wpa howto.htm

802.1x认证的认证服务器freeradius的howto文档

    -extfile xpextensions -infiles $PEMDIR/newreq.pem
$OPENSSL pkcs12 -export -in $PEMDIR/newcert.pem -inkey $PEMDIR/newreq.pem -out \
    $P12DIR/$CLNAME.p12 -clcerts -passin pass:$PASSWD -passout pass:$PASSWD
$OPENSSL pkcs12 -in $P12DIR/$CLNAME.p12 -out $PEMDIR/$CLNAME.pem -passin \
    pass:$PASSWD -passout pass:$PASSWD
$OPENSSL x509 -inform PEM -outform DER -in $PEMDIR/$CLNAME.pem -out \
    $PEMDIR/$CLNAME.der

rm -rf $PEMDIR/newcert.pem $PEMDIR/newreq.pem
</pre>
<p><br />
The following file is also needed to handle extensions to SSL for Windows XP.
</p>
<div class="listing">
<p>Listing 3.4&nbsp;&nbsp;&nbsp;xpextensions
</p>
<pre class="listing">
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2

[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
</pre>
<div class="editsection" style="float:right;margin-left:5px;">[<a href="/index.php?title=WPA_HOWTO&amp;action=edit&amp;section=19" title="Edit section: Notes on the Shell Script Variables">edit</a>]</div><a name="Notes_on_the_Shell_Script_Variables"></a><h4>Notes on the Shell Script Variables</h4>
<p>The following variables appear in one or more of the above scripts.
</p>
<ul><li> <b>OPENSSL</b> - the name of (or path to) your OpenSSL executable (obviously)
</li><li> <b>CAPL</b> - the name of (or path to) CA.pl. In Fedora Core, this is /usr/share/misc/CA.pl
</li><li> <b>KEYGEN</b> - the path to a program used to generated random passwords (e.g. sequences of ASCII characters). For this, I use the <i>dns-keygen</i> program for the generation of DNSSEC keys that comes with BIND 9. Automatic password generation is discussed more below.
</li><li> <b>PASSDIR</b> - the path to where files for the various certificate passwords reside (see below).
</li><li> <b>DERDIR</b>, <b>P12DIR</b>, <b>PEMDIR</b> - directories for the output of various types of files generated by the process.
</li><li> <b>VALIDFOR</b> - specifies the time <i>in days</i> for which the certificate is to be valid.
</li></ul>
<div class="editsection" style="float:right;margin-left:5px;">[<a href="/index.php?title=WPA_HOWTO&amp;action=edit&amp;section=20" title="Edit section: Invoking the Scripts">edit</a>]</div><a name="Invoking_the_Scripts"></a><h3>Invoking the Scripts</h3>
<p>These scripts needn't be invoked on the machine that's going to be the RADIUS server, but I did because it was the machine at hand with the faculty to do so.
</p><p>First, a note on certificate passwords.
</p>
<ul><li> The scripts are designed to accept certificate protection passwords as the first, second and third arguments for root, server and client, respectively.
</li><li> If no passwords are given, the scripts next look to the contents of <span class="filename">pass/root.pass</span>, <span class="filename">pass/<span class="var">server-name</span>.pass</span> and <span class="filename">pass/<span class="var">client-name</span>.pass</span> to source a passwords. If you wish to set pre-existing passwords, place them here.
</li><li> If this fails, <tt>$KEYGEN</tt> is invoked and its output used. For the server and root certificates, only the first 32 characters are used; for clients, the first 16 (Windows XP doesn't seem to like really long passwords here). Note that any automatically-generated passwords are stored in <span class="filename">pass/root.pass</span>, <span class="filename">pass/<span class="var">server-name</span>.pass</span> or <span class="filename">pass/<span class="var">client-name</span>.pass</span>, depending on the script invoked. You will need these later when using the certificates.
</li></ul>
<p>First, generate the root certificate:
</p><p><br />
</p>
<pre>$ <b>./CA.root <span class="comment">[<span class="var">password</span>]</span></b>
</pre>
<p><br />
The <i>password</i> argument is optional. You will be asked a variety of questions about who you are, what organisation this certificate is for, etc. <strong>When asked for a common name,</strong> leave the field blank.
</p><p>Next, the server's:
</p><p><br />
</p>
<pre>$ <b>./CA.server <span class="var">server-name</span> <span class="comment">[<span class="var">password</span></span> <span class="comment">[<span class="var">root-password</span>]]</span></b>
</pre>
<p><br />
