Solutions to freeRADIUS TLS “Certificate Compatibility” Issue

Posted: January 6th, 2011 | Filed under: freeRADIUS | 1 Comment

Christmas and the New Year's celebrations came and went in a blur! I had quite a few parties at my place over the holidays, and in this day and age guests often want access to your wifi network. Instead of giving away my PSK, I decided to try freeRADIUS and assign each guest a one-day TLS certificate instead.

freeRADIUS is a very configurable system. However, that also means the configuration files are quite daunting for the uninitiated. I highly recommend setting up a system under any virtualization software and keeping snapshots at each step.

When I first researched how to set up freeRADIUS, I followed instructions like this. I didn't grasp the importance of generating the SSL certificates correctly, and the wrong configuration options will cause problems down the line.

Everything went smoothly until I started sending TLS requests for authentication. When running in debug mode I encountered:

WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0x34567a5d346e47c0a8c did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Sending Access-Challenge of id 0 to 192.168.168.168 port 2050
  EAP-Message = 0x010100060d20
  Message-Authenticator = 0x00000000000000000000000000000000
  State = 0x34567a5d346e47c0a8c

If everything works, it should also show:

  Sending Access-Accept of id 0 to 192.168.1.168 port 2050
  Framed-IP-Address := 192.168.1.18
  MS-MPPE-Recv-Key = 0x2abc7be1c8bfdcf2214bb36a983b1ccbebf38f3ce03a30a71fe01c1e0d5a6148
  MS-MPPE-Send-Key = 0x5d218788c3c05366d75af398a722525fed8f1bae97d002a32fa92e2daf878444
  EAP-Message = 0x010100060d20
  Message-Authenticator = 0x00000000000000000000000000000000
  User-Name = "godwin"

I have to say the responses on the freeRADIUS mailing list and wiki are rather terse. They don't really tell you what's wrong. What's wrong is that the certificates were formatted incorrectly, so the server never sends the Access-Accept message that indicates the connection has been made. (Obvious once I knew what to look for, but since there is no explicit error message it takes a while to figure out.) In the end I finally figured it out: the certificate generation instructions change quite often, and the website I was referencing was written for an older version!
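Because success is only visible as the presence of an Access-Accept, it helps to have a check that reads the debug output for you. The script below is an added example written for this post (not part of freeRADIUS): it scans a debug (-X) log for the "did not finish" warning, attributes each one to the peer named in the Access-Challenge that follows it, and lists the users that did receive an Access-Accept. The sample log it writes is constructed from the lines quoted above, with one extra successful session added.

```shell
#!/bin/sh
# Added example, not from the post or from freeRADIUS: scan a debug (-X) log
# for the outcome the post describes. Success is only visible as an
# Access-Accept; a certificate problem shows up as the "did not finish" warning
# followed by yet another Access-Challenge. The sample log is constructed.
set -eu

# Prints one summary line:
#   challenges=N accepts=N unfinished=N unfinished_from=ADDR:PORT,... accepted_users=U,...
eap_log_summary() {   # $1 = log file
    awk '
        /^ *Sending / { in_accept = 0 }
        /EAP session for state .* did not finish/ { unfinished++; pending = 1 }
        /Sending Access-Challenge of id/ {
            challenges++
            # The warning precedes the Access-Challenge that restarts the
            # exchange ("... to ADDR port PORT"), so attribute it to that peer.
            if (pending) { peers = peers (peers ? "," : "") $7 ":" $9; pending = 0 }
        }
        /Sending Access-Accept of id/ { accepts++; in_accept = 1 }
        in_accept && /User-Name = / { gsub(/"/, "", $3); users = users (users ? "," : "") $3 }
        END {
            printf "challenges=%d accepts=%d unfinished=%d unfinished_from=%s accepted_users=%s\n",
                   challenges, accepts, unfinished, peers, users
        }
    ' "$1"
}

# Verdict from the summary: OK (nothing unfinished, at least one accept),
# NO_ACCEPT (no Access-Accept at all, the symptom the post traces to bad
# certificates) or MIXED (some peers succeed, some never finish).
eap_log_verdict() {   # $1 = log file
    summary=$(eap_log_summary "$1")
    accepts=${summary#*accepts=};       accepts=${accepts%% *}
    unfinished=${summary#*unfinished=}; unfinished=${unfinished%% *}
    if [ "$unfinished" -eq 0 ] && [ "$accepts" -gt 0 ]; then echo OK
    elif [ "$accepts" -eq 0 ]; then echo NO_ACCEPT
    else echo MIXED; fi
}

# Constructed sample log (modelled on the debug lines quoted in the post; the
# second session and its State value are made up for the example).
write_sample_log() {   # $1 = output file
    cat > "$1" <<'EOF'
WARNING: !! EAP session for state 0x34567a5d346e47c0a8c did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
Sending Access-Challenge of id 0 to 192.168.168.168 port 2050
  EAP-Message = 0x010100060d20
  State = 0x34567a5d346e47c0a8c
Sending Access-Challenge of id 5 to 192.168.1.168 port 2050
  State = 0x0102030405060708
Sending Access-Accept of id 6 to 192.168.1.168 port 2050
  Framed-IP-Address := 192.168.1.18
  EAP-Message = 0x010100060d20
  User-Name = "godwin"
EOF
}

if [ "${1:-}" = "--demo" ]; then   # sh eaplog.sh --demo
    log=$(mktemp); write_sample_log "$log"
    eap_log_summary "$log"; eap_log_verdict "$log"
    rm -f "$log"
fi
```

On a real server, run it as `eap_log_summary /path/to/radius-debug.log` after `freeradius -X` (or `radiusd -X`) has been capturing; a verdict of NO_ACCEPT together with a non-empty unfinished_from list is exactly the situation the post describes, and the peer address tells you which NAS the failing supplicant is behind.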

Here is what you want to do in an ideal situation.
1. Install OpenSSL.
2. Do not configure OpenSSL yet!
3. Install freeRADIUS.
4. Figure out which freeRADIUS version you are using (for me it is 2.1.10).
5. Go either to github (the website that hosts the freeRADIUS source code) or to your source directory.
6. Copy bootstrap (a script that will configure your CA if you want), all the cnf files and the xpextensions file into your Certificate Authority directory (assuming you are cheap like me and are going to self-sign and be your own Certificate Authority).
7. The certificate generation commands are in the bootstrap script, so study it.
8. Edit the cnf files. I also created a guest.cnf file so it will generate one-day passes.

Here are the commands I used to generate the certificates (this works for version 2.1.10). I kept my cert files in the /ca directory.

To generate the CA (I picked 1825 days, which is 5 years, because I think it is reasonable; adjust to taste):

openssl req -config /ca/ca.cnf -new -x509 -extensions v3_ca -keyout /ca/private/ca.key -out /ca/certs/ca.crt -days 1825

To generate the server key and certificate (the first command generates a request, the second signs it):

openssl req -config server.cnf -new -nodes -keyout private/server.key -out server.csr -days 1825
openssl ca -config server.cnf -policy policy_anything -out certs/server.crt -infiles server.csr

Use the following command to verify that your certificates were generated correctly:

openssl verify -purpose sslserver -CAfile /ca/certs/ca.crt /ca/certs/certificatename.crt

Add the file locations into your /etc/freeradius/eap.conf file.

Now you can have your guests generate their certificate requests. Use the following command to sign each request and return the certificate to the guest.

openssl ca -config guest.cnf -policy policy_anything -out guests/guest.crt -extensions xpclient_ext -extfile xpextensions -infiles request.crt
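As an added, end-to-end example (not the post's own commands and not freeRADIUS's bootstrap script), the following shell script performs the same CA, server and one-day guest certificate flow in a scratch directory and then runs the checks worth doing before pointing eap.conf at the files: the openssl verify step from above for both the sslserver and sslclient purposes, a check that each certificate carries the extendedKeyUsage that the xpextensions sections add, and a check that a guest pass really expires within a day. The single ca.cnf it writes is a minimal stand-in for the ca.cnf, server.cnf, guest.cnf and xpextensions files (its xpserver_ext and xpclient_ext section names and EKU OIDs match the xpextensions file freeRADIUS ships); the subjects, file names and scratch directory are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the post or from freeRADIUS: CA -> server -> one-day
# guest certificate, then the checks worth running before editing eap.conf.
# Subjects, file names and the scratch directory are constructed for the example.
set -eu

# Minimal stand-in for ca.cnf/server.cnf/guest.cnf plus the xpextensions
# sections. Quoted heredoc: $dir is expanded by OpenSSL, not by the shell.
write_config() {   # $1 = working directory
    cat > "$1/ca.cnf" <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir            = .
database       = $dir/index.txt
new_certs_dir  = $dir/newcerts
serial         = $dir/serial
certificate    = $dir/certs/ca.crt
private_key    = $dir/private/ca.key
default_md     = sha256
default_days   = 1825
policy         = policy_anything
unique_subject = no
[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = req_dn
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints     = critical, CA:true
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
# Same section names and EKU OIDs as the freeRADIUS xpextensions file:
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
EOF
}

# Directory layout openssl ca expects, then the self-signed CA (5 years).
make_ca() {   # $1 = working directory
    mkdir -p "$1/certs" "$1/private" "$1/newcerts"
    : > "$1/index.txt"
    echo 01 > "$1/serial"
    write_config "$1"
    ( cd "$1" && openssl req -config ca.cnf -new -x509 -nodes -extensions v3_ca \
        -subj "/CN=Example Guest CA" -keyout private/ca.key -out certs/ca.crt \
        -days 1825 2>/dev/null )
}

# Request then sign: $1 = dir, $2 = name (used as CN), $3 = extension section, $4 = days.
issue_cert() {
    ( cd "$1" &&
      openssl req -config ca.cnf -new -nodes -subj "/CN=$2" \
          -keyout "private/$2.key" -out "$2.csr" 2>/dev/null &&
      openssl ca -config ca.cnf -batch -policy policy_anything -days "$4" \
          -extensions "$3" -notext -in "$2.csr" -out "certs/$2.crt" 2>/dev/null )
}

build_pki() {   # $1 = working directory
    make_ca "$1"
    issue_cert "$1" server xpserver_ext 1825     # long-lived server certificate
    issue_cert "$1" guest-alice xpclient_ext 1   # one-day guest pass
}

# The post's verify step; prints OK or FAIL and returns the matching status.
verify_cert() {   # $1 = dir, $2 = sslserver|sslclient, $3 = certificate
    if openssl verify -purpose "$2" -CAfile "$1/certs/ca.crt" "$3" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL; return 1
    fi
}

# Windows supplicants require the server certificate to carry the TLS Web
# Server Authentication EKU (what xpserver_ext adds); confirm it is present.
has_eku() {   # $1 = certificate, $2 = EKU name as printed by openssl x509 -text
    openssl x509 -noout -text -in "$1" | grep -q "$2"
}

# Returns 0 if the certificate expires within $2 seconds (a one-day pass should).
expires_within() {   # $1 = certificate, $2 = seconds
    ! openssl x509 -noout -checkend "$2" -in "$1" >/dev/null 2>&1
}

if [ "${1:-}" = "--demo" ]; then   # sh guestpki.sh --demo
    work=$(mktemp -d)
    build_pki "$work"
    verify_cert "$work" sslserver "$work/certs/server.crt"
    verify_cert "$work" sslclient "$work/certs/guest-alice.crt"
    echo "scratch PKI left in $work"
fi
```

The purpose checks are the useful part: a guest certificate signed with xpclient_ext passes `-purpose sslclient` but fails `-purpose sslserver`, so running both tells you whether a certificate was signed with the wrong extension section, which is the kind of mistake that produces the "did not finish" warning without any explicit error.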

One Comment on “Solutions to freeRADIUS TLS “Certificate Compatibility” Issue”

  1. 1 Random Notes » Blog Archive » Recipe for Installing FreeRADIUS 2.1.10 on Debian 5.0 said at 18:46 on January 6th, 2011:

    […] My earlier post about debugging certificate problems. […]

