Thursday, April 26, 2012

How to configure FreeRADIUS 2.x to support EAP-TTLS under Linux?

If you would like to make FreeRADIUS 2.x support EAP-TTLS (a TLS tunnel to the server, with MS-CHAPv2 authenticating the user inside it), the following steps outline how to configure it:

1. Remove the existing Root CA and server certificates so that fresh ones can be generated (the test certificates that FreeRADIUS ships or creates at first start are for testing only and must not be used in production):
# cd /etc/raddb/certs
# rm -f ca.der ca.key ca.pem
# rm -f server.crt server.csr server.key server.p12 server.pem

2. Make the Root CA:

# vi ca.cnf
  Edit the "input_password" and "output_password" fields to be the
  password protecting the CA private key.  This password is stored in
  clear text in ca.cnf, so keep /etc/raddb/certs readable by root only:
  anyone who can read ca.cnf and ca.key can issue server certificates
  that every supplicant trusting this CA will accept.
  Edit the [certificate_authority] section to have the correct values
  for your country, state, etc.
# make ca.pem
  This step creates the self-signed CA certificate and its private key (ca.key).
# make ca.der
  This step creates the DER format of the self-signed CA certificate,
  which can be imported into Windows.

3. Make a server certificate:

# vi server.cnf
  Edit the "input_password" and "output_password" fields to be the
  password protecting the server private key.
  Edit the [server] section to have the correct values for your
  country, state, etc.  Be sure that the commonName field here is
  different from the commonName of the CA certificate: OpenSSL decides
  whether a certificate is self-signed largely by comparing its subject
  and issuer names, so a server certificate carrying the CA's name will
  not chain to the CA and clients will reject it.
# make server.pem
  This step creates the server certificate, signed by the CA from step 2.
  If you have an existing certificate authority and wish to create a
  certificate signing request for the server certificate instead, edit
  server.cnf as above and type the following command:
# make server.csr
  Whoever signs the request must ensure that the resulting certificate
  contains the "XP extensions" needed by Microsoft clients, i.e. the
  extendedKeyUsage of TLS Web Server Authentication (1.3.6.1.5.5.7.3.1)
  listed in the xpextensions file in this directory.  Windows
  supplicants refuse a RADIUS server certificate without it.

4. Define the RADIUS clients (the access points and switches that may talk to the server) in /etc/raddb/clients.conf.  The shared secret authenticates the NAS to the server and protects the session keys sent back to it; testing123 is the sample secret that ships with FreeRADIUS and appears in every tutorial, so replace it with a long random string, and restrict the address range to the networks your NAS devices actually use:

client 10.10.0.0/16 {
        secret          = testing123
        shortname       = private-network-2
}

5. Select EAP-TTLS in /etc/raddb/eap.conf: make ttls the default EAP type and configure the inner (tunneled) authentication in the ttls section:

default_eap_type = ttls
....
ttls {
        # EAP method run inside the TLS tunnel: EAP-MSCHAPv2
        default_eap_type = mschapv2
        # copy attributes of the outer request into the inner request ...
        copy_request_to_tunnel = yes
        # ... and attributes of the inner reply (e.g. VLAN assignment)
        # back into the outer reply sent to the NAS
        use_tunneled_reply = yes
        # left commented out, so the inner request is processed by the
        # default virtual server (the one that handles the outer request)
        #virtual_server = "inner-tunnel"
}
....

6. Add a user to /etc/raddb/users.  MS-CHAPv2 needs the clear-text password (or its NT hash) on the server side, so the entry must use Cleartext-Password (or NT-Password); a Crypt-Password or any other one-way hash cannot be used with it:

lawrence Cleartext-Password := "testing"

7. Optionally disable MPPE key generation by the inner MS-CHAPv2 exchange in /etc/raddb/modules/mschap (the stock default is use_mppe = yes).  With EAP-TTLS the session keys handed to the NAS (MS-MPPE-Recv-Key and MS-MPPE-Send-Key) are derived from the outer TLS tunnel, so this only stops the mschap module from adding its own MPPE attributes to the inner reply:
        use_mppe = no

8. Restart FreeRADIUS:
# /etc/init.d/radiusd restart
  While testing, stop the service and run "radiusd -X" in the foreground
  instead: it logs every step of the TLS handshake and the inner
  MS-CHAPv2 exchange, which is the fastest way to see why a supplicant
  is being rejected.
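Before pointing access points at the server, check what steps 2 and 3 actually produced and drive one complete EAP-TTLS/MS-CHAPv2 login against the configuration from steps 4 to 7. The script below is an added example, not part of the original post and not FreeRADIUS code; it assumes the certificate paths, the user lawrence/testing and the shared secret testing123 used above, a server on 127.0.0.1:1812, and eapol_test, a RADIUS test client built from the wpa_supplicant source tree that is not installed by default.

```sh
#!/bin/sh
# Added example (not from the original post or FreeRADIUS): sanity-check the
# certificates produced in steps 2-3 and run a real EAP-TTLS/MS-CHAPv2 login
# against the server configured in steps 4-7.
# Assumptions (not in the post): certs in /etc/raddb/certs, user lawrence with
# password testing (step 6), shared secret testing123 (step 4), radiusd on
# 127.0.0.1:1812, eapol_test built from wpa_supplicant.

# check_eap_certs CA SERVER
# Succeeds only if the server certificate chains to the CA, its commonName
# differs from the CA's (step 3), and it carries the "TLS Web Server
# Authentication" extended key usage that the xpextensions file adds for
# Microsoft supplicants.
check_eap_certs() {
    ca="$1"; server="$2"
    openssl verify -CAfile "$ca" "$server" 2>/dev/null | grep -q ': OK$' || {
        echo "FAIL: $server does not chain to $ca" >&2; return 1; }
    ca_cn=$(openssl x509 -in "$ca" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p')
    srv_cn=$(openssl x509 -in "$server" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p')
    [ -n "$ca_cn" ] && [ "$ca_cn" != "$srv_cn" ] || {
        echo "FAIL: CA and server commonName must differ (both '$ca_cn')" >&2; return 1; }
    openssl x509 -in "$server" -noout -text | grep -q 'TLS Web Server Authentication' || {
        echo "FAIL: $server lacks the serverAuth extended key usage" >&2; return 1; }
    echo "OK: '$srv_cn' issued by '$ca_cn', serverAuth EKU present"
}

# write_eapol_test_conf FILE IDENTITY PASSWORD CA
# wpa_supplicant/eapol_test profile matching the ttls { } block in step 5.
# autheap=MSCHAPV2 selects EAP-MSCHAPv2 inside the tunnel (default_eap_type =
# mschapv2); auth=MSCHAPV2 would send plain MS-CHAPv2 AVPs, which the mschap
# module also accepts.  ca_cert= is what stops a rogue access point running its
# own RADIUS server from harvesting the MS-CHAPv2 response: never deploy a
# profile without it.  anonymous_identity keeps the real user name out of the
# unencrypted outer request.
write_eapol_test_conf() {
    cat >"$1" <<EOF
network={
    key_mgmt=WPA-EAP
    eap=TTLS
    anonymous_identity="anonymous"
    identity="$2"
    password="$3"
    ca_cert="$4"
    phase2="autheap=MSCHAPV2"
}
EOF
}

# run_ttls_check: certificate checks, then a live authentication if eapol_test
# is available.  Its last output line is SUCCESS when the inner MS-CHAPv2
# exchange passed and the NAS would have received session keys.
run_ttls_check() {
    check_eap_certs /etc/raddb/certs/ca.pem /etc/raddb/certs/server.pem || return 1
    conf=$(mktemp)
    write_eapol_test_conf "$conf" lawrence testing /etc/raddb/certs/ca.pem
    if command -v eapol_test >/dev/null 2>&1; then
        # -a/-p: address and port of radiusd; -s: the shared secret from clients.conf
        eapol_test -c "$conf" -a 127.0.0.1 -p 1812 -s testing123 | tail -n 1
    else
        echo "eapol_test not found (build it from the wpa_supplicant source tree)" >&2
    fi
    rm -f "$conf"
}

if [ "${1:-}" = run ]; then
    run_ttls_check
fi
```

Run it as "sh ttls-check.sh run" on the RADIUS server itself. A FAIL from the certificate checks means the supplicant side will fail too, regardless of what eap.conf says; a SUCCESS from eapol_test exercises the same path an access point uses, so a failure there with certificates that pass points at clients.conf (secret or address range), the users entry, or the inner-tunnel configuration.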

That's all.

1 comment:

venki said...

Hi,

Followed as per your documentation, but getting an error while executing "make server.pem":

Using configuration from ./server.cnf
unable to load CA private key
1077819068:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:539:
1077819068:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:p12_decr.c:104:
1077819068:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:130:
1077819068:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:pem_pkey.c:132: