Radius Certificate Configuration

FreeRadius certificates

When you deploy an openNAC server from an OVA, the FreeRADIUS certificates have probably expired, and “eapol_test” will fail.

Renewal of certificates

You can follow the steps below to renew the certificates in testing mode; take care when you apply them to a production system. We have followed the instructions in <raddb_dir>/certs/README.

First of all, go to the certificates folder and remove the old test certificates and the certificate counters:

cd /etc/raddb/certs
rm -f *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt*

Or run the destroycerts make target:

cd /etc/raddb/certs
make destroycerts

If you only want to regenerate one specific kind of certificate, remove the corresponding CRT and KEY files and set “unique_subject = no” in the index.txt.attr file, so that a certificate for an existing subject can be reissued.

Set the “default_days” property in each CNF file (ca, server or client) to define the validity period of the certificates. By default, 60 days is configured. Optionally, you can also modify the organization information and the passwords.

Run the bootstrap script to generate the CA and server certificates:

./bootstrap

To generate client certificates, set a unique emailAddress and commonName in the client.cnf file, then generate the certificate with the following commands:

make client
cp client.p12 `grep emailAddress client.cnf | grep '@' | sed 's/.*=//;s/^ *//'`.p12

Finally, give all the new files the right ownership and restart the RADIUS server:

chown root:radiusd *
service radiusd restart

Use an external CA certificate

If you have your own CA certificate, you can use it with FreeRADIUS.

As in the previous section, you have to remove the old test certificate information:

cd /etc/raddb/certs
make destroycerts

In the server.cnf file, modify all the properties you consider necessary, taking special care with the following:

  • default_days
  • input_password
  • output_password
  • countryName
  • stateOrProvinceName
  • localityName
  • organizationName

Set the private_key_password property in the tls section of the /etc/raddb/eap.conf and /etc/raddb/modules/inner-eap files to the output_password value you indicated previously.

Generate the CSR file for the server certificate:

make server.csr

Send the generated server.csr file to your certificate authority in order to obtain the certificate. Remember to include the XP extensions for use with Microsoft Windows. If you have to issue the server certificate yourself, using your CA certificate and OpenSSL, you can use these commands:

cat >xpext.txt<<EOF
[ xpserver_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF
PASSWORD_CA=`grep output_password ca.cnf | sed 's/.*=//;s/^ *//'`
openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr  -key ${PASSWORD_CA} -out server.crt -extensions xpserver_ext -extfile xpext.txt -config ./server.cnf

Once you receive the server.crt file from the Certificate Authority, copy it into the /etc/raddb/certs directory. Then you can generate the server.pem file with the following commands:

PASSWORD_SERVER=`grep output_password server.cnf | sed 's/.*=//;s/^ *//'`
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12  -passin pass:${PASSWORD_SERVER} -passout pass:${PASSWORD_SERVER}
openssl pkcs12 -in server.p12 -out server.pem -passin pass:${PASSWORD_SERVER} -passout pass:${PASSWORD_SERVER}

From the Certificate Authority you also need the public CA certificate, for example the ca.pem file; copy it into the /etc/raddb/certs directory so that FreeRADIUS can use it to check the client certificates.

Prepare the dh and random files:

make dh
make random

Finally, give all the new files the right ownership and restart the RADIUS server:

chown root:radiusd *
service radiusd restart
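Whichever of the two procedures above you followed, it is worth verifying the result before clients start failing again. The following script is an added example, not part of the openNAC documentation: it checks ca.pem, server.pem and client.pem for expiry (the cause of the eapol_test failure mentioned at the top), confirms the server certificate carries the XP extendedKeyUsage 1.3.6.1.5.5.7.3.1, and verifies that server.pem chains to ca.pem. It assumes the openssl CLI is installed; CERT_DIR and WARN_DAYS are hypothetical variables defaulting to the page's /etc/raddb/certs path and 14 days.

```shell
#!/bin/sh
# Added example, not from the openNAC docs: sanity-check /etc/raddb/certs after
# renewal. Assumes the openssl CLI; CERT_DIR and WARN_DAYS are hypothetical.

# Succeed if the first certificate in FILE is still valid SECONDS from now.
cert_valid_for() {   # FILE SECONDS
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Succeed if FILE carries EKU 1.3.6.1.5.5.7.3.1 (TLS Web Server
# Authentication), the "XP extension" Windows clients expect.
cert_has_server_eku() {   # FILE
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -q 'TLS Web Server Authentication'
}
# Succeed if CERT verifies against the CA certificate in CAFILE.
cert_chains_to_ca() {   # CERT CAFILE
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Report on ca.pem, server.pem and client.pem in DIR, warning WARN_DAYS before
# expiry; return the number of problems found (0 = all good).
check_raddb_certs() {   # DIR WARN_DAYS
    dir="$1"; days="${2:-14}"; problems=0
    for name in ca server client; do
        f="$dir/$name.pem"
        if [ ! -f "$f" ]; then
            echo "MISSING  $f"; problems=$((problems + 1))
        elif ! cert_valid_for "$f" 0; then
            echo "EXPIRED  $f"; problems=$((problems + 1))
        elif ! cert_valid_for "$f" $((days * 86400)); then
            echo "EXPIRING $f (within $days days)"; problems=$((problems + 1))
        else
            echo "OK       $f"
        fi
    done
    if [ -f "$dir/server.pem" ] && ! cert_has_server_eku "$dir/server.pem"; then
        echo "NO-EKU   $dir/server.pem"; problems=$((problems + 1))
    fi
    if [ -f "$dir/server.pem" ] && [ -f "$dir/ca.pem" ] &&
       ! cert_chains_to_ca "$dir/server.pem" "$dir/ca.pem"; then
        echo "NO-CHAIN $dir/server.pem vs $dir/ca.pem"; problems=$((problems + 1))
    fi
    return "$problems"
}
if [ -d "${CERT_DIR:-/etc/raddb/certs}" ]; then   # run the report if the dir exists
    check_raddb_certs "${CERT_DIR:-/etc/raddb/certs}" "${WARN_DAYS:-14}" ||
        echo "$? problem(s) found; renew the certificates as described above"
fi
```

The exit status of check_raddb_certs is the number of problems, so the script can be scheduled from cron and alert well before the 60-day default validity runs out.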

Install CA certificate on Windows

To avoid having to deselect the option “Validate server certificate” in “Protected EAP Properties”, as shown in step 4 of the Setup 802.1x clients document, you can install the CA certificate on the Windows client and enable it as a “Trusted Root Certification Authority” by following these steps:

  • From the Windows client, access the ca.der file or copy it locally.
  • Double-click the file, open the certificate properties and install the certificate from there using the “Certificate Import Wizard”. In this wizard, specify the “Certificate store” as “Trusted Root Certification Authorities”.
  • Once installed, you can modify the 802.1x connection: select “Validate server certificate”, deselect “Connect to these servers” (or specify the list of allowed servers) and select the imported CA as a trusted root certification authority. If you don’t select the new trusted root CA, a window will appear the first time the user connects, asking to validate this CA.

Use client certificate on Windows

To use a client certificate with 802.1x connections on a Windows machine, you have to import the certificate and configure the 802.1x connection to use it.

First of all, access the client.p12 file; double-clicking it opens the “Certificate Import Wizard”. Enter the password used when the certificate was created (output_password in the client.cnf file) and do not select the option “Enable strong private key protection”. Finally, store it in the “Personal” store or choose “Automatically select the certificate store based on the type of certificate”.

Once installed, in the 802.1x connection properties you can select “Smart Card or other Certificate” as the “Network authentication method” in order to use “Protected EAP”, and configure these properties: select the option “Use a certificate on this computer”. If you have installed the CA certificate, you can leave “Validate server certificate” selected, as described in the previous section. Depending on the commonName specified in the client certificate, you may have to allow this value to be changed as the user name when the connection is established, by selecting “Use a different user name for the connection”.