap".
radiusd.conf[312] Failed to parse authenticate section.

seggerman

Hi Nachtfalke,

you need to modify the eap.conf file first in /etc/raddb. This file defines which protocol (TLS, TTLS etc…) can be used. Since I just wanted to use TLS I uncommented this. Additionally in the TLS sections you will have to config:
private_key_password = "this is your output_password"
private_key_file = /path/to/server.key
certificate_file = /path/to/server.pem
CA_file = /path/to/ca.pem

... so now your server is ready. Restart with radiusd -X to show you debugging. You should see that the EAP config is pulled and activated.

On the client side you now need to import the ca.der and client.p12 into the certificate store of Windows (during import of the client.p12 you will be prompted for a password (output_password) ). Now the certificate is available for windows.

Now config your WIFI ... delete the current config and create a new config with WPA2 Enterprise as described here -> http://freeradius.org/doc/EAPTLS.pdf

This should bring everything up and running.

Alexander

P.S. Recently I've moved away from the freeradius installation from pfsense, since it was flaky (this is my experience). I have moved it onto my OSX server which now provides the radius authentication. Your mileage naturally may vary.

Nachtfalke

Hi,

first:
I solved the problem that radiusd wasn't starting. I did a spellingmistake for the ca.crt :(
Now freeRADIUS is running with no errors.

second:
as you can see above, there is no client.p12 in my certs folder. Don't know why but I hope I could try it tomorrow with a client.

What hardware specs do you have on your pfsense ?
And how many users are connected and authenticated with freeRADIUS ?

Thanks

seggerman

Hi Nachtfalke,

concerning the client.p12 … I forgot to mention that this isn't generated by the bootstrap or the "make all" command. You need to either do a "make client" or the openssl commands in the makefile.

from the makefile (execute the openssl for cleint.crt and the the openssl for the client.p12 manually):

client.crt: client.csr ca.pem ca.key
openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr  -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf

client.p12: client.crt
openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12  -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)

Currently I'm running about 5 devices over the freeradius server, all with 1 client certificate. the hardware then (when I had it running on pfsense) was an epia board. Now I'm running freeradius of a macMini with Snow Leopard Server running.

Alexander

Nachtfalke

Hi,

everytime I run ./bootstrap I got this error at the end of the client.cnf process

Certificate is to be certified until Jun  4 11:51:20 2021 GMT (3650 days)
failed to update database
TXT_DB error number 2

After this, the client.crt is only 0 bytes - like you could see above.
And because of this I cannot continue with the other openssl commands :(

Any ideas ?

seggerman

Hi Nachtfalke,

try to execute the commands  manually (extract from the Makefile):

openssl req -new  -out client.csr -keyout client.key -config ./client.cnf

openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr  -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf

openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12  -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)

where PASSWORD_CA and PASSWORD_CLIENT the respective passwords in your ca.cnf and client.cnf are.

Cheers

Alexander

Nachtfalke

This is the output error - still the same. I do not know where I did something wrong :(

[2.0-RC2][admin@pfsense2.hpa]/usr/local/etc/raddb/certs(8): openssl req -new  -out client.csr -keyout client.key -config ./client.cnf
Generating a 2048 bit RSA private key
.....................................................+++
.........................+++
writing new private key to 'client.key'
-----
[2.0-RC2][admin@pfsense2.hpa]/usr/local/etc/raddb/certs(9): openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr  -key Passwort -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
Using configuration from ./client.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Jun  7 15:10:39 2011 GMT
            Not After : Jun  4 15:10:39 2021 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Deutschland
            organizationName          = Polizeiakademie Hessen
            commonName                = freeRADIUS HPA-CA
            emailAddress              = rbs.hpa@polizei.hessen.de
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
Certificate is to be certified until Jun  4 15:10:39 2021 GMT (3650 days)
failed to update database
TXT_DB error number 2
[2.0-RC2][admin@pfsense2.hpa]/usr/local/etc/raddb/certs(10): openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12  -passin pass:Passwort -passout pass:Passwort
No certificate matches private key

