Freeradius + EAP Certificates



  • Folks,

    I'm running the current 2.0-RC1 and am looking into Freeradius to use it to authenticate my WLAN clients. I was thinking about using WPA2-Enterprise with a certificated based authentication. Looking through the forums I found a few How-Tos to get the certificates into the freeradius configuration. these howtos were all based on the 1.2.x release of PFsense.

    Now with 2.0 and the integrated certificatemanager will this change for the freeradius configuration? Do I still have to manually exported the certificates from pfsense and copy them into the config directory of freeradius, or will/is there an automatic "grabbing" of the certificates by the freeradius configuration?

    Hope someone can help.

    Regards

    Alexander



  • Folks,

    to answer my own question ….

    a) no there is no integration of the certificate manager and Freeradius
    b) the script to generate the certificates are missing in the package
    c) I downloaded the current version of Freeradius and generated the certificates as documented here -> http://deployingradius.com/documents/configuration/certificates.html
    d) modified the freeradius config to enable EAP-TLS as mentioned here -> http://forum.pfsense.org/index.php?topic=7682.0

    e) imported the CA file ca.der(for windows) or ca.pem(OSx) and client.p12 into the certificate store of OSX/Windows

    f) everything worked.

    Hope this helps.

    Cheers

    Alexander



  • Hi Alex,

    perhaps you remeber, that we had a conversation with PM in the past.
    Now I am back and would appreciate your help with freeRADIUS and certificates. :-))

    Could you explain to me, how I could create the certificates the easiest way ?
    Do I really need an extra machine with linux and freeradius installed ? Isn't there a way to create the certificates on pfsense with openssl ?

    And where to find the ca.cnf and server.cnf which are posted in your link above ?
    Is it possible that you could upload those files here in the forum als "blank" ones without your real entries so I and other people could edit these files ?

    Please give me a more precise help how to create certificates.

    Thank you very much!



  • Hi Nachtfalke,

    attached is a part of the freeradius installation. Its only the Folder for the certificates. In this is also a makefile to generate (with openssl) the necessary certificates and CA. In the README it is mentioned what needs to be modified. You will have to rename the file from certs.zip.xls to certs.zip

    In general you have to configure the ca.cnf, server.cnf and client.cnf with the names (organization etc.. and export password). Then generate the certificates with the Makefile (or manually).

    After that you have everything you need to import into the freeradius config and also your client machines.

    You need to define 1 ca and 1 server certificate. If all your clients get the same certificate you just need to create 1 client certificate (this is what I did). Nataurally you can create multiple client certificates in case you want to revoke certificates.

    Hope this helps. If not give me a shout.

    Regards

    Alexander

    certs.zip.xls



  • Great!

    I will give it a try and post back if I need more advice and/or if it works ;-)



  • Hello again ;-)

    I am now at home and I gave it a try:

    1.) I edited ca.cn server.cnf and client.cnf
    In all three files I changes the input_password and output_password to the same pass.
    I changes CommonName and so on in all three files to the same.

    after this I did:

    chmod u+x bootstrap
    

    and than created the certificates with:

    ./bootstrap
    

    After this I have these files in the certs directory:

