Finally Able To Run My Own WPA2-AES EAP-TTLS FreeRADIUS Server (RasPi)

I should have posted these pre-steps: First download the latest stable freeradius source code, extract and change directory, ./configure && make, su and make install. Also, the post-config to run the service itself: /usr/local/sbin/radiusd

And here are my example configuration notes in case anyone else is interested:

cd /usr/local/etc/raddb/certs

export D=`pwd` ; export KEY_CONFIG=$D/openssl.cnf
cat /etc/ssl/openssl.cnf | tr '\t' ' ' | sed -e "s@^dir .*\$@dir = `pwd`@g" -e "s@^countryName_default .*\$@countryName_default = CA@g" -e "s@^stateOrProvinceName_default .*\$@stateOrProvinceName_default = Ontario@g" -e "s@^0.organizationName_default .*\$@0.organizationName_default = stoops@g" > openssl.cnf

sed -i -e 's@demoCA@@g' -e 's@/newcerts@@g' /usr/lib/ssl/openssl.cnf

rm -fv index.txt ; touch index.txt
rm -fv serial ; echo 01 > serial
mkdir -p ./newcerts

openssl dhparam -out dh 2048
openssl req -days 3650 -nodes -new -x509 -keyout ca.key -out ca.crt -config $KEY_CONFIG
openssl req -days 3650 -nodes -new -keyout server.key -out server.csr -config $KEY_CONFIG
openssl ca -extensions v3_ca -days 3650 -out server.crt -in server.csr -cert ca.crt -keyfile ca.key -config $KEY_CONFIG

cat ca.crt ca.key > ca.pem
cat server.crt server.key > server.pem


#cd /etc/freeradius/certs

#openssl genrsa -out server.key 2048
#openssl req -new -key server.key -out server.csr
#openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
#openssl dhparam -outform PEM -out dh 2048

#cat server.crt server.key > server.pem ; cat server.pem > ca.pem
#echo > ../acct_users
#( echo 'client 0.0.0.0/0 {' ; echo '  secret = "pwd"' ; echo '  shortname = "wifi"' ; echo '}' ) > ../clients.conf
#echo 'jon Cleartext-Password := "pwd"' > ../users
vim /usr/local/etc/raddb/eap.conf
vim /usr/local/etc/raddb/modules/inner-eap

eap {
    ...
    default_eap_type = ttls
    ...
    tls {
        ...
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        CA_file = ${cadir}/ca.pem
        dh_file = ${certdir}/dh
        cipher_list = "DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA"
        ...
    }
    ...
    ttls {
        ...
        default_eap_type = mschapv2
        ...
    }
    ...
    mschapv2 {
        ...
    }
    ...
}
vim /usr/local/etc/raddb/clients.conf

client 0.0.0.0/0 {
    secret    = [long-secret-passphrase-here]
    shortname = homewifi
    nastype   = other
}

Authentication:

vim /usr/local/etc/raddb/users

"jon" Cleartext-Password := "[personal-password-here]"

or

vim /usr/local/etc/raddb/sites-{available,enabled}/{default,inner-tunnel}

authorize {
    ...
    unix
    ...
}

* Note: Make sure to publish/distribute the ca.crt file above for connecting clients to use, it should look something like this:

-----BEGIN CERTIFICATE-----
MIIDzTCCArWgAwIBAgIJAMML9s5w/d4oMA0GCSqGSIb3DQEBBQUAMH0xCzAJBgNV
BAYTAkNBMRAwDgYDVQQIDAdPbnRhcmlvMRAwDgYDVQQHDAdUb3JvbnRvMQ8wDQYD
VQQKDAZzdG9vcHMxDTALBgNVBAsMBHdpZmkxDzANBgNVBAMMBnJhZHNydjEZMBcG
CSqGSIb3DQEJARYKcm9vdEBsb2NhbDAeFw0xMzEyMzAyMjE0MzBaFw0yMzEyMjgy
MjE0MzBaMH0xCzAJBgNVBAYTAkNBMRAwDgYDVQQIDAdPbnRhcmlvMRAwDgYDVQQH
DAdUb3JvbnRvMQ8wDQYDVQQKDAZzdG9vcHMxDTALBgNVBAsMBHdpZmkxDzANBgNV
BAMMBnJhZHNydjEZMBcGCSqGSIb3DQEJARYKcm9vdEBsb2NhbDCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAMsYNqwP+Zd9szkwwEVjxgOPn+d7kIZKbKnh
ZJOhG2poxnlPcv2Ac67xPuJ4tuiU6Xni1+YElkx4uxNa4GNm9EF2M0MRAE/eAwxK
QN9Y4/KN3C3AU8VDyIUXMx+XN38HI48lgZIj1c9HhoB8llTHeL4jGRVDmzqGqOCl
GwSNMh9mCgedTODARyDyJ9tyEayU1D+WDqwQTFbBfvd7VYejCtzo7edjCoMt6Kap
HsB3eE1LRTcE/QWlaDmszBzdFk+jqp2rzP+eKLXNLvalZEPOJ0koGqy9BfI9+fqW
avy/fphcN5+5UhNXadRrYOYJuPBe/AC90NmlFn+ztYmiRwf+GtkCAwEAAaNQME4w
HQYDVR0OBBYEFPE09eFbbSvz8E4uY2F4cA0PJmreMB8GA1UdIwQYMBaAFPE09eFb
bSvz8E4uY2F4cA0PJmreMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEB
AFYN7lTdZjNhHohCul9HzP87vHFiiV0N47eCBeyoujvkKkQHm2fKunxKLfe0ySBa
xOXdHHEhfBiv7Qz1LgryaYjMeJ8OhbktPT3ahGIWnNgyeKJiM3eD0fNVFWxp0ZBO
OlVQh5NYbuHhWafnAP8DDyhgKB99uEpF5iS1KwfkCGBbynYOayqNZGIVIH0c0Bmb
Ps+qNYxLKHQRi3+dnv4/gKPwKFDDiccHrQxiAEMXY+iO0rnPjc35SPri2QMAKdYf
1Nv/lmEPwQutjns1EUHHSmNwuC4O/1AUR54iskxzHy3v3RafOQ9B5aO6fyaMVFQF
iYX2djQzSq9qfOj9lMz5Cww=
-----END CERTIFICATE-----

Note: You can run this command to decode the certificate above: openssl x509 -in ca.crt -text -noout

Edit: For some basic OpenSSH cipher choices: Ignore the randomness

Advertisements
Finally Able To Run My Own WPA2-AES EAP-TTLS FreeRADIUS Server (RasPi)

2 thoughts on “Finally Able To Run My Own WPA2-AES EAP-TTLS FreeRADIUS Server (RasPi)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s