Recipe for Compiling and Installing FreeRADIUS 2.1 on Debian 5 from source

Posted: January 6th, 2011 | Filed under: Debian, freeRADIUS, Virtual Box

With the advent of virtualization, I prefer to have virtual machines that perform one and only one function.
So instead of having one server that is my RADIUS server, file server and so on, I would rather have several virtual machines, each performing a single task.
To set up a FreeRADIUS server from source on Debian:
First, install Debian:

  1. Grab the latest netinst CD from debian.org.
  2. Install the base system (I think 3GB of disk space will be more than enough).
  3. Run apt-get update and apt-get upgrade to make sure you have the latest versions.
  4. Edit the network configuration, which is located at /etc/network/interfaces
  5. Install sudo
  6. Install openssh-server, so that you can ssh into the machine remotely.
  7. Save and Shutdown the VM.
  8. Replicate the VM via your virtualization software. We will use one copy to compile from source, and the other one to install.

Second, configure, compile and create the Debian packages.
Since we are using this as a one-off compile machine, we will compile as root.

  1. Grab the latest stable FreeRADIUS source code from the website
  2. apt-get install bunzip2
  3. apt-get install fakeroot
  4. apt-get install dpkg-dev (this pulls in the whole development environment)
  5. apt-get build-dep freeradius (this grabs all the libraries required for the compile). Unlike in the official instructions, libssl-dev is downloaded automatically.
  6. apt-get install quilt
  7. run ./configure in the source directory
  8. run make to compile
  9. fakeroot dpkg-buildpackage -b -uc

Now you should have the following files one directory up:

freeradius_2.1.10+git_amd64.changes
freeradius_2.1.10+git_amd64.deb
freeradius-common_2.1.10+git_all.deb
freeradius-dbg_2.1.10+git_amd64.deb
freeradius-dialupadmin_2.1.10+git_all.deb
freeradius-iodbc_2.1.10+git_amd64.deb
freeradius-krb5_2.1.10+git_amd64.deb
freeradius-ldap_2.1.10+git_amd64.deb
freeradius-mysql_2.1.10+git_amd64.deb
freeradius-postgresql_2.1.10+git_amd64.deb
freeradius-server-2.1.10
freeradius-server-2.1.10.tar
freeradius-utils_2.1.10+git_amd64.deb
libfreeradius2_2.1.10+git_amd64.deb
libfreeradius-dev_2.1.10+git_amd64.deb

Third, install and configure your FreeRADIUS machine.

  1. Transfer the FreeRADIUS *.deb files from the compiling machine to the deployment machine.
  2. You can shutdown and delete the compiling virtual machine now.
  3. Create a directory for the Certificate Authority (I use /ca)
  4. Copy the files xpextensions, client.cnf, server.cnf, ca.cnf and bootstrap from the raddb/certs directory to the /ca directory
  5. Install OpenSSL by issuing the following command: apt-get install openssl openssl-blacklist ssl-cert libltdl3 libperl5.10
  6. Edit the *.cnf files and create the required certificates
  7. Note the path of the server certificate and key, and also the location of the CA certificate
  8. Run openssl dhparam -out dh 2048 in the ca directory (note the path)
  9. Also run dd if=/dev/urandom of=random count=2
  10. Install MySQL (optional, or any other database backend) by using this command: apt-get install mysql-server libmysqlclient15-dev
  11. Install libpcap0.8 (optional)
  12. Install the .deb files in the following order via the dpkg -i package.deb command:
    libfreeradius2_2.1.10+git_amd64.deb
    libfreeradius-dev_2.1.10+git_amd64.deb
    freeradius-common_2.1.10+git_all.deb
    freeradius_2.1.10+git_amd64.deb
    freeradius-mysql_2.1.10+git_amd64.deb (or the postgresql version)
    freeradius-utils_2.1.10+git_amd64.deb
    freeradius-dbg_2.1.10+git_amd64.deb
  13. Edit the eap.conf file in the /etc/freeradius directory and fill in the values noted in Step 7.
  14. Create a freerad user and a freerad group
  15. Add these two commands to the /etc/init.d/freeradius file:
    mkdir -p /tmp/radiusd
    chown freerad:freerad /tmp/radiusd

    Somewhere before the statement test -f $PROGRAM || exit 0 should be fine (mine is around line 23). This is needed for the option to verify the client certificate, which is set in eap.conf.

  16. Add an entry to clients.conf for the IP address of your AP, from which the TLS requests will come; the ipaddr variable is the IP address of your AP. The secret must be the same as the secret set on the AP. It is unrelated to anything else, so it can be a random phrase; it is shared only between the AP and the FreeRADIUS server and is not needed anywhere else.
    client wifi {
            ipaddr = 192.168.1.2
            secret = mysecretisnosecret
    #       shortname = linksys
            nastype = other
    }
  17. Set up MySQL (i.e. set the root password etc.), then run admin.sql, nas.sql, ippool.sql, schema.sql and cui.sql from /etc/freeradius/sql/mysql
  18. Set the password of the radius user and add the pertinent information to /etc/freeradius/sql.conf
  19. Add a test user sqltest with password testpassword to the radcheck table (attribute Cleartext-Password, op ==)
  20. Do your clean-up, i.e. create SSH keys for remote logins, etc.

Testing:

  1. Stop any running FreeRADIUS servers with /etc/init.d/freeradius stop
  2. Run the RADIUS server in debug mode: freeradius -X (note the capitalised X)
  3. Open another ssh window and issue radtest username password localhost 1812 testing123
    It should return something similar to this:

    Sending Access-Request of id 28 to 127.0.0.1 port 1812
      User-Name = "username"
      User-Password = "password"
      NAS-IP-Address = 67.213.65.132
      NAS-Port = 1812
    rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=28, length=26
      Framed-IP-Address = 192.168.1.2 (your ip)

    NAS-IP-Address is the address that the machine resolved as its own IP.

  4. If the FreeRADIUS server is not receiving your requests from your AP (e.g. you initiated 802.1X authentication but the AP reports that the server is not responding, AND there is no activity shown on the screen of freeradius -X), reset the AP!

Solutions to freeRADIUS TLS “Certificate Compatibility” Issue

Posted: January 6th, 2011 | Filed under: freeRADIUS

Christmas and the New Year's celebrations came and passed in a blur! I had quite a few parties at my place over the holidays, and in this day and age guests often want access to your wifi network. Instead of giving away my PSK, I decided to try freeRADIUS and assign each guest a one-day TLS certificate instead.

freeRADIUS is a very configurable system. However, that also means the configuration files are quite daunting for the uninitiated. I highly recommend setting up a system using any virtualization software and keeping snapshots at each step.

When I first researched how to setup freeRADIUS, I followed instructions like this. I didn’t grasp the importance of correct SSL certificate generation, and the wrong configuration options will cause problems down the line.

Everything went smoothly until I started to send TLS requests for authentication. When running in debug mode I encountered:

WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0x34567a5d346e47c0a8c did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Sending Access-Challenge of id 0 to 192.168.168.168 port 2050
  EAP-Message = 0x010100060d20
  Message-Authenticator = 0x00000000000000000000000000000000
  State = 0x34567a5d346e47c0a8c

If everything works, it should also show:

  Sending Access-Accept of id 0 to 192.168.1.168 port 2050
  Framed-IP-Address := 192.168.1.18
  MS-MPPE-Recv-Key = 0x2abc7be1c8bfdcf2214bb36a983b1ccbebf38f3ce03a30a71fe01c1e0d5a6148
  MS-MPPE-Send-Key = 0x5d218788c3c05366d75af398a722525fed8f1bae97d002a32fa92e2daf878444
  EAP-Message = 0x010100060d20
  Message-Authenticator = 0x00000000000000000000000000000000
  User-Name = "godwin"

I have to say the responses on the freeRADIUS mailing list and wiki are rather terse. They don't really tell you what's wrong. What was wrong is that the certificates were formatted incorrectly, so the server never produces the Sending Access-Accept message, which is what indicates that the connection has been made. (Obvious once I knew what to look for, but since there is no explicit error message, it took a while to figure out.) In the end I finally figured it out: the certificate generation instructions change quite often, and the website I was referencing was for an older version!

Here is what you want to do in an ideal situation.
1. Install OpenSSL
2. Do not configure OpenSSL yet!
3. Install freeRADIUS
4. Figure out which freeRADIUS version you are using (for me it is 2.1.10).
5. Get the files either from GitHub (which hosts the freeRADIUS source code) or from your source directory.
6. Copy bootstrap (a script that will configure your CA for you if you want), all the .cnf files and the xpextensions file into your Certificate Authority directory (assuming you are cheap like me and are going to self-sign and be your own Certificate Authority).
7. The certificate generation commands are in the bootstrap script, so study it.
8. Edit the .cnf files; I have also created a guest.cnf file so that it generates one-day passes.

Here are the commands I used to generate the certificates (this works for version 2.1.10). I kept my cert files in the /ca directory.

To generate the CA (I picked 1825 days, which is 5 years, because I think it is reasonable; adjust to taste):

openssl req -config /ca/ca.cnf -new -x509 -extensions v3_ca -keyout /ca/private/ca.key -out /ca/certs/ca.crt -days 1825

To generate the server key and certificate (the first command generates a request, the second one signs it):

openssl req -config server.cnf -new -nodes -keyout private/server.key -out server.csr -days 1825
openssl ca -config server.cnf -policy policy_anything -out certs/server.crt -infiles server.csr

Use openssl verify -purpose sslserver -CAfile /ca/certs/ca.crt /ca/certs/certificatename.crt to verify that your certificates were generated correctly.

Add the file locations into your /etc/freeradius/eap.conf file.

Now you can get your guests to generate their certificate requests. Use the following command to sign their certificates and return them:

openssl ca -config guest.cnf -policy policy_anything -out guests/guest.crt -extensions xpclient_ext -extfile xpextensions -infiles request.crt
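As an added check that is not part of the original post, the script below verifies what the openssl verify command above does not: that a certificate carries the extendedKeyUsage the xpextensions sections (xpserver_ext for the server, xpclient_ext for guests) add, which Windows supplicants require before they will finish the EAP-TLS handshake. The demo CA, certificate names and temporary directory are constructed here for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: check an EAP-TLS certificate the way
# a Windows supplicant judges it. "openssl verify" alone is not enough: a server
# cert signed without "-extensions xpserver_ext -extfile xpextensions" still
# chains but lacks the extendedKeyUsage the supplicant expects. Paths are assumed.
# check_eap_cert CA_CRT CERT ROLE   (ROLE is "server" or "client")
# Returns 0 when CERT chains to CA_CRT for that purpose and carries the EKU.
check_eap_cert() {
    ca="$1"; crt="$2"; role="$3"
    case "$role" in
        server) purpose=sslserver; eku="TLS Web Server Authentication" ;;
        client) purpose=sslclient; eku="TLS Web Client Authentication" ;;
        *) echo "unknown role: $role"; return 2 ;;
    esac
    # Chain check as in the post, with the purpose matching the role.
    openssl verify -purpose "$purpose" -CAfile "$ca" "$crt" >/dev/null 2>&1 \
        || { echo "FAIL: $crt does not verify against $ca ($purpose)"; return 1; }
    # EKU check: the text dump spells out the OID that xpextensions sets.
    openssl x509 -in "$crt" -noout -text | grep -q "$eku" \
        || { echo "FAIL: $crt lacks extendedKeyUsage '$eku'"; return 1; }
    echo "OK: $crt ($role)"
}
# Constructed demo: throwaway CA, one server cert signed with xpserver_ext (as
# bootstrap does) and one without. Returns 0 if only the first passes the check.
demo_eku_check() {
    d=$(mktemp -d) || return 1
    # Minimal config: a v3_ca section like ca.cnf plus the two xpextensions sections.
    cat > "$d/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:true
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF
    openssl req -config "$d/ext.cnf" -new -x509 -extensions v3_ca -nodes -newkey rsa:2048 \
        -subj /CN=Demo-CA -days 2 -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1 || return 1
    openssl req -config "$d/ext.cnf" -new -nodes -newkey rsa:2048 -subj /CN=radius.example \
        -keyout "$d/server.key" -out "$d/server.csr" >/dev/null 2>&1 || return 1
    sign() { openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
                 -CAcreateserial -days 1 "$@" >/dev/null 2>&1; }
    sign -extfile "$d/ext.cnf" -extensions xpserver_ext -out "$d/good.crt" || return 1
    sign -out "$d/bad.crt" || return 1
    check_eap_cert "$d/ca.crt" "$d/good.crt" server || return 1
    if check_eap_cert "$d/ca.crt" "$d/bad.crt" server; then return 1; fi
    rm -rf "$d"
}
```

Run check_eap_cert /ca/certs/ca.crt /ca/certs/server.crt server (and the guest certs with client) after signing; the bad.crt case in the demo passes openssl verify yet fails the EKU check, which is exactly the situation the warning above describes.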