    -rw-r--r--  1 root  wheel      70 Jun  6 16:08 .gitignore
    -rw-r-----  1 root  wheel    4260 Jun  6 21:41 01.pem
    -rw-r--r--  1 root  wheel  148992 Jun  6 21:43 MYCA.tar
    -rwxr--r--  1 root  wheel    4262 Jun  6 21:08 Makefile
    -rwxr--r--  1 root  wheel    7821 Jun  6 21:08 README
    -rwxr--r--  1 root  wheel    2640 Jun  6 21:08 bootstrap
    -rwxr--r--  1 root  wheel    1317 Jun  6 21:08 ca.cnf
    -rw-r-----  1 root  wheel    1221 Jun  6 21:41 ca.der
    -rw-r-----  1 root  wheel    1751 Jun  6 21:41 ca.key
    -rw-r-----  1 root  wheel    1708 Jun  6 21:41 ca.pem
    -rwxr--r--  1 root  wheel    1154 Jun  6 21:08 client.cnf
    -rw-r-----  1 root  wheel       0 Jun  6 21:41 client.crt
    -rw-r-----  1 root  wheel    1074 Jun  6 21:41 client.csr
    -rw-r-----  1 root  wheel    1751 Jun  6 21:41 client.key
    drwxr--r--  2 root  wheel     512 Jun  6 16:10 demoCA
    -rw-r-----  1 root  wheel     245 Jun  6 21:41 dh
    -rw-r-----  1 root  wheel     134 Jun  6 21:41 index.txt
    -rw-r-----  1 root  wheel      21 Jun  6 21:41 index.txt.attr
    -rw-r-----  1 root  wheel       0 Jun  6 21:41 index.txt.old
    -rw-r-----  1 root  wheel    5120 Jun  6 21:41 random
    -rw-r-----  1 root  wheel       3 Jun  6 21:41 serial
    -rw-r-----  1 root  wheel       3 Jun  6 21:41 serial.old
    -rwxr--r--  1 root  wheel    1155 Jun  6 21:08 server.cnf
    -rw-r-----  1 root  wheel    4260 Jun  6 21:41 server.crt
    -rw-r-----  1 root  wheel    1074 Jun  6 21:41 server.csr
    -rw-r-----  1 root  wheel    1743 Jun  6 21:41 server.key
    -rw-r-----  1 root  wheel    2557 Jun  6 21:41 server.p12
    -rw-r-----  1 root  wheel    3545 Jun  6 21:41 server.pem
    -rw-r--r--  1 root  wheel   74240 Jun  6 21:42 v
    -rwxr--r--  1 root  wheel     578 Jun  6 21:08 xpextensions
    
    

    Which files do I need now for the client (Windows XP / Windows 7 ) ?

    Thanks again!

    –-edit---

    After that I configured the eap.conf and I got this error after starting radiusd -X

    Module: Instantiated unix (unix)
    Module: Loaded eap
     eap: default_eap_type = "md5"
     eap: timer_expire = 60
     eap: ignore_unknown_eap_types = no
     eap: cisco_accounting_username_bug = no
    rlm_eap: Loaded and initialized type md5
    rlm_eap: Loaded and initialized type leap
     gtc: challenge = "Password: "
     gtc: auth_type = "PAP"
    rlm_eap: Loaded and initialized type gtc
     tls: rsa_key_exchange = no
     tls: dh_key_exchange = yes
     tls: rsa_key_length = 512
     tls: dh_key_length = 512
     tls: verify_depth = 0
     tls: CA_path = "(null)"
     tls: pem_file_type = yes
     tls: private_key_file = "/usr/local/etc/raddb/certs/server.key"
     tls: certificate_file = "/usr/local/etc/raddb/certs/server.pem"
     tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/ca.pem"
     tls: private_key_password = "xxxXXXxxx"
     tls: dh_file = "/usr/local/etc/raddb/certs/dh"
     tls: random_file = "/usr/local/etc/raddb/certs/random"
     tls: fragment_size = 1024
     tls: include_length = yes
     tls: check_crl = yes
     tls: check_cert_cn = "%{User-Name}"
     tls: cipher_list = "DEFAULT"
     tls: check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
    rlm_eap_tls: Loading the certificate file as a chain
    rlm_eap: SSL error error:02001002:system library:fopen:No such file or directory
    rlm_eap_tls: Error reading Trusted root CA list
    rlm_eap: Failed to initialize type tls
    radiusd.conf[10]: eap: Module instantiation failed.
    radiusd.conf[328] Unknown module "eap".
    radiusd.conf[312] Failed to parse authenticate section.
    
