Install FreeRadius2 on a OpenWRT router for EAP authentication

Posted: January 8th, 2015 | Filed under: freeRADIUS, OpenWRT | No Comments »

This tutorial requires an OpenWRT based router (obviously). It is based on my experience installing FreeRadius2 on a Netgear WNDR3800. At the end of this, you get a router with a built-in FreeRADIUS server, PEAP encryption over wifi and user storage. I have had good experience with routers based on the Atheros AR7161 chipset. They are plenty quick, have plenty of RAM (usually at least 64MB – 128MB) and have 8 – 16MB of flash memory.
Prerequisites:
I recommend you do a few things first before you install FreeRADIUS2 and start configuring:

  • Login to the web interface of OpenWRT, go under System -> Startup and disable telnet. It is just good practice.
  • Unless you like editing files with vi on OpenWRT, install a text editor.
  • Install openssh-sftp-server, so you can transfer the key certificates and related files easily via sftp
  • ssh into your router and install OpenSSL utility by issuing:
    > opkg install openssl-util
  • Stay in the shell and create the CA and server certificates you are going to use with freeRADIUS. Skip this step if you already have an authenticated certificate; just upload it to a directory on the router you can remember.
  • Create the OpenSSL ca.cert and server.pem certificates:
    1. Create the directory structure: (if you store it in your etc directory, it will get backed up by the stock backup utility)

      > mkdir ~/CA && chmod 700 ~/CA && cd ~/CA
      > mkdir certs
      > mkdir newcerts
      > mkdir private
      > mkdir crl
      > touch index.txt
      > echo "01" > serial
      > echo "00" > crlnumber
    2. Copy /etc/ssl/openssl.cnf into the CA directory created above and edit it to your satisfaction (note the directory name). The directory variables in it should match the ones above.
    3. Create a file called xpextensions with the following content and leave it in the directory where you put openssl.cnf.

      [xpclient_ext]
      extendedKeyUsage = 1.3.6.1.5.5.7.3.2
      [xpserver_ext]
      extendedKeyUsage = 1.3.6.1.5.5.7.3.1
    4. Create the CA key and certificate, and link the key symbolically into the private dir (run from the CA directory; the link target is relative to private/, so it must point one level up):

      > openssl req -new -x509 -days 7300 -keyout cakey.pem -out cacert.pem -config openssl.cnf
      > ln -s ../cakey.pem private/cakey.pem
    5. Create the certificates (make sure you keep track of all the passwords, especially the in/out passwords at the last step; you need those for freeRADIUS’s config):

      > openssl req -config openssl.cnf -newkey rsa:4096 -keyout serverkey.pem -out servercert.req
      > openssl ca -config openssl.cnf -out servercert.pem -extensions xpserver_ext -extfile xpextensions -keyfile cakey.pem -infiles servercert.req
      > openssl pkcs12 -export -in servercert.pem -inkey serverkey.pem -out server.p12 -clcerts
      > openssl pkcs12 -in server.p12 -out server.pem
    6. Create the Certificate Revocation List, the DH parameters and the random file:

      > openssl ca -config openssl.cnf -gencrl -out crl.pem
      > openssl dhparam -text -5 1024 -out dh
      > dd if=/dev/random of=random bs=1M count=2
  • The default wpa package (wpad-mini) doesn’t support 802.1X enterprise encryption, so we need to install the full version of wpad.
    The step below is specific to routers that are based on the Atheros chipset, so consult the OpenWRT hardware list to make sure.
    Uninstall wpad-mini and install the full wpad. Some older instructions will say to install hostapd, but that has been deprecated since OpenWRT 7.0.3 (see here).

    > opkg remove wpad-mini
    > opkg install wpad
  • Optionally install SQLite3, in case you have quite a few users and want to do accounting etc.

    > opkg install sqlite3-cli libsqlite3

Installation:
Copy and paste the following into the ssh shell.

> opkg install freeradius2 freeradius2-common freeradius2-mod-chap freeradius2-mod-detail freeradius2-mod-eap freeradius2-mod-eap-md5 freeradius2-mod-eap-mschapv2 freeradius2-mod-eap-peap freeradius2-mod-eap-tls freeradius2-mod-eap-ttls freeradius2-mod-exec freeradius2-mod-files freeradius2-mod-logintime freeradius2-mod-mschap freeradius2-mod-pap freeradius2-mod-passwd freeradius2-mod-preprocess freeradius2-mod-radutmp freeradius2-utils

Also install the following if you want to use SQLite (I recommend this for test purposes for now).

> opkg install freeradius2-mod-sql freeradius2-mod-sql-sqlite freeradius2-mod-sqlcounter freeradius2-mod-sqllog

Small steps before configuration

  1. In LuCi, go under System -> Startup and click on the Enabled button to disable radiusd; if radiusd is running, click on Stop.
  2. ssh in and edit /etc/init.d/radiusd: replace or comment out the line radiusd -i $IPADDR -p 1812,1813 $OPTIONS and replace it with radiusd $OPTIONS.

The reasoning for step 1 is that you will want to run radiusd -XX (debug mode) while you are configuring and testing. We need step 2 because radiusd must also listen on localhost; we want to stop radiusd from listening only on our network IP address.

Configuration:
Unlike in the FreeRADIUS documentation, our configuration files are stored in the /etc/freeradius2 directory instead of /etc/raddb or /etc/freeradius/.

Here is the list of files you will need to modify:

  1. radiusd.conf
    In this section you configure the listening ports and IP address:

    listen {
        type = auth
        ipaddr = 127.0.0.1
        port = 0
        interface = br-lan
    }

    In the above example, type is required; ipaddr and interface are recommended. If they are not there, radiusd will try to make a best guess.

    • type can be auth or acct, which stand for authentication and accounting.
    • ipaddr is the IP address; since we are running the server locally, localhost is a must.
    • port is the port to listen on; 0 tells radiusd to use the system default (the radius entry in /etc/services).
    • interface is the name of the network interface you want radiusd to listen on; on OpenWRT, br-lan is the bridged LAN virtual interface.

    If you want other APs on your network to authenticate using this server, make another listen instance that listens on this server’s network address.

  2. eap.conf
    Since we are going to use PEAP, you just have to go to the tls {} section and fill in the relevant information, i.e.:

    • certdir is the directory where the server certificate lives (see above)
    • cadir is the directory where the CA certificate lives
    • private_key_password is the “out” password used in the last step of the server.pem generation.
    • private_key_file is the location of server.pem

    Make sure the files referenced in the lines after the above make sense.

  3. clients.conf
    This file stores the information on other APs or devices that might use this server for authentication. For our purposes, we will need localhost.

    client localhost {
        secret = SomeSecretPhrase
        require_message_authenticator = no
        nastype = other
    }

    You will need to enter the secret in the WiFi Security setup page.

    You can add other APs by their particular ip addresses.

  4. users
    This is the text file which stores users’ names and passwords in cleartext.

    "User name in quotes"    Cleartext-Password := "Password in quotes"
                             Reply-Message = "Hello, %{User-Name}",
                             Fall-Through = Yes

    Enable the Fall-Through option if you have other users after this one.

  5. sql.conf

    The setup is quite simple:

    sql {
      database = 'sqlite'
    }

    The default database always resides in /etc/freeradius2 and is called sqlite_radius_client_database.

    I don’t think SQLite is production ready yet for version 2 of freeRADIUS. You can grab the schema and SQL files from the 3.0.x source tree, particularly under the freeradius-server/raddb/mods-config/sql directory.

    Put the SQL files in a directory that you can access on OpenWRT. Use the .read command to read and execute the SQL files.

    Reference to SQLite CLI interface.
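The users file format shown in step 4 looks trivial but its quoting rules (user names and values in double quotes, reply items comma-continued on indented lines, a comma allowed inside a quoted Reply-Message) make hand-written audits error-prone. The Python script below is an added example, not code from the original post or from FreeRADIUS: a small parser for that format plus an audit that reports which entries carry a Cleartext-Password check item and which set Fall-Through, run over a constructed sample users file. The sample entries and all function names are my own.

```python
import re

# attribute, operator, value; two-character operators are listed before the
# bare "=" so the alternation does not stop early on ":=" or "=="
ITEM_RE = re.compile(r'^\s*([\w-]+)\s*(:=|==|\+=|!=|>=|<=|=~|!~|=\*|!\*|=)\s*(.*?)\s*$')

# constructed sample users file (not from the original post)
SAMPLE_USERS = '''\
# guests and a catch-all entry
"alice smith"    Cleartext-Password := "correct horse"
                 Reply-Message = "Hello, %{User-Name}",
                 Fall-Through = Yes

bob              Cleartext-Password := "hunter2"
                 Reply-Message = "Hello, %{User-Name}"

DEFAULT          Auth-Type := Reject
                 Reply-Message = "Unknown user"
'''


def split_items(text):
    """Split 'a = "x, y", b = z' on commas that are outside double quotes."""
    items, cur, in_quotes = [], "", False
    for ch in text:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            items.append(cur)
            cur = ""
        else:
            cur += ch
    items.append(cur)
    return [i.strip() for i in items if i.strip()]


def parse_item(item):
    """Turn 'Cleartext-Password := "secret"' into ("Cleartext-Password", ":=", "secret")."""
    m = ITEM_RE.match(item)
    if not m:
        raise ValueError("cannot parse item: %r" % item)
    attr, op, value = m.groups()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return attr, op, value


def parse_users(text):
    """Parse a FreeRADIUS users file into a list of entries.

    An entry starts at column 0 with the user name (quoted if it contains
    spaces) followed by check items; the indented lines after it carry the
    reply items.  Lines whose first non-blank character is '#' are comments
    (a '#' inside a quoted value is deliberately left alone).
    """
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():                      # continuation: reply items
            if not entries:
                raise ValueError("reply items before any user entry")
            entries[-1]["reply"].extend(parse_item(i) for i in split_items(raw))
            continue
        if raw.startswith('"'):                   # quoted user name
            end = raw.index('"', 1)
            name, rest = raw[1:end], raw[end + 1:]
        else:
            parts = raw.split(None, 1)
            name, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        entries.append({"name": name,
                        "check": [parse_item(i) for i in split_items(rest)],
                        "reply": []})
    return entries


def audit(entries):
    """Return (names storing a Cleartext-Password, names with Fall-Through = Yes)."""
    cleartext = [e["name"] for e in entries
                 if any(a == "Cleartext-Password" for a, _, _ in e["check"])]
    fall_through = [e["name"] for e in entries
                    if any(a == "Fall-Through" and v.lower() == "yes" for a, _, v in e["reply"])]
    return cleartext, fall_through


if __name__ == "__main__":
    parsed = parse_users(SAMPLE_USERS)
    for e in parsed:
        print(e["name"], e["check"], e["reply"])
    print("cleartext / fall-through:", audit(parsed))
```

Run it against your real file with parse_users(open("/etc/freeradius2/users").read()); the cleartext list is the set of accounts whose passwords a copy of the backup tarball would expose, which is worth knowing before you rely on the stock backup described at the end of this post.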

Configuring the Wifi interface:

    Go under Network -> Wifi in LuCi

  1. Select Wireless Security tab underneath Interface Configuration
  2. Select WPA2-EAP
  3. Enter the radiusd’s ip address in the Radius-Authentication-Server field
  4. Enter the secret (as you typed in clients.conf) in the Radius-Authentication-Secret field
  5. Click on Save and Apply

Test and Debug:
Open an ssh shell and type radiusd -XX. If the configuration is correct, a whole bunch of text will fly by and it ends by saying radiusd is listening; now you can try to get some of your wireless devices to connect, using the new WPA2-EAP or WPA2-Enterprise settings.

When you are happy with the setting go back to System -> Startup and enable radiusd.

Backup:
A note about the Backup function under System -> Backup/Flash: it only backs up the /etc directory. Keep that in mind, and back up your certificate directory separately.


Recipe for Compiling and Installing FreeRADIUS 2.1 on Debian 5 from source

Posted: January 6th, 2011 | Filed under: Debian, freeRADIUS, Virtual Box | No Comments »

With the advent of virtualization, I prefer to have virtual machines that perform one and only one function.
So instead of having one server that would be my RADIUS server, file server etc., I would rather have several virtual machines, each performing one task.
To set up a FreeRADIUS server from source on a Debian server:
First install Debian:

  1. Grab the latest netinst CD from debian.org.
  2. Install the base installation (I think 3GB of disk space will be more than enough).
  3. Run apt-get update and apt-get upgrade to make sure you have the latest version.
  4. Edit the network configuration, which is located at /etc/network/interfaces
  5. Install sudo
  6. Install openssh-server, so that you can ssh into the machine remotely.
  7. Save and Shutdown the VM.
  8. Replicate the VM via your virtualization software. We will use one copy to compile from source, and the other one to install.

Second, configure, compile and create the Debian packages.
Since we are using this as a one off compile machine, we will compile as root.

  1. Grab the latest stable FreeRADIUS source code from the website
  2. apt-get install bzip2 (the package that provides bunzip2)
  3. apt-get install fakeroot
  4. apt-get install dpkg-dev (this will get all of the development environment)
  5. apt-get build-dep freeradius (this will grab all the libraries required for the compile). Unlike in the official instructions, libssl-dev is downloaded automatically.
  6. apt-get install quilt
  7. run ./configure in the source directory
  8. run make to compile
  9. fakeroot dpkg-buildpackage -b -uc

Now you should have the following files one directory up.

freeradius_2.1.10+git_amd64.changes
freeradius_2.1.10+git_amd64.deb
freeradius-common_2.1.10+git_all.deb
freeradius-dbg_2.1.10+git_amd64.deb
freeradius-dialupadmin_2.1.10+git_all.deb
freeradius-iodbc_2.1.10+git_amd64.deb
freeradius-krb5_2.1.10+git_amd64.deb
freeradius-ldap_2.1.10+git_amd64.deb
freeradius-mysql_2.1.10+git_amd64.deb
freeradius-postgresql_2.1.10+git_amd64.deb
freeradius-server-2.1.10
freeradius-server-2.1.10.tar
freeradius-utils_2.1.10+git_amd64.deb
libfreeradius2_2.1.10+git_amd64.deb
libfreeradius-dev_2.1.10+git_amd64.deb

Third, install and configure your FreeRADIUS machine.

  1. Transfer the FreeRADIUS *.deb files from the compiling machine to the deployment machine.
  2. You can shutdown and delete the compiling virtual machine now.
  3. Create a directory for the Certificate Authority (I use /ca)
  4. Copy the files xpextensions, client.cnf, server.cnf, ca.cnf and bootstrap from the raddb/certs directory to the /ca directory
  5. Install OpenSSL by issuing the following command: apt-get install openssl openssl-blacklist ssl-cert libltdl3 libperl5.10
  6. Edit the *.cnf files and create the required certificates
  7. Note the path of the server certificate and keys, also the location of the ca certificate
  8. Run openssl dhparam -out dh 2048 in the ca directory (note the path)
  9. Also run dd if=/dev/urandom of=random count=2
  10. Install mysql (optional, or any database backend) by using this command: apt-get install mysql-server libmysqlclient15-dev
  11. Install libpcap0.8 (optional)
  12. Install the deb files in the following order via the dpkg -i package.deb command:
    libfreeradius2_2.1.10+git_amd64.deb
    libfreeradius-dev_2.1.10+git_amd64.deb
    freeradius-common_2.1.10+git_all.deb
    freeradius_2.1.10+git_amd64.deb
    freeradius-mysql_2.1.10+git_amd64.deb (or postgres version)
    freeradius-utils_2.1.10+git_amd64.deb
    freeradius-dbg_2.1.10+git_amd64.deb
  13. Edit the eap.conf file in the /etc/freeradius directory and put in the variables gained from Step 7.
  14. Create a freerad user and freerad group
  15. Add these 2 commands to the /etc/init.d/freeradius file:
    mkdir -p /tmp/radiusd
    chown freerad:freerad /tmp/radiusd

    Somewhere before the statement test -f $PROGRAM || exit 0 should be fine (mine is around line 23). This is needed for the option to verify the client certificate, which is located in eap.conf.

  16. Add an entry to clients.conf for the IP of the AP the TLS requests will be coming from; the ipaddr variable is the IP address of your AP. The secret has to be the same as the secret set on the AP. The secret is completely unrelated to anything else, so you can use a random phrase: it is only shared between the AP and the FreeRADIUS server and is not required anywhere else.

    client wifi {
            ipaddr = 192.168.1.2
            secret = mysecretisnosecret
    #       shortname = linksys
            nastype = other
    }
  17. Set up mysql (i.e. set the root password etc.), then run admin.sql, nas.sql, ippool.sql, schema.sql and cui.sql from /etc/freeradius/sql/mysql
  18. Set up the radius user's password and add the pertinent information to /etc/freeradius/sql.conf
  19. Add a test user sqltest with password testpassword, attribute Cleartext-Password, op == in the radcheck table
  20. Do your clean up, i.e. create ssh keys for remote logins etc.

Testing:

  1. Stop any running freeradius servers with /etc/init.d/freeradius stop
  2. Run the radius server in debug mode: freeradius -X (note the capitalised X)
  3. Open another ssh window and issue radtest username password localhost 1812 testing123
    It should return something similar to this:

    Sending Access-Request of id 28 to 127.0.0.1 port 1812
      User-Name = "username"
      User-Password = "password"
      NAS-IP-Address = 67.213.65.132
      NAS-Port = 1812
    rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=28, length=26
      Framed-IP-Address = 192.168.1.2 (your ip)

    NAS-IP-Address is the address that the machine managed to resolve your IP to.

  4. If the FreeRADIUS server is not receiving your requests from your AP (e.g. you initiated 802.1X authentication but the AP reports the server is not responding AND there is no activity shown on the screen of freeradius -X), reset the AP!
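The radtest exchange above is easier to reason about when you can see the bytes. The Python script below is an added example, not code from the original post or from FreeRADIUS: it builds the Access-Request that radtest sends (RFC 2865 User-Password hiding plus an RFC 2869 Message-Authenticator), builds the Access-Accept a server would return, and verifies the Response Authenticator on the client side, which shows exactly which parts of the exchange the shared secret from clients.conf protects and what the require_message_authenticator option seen in the OpenWRT post above enforces. The secret testing123 is the one radtest is given above; the function names, the identifier 28 and the NAS and Framed IP values are my own.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types used below (RFC 2865, RFC 2869)
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
FRAMED_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 8, 80

def attr(atype, value):
    """Encode one attribute: Type (1 byte), Length including header (1 byte), Value."""
    return bytes([atype, len(value) + 2]) + value

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block); the first 'previous block' is the Request Authenticator."""
    p = password.encode()
    p += b"\x00" * (-len(p) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(p), 16):
        block = bytes(x ^ y for x, y in zip(p[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block
    return out

def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password; only a holder of the shared secret can do this."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode()

def build_packet(code, identifier, authenticator, attributes):
    body = b"".join(attributes)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body

def access_request(identifier, username, password, secret, nas_ip="127.0.0.1",
                   nas_port=1812, authenticator=None):
    """What radtest sends: User-Name, hidden User-Password, NAS-IP-Address, NAS-Port and a
    Message-Authenticator (HMAC-MD5 over the packet with that attribute's value zeroed)."""
    if authenticator is None:
        authenticator = os.urandom(16)          # fresh random Request Authenticator
    attrs = [attr(USER_NAME, username.encode()),
             attr(USER_PASSWORD, hide_password(password, secret, authenticator)),
             attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
             attr(NAS_PORT, struct.pack("!I", nas_port)),
             attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)]
    draft = build_packet(ACCESS_REQUEST, identifier, authenticator, attrs)
    attrs[-1] = attr(MESSAGE_AUTHENTICATOR, hmac.new(secret, draft, hashlib.md5).digest())
    return build_packet(ACCESS_REQUEST, identifier, authenticator, attrs)

def parse_attributes(packet):
    """Return {type: value} for the attributes after the 20-byte header."""
    attrs, i = {}, 20
    while i < len(packet):
        atype, alen = packet[i], packet[i + 1]
        attrs[atype] = packet[i + 2:i + alen]
        i += alen
    return attrs

def verify_message_authenticator(packet, secret):
    """What require_message_authenticator = yes makes the server insist on: the attribute
    must be present and its HMAC-MD5 must verify under the client's shared secret."""
    i = 20
    while i < len(packet):
        atype, alen = packet[i], packet[i + 1]
        if atype == MESSAGE_AUTHENTICATOR:
            zeroed = packet[:i + 2] + b"\x00" * 16 + packet[i + alen:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[i + 2:i + alen])
        i += alen
    return False                                  # absent: rejected under 'yes'

def access_accept(request, secret, attributes):
    """Server reply: Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(attributes)
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body

def verify_response(response, request, secret):
    """Client side: an Access-Accept forged by someone without the secret fails here."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

if __name__ == "__main__":
    secret = b"testing123"                        # the localhost secret radtest uses above
    req = access_request(28, "username", "password", secret)
    print("Access-Request id=%d, %d bytes" % (req[1], len(req)))
    acc = access_accept(req, secret, [attr(FRAMED_IP_ADDRESS, bytes([192, 168, 1, 2]))])
    print("Access-Accept verifies:", verify_response(acc, req, secret))
```

Two things worth noticing when you read the output of freeradius -X against this: the Access-Accept carries no Message-Authenticator in the post's transcript, so its integrity rests entirely on the Response Authenticator and the secret; and a client entry with a weak or shared secret weakens both the password hiding and that check at once, which is why the post insists the secret be a random phrase known only to the AP and the server.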


How to setup MacOSX 10.6 for freeRADIUS TLS or WPA2 Enterprise access

Posted: January 6th, 2011 | Filed under: freeRADIUS, Mac | No Comments »

Apple’s documentation for TLS access is rather thin on how to generate certificates etc. for freeRADIUS. Here are some quick instructions.
First, the guest machine must generate a certificate request.

  1. Go to Applications -> Utilities -> Keychain Access
  2. Under Keychain Access -> Certificate Assistant -> Request a Certificate from a Certificate Authority…
  3. Fill in the info, give them your CA Email Address (the one that is in your ca.cnf file)
  4. Either Save or Email (however if a guest is visiting your house and doesn’t have wifi nor cell access, it could be a problem!).
  5. Once you have transferred the request to your server, issue the command below (substitute guestname with whatever you like; in my guest.cnf, I have set the lifetime of the certificate to 1 day):
    openssl ca -config guest.cnf -policy policy_anything -out guests/guestname.crt -extensions xpclient_ext -extfile xpextensions -infiles guestname.crt
  6. Return the ca.crt (if your guest is a frequent visitor or a close friend) and guestname.crt

Setup 802.1X or WPA2 Enterprise access on the guest’s machine:

  1. Open Keychain Assistant (if you have closed it)
  2. Click the user’s keychain, if the padlock is closed, click on it.
  3. Drag the certificates generated above into the keychain
  4. Optionally: Click on the Trust tab and select Always Trust (Assuming you do no evil!)
  5. Quit Keychain Assistant
  6. Open Preferences -> Network
  7. Select Airport -> Advanced..
  8. Select 802.1X tab
  9. Create a new User Profile via the + icon on the lower left hand corner of the window.
  10. Give the profile any name you like
  11. Check the TLS box under Authentication
  12. Click on Configure Trust
  13. Select the Certificates tab
  14. On the lower left hand corner, click on the + and select Select Certificate From Keychain
  15. Click OK and the window will close
  16. Select the SSID from the Wireless Network: drop down list
  17. Select WPA2 Enterprise from the Security Type: drop down list
  18. Click OK and you will be back in the Network window
  19. The profile name should appear now next to 802.1X
  20. Click on Turn Airport On
  21. The 802.1X should automatically connect, if not click on the Connect button
  22. To disconnect, click on Disconnect or Turn Airport Off.

Additional Reading:
Apple’s Resources with pretty pictures.


Solutions to freeRADIUS TLS “Certificate Compatibility” Issue

Posted: January 6th, 2011 | Filed under: freeRADIUS | 1 Comment »

Christmas and New Year’s celebrations came and passed in a blur! I had quite a few parties at my place over the holidays, and in this day and age guests often want to have access to your wifi network. Instead of giving away my PSK, I decided to try freeRADIUS and assign each guest a one-day TLS certificate instead.

freeRADIUS is a very configurable system. However, that also means that for the uninitiated the configuration files are quite daunting. I highly recommend setting up a system using any virtualization software and keeping snapshots at each step.

When I first researched how to set up freeRADIUS, I followed instructions like this. I didn’t grasp the importance of correct SSL certificate generation, and the wrong configuration options will cause problems down the line.

Everything went smoothly until I started to send TLS requests for authentication. When running under debug mode I encountered:

WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0x34567a5d346e47c0a8c did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Sending Access-Challenge of id 0 to 192.168.168.168 port 2050
  EAP-Message = 0x010100060d20
  Message-Authenticator = 0x00000000000000000000000000000000
  State = 0x34567a5d346e47c0a8c

If everything works, it should also show:

  Sending Access-Accept of id 0 to 192.168.1.168 port 2050
  Framed-IP-Address := 192.168.1.18
  MS-MPPE-Recv-Key = 0x2abc7be1c8bfdcf2214bb36a983b1ccbebf38f3ce03a30a71fe01c1e0d5a6148
  MS-MPPE-Send-Key = 0x5d218788c3c05366d75af398a722525fed8f1bae97d002a32fa92e2daf878444
  EAP-Message = 0x010100060d20
  Message-Authenticator = 0x00000000000000000000000000000000
  User-Name = "godwin"

I have to say the responses on the freeRADIUS message list and wiki sites are rather terse. They don’t really tell you what’s wrong. What’s wrong is that the certificates were formatted incorrectly, so the server never generates the Sending Access-Accept message that signals that the connection has been made. (Obvious once I knew what to look for, but since it is not an explicit error message, it takes a while to figure out.) In the end, I finally figured it out: the certificate generation instructions change quite often and the website I was referencing was for an older version!

Here is what you want to do in an ideal situation.

  1. Install OpenSSL
  2. Do not configure OpenSSL yet!
  3. Install freeRADIUS
  4. Figure out which freeRADIUS version you are using (for me it is 2.1.10).
  5. Go either to github (the website that hosts the freeRADIUS source code) or to your source directory.
  6. Copy bootstrap (a script that will configure your CA if you want), all the cnf files and the xpextensions file, and put them in your Certificate Authority directory (assuming you are cheap like me and are going to self-sign and be your own Certificate Authority).
  7. The certificate generation commands are in the bootstrap script, so study it.
  8. Edit the cnf files; I have also created a guest.cnf file so it will generate 1 day passes.

For me here are the commands I used to generate the certificates (this works for version 2.1.10). I kept my cert files in /ca directory.

To generate the CA (I picked 1825 days which is 5 years because I think it is reasonable, adjust to taste.):

openssl req -config /ca/ca.cnf -new -x509 -extensions v3_ca -keyout /ca/private/ca.key -out /ca/certs/ca.crt -days 1825

To generate the server keys (the first command generates a request, then the second one signs it):

openssl req -config server.cnf -new -nodes -keyout private/server.key -out server.csr -days 1825
openssl ca -config server.cnf -policy policy_anything -out certs/server.crt -infiles server.csr

Use openssl verify -purpose sslserver -CAfile /ca/certs/ca.crt /ca/certs/certificatename.crt to verify your certificates were generated correctly.

Add the file locations into your /etc/freeradius/eap.conf file.

Now you can get your guests to generate their certificate requests. You will use the following command to sign their certificate and return it to them.

openssl ca -config guest.cnf -policy policy_anything -out guests/guest.crt -extensions xpclient_ext -extfile xpextensions -infiles request.crt