7.10. RADIUS CRLs in Certificate Based Authentications

In cases where authentication is based on certificates, the use of CRLs is usually necessary. They allow us to deny access to users whose certificates have been revoked by the CA.

These revocation lists must be configured correctly, and it must be very clear how they work in each scenario.

7.10.1. Configuring the CRL in RADIUS

To configure the CRLs in the RADIUS module, proceed by following these steps:

  1. Add the CRL file linked to the CA that is used for authentication to the directory where the radius certificates are kept, by default:

/etc/raddb/certs/

If you have direct access to the file, you can send it to the OpenNAC servers using scp and add it to the indicated folder.

If you want to obtain the CRL from the certificate revocation list distribution point, you can obtain the download URL for your CA with the following command:

openssl asn1parse -in /etc/raddb/certs/ca.pem | grep -A 1 'X509v3 CRL Distribution Points' | tail -1 | cut -d: -f 4 | cut -b21- | perl -ne 's/(..)/print chr(hex($1))/ge; END {print "\n"}'

To obtain it, perform a wget of that URL (adding authentication if the distribution point requires it) and move the downloaded file to the path specified above.

  2. Make sure that all the certificates in the directory have the correct permissions so that the RADIUS service can use them:

chown root:radiusd /etc/raddb/certs/*

  3. Once we have the CA and the CRL in that directory, execute the following command to make the link between them:

openssl rehash /etc/raddb/certs/

  4. Activate the CRL check in the RADIUS modules. For this, uncomment the following line in the files:

  • /etc/raddb/mods-available/eap_opennac

  • /etc/raddb/mods-available/inner-eap_opennac

check_crl = yes

Warning

If we want to allow the use of expired CRLs (not recommended), set the following line in the same files:

allow_expired_crl = yes

  5. Restart the RADIUS service:

systemctl restart radiusd

At this point, certificates that appear as revoked in the CRL are no longer valid and can no longer authenticate in OpenNAC.

Organizations publish updated CRLs on a recurring basis so that the list does not go out of date and always contains the certificates revoked so far. To guarantee that we always have an up-to-date CRL, it is highly recommended to follow the steps in the next section.

7.10.2. Automatic update of CRLs

Since CRLs must be kept up to date so that the latest certificate revocations are available and the installed CRL does not expire, it is advisable to activate the automatic update of the CRLs.

To activate the automatic CRL update script, follow these steps:

  1. If the server hosting the CRL requires authentication to download it, configure the /usr/share/opennac/freeradius3-config/utils/.crlcreds.conf file with the corresponding user and password:

WGETUSER=user
WGETPASSW=password

  2. Configure cron to run the script automatically. For this, copy /usr/share/opennac/freeradius3-config/utils/opennac-radius to /etc/cron.d/opennac-radius:

cp -ipr /usr/share/opennac/freeradius3-config/utils/opennac-radius /etc/cron.d/opennac-radius

  3. Edit /etc/cron.d/opennac-radius if you want to change the script execution frequency:

0 3 * * * cd /usr/share/opennac/freeradius3-config/utils/; ./crl-update.sh > /dev/null 2>&1

  • The “-p” parameter of the script lets us set the CRL Distribution Point URL manually, in case we want to use one other than the one defined in the CA.

  • The “-c” parameter of the script lets us set the CA file manually, in case we want to use one other than the default.

  • The “-d” parameter of the script lets us set the certificates directory manually, in case we want to use one other than the default.

  4. If we want to validate the CRL Distribution Point of the CA, run the script with the “-i” parameter to get information about the CRL Distribution Point of the currently defined CA and the current CRL dates:

[root@23-principal-01 ~]# bash /usr/share/opennac/freeradius3-config/utils/crl-update-v2.sh -i
STARTING CRL UPDATE [20230504_114308] ...

CRL Distribution Points: http://10.10.39.254:10080/mycrl/mycrl.pem

You can see the logs related to the execution of this script in /var/log/opennac/radius-crlupdate.log
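As an added example (not OpenNAC's crl-update.sh), the following script performs the download-and-install steps of the two sections above with two checks the manual steps do not make explicit: the downloaded CRL is installed only if it is signed by the configured CA and its nextUpdate has not passed, so a tampered or stale CRL is rejected and the current one kept. It assumes openssl, curl and GNU date on the radius server; the ca.crl.pem file name, the environment variables and the `run` argument are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not OpenNAC's crl-update.sh: refresh the RADIUS CRL only when
# the downloaded file is signed by our CA and has not passed its nextUpdate.
# Assumes openssl, curl, GNU date; paths and ca.crl.pem are assumed defaults.
set -euo pipefail

CERTS_DIR="${CERTS_DIR:-/etc/raddb/certs}"
CA_FILE="${CA_FILE:-$CERTS_DIR/ca.pem}"
CRL_FILE="${CRL_FILE:-$CERTS_DIR/ca.crl.pem}"

# Print the first CRL Distribution Point URI carried by the CA certificate.
cdp_url() {
  openssl x509 -in "$1" -noout -ext crlDistributionPoints \
    | sed -n '/URI:/{s/.*URI:\([^ ,]*\).*/\1/p;q;}'
}

# Succeed only if $2 is a PEM CRL signed by CA $1 with nextUpdate in the future.
# "verify OK" goes to stderr and the exit status is unreliable, so match output.
crl_acceptable() {
  local ca="$1" crl="$2" out next_update
  out=$(openssl crl -in "$crl" -noout -CAfile "$ca" 2>&1) || return 1
  case "$out" in *"verify OK"*) ;; *) return 1 ;; esac
  next_update=$(openssl crl -in "$crl" -noout -nextupdate | cut -d= -f2-)
  [ -n "$next_update" ] || return 1
  [ "$(date -d "$next_update" +%s)" -gt "$(date +%s)" ]
}

# Download, validate and atomically install the CRL, then rehash and restart
# as in the manual steps. A rejected download leaves the current CRL untouched.
refresh_crl() {
  local url tmp
  url=$(cdp_url "$CA_FILE")
  [ -n "$url" ] || { echo "no CRL Distribution Point in $CA_FILE" >&2; return 1; }
  tmp=$(mktemp "$CERTS_DIR/.crl.XXXXXX")
  curl -fsS --max-time 30 -o "$tmp" "$url" || { rm -f "$tmp"; return 1; }
  # Some distribution points serve DER; convert to PEM so openssl rehash sees it.
  if ! openssl crl -in "$tmp" -noout >/dev/null 2>&1 \
     && openssl crl -in "$tmp" -inform DER -out "$tmp.pem" 2>/dev/null; then
    mv -f "$tmp.pem" "$tmp"
  fi
  if ! crl_acceptable "$CA_FILE" "$tmp"; then
    echo "rejected CRL from $url (bad signature or expired); keeping current one" >&2
    rm -f "$tmp" "$tmp.pem"; return 1
  fi
  chown root:radiusd "$tmp" && chmod 0640 "$tmp"
  mv -f "$tmp" "$CRL_FILE"   # same filesystem, so the replace is atomic
  openssl rehash "$CERTS_DIR"
  systemctl restart radiusd
}
if [ "${1:-}" = "run" ]; then refresh_crl; fi
```

Run it as root with the `run` argument from the cron entry in place of crl-update.sh, or source it and call crl_acceptable against a CRL obtained by hand before copying it into /etc/raddb/certs/.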