    


  • Hi Nachtfalke,

    you need to modify the eap.conf file first in /etc/raddb. This file defines which protocol (TLS, TTLS etc…) can be used. Since I just wanted to use TLS I uncommented this. Additionally in the TLS sections you will have to config:
    private_key_password = "this is your output_password"
    private_key_file = /path/to/server.key
    certificate_file = /path/to/server.pem
    CA_file = /path/to/ca.pem

    ... so now your server is ready. Restart with radiusd -X to show you debugging. You should see that the EAP config is pulled and activated.

    On the client side you now need to import the ca.der and client.p12 into the certificate store of Windows (during import of the client.p12 you will be prompted for a password (output_password) ). Now the certificate is available for windows.

    Now config your WIFI ... delete the current config and create a new config with WPA2 Enterprise as described here -> http://freeradius.org/doc/EAPTLS.pdf

    This should bring everything up and running.

    Alexander

    P.S. Recently I've moved away from the freeradius installation from pfsense, since it was flaky (this is my experience). I have moved it onto my OSX server which now provides the radius authentication. Your mileage naturally may vary.



  • Hi,

    first:
    I solved the problem that radiusd wasn't starting. I did a spellingmistake for the ca.crt :(
    Now freeRADIUS is running with no errors.

    second:
    as you can see above, there is no client.p12 in my certs folder. Don't know why but I hope I could try it tomorrow with a client.

    What hardware specs do you have on your pfsense ?
    And how many users are connected and authenticated with freeRADIUS ?

    Thanks



  • Hi Nachtfalke,

    concerning the client.p12 … I forgot to mention that this isn't generated by the bootstrap or the "make all" command. You need to either do a "make client" or the openssl commands in the makefile.

    from the makefile (execute the openssl for cleint.crt and the the openssl for the client.p12 manually):

    client.crt: client.csr ca.pem ca.key
    openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr  -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf

    client.p12: client.crt
    openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12  -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)

    Currently I'm running about 5 devices over the freeradius server, all with 1 client certificate. the hardware then (when I had it running on pfsense) was an epia board. Now I'm running freeradius of a macMini with Snow Leopard Server running.

    Alexander



  • Hi,

    everytime I run ./bootstrap I got this error at the end of the client.cnf process

    Certificate is to be certified until Jun  4 11:51:20 2021 GMT (3650 days)
    failed to update database
    TXT_DB error number 2
    
    

    After this, the client.crt is only 0 bytes - like you could see above.
    And because of this I cannot continue with the other openssl commands :(

    Any ideas ?



  • Hi Nachtfalke,

    try to execute the commands  manually (extract from the Makefile):

    openssl req -new  -out client.csr -keyout client.key -config ./client.cnf

    openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr  -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf

    openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12  -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)

    where PASSWORD_CA and PASSWORD_CLIENT the respective passwords in your ca.cnf and client.cnf are.

    Cheers

    Alexander



  • This is the output error - still the same. I do not know where I did something wrong :(

    [2.0-RC2][admin@pfsense2.hpa]/usr/local/etc/raddb/certs(8): openssl req -new  -out client.csr -keyout client.key -config ./client.cnf
    Generating a 2048 bit RSA private key
    .....................................................+++
    .........................+++
    writing new private key to 'client.key'
    -----
    [2.0-RC2][admin@pfsense2.hpa]/usr/local/etc/raddb/certs(9): openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr  -key Passwort -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
    Using configuration from ./client.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 2 (0x2)
            Validity
                Not Before: Jun  7 15:10:39 2011 GMT
                Not After : Jun  4 15:10:39 2021 GMT
            Subject:
                countryName               = DE
                stateOrProvinceName       = Deutschland
                organizationName          = Polizeiakademie Hessen
                commonName                = freeRADIUS HPA-CA
                emailAddress              = rbs.hpa@polizei.hessen.de
            X509v3 extensions:
                X509v3 Extended Key Usage:
                    TLS Web Client Authentication
    Certificate is to be certified until Jun  4 15:10:39 2021 GMT (3650 days)
    failed to update database
    TXT_DB error number 2
    [2.0-RC2][admin@pfsense2.hpa]/usr/local/etc/raddb/certs(10): openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12  -passin pass:Passwort -passout pass:Passwort
    No certificate matches private key
    
