Tuesday, September 30, 2008

Building Wireless Perimeter With WPA2 and RADIUS

Most of the KISS (Keep It Simple, Stupid) steps are explained in an article by SmallNetBuilder. However, those guides did not work out of the box for me; I'll get to that below.

Let's start with my system setup:
1. Slamd64 12.1
2. Freeradius 1.1.7
3. OpenSSL 0.9.8g (comes with Slamd64 12.1)

Now, to the quirks of building FreeRADIUS 1.1.7. I did not manage to compile FreeRADIUS with a plain ./configure and make on Slamd64. Since I only need EAP-TLS support, I build it with the following commands:

./configure --prefix=/usr --libdir=/usr/lib64 --sysconfdir=/etc --mandir=/usr/man \
--enable-strict-dependencies --without-rlm_dbm --without-rlm_krb5 --without-rlm_pam \
--without-rlm_sql_postgresql

make

As you can see, Kerberos, PAM, DBM, and PostgreSQL support are disabled. None of them is needed in this setup, so that is not a problem.

The next quirk is in the wpa_supplicant configuration file. Be especially careful with the entries you put in the certificate-related fields. Below is the relevant snippet from the wpa_supplicant configuration file on my laptop.

# WPA2-EAP/CCMP using EAP-TLS
network={
ssid="your_ap_ssid"
key_mgmt=WPA-EAP
proto=RSN
identity="your_machine_common_name"
pairwise=CCMP
group=CCMP
eap=TLS
ca_cert="/etc/wireless/cacert.pem"
private_key="/etc/wireless/linux_laptop.p12"
private_key_passwd="your_secret_pkcs12_password"
}

In the snippet above, the laptop (a user in RADIUS vocabulary) keeps its certificate and private key lumped together in a PKCS#12 file for Windows compatibility. This is not needed on Linux; there you can keep the certificate and the private key in separate files with the following configuration:

# WPA2-EAP/CCMP using EAP-TLS
network={
ssid="your_ap_ssid"
key_mgmt=WPA-EAP
proto=RSN
identity="your_machine_common_name"
pairwise=CCMP
group=CCMP
eap=TLS
ca_cert="/etc/wireless/cacert.pem"
client_cert="/etc/wireless/linux_laptop_cert.pem"
private_key="/etc/wireless/linux_laptop_key.pem"
private_key_passwd="your_private_key_password"
}

If you compare the two configurations carefully, you will notice that their passwords differ. The former uses the password you entered when creating the PKCS#12 file, while the latter uses the passphrase you entered when creating the private key. These are different passwords, and for a RADIUS newbie this can easily become a problem. Therefore, as always, run FreeRADIUS in debug mode (radiusd -X) until you have a working configuration.
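To catch these mismatches before testing over the air, here is a small checker I added for this post (it is not part of the original article or of wpa_supplicant): it parses the network blocks of a wpa_supplicant.conf, flags a PKCS#12 key paired with a redundant client_cert, a PEM key without its client_cert, and a missing ca_cert (which would leave the RADIUS server's certificate unverified), and checks that a file holding a key password is not readable by other users. The sample configuration is constructed inline, with the post's PKCS#12 block followed by a deliberately broken one.

```python
import re
import stat

# Constructed sample conf: the post's PKCS#12 block, then a broken one (PEM key, no client_cert, no ca_cert).
SAMPLE_CONF = (
    'network={\nssid="your_ap_ssid"\nkey_mgmt=WPA-EAP\neap=TLS\n'
    'ca_cert="/etc/wireless/cacert.pem"\n'
    'private_key="/etc/wireless/linux_laptop.p12"\n'
    'private_key_passwd="your_secret_pkcs12_password"\n}\n'
    'network={\nssid="broken_ap"\nkey_mgmt=WPA-EAP\neap=TLS\n'
    'private_key="/etc/wireless/linux_laptop_key.pem"\n'
    'private_key_passwd="your_private_key_password"\n}\n'
)

def parse_networks(text):
    """Return one dict per network={...} block, with quoted values unquoted."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\}", text, re.S):
        net = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, _, value = line.partition("=")
                net[key.strip()] = value.strip().strip('"')
        nets.append(net)
    return nets

def lint_eap_tls(net):
    """List the configuration problems in one EAP-TLS network block."""
    problems = []
    if net.get("key_mgmt") != "WPA-EAP" or net.get("eap") != "TLS":
        problems.append("not an EAP-TLS block")
    if not net.get("ca_cert"):
        problems.append("ca_cert missing: RADIUS server certificate would go unverified")
    key = net.get("private_key", "")
    if not key:
        problems.append("private_key missing")
    elif key.lower().endswith((".p12", ".pfx")):
        if "client_cert" in net:
            problems.append("client_cert is redundant with a PKCS#12 private_key")
    elif "client_cert" not in net:
        problems.append("PEM private_key needs a matching client_cert entry")
    if not net.get("private_key_passwd"):
        problems.append("private_key_passwd missing")
    return problems

def mode_is_private(st_mode):
    """True when 'other' users have no access bits (pass os.stat(path).st_mode)."""
    return stat.S_IMODE(st_mode) & stat.S_IRWXO == 0
```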

Also, pay attention to the file permissions on the FreeRADIUS configuration files, because they can easily become a problem. If you run the FreeRADIUS daemon as nobody (as explained in the SmallNetBuilder tutorial), set the group of the configuration files to nobody so that FreeRADIUS can read them when it runs, and remove the read, write, and execute permissions for everyone else. This is the safer way.

This FreeRADIUS howto explains a much cleaner approach, if you are interested. It is a bit more complicated as well, but manageable for an average *NIX administrator or user.

In any case, by protecting your home wireless access point with RADIUS, you have established a strong enough perimeter against the malicious wannabes around your access point.