When generating certificates for use by FreeRADIUS EAP-TLS, there is an extension which has to be added to the certificate in order for the client to be able to validate the certificate against a root CA certificate. If this extension is not present in your FreeRADIUS certificate, the auth process will fail, because the client will stop communicating with your server once it can't validate your cert. Some people would say that it is better to have EAP-TTLS, but sometimes it is not easy to deploy such a PKI. If you want to use EAP-TLS and if you happen to have your CA running on a Winbugs box, then this might be of help. We are going to generate a request using openssl and issue the certificate with Winbugs, with the needed extension embedded into the cert file.
There are two ways of doing this. For either of them, you need to have openssl installed on the computer where your FreeRADIUS server is and a Certification Authority running on a Winbugs box.

The first way, and the best one, is as follows:

From the computer where your FreeRADIUS is, you generate a request and a private key by:

    shell:~ # openssl req -new -nodes -keyout mykey.pem -out server.csr

The challenge password is important because it'll be used in the FreeRADIUS configuration.

The file mykey.pem is the private key. Copy this file to /usr/local/etc/raddb/certs:

    shell:~ # cp mykey.pem /usr/local/etc/raddb/certs

server.csr is the certificate request. Copy this file to the computer where your CA is.

Then, let's feed this request into your Winbugs CA. Open a command prompt window and type:

    C:\>certreq -submit server.csr

A window will pop up asking you to select the CA your request is to be submitted to. Select the one that you own. This will give you a RequestID. This number is important because it'll be used for the next part.

When a client uses PEAP-EAP-MS-Challenge Handshake Authentication Protocol (CHAP) version 2 authentication, PEAP with EAP-TLS authentication, or EAP-TLS authentication, Microsoft specifies that certificates must have the "Enhanced Key Usage" attribute with the value "Server Authentication" (OID 1.3.6.1.5.5.7.3.1). [Ref.: http://support.microsoft.com/kb/814394/en-us]

Since the certificate request generated in openssl according to the procedure above does not provide this attribute, it is necessary to add it to the pending request with the Windows CLI command "certutil". The general syntax is:

    C:\>certutil -setextension RequestID ExtensionOID Flags @InFile

 - The OID for the attribute "Enhanced Key Usage" is: 2.5.29.37
 - The flag value is set to 0.
 - Create an input text file "eku.txt" (its contents are the DER-encoded extension value, as space-separated hex bytes):

    C:\>echo 30 0a 06 08 2b 06 01 05 05 07 03 01 > eku.txt

Finally, run the following command:

    C:\>certutil -setextension RequestID 2.5.29.37 0 @eku.txt

[Comment: to discover the OID of an attribute, it is possible to dump the contents of an existing valid certificate containing the needed attribute with:

    certutil -v certfile.cer

Ref.: http://technet2.microsoft.com/WindowsServer/en/library/165ee684-1c3a-4cc1-9c5b-0bc1ec1e710a1033.mspx?mfr=true]

Then, open your Certification Authority application, go to "Pending request", right click on the one you modified (RequestID), "All tasks" -> "Issue".

Go to "Issued certificates" and double-click on the one you just issued (RequestID). A window will open displaying the cert's info. Go to the tab "Details" and check that the field "Enhanced Key Usage" is present and its value is "Server Authentication (1.3.6.1.5.5.7.3.1)".

Click on the button "Copy to file..." and save it as either DER encoded or Base-64 encoded, give a filename (let's call it certificate for now) and finish the wizard. This will give you a file "certificate.cer". Copy this file to your FreeRADIUS server in /usr/local/etc/raddb/certs:

    shell:~ # cd /usr/local/etc/raddb/certs

If you exported the certificate as DER encoded there is a final step you have to perform. We need to convert this file to a format FreeRADIUS can understand. So, now type:

    shell:/usr/local/etc/raddb/certs # openssl x509 -inform DER -in certificate.cer -outform PEM -out certificate.pem

If the certificate is Base-64 encoded, then just rename the file (this step is optional, it's just to be consistent with the eap.conf file at the end of this guide):

    shell:/usr/local/etc/raddb/certs # mv certificate.cer certificate.pem

Get your CA certificate, and put it in /usr/local/etc/raddb/certs.
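The bytes echoed into eku.txt above are the DER encoding of an ExtKeyUsage SEQUENCE holding the single id-kp-serverAuth OID. The following is an added example, not code from the original post, that builds that value from the dotted OID (so you are not hand-typing hex) and parses a dumped EKU value back, which is a handy check against what "certutil -v" or the "Details" tab shows you; the function names are my own.

```python
# Added example, not part of the original post: build/parse the DER value
# fed to "certutil -setextension RequestID 2.5.29.37 0 @eku.txt".

SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth, as in the post

def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER (tag 0x06): first two arcs packed as 40*a+b, then
    every arc in base-128 with the continuation bit on all but the last."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID " + dotted)
    body = bytearray()
    for arc in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        body.extend(reversed(chunk))
    return b"\x06" + der_length(len(body)) + bytes(body)

def encode_eku(oids) -> bytes:
    """ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId (tag 0x30)."""
    inner = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + der_length(len(inner)) + inner

def decode_eku(der: bytes) -> list:
    """Parse a short-form EKU SEQUENCE (e.g. dumped from a cert) to OIDs."""
    if len(der) < 2 or der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("not a single short-form SEQUENCE")
    oids, i = [], 2
    while i < len(der):
        if der[i] != 0x06:
            raise ValueError("expected OID at offset %d" % i)
        n, arcs, val = der[i + 1], [], 0
        for b in der[i + 2:i + 2 + n]:
            val = (val << 7) | (b & 0x7F)
            if not b & 0x80:
                arcs.append(val)
                val = 0
        lead = [2, arcs[0] - 80] if arcs[0] >= 80 else [arcs[0] // 40, arcs[0] % 40]
        oids.append(".".join(map(str, lead + arcs[1:])))
        i += 2 + n
    return oids
```

`" ".join("%02x" % b for b in encode_eku([SERVER_AUTH_OID]))` reproduces the exact line the post echoes into eku.txt, and `decode_eku` on the extension value of the issued certificate should give back ["1.3.6.1.5.5.7.3.1"].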
Suppose that your CA certificate is DER encoded in a file named ca.cer; then convert it to PEM by:

    shell:~ # openssl x509 -inform DER -in ca.cer -outform PEM -out ca.pem
    shell:~ # cp ca.pem /usr/local/etc/raddb/certs

Now edit your eap.conf file and you are done. A sample eap.conf is at the end of this guide.

Configure your clients to use PEAP, check the checkbox "Validate server certificate" and select your Trusted Root Certification Authority from the list.

The second way of doing this, which is not very neat, is as follows:

From the computer where your FreeRADIUS is, you generate a request and a private key by:

    shell:~ # openssl req -new -nodes -keyout mykey.pem -out server.csr

The challenge password is important because it'll be used in the FreeRADIUS configuration.

The file mykey.pem is the private key. Copy this file to /usr/local/etc/raddb/certs:

    shell:~ # cp mykey.pem /usr/local/etc/raddb/certs

Then, from the computer where your CA is, open a command prompt window and type:

    C:\>certutil -backup directory

It will prompt you for the password for your private key and will generate a backup of your CA private and public key inside the directory "directory". Let's say that your password is "password". Then, go to "directory":

    C:\>cd directory

And copy the file "Certification Authority.p12" to the computer where your FreeRADIUS is. This file contains both your CA's private and public keys.

Then, from your FreeRADIUS computer, you need to convert this file to a more "manageable" format:

    shell:~ # openssl pkcs12 -in "Certification Authority.p12" -out ca.pem

Then, you need to modify your /etc/ssl/openssl.cnf file. Locate the section [ CA_default ] and modify the lines certificate and private_key, so they point to the file you generated in the last step.
Those lines should look like:

    certificate = /root/ca.pem
    private_key = /root/ca.pem

Once you have finished doing these changes, create a file called xpextensions with the following contents:

    [ xpserver_ext ]
    extendedKeyUsage = 1.3.6.1.5.5.7.3.1

This is required to add the extension needed for your certificate. Then:

    shell:~ # openssl ca -policy policy_anything -out certificate.pem -passin pass:password -key password -extensions xpserver_ext -extfile xpextensions -infiles server.csr

Delete the file server.csr:

    shell:~ # rm server.csr

And copy the files ca.pem and certificate.pem to /usr/local/etc/raddb/certs:

    shell:~ # cp ca.pem certificate.pem /usr/local/etc/raddb/certs

It is preferable to delete all info about the private key from the file ca.pem, but it is up to you.

Now edit your eap.conf file and you are done. A sample eap.conf is at the end of this guide.

Configure your clients to use PEAP, check the checkbox "Validate server certificate" and select your Trusted Root Certification Authority from the list.

SAMPLE EAP.CONF

    eap {
        default_eap_type = peap
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        tls {
            # The challenge password you chose when you generated your private key
            private_key_password =
            private_key_file = ${raddbdir}/certs/mykey.pem
            certificate_file = ${raddbdir}/certs/certificate.pem
            CA_file = ${raddbdir}/certs/ca.pem
            dh_file = ${raddbdir}/certs/dh
            random_file = /dev/urandom
            fragment_size = 1024
            include_length = yes
        }
        peap {
            default_eap_type = mschapv2
        }
        mschapv2 {
        }
    }