    

    And here: The client.crt ist still 0 bytes because of the error above …

    [2.0-RC2][admin@pfsense2.hpa]/usr/local/etc/raddb/certs(11): ls -la
    total 84
    drwxr-xr-x  3 root  wheel  1024 Jun  7 17:11 .
    drwxr-x---  5 root  wheel  1024 Jun  6 16:16 ..
    -rw-r--r--  1 root  wheel    70 Jun  6 16:08 .gitignore
    -rw-r-----  1 root  wheel  4260 Jun  7 17:09 01.pem
    -rwxrwxrwx  1 root  wheel  4260 Jun  6 22:25 Makefile
    -rwxrwxrwx  1 root  wheel  7821 Jun  6 21:08 README
    -rwxrwxrwx  1 root  wheel  2642 Jun  7 13:47 bootstrap
    -rwxrwxrwx  1 root  wheel  1297 Jun  7 13:41 ca.cnf
    -rw-r-----  1 root  wheel  1221 Jun  7 17:09 ca.der
    -rw-r-----  1 root  wheel  1751 Jun  7 17:09 ca.key
    -rw-r-----  1 root  wheel  1708 Jun  7 17:09 ca.pem
    -rwxrwxrwx  1 root  wheel  1134 Jun  7 13:40 client.cnf
    -rw-r-----  1 root  wheel     0 Jun  7 17:10 client.crt
    -rw-r-----  1 root  wheel  1074 Jun  7 17:10 client.csr
    -rw-r-----  1 root  wheel  1743 Jun  7 17:10 client.key
    -rw-r--r--  1 root  wheel     0 Jun  7 17:11 client.p12
    drwxrwxrwx  2 root  wheel   512 Jun  7 13:24 demoCA
    -rw-r-----  1 root  wheel   424 Jun  7 17:09 dh
    -rw-r-----  1 root  wheel   134 Jun  7 17:09 index.txt
    -rw-r-----  1 root  wheel    21 Jun  7 17:09 index.txt.attr
    -rw-r-----  1 root  wheel     0 Jun  7 17:09 index.txt.old
    -rw-r-----  1 root  wheel  5120 Jun  7 17:09 random
    -rw-r-----  1 root  wheel     3 Jun  7 17:09 serial
    -rw-r-----  1 root  wheel     3 Jun  7 17:09 serial.old
    -rwxrwxrwx  1 root  wheel  1135 Jun  7 13:40 server.cnf
    -rw-r-----  1 root  wheel  4260 Jun  7 17:09 server.crt
    -rw-r-----  1 root  wheel  1074 Jun  7 17:09 server.csr
    -rw-r-----  1 root  wheel  1751 Jun  7 17:09 server.key
    -rw-r-----  1 root  wheel  2557 Jun  7 17:09 server.p12
    -rw-r-----  1 root  wheel  3553 Jun  7 17:09 server.pem
    -rwxrwxrwx  1 root  wheel   578 Jun  6 21:08 xpextensions
    
    


  • Hi Nachtfalke,

    you used the "bootstrap" file to create the certificates and I used the make command. I assume that there is some difference. Reading through the README file it states that bootstrap is used to create standard certificate for testing. Maybe some data in the files (index, dh, random ….) do not match the information in the *.cnf files you modified. I would use the makefile.

    Can you try a

    • make destroycerts
    • make clean
    • make all
    • make client

    This is what worked for me (just gave it a try).

    Regards

    Alexander



  • Hi,

    the problem is, that in pfsense there is no "make"…command not found.
    I think this is "normal" because pfsense is a firewall solution an noone should or needs to compile something.

    Perhaps I will try it with the single commands in the "Makefile" or I will test it on a linux live CD.

