Tuesday, September 6, 2011

Radius and 802.1X

Configure Radius and 802.1X.


1. Generate a new self-signed root CA, write the encrypted private key to CA/private/cakey.pem, and then write the Base-64,ASN.1-encoded, self-signed certificate to CA/cacert.pem. This certificate will be used for signing client and server certificates.# openssl req -new -x509 -extensions v3_ca -keyout CA/priv/cakey.pem -out CA/cacert.pem -days 730 -config openssl.cnf

# openssl x509 -in cacert.pem -noout -text
# openssl x509 -in cacert.pem -noout -dates
# openssl x509 -in cacert.pem -noout -purpose
# openssl x509 -in cacert.pem -noout -issuer
# openssl rsa -noout -modulus -in CA/priv/cakey.pem | openssl sha1
# openssl x509 -noout -modulus -in CA/cacert.pem | openssl sha1

Check the modulus and public exponent in the private key and certificate to make sure they match.# openssl rsa -noout -modulus -in CA/priv/cakey.pem | openssl sha1
# openssl x509 -noout -modulus -in CA/cacert.pem | openssl sha1

2. Export the root CA signing certificate to ASN.1, DER encoded format so that clients can import it.
# openssl x509 -in CA/cacert.pem -outform DER -out clientCerts/myRootCA.der

2a. Convert the DER encoded CA back to pem format and place in a .crt file so that Android can read it. (This is an extra, un-needed step as cacert.pem can be copied and renamed to .crt). (Android does not understand pem files so write the DER encoded certificate to PEM format in a file with extension .crt).
# openssl x509 -inform der -in clientCerts/myRootCA.der -out clientCerts/myRootCA.crt

3. Generate radius server certificate (i.e. signing request) and private key in unencrypted format.
# openssl req -new -nodes -keyout tempCerts/radius_key.pem -out tempCerts/radius_req.pem -days 730 -config openssl.cnf

4. Sign the radius server certificate. note: Microsoft clients require the creation of an xpextensions file. Add '-extensions xpserver_ext -extfile ./xpextensions' to the following command.
# openssl ca -out tempCerts/radius_cert.pem -infiles tempCerts/radius_req.pem -config openssl.cnf

5. Install the root CA signing certificate, Radius server private key, and Radius server signed certificate.
# cp tempCerts/radius_cert.pem /etc/radwl/certs/server/
# cp tempCerts/radius_key.pem /etc/radwl/certs/server/
# cp CA/cacert.pem /etc/radwl/certs/server/

6. Create the client certificate (i.e. signing request) and private key. note: match the output file names with the client identity or common name.
# openssl req -new -keyout tempCerts/myandroid_key.pem -out tempCerts/myandroid_req.pem -days 730 -config openssl.cnf

7. Sign the client certificate.
# openssl ca -out tempCerts/myandroid_cert.pem -infiles tempCerts/myandroid_req.pem -config openssl.cnf

8. Export the signed client certificate and private key to pkcs#12 format.
# openssl pkcs12 -export -in tempCerts/myandroid_cert.pem -inkey tempCerts/myandroid_key.pem -out clientCerts/myandroid_cert.p12 -clcerts

9. Install the signed client certs on the Radius server.
# cp tempCerts/*_cert.pem /etc/radwl/certs/clients

10. Copy the client pkcs#12 certificate to appropriate device.
# cp clientCerts/myandroid_cert.p12 DEVICE

11. Copy the CA signing certificate to the same device.
# cp clientCerts/myRootCA.crt DEVICE

12. on OS X, use the following commands to add the freeradius user to the freeradius group. Also run chsh freeradius and set the shell to /sbin/nologin
# dscl . append /Groups/freeradius GroupMembership freeradius