And here: The client.crt ist still 0 bytes because of the error above …

[2.0-RC2][admin@pfsense2.hpa]/usr/local/etc/raddb/certs(11): ls -la
total 84
drwxr-xr-x  3 root  wheel  1024 Jun  7 17:11 .
drwxr-x---  5 root  wheel  1024 Jun  6 16:16 ..
-rw-r--r--  1 root  wheel    70 Jun  6 16:08 .gitignore
-rw-r-----  1 root  wheel  4260 Jun  7 17:09 01.pem
-rwxrwxrwx  1 root  wheel  4260 Jun  6 22:25 Makefile
-rwxrwxrwx  1 root  wheel  7821 Jun  6 21:08 README
-rwxrwxrwx  1 root  wheel  2642 Jun  7 13:47 bootstrap
-rwxrwxrwx  1 root  wheel  1297 Jun  7 13:41 ca.cnf
-rw-r-----  1 root  wheel  1221 Jun  7 17:09 ca.der
-rw-r-----  1 root  wheel  1751 Jun  7 17:09 ca.key
-rw-r-----  1 root  wheel  1708 Jun  7 17:09 ca.pem
-rwxrwxrwx  1 root  wheel  1134 Jun  7 13:40 client.cnf
-rw-r-----  1 root  wheel     0 Jun  7 17:10 client.crt
-rw-r-----  1 root  wheel  1074 Jun  7 17:10 client.csr
-rw-r-----  1 root  wheel  1743 Jun  7 17:10 client.key
-rw-r--r--  1 root  wheel     0 Jun  7 17:11 client.p12
drwxrwxrwx  2 root  wheel   512 Jun  7 13:24 demoCA
-rw-r-----  1 root  wheel   424 Jun  7 17:09 dh
-rw-r-----  1 root  wheel   134 Jun  7 17:09 index.txt
-rw-r-----  1 root  wheel    21 Jun  7 17:09 index.txt.attr
-rw-r-----  1 root  wheel     0 Jun  7 17:09 index.txt.old
-rw-r-----  1 root  wheel  5120 Jun  7 17:09 random
-rw-r-----  1 root  wheel     3 Jun  7 17:09 serial
-rw-r-----  1 root  wheel     3 Jun  7 17:09 serial.old
-rwxrwxrwx  1 root  wheel  1135 Jun  7 13:40 server.cnf
-rw-r-----  1 root  wheel  4260 Jun  7 17:09 server.crt
-rw-r-----  1 root  wheel  1074 Jun  7 17:09 server.csr
-rw-r-----  1 root  wheel  1751 Jun  7 17:09 server.key
-rw-r-----  1 root  wheel  2557 Jun  7 17:09 server.p12
-rw-r-----  1 root  wheel  3553 Jun  7 17:09 server.pem
-rwxrwxrwx  1 root  wheel   578 Jun  6 21:08 xpextensions

seggerman

Hi Nachtfalke,

you used the "bootstrap" file to create the certificates and I used the make command. I assume that there is some difference. Reading through the README file it states that bootstrap is used to create standard certificate for testing. Maybe some data in the files (index, dh, random ….) do not match the information in the *.cnf files you modified. I would use the makefile.

Can you try a

• make destroycerts
• make clean
• make all
• make client

This is what worked for me (just gave it a try).

Regards

Alexander

Nachtfalke

Hi,

the problem is, that in pfsense there is no "make"…command not found.
I think this is "normal" because pfsense is a firewall solution an noone should or needs to compile something.

Perhaps I will try it with the single commands in the "Makefile" or I will test it on a linux live CD.

PS: Do you know if it is possible to do authentication on freeRADIUS using the device MAC address ?
I know freeRADIUS can do this but is it possible with the pfsense freeRADIUS GUI ?
Or do I have to edit the users file manually with different parameters ? I think this is the only way or do you have other experience ?

Nachtfalke

Hi,

I uploaded the files to an Ubuntu live CD and then it works with "make" and "make client"

no errors and files with more than zero bytes and p12 files :-)
Tomorrow I will try it with my pfsense and my switches.

Thank you very much for your help and taking time for my problem!
I will post back if it works or if I expect more problems :D

seggerman

@Nachtfalke:

I uploaded the files to an Ubuntu live CD and then it works with "make" and "make client"

no errors and files with more than zero bytes and p12 files :-)
Tomorrow I will try it with my pfsense and my switches.

… great that everything is there now. Everything else should be a breeze ...

PS: Do you know if it is possible to do authentication on freeRADIUS using the device MAC address ?
I know freeRADIUS can do this but is it possible with the pfsense freeRADIUS GUI ?
Or do I have to edit the users file manually with different parameters ? I think this is the only way or do you have other experience ?

If a MAC authentication is possible, then you definately can do it. You will have to manually edit the necessary files, since there isn't a GUI integration for all the features in freeradius. I personally don't have any experience with this feature.