    PS: Do you know if it is possible to do authentication on freeRADIUS using the device MAC address ?
    I know freeRADIUS can do this but is it possible with the pfsense freeRADIUS GUI ?
    Or do I have to edit the users file manually with different parameters ? I think this is the only way or do you have other experience ?



  • Hi,

    I uploaded the files to an Ubuntu live CD and then it works with "make" and "make client"

    no errors and files with more than zero bytes and p12 files :-)
    Tomorrow I will try it with my pfsense and my switches.

    Thank you very much for your help and taking time for my problem!
    I will post back if it works or if I expect more problems :D



  • @Nachtfalke:

    I uploaded the files to an Ubuntu live CD and then it works with "make" and "make client"

    no errors and files with more than zero bytes and p12 files :-)
    Tomorrow I will try it with my pfsense and my switches.

    … great that everything is there now. Everything else should be a breeze ...

    PS: Do you know if it is possible to do authentication on freeRADIUS using the device MAC address ?
    I know freeRADIUS can do this but is it possible with the pfsense freeRADIUS GUI ?
    Or do I have to edit the users file manually with different parameters ? I think this is the only way or do you have other experience ?

    If a MAC authentication is possible, then you definately can do it. You will have to manually edit the necessary files, since there isn't a GUI integration for all the features in freeradius. I personally don't have any experience with this feature.

    Cheers

    Alexander



  • Hi,

    just want to let you know, that I got freeRADIUS on pfsense with my CISCO SG-300 and Windows XP working. The creation of the certificates is much easier under a linux distrubution which has "make" installed than under pfsense ;-)

    But now I have another question:
    To authenticate to the network I still need a to enter the username and password on the Windows XP machine. The problem is that in my network the PCs are NOT in a domain. They are all workgroup PCs.
    And it is common, that many users use the same Windows Logon Name than others and the same password (or no password).

    Is it possible to enter (AND SAVE) a custom username and password so that the users do not need to enter them every time they connect to the network ?

    I read something about "computer certificates" which work before the use will logon into windows.

    Thank you!



  • @Nachtfalke:

    Hi,

    just want to let you know, that I got freeRADIUS on pfsense with my CISCO SG-300 and Windows XP working. The creation of the certificates is much easier under a linux distrubution which has "make" installed than under pfsense ;-)

    But now I have another question:
    To authenticate to the network I still need a to enter the username and password on the Windows XP machine. The problem is that in my network the PCs are NOT in a domain. They are all workgroup PCs.
    And it is common, that many users use the same Windows Logon Name than others and the same password (or no password).

    Is it possible to enter (AND SAVE) a custom username and password so that the users do not need to enter them every time they connect to the network ?

    I read something about "computer certificates" which work before the use will logon into windows.

    Thank you!

    Not quite sure I understand you.

    The client certificates are being used for the authentication to the Wifi/Radius Network. I assume this works. As mentioned previously you need to copy the client.p12 and the ca certificate to each client and activate the "certificate authentication" in the wifi settings. This works without additional uid/pw. You have to have TLS (and not TTLS) authentication.

    Do you want to have windows logon using a certificate (has nothing to do with wifi/radius)?

    REgards

    Alexander



  • Hi,

    I am not using WiFi.
    I would like to authenticate windows machines with certificates against radius. This is working.
    If I do not install the client.p12 on the windows machine, I cannot authenticate.

    But in Windows I have always to enter a username and a password, if I connect the network cable.
    The username/password is the same I have to enter in the freeRADIUS webGUI on pfsense.
    Is this different to you ? Don't you have to enter a username/password in the freeRADIUS webGUI ?

    Thanks!



  • Hi Nachtfalke,

    I'm using Radius+Certificates for the wifi EAP (WPA2) authentication. So this is to allow/disallow access to my wifi network using certificates.

    Reading your last posts you it seems as if you want to use a certificate to log on to windows using a Radius server.

    I'm sorry, but I cannot help you with that (if I understood your problem correctly)

    Cheers

    Alexander



  • Hi,

    you didn't understand me correct or I didn't explain it correct.

