
HOWTO_WPA_Enterprise_with_MySQL



Introduction

WPA-Enterprise (WPA/RADIUS) is a wireless security mode in which the access point hands authentication to a RADIUS server: each user is verified by username and password, and the server proves its identity to the client with a certificate, rather than every device sharing one key.

The advantage of WPA-Enterprise over WEP and WPA-PSK (Pre-Shared Key) lies in its ability to authenticate users against a database instead of having all users share a single Pre-Shared Key, and in the fact that it is not susceptible to the same types of direct wireless attacks that both WEP and WPA-PSK are.

Requirements

The following software was used in this example:

Installation of the software is based on Gentoo's portage system. The packages can be installed without portage, but the files will often not end up in the same locations as in this example.

The hardware used in this example is a Linksys WRT54G wireless router with modified Sveasoft firmware to give it WPA/RADIUS support, but most commercial wireless access points and a handful of consumer products already have this support built in.

Install software

It's a good idea to make sure that the support we need is present in our USE flags (add ssl and mysql to your existing USE line).

Edit: /etc/make.conf

USE="ssl mysql"

Next, install freeradius and MySQL (OpenSSL should already be installed):

# emerge --ask freeradius mysql

MySQL

Now it's time to set up the MySQL database service and prepare it for use with freeRADIUS.

Start by bringing up the database:

# /etc/init.d/mysql start

Next, issue the following command to set the password of the root account used to administer the MySQL server:

# /usr/bin/mysqladmin -u root password 'new-password'

Next up is to create the database for radius to reside in. Log into the MySQL service with root privileges and enter the following commands (don't forget the ";" at the end of each line):

# mysql -u root -p (use the password you chose above)
> CREATE DATABASE radius;
> GRANT ALL PRIVILEGES ON radius.* TO 'radiususer'@'localhost' IDENTIFIED BY 'radiuspass';
> FLUSH PRIVILEGES;
> EXIT

Then import the SQL schema for freeRADIUS (use the radiuspass you chose above when prompted):

# cat /usr/share/doc/freeradius/examples/mysql.sql | mysql -u radiususer -p radius

Older versions of freeradius may ship their SQL schema in a location like this:

# zcat /usr/share/doc/freeradius-1.1.0-r1/sql.schemas/db_mysql.sql.gz | mysql -u radiususer -p radius

Let's also insert a test user into our database to help with testing:

# mysql -u radiususer -p (use your radiuspass when asked)
> USE radius;
> INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('mysqltestuser', 'Password', 'mysqltestpass');
> EXIT

Certificates

Before we can set up our radius server to use encryption we will need to create our encryption certificates.

First off, we need a script that freeradius ships with but that the Gentoo portage package unfortunately leaves out.

Change your working directory to /tmp/, download and unpack the latest freeradius package directly from www.freeradius.org:

# cd /tmp
# wget ftp://ftp.freeradius.org/pub/radius/freeradius-1.1.6.tar.gz
# tar zxvf freeradius-1.1.6.tar.gz

Clear out the /etc/raddb/certs/ directory with the following:

# rm /etc/raddb/certs/*

Copy the CA.all script file located under freeradius-1.1.6/scripts to the /etc/raddb/certs/ directory:

# cp /tmp/freeradius-1.1.6/scripts/CA.all /etc/raddb/certs/

Now change your working directory to /etc/raddb/certs/ and create a file called xpextensions and enter the following:

Edit: xpextensions

[xpclient_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[xpserver_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

Then we need to customize two files that the script uses to create unique certificates. Tip: back up your openssl.cnf before you start playing around.

Edit: /etc/ssl/openssl.cnf and change the following to your info:

countryName_default           = AU
stateOrProvinceName_default   = Some-State
0.organizationName_default    = Internet Widgits Pty Ltd
#1.organizationName_default   = World Wide Web Pty Ltd

Next, change some config settings and passwords in our CA.all script file that will be used when creating the certificates.

You also NEED to replace all instances of "whatever" in the CA.all file with the password you want for your certificates (this is very important!). Tip: in nano, press Esc and then R (capital R) to use the "replace" command.

Edit: /etc/raddb/certs/CA.all and change the following lines:

SSL=/etc/ssl
rm -rf roo* cert* *.pem *.der
echo "newreq.pem" | /etc/ssl/misc/CA.pl -newca

Lastly, find and replace all the passwords in /etc/raddb/certs/CA.all (nano keystrokes):

Esc
Shift-R
Search (to replace): whatever
Enter
Replace with: verysecretpass
Enter
Replace this instance? y (repeat y until there are no more instances of whatever left)

The next step is to run the CA.all script. The script creates three different certificates. Accept the default values except for the common name field and the challenge password. The common name must be different in each of the three certificates. Make sure that you are in the /etc/raddb/certs/ directory, as freeRADIUS will look for the certificates there.

Run the CA.all script from the /etc/raddb/certs/ directory:

# ./CA.all

The first (root):

Country Name (2 letter code) [SE]:
State or Province Name (full name) [Stockholm]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Creater]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []: TheNameSeenByTheClient
Email Address []:

The second (cert-clt):

Country Name (2 letter code) [SE]:
State or Province Name (full name) [Stockholm]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Creater]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []: Client
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: verysecretpass
An optional company name []:
# Sign the certificate? [y/n]: y
# 1 out of 1 certificate requests certified, commit? [y/n] y

The third (cert-srv):

Country Name (2 letter code) [SE]:
State or Province Name (full name) [Stockholm]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Creater]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []: Server
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: verysecretpass
An optional company name []:
# Sign the certificate? [y/n]: y
# 1 out of 1 certificate requests certified, commit? [y/n]: y

Now we have to create two more files. The first is a Diffie-Hellman parameters file, or dh file, which freeradius uses when negotiating TLS session keys. Note that 512-bit parameters were common when this HOWTO was written; current OpenSSL builds and clients reject DH groups that small, so on a modern system generate at least 2048 bits:

# openssl dhparam -check -text -5 512 -out dh

Next is a random bitstream file that also is used in TLS operations:

# dd if=/dev/urandom of=random count=2

Now we're done creating all the certificates and other files needed for this type of setup. Of all the files that have been created, one has to be copied to the client computer for the authentication process to complete: root.der.

Configuration

Now that we have all the files we need, we can start editing the freeradius config files under /etc/raddb/.

The standard settings in radiusd.conf are good for what we want, but we need to uncomment one line to get MySQL support.

Tip: search for the line "Look in an SQL database" to quickly find the line we want to uncomment:

sql

Edit: /etc/raddb/radiusd.conf

Find the authorize section and uncomment sql.

Find the accounting section and uncomment sql (to enable SQL accounting).

Now that we know we are going to connect to MySQL, let's edit the sql.conf file and set the user/pass we created above.

Edit: /etc/raddb/sql.conf and change the following:

login = radiususer
pass = radiuspass

Next, edit clients.conf. The clients.conf file is where the "secret" passphrase and the IP address of the authenticator (the access point) are stored.

Edit: /etc/raddb/clients.conf and enter the following:

client 10.0.0.5 {
  secret     = radiussecret
  shortname  = ap
  nastype    = other
}

Replace the ip-address I used (client 10.0.0.5) with the address for your access point.

A good idea is to insert an extra client to use for testing:

client 127.0.0.1 {
  secret     = testing
  shortname  = ap
  nastype    = other
}

Next is the users file. The best way to get this to work with MySQL is to comment out everything except a test user we add to it.

Edit: /etc/raddb/users, comment out everything, and then add a test user. The older form of the line looks like this (note the operator: User-Password := and not ==):

test Auth-Type := Local, User-Password := "testpass"

If you use == instead of := you always get an Access-Reject.

BUT since we are using a plaintext password (for the test), the attribute must be Cleartext-Password, so the line we actually add is:

test Auth-Type := Local, Cleartext-Password := "testpass"

Next up is to edit the eap.conf file, which is where we specify what type of encryption protocols will be used and where our encryption certificates are stored. Uncomment and edit the following lines. Edit: /etc/raddb/eap.conf:
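The operator rule just described, applied both to users-file lines and to the radcheck row inserted in the MySQL section, modelled in Python as an added example (not part of the original HOWTO and not FreeRADIUS code): `==` only matches when the request already carries that attribute, while `:=` hands the server a known-good password that PAP or the MS-CHAPv2 inner method can verify against. The users entries, the radcheck row (written with Cleartext-Password and op :=) and the mschap_stub function are constructed assumptions for the demo, not FreeRADIUS's real MS-CHAPv2 computation.

```python
import hashlib
import re

# Constructed sample data: the two users-file forms discussed above, and the
# MySQL test user as a radcheck row (UserName, Attribute, op, Value).
USERS_FILE = '''
test   Auth-Type := Local, User-Password == "testpass"
test2  Auth-Type := Local, Cleartext-Password := "testpass"
'''
RADCHECK_ROWS = [("mysqltestuser", "Cleartext-Password", ":=", "mysqltestpass")]
ITEM_RE = re.compile(r'([\w-]+)\s*(:=|==)\s*(?:"([^"]*)"|([^,\s]+))')


def parse_users(text):
    """Return {username: [(attribute, op, value), ...]} from users-file text."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(" ")
        entries[name] = [(a, op, q or b) for a, op, q, b in ITEM_RE.findall(rest)]
    return entries


def check_items_for(user):
    """Users-file items followed by radcheck rows, as authorize { files sql } does."""
    items = parse_users(USERS_FILE).get(user, [])
    return items + [(a, op, v) for u, a, op, v in RADCHECK_ROWS if u == user]


def mschap_stub(challenge, password):
    """Stand-in for the NT-hash based MS-CHAPv2 response (not the real algorithm)."""
    return hashlib.sha256(f"{challenge}:{password}".encode()).hexdigest()


def decide(user, request):
    """Return (decision, reason) for a PAP request or an MS-CHAPv2 inner request."""
    control = {}
    for attr, op, value in check_items_for(user):
        if op == "==" and request.get(attr) != value:
            return ("Access-Reject", "no entry matched the request")
        if op == ":=":
            control[attr] = value          # known-good value for the auth method
    known = control.get("Cleartext-Password")
    if known is None:
        return ("Access-Reject", "no known-good password in the control list")
    if "User-Password" in request:                      # PAP, e.g. radtest
        ok = request["User-Password"] == known
    else:                                               # MS-CHAPv2 inside TTLS/PEAP
        ok = request.get("MS-CHAP2-Response") == mschap_stub(
            request.get("MS-CHAP-Challenge", ""), known)
    return ("Access-Accept", "password verified") if ok else ("Access-Reject", "wrong password")
```

The `test` entry with `==` is rejected for both PAP and MS-CHAPv2 requests, while `test2` and the radcheck user are accepted, which is the behaviour the note above describes.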

eap {
  default_eap_type = ttls
  tls {
    private_key_password = verysecretpass
    private_key_file = ${raddbdir}/certs/cert-srv.pem
    certificate_file = ${raddbdir}/certs/cert-srv.pem
    CA_file = ${raddbdir}/certs/demoCA/cacert.pem
    dh_file = ${raddbdir}/certs/dh
    random_file = ${raddbdir}/certs/random
  }
  ttls {
    default_eap_type = mschapv2
  }
  peap {
    default_eap_type = mschapv2
  }
}

Testing

Now that everything on the server side should be correctly configured, it's time to test it before we enter the necessary settings into our hardware.

First off, start everything up and, if all works, add the services to our auto start. The MySQL server is already running, so we proceed to start our freeRADIUS server in debug mode to see what happens:

# radiusd -X

Open up a new console window and issue the following commands to test our configs:

# radtest test testpass 127.0.0.1 1812 testing

The output of this program tells us whether our radius server worked. If for some reason you get an "Access-Reject", take a look at the debug output of radiusd -X.

The syntax of the radtest program is:

Usage: radtest user passwd radius-server[:port] nas-port-number secret

Next up is to test that freeRADIUS is working with the MySQL database. To do this we run the same test as above, but with the MySQL test user we created (mysqltestuser):

# radtest mysqltestuser mysqltestpass 127.0.0.1 1812 testing

The results of this program will tell us if our radius server worked with MySQL support.

Last Words

At this point you should have a working radius server in conjunction with a MySQL database. The only thing left to do is enter the required settings into our access point, which for this example are:

Security Mode:          WPA Enterprise (WPA/RADIUS)
WPA Algorithms:         AES
RADIUS Server Address:  10.10.10.2 (in my example; change this to yours)
RADIUS Port:            1812
Shared Key:             radiussecret (the one you chose in clients.conf)

The last thing is to copy the root.der certificate to your clients and configure them to use WPA-Enterprise. (Unfortunately configuring the clients is beyond the scope of this HOWTO, but there are other HOWTOs for that.)

Other RADIUS Servers

This section lists other RADIUS servers that support WPA-Enterprise:

Author

This document is written and maintained by Jonatan Mcevenue. Any authors who modify this may add their name if they wish.

In the meantime there's a HOWTO for Gentoo at http://www.urbanwireless.co.nz/?page_id=22

Retrieved from "http://www.gentoo-wiki.info/FreeRADIUS"

Last modified: Mon, 08 Sep 2008 04:49:00 +0000