Cheers

Alexander

Nachtfalke

Hi,

just want to let you know, that I got freeRADIUS on pfsense with my CISCO SG-300 and Windows XP working. The creation of the certificates is much easier under a linux distrubution which has "make" installed than under pfsense ;-)

But now I have another question:
To authenticate to the network I still need a to enter the username and password on the Windows XP machine. The problem is that in my network the PCs are NOT in a domain. They are all workgroup PCs.
And it is common, that many users use the same Windows Logon Name than others and the same password (or no password).

Is it possible to enter (AND SAVE) a custom username and password so that the users do not need to enter them every time they connect to the network ?

I read something about "computer certificates" which work before the use will logon into windows.

Thank you!

seggerman

@Nachtfalke:

Hi,

just want to let you know, that I got freeRADIUS on pfsense with my CISCO SG-300 and Windows XP working. The creation of the certificates is much easier under a linux distrubution which has "make" installed than under pfsense ;-)

But now I have another question:
To authenticate to the network I still need a to enter the username and password on the Windows XP machine. The problem is that in my network the PCs are NOT in a domain. They are all workgroup PCs.
And it is common, that many users use the same Windows Logon Name than others and the same password (or no password).

Is it possible to enter (AND SAVE) a custom username and password so that the users do not need to enter them every time they connect to the network ?

I read something about "computer certificates" which work before the use will logon into windows.

Thank you!

Not quite sure I understand you.

The client certificates are being used for the authentication to the Wifi/Radius Network. I assume this works. As mentioned previously you need to copy the client.p12 and the ca certificate to each client and activate the "certificate authentication" in the wifi settings. This works without additional uid/pw. You have to have TLS (and not TTLS) authentication.

Do you want to have windows logon using a certificate (has nothing to do with wifi/radius)?

REgards

Alexander

Nachtfalke

Hi,

I am not using WiFi.
I would like to authenticate windows machines with certificates against radius. This is working.
If I do not install the client.p12 on the windows machine, I cannot authenticate.

But in Windows I have always to enter a username and a password, if I connect the network cable.
The username/password is the same I have to enter in the freeRADIUS webGUI on pfsense.
Is this different to you ? Don't you have to enter a username/password in the freeRADIUS webGUI ?

Thanks!

seggerman

Hi Nachtfalke,

I'm using Radius+Certificates for the wifi EAP (WPA2) authentication. So this is to allow/disallow access to my wifi network using certificates.

Reading your last posts you it seems as if you want to use a certificate to log on to windows using a Radius server.

I'm sorry, but I cannot help you with that (if I understood your problem correctly)

Cheers

Alexander

Nachtfalke

Hi,

you didn't understand me correct or I didn't explain it correct.

Take a look at this thread:
http://www.administrator.de/index.php?content=154402#644826

Scroll down to the chapter:

Clients für die 802.1x Zugangskontrolle einrichten

After I login into windows, with my username and password I can see the desktop, open word an so on.
If I connect my LAN cable to the switch, there appears a hint in the systray "There are additional information needed to access the network". There I have to enter the username/password I entered in the freeRADIUS users tab on pfsense.

Windows XP allows you to use the same username and password for this authentication as you used for the windows logon. (This you can see in the third and fith picture in the chapter I told you above: (Clients für die 802.1x Zugangskontrolle einrichten) If you want to use a different username/password then the sixth picture appears.)

I want to save the information in the sixth picture for the entire computer and every user on this computer.

BUT I would be interested in, what your users file of freeradius contains.

I think there is a difference between using an AP or a switch to authenticate with freeradius.

seggerman

Hi,

Ok, now I understand your problem. I've looked at the document you linked. I have one main difference:

in the authentication section it is posted that for the EAP type you need to select "Geschütztes EAP (PEAP)". I have "Smart Card or other Certificate" (this is the other setting).

If you look here -> http://en.wikipedia.org/wiki/Protected_Extensible_Authentication_Protocol

It is described that PEAP is similar to TTLS. It is basically a tunnel that is generated. TTLS or PEAP has an inner and an outer layer. One is the certificate the other is uid/pw. thats why you are being prompted for uid/pw.

for my config I only used EAP (so only the certificate authentication without a tunnel). therefore also the "smart card or other certificate" setting in the EAP type.

Since your computers are not connected to a domain you cannot pass the creditials (thats why you're being prompted).

Now the question is do you need PEAP, or is EAP sufficiant ?

Cheers

Alexander

Nachtfalke

Hi,

I think it would be enough with EAP. It will be better than only MAC address filtering I think.
I tried with "other certificate or smartcard" but I think I missed some checkboxes there.
Do you have a solution for me how to configure it the right way ?