    Take a look at this thread:
    http://www.administrator.de/index.php?content=154402#644826

    Scroll down to the chapter:

    Clients für die 802.1x Zugangskontrolle einrichten
    

    After I login into windows, with my username and password I can see the desktop, open word an so on.
    If I connect my LAN cable to the switch, there appears a hint in the systray "There are additional information needed to access the network". There I have to enter the username/password I entered in the freeRADIUS users tab on pfsense.

    Windows XP allows you to use the same username and password for this authentication as you used for the windows logon. (This you can see in the third and fith picture in the chapter I told you above: (Clients für die 802.1x Zugangskontrolle einrichten) If you want to use a different username/password then the sixth picture appears.)

    I want to save the information in the sixth picture for the entire computer and every user on this computer.

    BUT I would be interested in, what your users file of freeradius contains.

    I think there is a difference between using an AP or a switch to authenticate with freeradius.



  • Hi,

    Ok, now I understand your problem. I've looked at the document you linked. I have one main difference:

    in the authentication section it is posted that for the EAP type you need to select "Geschütztes EAP (PEAP)". I have "Smart Card or other Certificate" (this is the other setting).

    If you look here -> http://en.wikipedia.org/wiki/Protected_Extensible_Authentication_Protocol

    It is described that PEAP is similar to TTLS. It is basically a tunnel that is generated. TTLS or PEAP has an inner and an outer layer. One is the certificate the other is uid/pw. thats why you are being prompted for uid/pw.

    for my config I only used EAP (so only the certificate authentication without a tunnel). therefore also the "smart card or other certificate" setting in the EAP type.

    Since your computers are not connected to a domain you cannot pass the creditials (thats why you're being prompted).

    Now the question is do you need PEAP, or is EAP sufficiant ?

    Cheers

    Alexander



  • Hi,

    I think it would be enough with EAP. It will be better than only MAC address filtering I think.
    I tried with "other certificate or smartcard" but I think I missed some checkboxes there.
    Do you have a solution for me how to configure it the right way ?



  • Nachtfalke,

    here are my config screens … in the second screen the "intern-CA" is my CA that is used for the client and server certificate.

    I cannot test it on my LAN, since my radius isn't configed for this, but it is identical to my WLAN config. After connecting to the LAN, and aquiring an IP address you should be prompted for the certificate needed for the authentication.

    Additional on your Cisco switch can you explicitly config the authentication to EAP ? So that the switch explicitly uses this authentication method.

    If this doesn't work, could you post the config of the cisco and also the "radiusd -X" log (this then has the config and also the challenge/response during the authentication.

    Regards

    Alexander






  • Hi,

    thanks for you help and screens. I think I did something close to your pics but not every checkboy is the same.
    I will try it on monday.

    Thanks.



  • Hi,

    erm I understand you correctly, you use your own radius install and not the package from the pfsense gui?

    Thanks
    Chunk0r



  • @chunk0r:

    Hi,

    erm I understand you correctly, you use your own radius install and not the package from the pfsense gui?

    Thanks
    Chunk0r

    seggerman is using his own RADIUS, I am using the pfsense package.



  • Thanks,

    I'm also confused of wifi access, so I want connect my AP with the Radius server, so that my clients has to be auth with wpa2 against radius.
    So my wpa2 key is the secret share key of radius? Cauz if I activate wpa2+eap on my openwrt AP, I don't have any other key field.



  • Your ap is the authenticator for the radius ( so you add it like client at radius )
    One place where you can have more info for that is (sorry guys) microsoft technet, there is quite well explained the roles of the devices



  • There is a difference between ENCRYPTION and AUTHENTICATION.

    The WPA2 key is the key to encrypt the wireless traffic. It is used between the W-AP and the W-Client.

    The password for AUTHENTICATION is between RADIUS and AP.



  • Quite easy photo, but it's written in Finnish



  • ah ok, but where I save my wpa key if the secret share is for the client auth?


Log in to reply