Monday, May 07, 2012

How to configure FreeRADIUS2.x support EAP-TLS under Linux?

Continuing from the previous post, How to configure FreeRADIUS2.x support EAP-TTLS under Linux?
Now all that remains is to generate the certificate the client will use and import the ROOTCA and the client certificate into the client; after that EAP-TLS can be used. The whole procedure is as follows:

Step1: MAKING A CLIENT CERTIFICATE

  Client certificates are used by EAP-TLS, and optionally by EAP-TTLS
and PEAP.  The following steps outline how to create a client
certificate that is signed by the server certificate created above.
You will have to have the password for the server certificate in the
"input_password" and "output_password" fields of the server.cnf file.

$ vi client.cnf
  Edit the "input_password" and "output_password" fields to be the
  password for the client certificate.  You will have to give these
  passwords to the end user who will be using the certificates.
  Edit the [client] section to have the correct values for your
  country, state, etc.  Be sure that the commonName field here is
  the User-Name that will be used for logins!
$ make client.pem
  The user's certificate will be in "emailAddress.pem",
  i.e. "user@example.com.pem".
  To create another client certificate, just repeat the steps for
  making a client certificate, being sure to enter a different login
  name for "commonName", and a different password.

Step2: IMPORT ROOTCA, and Client Certificate / using Fedora 16 as the example:
- Security: WPA & WPA2 Enterprise
- Authentication: TLS
- Identity: commonName
- CA certificate: ca.pem
- Private key: client.p12
- Private key password: the "input_password" and "output_password"
Note: ca.pem and client.p12 are produced together when the ROOTCA and Client Certificate are generated; they are located in /etc/raddb/certs/
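Before handing a freshly built client.p12 to a user it is worth checking that the certificate actually chains to ca.pem, that its commonName is the identity the user will log in with (Step 1 insists on this), and that the password you intend to give out really opens the .p12. The script below is an added example, not part of the original post or of FreeRADIUS; it assumes openssl is on PATH and builds its own throwaway CA and client certificate in a temp directory so it runs stand-alone. The identity "user@example.com" and the password "whatever" are constructed demo values; on a real server the files live under /etc/raddb/certs/.

```shell
#!/bin/sh
# Added example: sanity-check an EAP-TLS client certificate before deployment.
# Assumes openssl on PATH. Demo certs below are throwaway, built only so the
# checks can run stand-alone; point the functions at /etc/raddb/certs/ files for real use.
set -e

WORK=$(mktemp -d)

# Build a throwaway CA plus a client certificate signed by it (constructed demo data).
make_demo_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Demo Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=user@example.com" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/client.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/client.pem" 2>/dev/null
}

# Bundle key + certificate into the PKCS#12 file the desktop importer wants.
# The password plays the role of output_password in client.cnf.
make_p12() {
  openssl pkcs12 -export -in "$WORK/client.pem" -inkey "$WORK/client.key" \
    -out "$WORK/client.p12" -passout "pass:$1" 2>/dev/null
}

# Print the commonName of a PEM certificate; this is the EAP-TLS identity.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Return 0 if the client certificate chains to the CA the supplicant will trust.
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Return 0 if the certificate's CN equals the User-Name the user will type.
check_identity() {
  [ "$(cert_cn "$1")" = "$2" ]
}

# Return 0 if the given password opens the .p12 (catches a wrong password
# before the user discovers it at the login prompt).
check_p12_password() {
  openssl pkcs12 -in "$1" -noout -passin "pass:$2" 2>/dev/null
}

# Stand-alone demo run.
make_demo_certs
make_p12 "whatever"
if verify_chain "$WORK/ca.pem" "$WORK/client.pem" \
   && check_identity "$WORK/client.pem" "user@example.com" \
   && check_p12_password "$WORK/client.p12" "whatever"; then
  echo "client certificate for $(cert_cn "$WORK/client.pem") is ready to hand out"
else
  echo "client certificate failed a check" >&2
fi
```

On a real FreeRADIUS host you would skip make_demo_certs and call verify_chain with /etc/raddb/certs/ca.pem and the user's .pem, check_identity with the login name from the [client] section, and check_p12_password with the output_password you set in client.cnf.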

That's all.

1 comment:

karose said...

an eap-tls example for wpa_supplicant.
network={
    ssid="aweaptest"
    key_mgmt=WPA-EAP
    eap=TLS
    pairwise=TKIP
    identity="carlos"
    ca_cert="/etc/ca.pem"
    client_cert="/etc/client.pem"
    private_key="/etc/client.pem"
    private_key_passwd="whatever"
    priority=1
}