where <i>server-name</i> could be the host-name of the RADIUS server. <i>password</i> and <i>root-password</i> are optional arguments: the first is that of the client certificate; the second is that of the root certificate given previously. <i>server-name</i> name will form the basename of all certificate and key files associated with this machine. You will again be asked a variety of questions about who you are, but <strong>when asked for a common name,</strong> enter the fully-qualified domain-name of the RADIUS server.
</p><p>Finally, for the client:
</p><p><br />
</p>
<pre>$ <b>./CA.client <span class="var">client-name</span> <span class="comment">[<span class="var">password</span></span> <span class="comment">[<span class="var">root-password</span>]]</span></b>
</pre>
<p><br />
where <i>client-name</i> could be the host-name (or better still, the fully-qualified domain-name) of the certified client. <strong>When asked for a common name,</strong> enter the same as for <i>client-name</i>.
</p><p>Obviously, you will need to repeat this last step for every other client you wish to authenticate.
</p>
<div class="editsection" style="float:right;margin-left:5px;">[<a href="/index.php?title=WPA_HOWTO&amp;action=edit&amp;section=21" title="Edit section: Installing the Certificates">edit</a>]</div><a name="Installing_the_Certificates"></a><h3>Installing the Certificates</h3>
<p>You should now have several files in the sub-directories <span class="filename">der/</span>, <span class="filename">p12/</span> and <span class="filename">pem/</span>.
</p>
<div class="editsection" style="float:right;margin-left:5px;">[<a href="/index.php?title=WPA_HOWTO&amp;action=edit&amp;section=22" title="Edit section: On the Windows XP Client">edit</a>]</div><a name="On_the_Windows_XP_Client"></a><h4>On the Windows XP Client</h4>
<p>Copy the files <span class="filename">der/root.der</span> and <span class="filename">p12/</span><i>client-name</i><span class="filename">.p12</span> to the XP box.
</p><p>First, install the root certificate to establish ourselves as an authority.
</p><p><br />
</p>
<ol><li> Double-click on <span class="filename">root.der</span>.
</li><li> In the &quot;Certificate&quot; property box, click <span class="widget">Install Certificate</span>.
</li><li> In the Wizard, click <span class="widget">Next</span>.
</li><li> Choose <span class="widget">Place all certificates in the following store</span>, and choose &quot;Trusted Root Certification Authorities&quot;.
</li><li> Click <span class="widget">Next</span> to finish.
</li></ol>
<p><br />
Next, install the client certificate.
</p><p><br />
</p>
<ol><li> Double-click on <span class="filename"><span class="var">client-name</span>.p12</span>.
</li><li> In the Wizard, click <span class="widget">Next</span> and <span class="widget">Next</span> again.
</li><li> You will be asked for a password. This is the certificate password specified either when you invoked <tt>CA.client</tt>, or can be found in <span class="filename">pass/<span class="var">client-name</span>.pass</span>.
</li><li> Choose <span class="widget">Automatically select the certificate store based on the type of certificate</span>.
</li><li> Click <span class="widget">Next</span> to finish.
</li></ol>
<div class="editsection" style="float:right;margin-left:5px;">[<a href="/index.php?title=WPA_HOWTO&amp;action=edit&amp;section=23" title="Edit section: On the RADIUS Server">edit</a>]</div><a name="On_the_RADIUS_Server"></a><h4>On the RADIUS Server</h4>
<p>First, we need to make a certificate store. For this purpose, I chose <span class="filename">/etc/wireless-auth/</span>. Elevate yourself to the superuser, and:
</p>
<pre># mkdir /etc/wireless-auth
</pre>
<p>Copy the private keys.
</p>
<pre># cp pem/root.pem pem/<i>server-name</i>.pem /etc/wireless-auth
</pre>
<p>Lock up the keys as appropriate. I intend to run <tt>radiusd</tt> with username and group <span class="username">radiusd</span>, so I allow the superuser <tt>rw</tt> permissions on the file, and the group <span class="username">radiusd</span> <tt>r</tt> permissions.
</p>
<pre># <b>chown root:radiusd /etc/wireless-auth/*.pem</b>
# <b>chmod 0640 /etc/wireless-auth/*.pem</b>
</pre>
<div class="editsection" style="float:right;margin-left:5px;">[<a href="/index.php?title=WPA_HOWTO&amp;action=edit&amp;section=24" title="Edit section: Step 2: Configure FreeRADIUS">edit</a>]</div><a name="Step_2:_Configure_FreeRADIUS"></a><h2>Step 2: Configure FreeRADIUS</h2>
<div class="editsection" style="float:right;margin-left:5px;">[<a href="/index.php?title=WPA_HOWTO&amp;action=edit&amp;section=25" title="Edit section: Before You Proceed">edit</a>]</div><a name="Before_You_Proceed"></a><h3>Before You Proceed</h3>
<p>You'll need to create some files and know some parameters before proceeding to configure FreeRADIUS.
</p>
<div class="editsection" style="float:right;margin-left:5px;">[<a href="/index.php?title=WPA_HOWTO&amp;action=edit&amp;section=26" title="Edit section: Random Files">edit</a>]</div><a name="Random_Files"></a><h4>Random Files</h4>
<p>The TLS element of FreeRADIUS's EAP module (the bit that does the real authentication, EAP itself is just a wrapper) requires two files with random data: <span class="filename">/etc/wireless-auth/DH</span> and <span class="filename">/etc/wireless-auth/random</span>. Any random data will do for this, and I use the <tt>dns-keygen</tt> program.
</p><p><br />
</p>
<pre># <b>/usr/sbin/dns-keygen &gt; /etc/wireless-auth/DH</b>
# <b>/usr/sbin/dns-keygen &gt; /etc/wireless-auth/random</b>
# <b>chown root:radiusd /etc/wireless-auth/DH /etc/wireless-auth/random</b> 
# <b>chmod 0640 /etc/wireless-auth/DH /etc/wireless-auth/random</b>
</pre>
<div class="editsection" style="float:right;margin-left:5px;">[<a href="/index.php?title=WPA_HOWTO&amp;action=edit&amp;section=27" title="Edit section: Keys and Shared Secrets">edit</a>]</div><a name="Keys_and_Shared_Secrets"></a><h4>Keys and Shared Secrets</h4>
<p>You will need to know the password for the server's private key. This was established in <a href="/WPA_HOWTO#Invoking_the_Scripts" title="WPA HOWTO">&sect;3.2</a>, where you either passed the password to the scripts as arguments or it was found or generated and stored in <span class="filename">pass/<span class="var">server-name</span>.pass</span>.
</p><p>In addition, you will need a <i>shared secret</i> known only to the RADIUS server and the AP allowing the latter to identify itself to the former. This can be up to 31 characters long and anything you like, but obviously the longer and crazier the better. So I used:
</p>
<pre>$ <b>/usr/sbin/dnskeygen | head -c 31</b>
</pre>
<div class="editsection" style="float:right;margin-left:5px;">[<a href="/index.php?title=WPA_HOWTO&amp;action=edit&amp;section=28" title="Edit section: Configuration Files">edit</a>]</div><a name="Configuration_Files"></a><h3>Configuration Files</h3>
<p>The following scheme assumes you will be using FreeRADIUS exclusively for WPA authentication, and as such it's pretty minimal (FreeRADIUS gurus in all likelihood won't be reading this HOWTO). I arrived at it by taking the advice in McKay's HOWTO, and then deleting bits until it broke FreeRADIUS.
</p><p>You will need the following files in <span class="filename">/etc/raddb/</span> (or wherever your FreeRADIUS is configured to search for its boot files):
</p>
<ul><li> <b>radiusd.conf</b> - the core FreeRADIUS configuration, given below
</li><li> <b>clients.conf</b> - controls which APs can access this RADIUS server, given below
</li><li> <b>users</b> - a list of client users, given below
</li><li> <b>dictionary</b> - this can be left as it is
</li><li> <b>acct_users</b>, <b>db.daily</b>, <b>preproxy_users</b>, <b>hints</b>, <b>huntgroups</b> - can be empty files
</li></ul>
<div class="editsection" style="float:right;margin-left:5px;">[<a href="/index.php?title=WPA_HOWTO&amp;action=edit&amp;section=29" title="Edit section: FreeRADIUS Core Configuration">edit</a>]</div><a name="FreeRADIUS_Core_Configuration"></a><h4>FreeRADIUS Core Configuration</h4>
<p>Please note that there are several settings in this file you will have to enter in accordance with your local network.
</p><p>Listing 4.1 - /etc/raddb/radiusd.conf
</p>
<pre>
# radiusd.conf
# Configuration of this RADIUS server.
#
# IMPORTANT: THIS FILE CONTAINS SECRETS.
# This file should have -rw-r----- root:radiusd permissions.

# Various directories
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct

# Location of config and logfiles
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log

# Libraries, modules, etc.
libdir = /usr/lib

# The pid file
pidfile = ${run_dir}/radiusd.pid

# User/group config of the RADIUS server
user = radiusd
group = radiusd

# Request handling
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024

# bind_address: we need only listen on the wireless subnet.
bind_address = (IP address to listen on)
port = 0
hostname_lookups = no

# How the server conducts itself
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes

# Logging behaviour
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no