5.10.1. Radius Certificates Configuration

To be able to perform authentications through EAP, such as EAP-TLS or to be able to verify the identity of the servers by clients, it is necessary to configure the certificates in OpenNAC Enterprise.

[Figure: screenshot of the EAP certificates configuration]


When you deploy an ON Server from an OVA, the FreeRADIUS certificates it ships with have probably already expired, and “eapol_test” will fail until they are renewed.

By default, the files needed to configure the certificates of the RADIUS service are:

  • ca.pem: Certificate file containing the public CA used to perform EAP-TLS authentications. If a PKI chain is used, it is recommended to include all the CAs of the chain in this file, in the order End -> Intermediate -> Root:

-----BEGIN CERTIFICATE-----
    (Primary SSL certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
    (Intermediate certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
    (Root certificate)
-----END CERTIFICATE-----

  • server.pem: Server certificate, so that clients can verify the identity of the server. The file holds the private key followed by the certificate:

# Private key of the SSL certificate
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
# Server certificate (the public part of the SSL certificate)
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

5.10.1.1. Use an external CA certificate

If you have your own CA, you can use its certificates with FreeRADIUS.

  • First, remove the test certificates:

cd /etc/raddb/certs
make destroycerts

Warning

The “destroycerts” command will delete all certificates. Exercise extreme caution when executing this command on clients in a production environment, particularly when renewing certificates.

  • In the server.cnf file, modify the properties you need, paying special attention to the following ones:

vim server.cnf

  • default_days

  • input_password

  • output_password

  • countryName

  • stateOrProvinceName

  • localityName

  • organizationName

Note

Server properties (countryName, stateOrProvinceName, localityName and organizationName) have to match the CA certificate values.

  • Set the private_key_password property of the tls section in the /etc/raddb/mods-enabled/eap_opennac and /etc/raddb/mods-enabled/inner-eap_opennac files to the output_password value configured in the previous step.

  • Generate the CSR (certificate signing request) for the server certificate:

make server.csr

  • Send the generated server.csr file to your certificate authority to obtain the certificate. Remember to include the XP extensions so that the certificate can be used with Microsoft Windows clients.

  • Copy the server.pem file received from the Certificate Authority into the /etc/raddb/certs directory.

If you receive a server.crt instead of a server.pem, you can generate the server.pem file with the following commands (the password is read from the output_password property of server.cnf):

PASSWORD_SERVER=`grep output_password server.cnf | sed 's/.*=//;s/^ *//'`
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12  -passin pass:${PASSWORD_SERVER} -passout pass:${PASSWORD_SERVER}
openssl pkcs12 -in server.p12 -out server.pem -passin pass:${PASSWORD_SERVER} -passout pass:${PASSWORD_SERVER}

  • Obtain the public certificate of the Certificate Authority (the ca.pem file) and copy it into the /etc/raddb/certs directory; FreeRADIUS uses it to check the client certificates.

  • Prepare the dh and random files:

make dh
make random

  • Finally, set the right ownership on all the new files and restart the RADIUS server:

chown root:radiusd *
systemctl restart radiusd

5.10.1.2. Testing Mode Certificates

Warning

This section is for test purposes. It is not recommended to use this configuration in production environments.

You can perform the following steps to renew the certificates in test mode; be careful about applying them to a production deployment. The steps follow the indications in <raddb_dir>/certs/README.

  • First of all, go to the certificates folder and remove the old test certificates and the certificate counters:

cd /etc/raddb/certs
make destroycerts

Note

If you only want to regenerate one specific kind of certificate, remove the corresponding CRT and KEY files and set the property “unique_subject = no” in the index.txt.attr file, so that a certificate with an existing subject can be issued again.

  • Define the “default_days” property in each CNF file (ca, server and client) to set the validity period of the certificates. The default is 60 days. If you want, you can also modify the information related to the organization and the passwords.

  • Execute the bootstrap script to generate the CA and server certificates:

./bootstrap

  • Finally, set the right ownership on all the new files and restart the RADIUS server:

chown root:radiusd *
systemctl restart radiusd
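Before restarting radiusd at the end of either procedure above (external CA or test mode), it is worth checking the files that were just produced. The following POSIX shell function is an added example, not part of the OpenNAC documentation; it assumes the layout described in this section (server.pem holding the private key followed by the server certificate, ca.pem holding the chain in End -> Intermediate -> Root order) and an openssl binary on the PATH.

```shell
#!/bin/sh
# Added example (not OpenNAC's own code): pre-restart sanity checks for the
# FreeRADIUS certificate files described above. Assumes the layout from this
# section: server.pem = private key + server certificate, ca.pem = CA chain
# ordered End -> Intermediate -> Root. Needs openssl and awk on the PATH.
# Usage: check_raddb_certs /etc/raddb/certs [output_password]

# Print the n-th PEM certificate (1-based) found in a bundle file.
nth_cert() {
  awk -v n="$2" '/BEGIN CERTIFICATE/{c++} c==n{print} /END CERTIFICATE/{if(c==n)exit}' "$1"
}

check_raddb_certs() {
  dir="${1:-/etc/raddb/certs}"; pass="${2:-}"; rc=0
  fail() { echo "FAIL: $*"; rc=1; }

  # 1. server.pem must carry both blocks FreeRADIUS expects to find in it
  grep -q 'BEGIN .*PRIVATE KEY' "$dir/server.pem" || fail "server.pem: no private key block"
  grep -q 'BEGIN CERTIFICATE' "$dir/server.pem"   || fail "server.pem: no certificate block"

  # 2. An expired server certificate is what makes eapol_test fail on a fresh OVA
  openssl x509 -in "$dir/server.pem" -noout -checkend 0 >/dev/null 2>&1 \
    || fail "server.pem: certificate has expired"
  openssl x509 -in "$dir/server.pem" -noout -checkend 2592000 >/dev/null 2>&1 \
    || echo "WARN: server.pem: certificate expires within 30 days"

  # 3. The private key (protected by output_password, if any) must match the certificate
  k=$(openssl pkey -in "$dir/server.pem" -passin "pass:$pass" -pubout 2>/dev/null || true)
  c=$(openssl x509 -in "$dir/server.pem" -noout -pubkey 2>/dev/null || true)
  [ -n "$k" ] && [ "$k" = "$c" ] || fail "server.pem: private key does not match certificate"

  # 4. The server certificate must chain to the CA file the supplicants will trust
  openssl x509 -in "$dir/server.pem" 2>/dev/null \
    | openssl verify -CAfile "$dir/ca.pem" >/dev/null 2>&1 \
    || fail "server.pem: does not verify against ca.pem"

  # 5. Chain order in ca.pem: each certificate must be issued by the one after it
  n=$(grep -c 'BEGIN CERTIFICATE' "$dir/ca.pem" || true); i=1
  while [ "$i" -lt "$n" ]; do
    iss=$(nth_cert "$dir/ca.pem" "$i" | openssl x509 -noout -issuer)
    sub=$(nth_cert "$dir/ca.pem" $((i + 1)) | openssl x509 -noout -subject)
    [ "${iss#issuer=}" = "${sub#subject=}" ] \
      || fail "ca.pem: certificate $i is not issued by certificate $((i + 1)) (check the order)"
    i=$((i + 1))
  done
  return "$rc"
}
```

The function exits non-zero and prints one line per failing check, so it can be run by hand or placed in front of the systemctl restart.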

5.10.1.2.1. Making a client certificate

  • To generate client certificates, you have to set a unique emailAddress and commonName in the client.cnf file:

vim client.cnf

And generate the certificate with the following command:

make client.pem

Note

The user's certificate will be written to “<emailAddress>.pem”, e.g. “user@example.com.pem”.

To create another client certificate, just repeat the steps for making a client certificate. Be sure to enter a different login name for “commonName”, and a different password.