WPA HOWTO
From FreeRADIUS Wiki
Contents |
Introduction
About this HOWTO
This document is intended as a practical document with a view to getting WPA authentication up-and-running as quickly and as easily as possible. We therefore gloss over most of the theory behind 802.1x, WPA, cryptosystems, digital signatures and certificates, etc.
Why Would I Want WPA?
In short — security. Wi-Fi Protected Access implements a sub-set (or instance, if you like) of the IEEE's 802.1x authentication standards for wireless networks, and does so in a method compliant with the (at time of writing) forthcoming 802.11i standard. WPA provides for both authentication (assuring the identity of a client machine, the supplicant) and encryption (ensuring exchanges between the wireless access point and client are secure).
WPA Encryption
The encryption provided by WPA is considered to be much more secure than traditional WEP. WEP uses RC4 cryptography usually with a fixed key of 64 to 256 bits in length, and because of this an attack on a WEP-secured network can be mounted by collecting packets for analysis and extracting the key from them. Such a crack can take as long as a matter of days on a small, household network, to a few hours on a busy corporate system. WPA, on the other hand, uses the Temporal Key Integrity Protocol system, TKIP. This has a number of fancy features (with names like "per-packet mixing") that I don't understand, but most importantly the keys are changed over time to make an attack difficult. Some "unofficial" extensions to WPA (that I've found on my hardware, and will probably be on others' as well) also allow AES (alias "Rijndael") encryption, which I believe to the strongest of the lot (although I might be wrong here).
WPA Authentication
WPA Pre-Shared Key (WPA-PSK, or "WPA Personal") is the first kind of WPA, and is trivial to set up (so it's not covered in this document). This uses a password (which can be up to 63 characters in length) to shared between access point and client (a "shared secret") to authenticate, and act as the starting point for the cryptographic process.
WPA with 802.1x and EAP authentication ("WPA Enterprise") is the second form, and it's what we'll be setting up in this document. The Extensible Authentication Protocol is a provision of 802.1x that allows a variety of means of authenticating clients, and in our case we will be using TLS. This involves issuing potential client machines with digital certificates which have been signed by some authority in such a way that they cannot (for all practical purposes) be forged by an attacker. The access point achieves this by requesting the client's certificate and passing it to a RADIUS server, which then checks the certificate is genuine and whether the named client is allowed access. These certificates are also used as a starting point for the cryptographic process.
My Choice
Personally, I chose WPA because I realised I had all the necessary hardware and software to hand — i.e. I did it because I could. I'm currently under the impression that WPA with RADIUS is the most secure way to tie down a wireless LAN. It's also more convenient for me as I don't have to cook up and distribute new WPA-PSK keys every so often; I can also allow friends to use my network with a centrally-managed database and time-limited certificates, and thereby avoid having to divulge network secrets.
OK, so I'm a geek and I did it because I could.
For more information on WPA, visit the Wi-Fi Alliance's WPA official home-page at wi-fi.org, in particular their "WPA Overview" (from which much of this section was researched).
Assumptions
About You and Your System
I am assuming a basic level of competence/experience with UNIX/Linux system administration (i.e., no less basic than my own despotic experience as a home sysadmin), so all the usual cp, mv business, basic TCP/IP, networking, etc. I also assume that you, like I, might not know much about FreeRADIUS or the full extent of its capabilities except that it can be used to control access to wireless networks, and wish to use it exclusively for this purpose.
Hardware
- Something running Linux. For an ideas on specifications, see §§1.4.1
- A Wireless Access Point (AP) capable WPA (or 802.1x) authentication with RADIUS
- A Wireless Network Adapter connected to the Windows XP machine (at present, I have no experience with Linux clients and so cannot document this) with WPA ("Wi-Fi") capability.
Software
I assume that you have built and/or installed:
- Windows XP SP1 with Hotfix Q815485 installed (for WPA management). Service Pack 2 has since been installed, and makes no difference to the procedures outlined herein;
- All the relevant drivers and firmware updates for WPA support on your wireless network adapter;
- OpenSSL 0.9.7a; and
- FreeRADIUS 0.9.1
or better. For help building and installation, see either the documentation that came with the package ("Oh, really?!") or see Raymond McKay's HOWTO on this topic.
What I Use
Computers
The machine on which the RADIUS server resides started out as a stock Fedora Core 1 install. The software on it that as listed above, obtained as RPMs from the FC1 CDs, Fedora Updates, etc. You won't need a monster to run FreeRADIUS: my machine dates from 1998 and uses an 233 MHz AMD K6 CPU with 64 Mb EDO RAM and a 3.2 Gb HDD. It's no speed demon, but it manages to provide RADIUS, Samba, DNS, DHCP, IP routing/firewalling and printing services to a small bevy (of order 10) clients; you may need to scale specification in accordance with load.
My client is a Hewlett-Packard Pavilion zx5000-series notebook running Windows XP SP1 with a Broadcom 54g MaxPerformance 802.11g wireless ethernet adapter. In contrast, this has a 2.8 GHz Pentium 4 CPU with 512 Mb RAM, and still doesn't even know it's born.
Wireless Access Point
I use a U.S. Robotics SureConnect 9106 ADSL Wireless Gateway as a AP. It turns out that this is actually three separate devices rolled into one. Firstly, the DSL modem; secondly, an Ethernet switch. Finally, there is a computer in its own right in the unit running BusyBox Linux 0.60.4 (2.4 series kernel), complete with tools like IPTables for firewalling, etc. This computer has two physical network interfaces, eth0, hard-wired onto the switch, and wl0, the wireless interface. A bridge device br0 sits across these two, facilitating wireless access.
Network Topology
My RADIUS authentication server also acts as the local DNS server and DHCP server. It has two Ethernet cards in it: eth0 is connected to the wired network, and eth1 goes into the back of the AP, both on different Class C subnets. The machine has a number of IPTables rules configured to negotiate traffic between these two subnets.
HOWTO Do It: An Outline
OK, here's what we'll do get our WPA Authentication working:
- Make certificates. Certificates are a digital means of ensuring the identity of a machine or individual and providing keys for encryption. We'll need certificates for the client(s) and RADIUS server. These certificates also need to be certified by a root certification authority (CA), and we'll make one of these as well.
- Configure FreeRADIUS. FreeRADIUS checks the certificate and tells the wireless access point whether or not to accept the connection request.
- Configure the AP. Many modern APs can be configured as a NAS that refers to a RADIUS server for authentication.
- Configure the Client.
Step 1: Make Certificates
Here, we create and install the digital certificates used to authenticate clients on the wireless network.
Reminder You will need the OpenSSL script CA.pl in order to complete this step. This may have come when you built OpenSSL, or as part of your distribution. In Fedora Core 1, this means installing the openssl-perl package.
Certificate Generation Scripts
The following shell scripts may be copied and pasted into the named files. Note that in all three, you will need to set some of the following parameters by hand. These scripts are derived from those in Raymond McKay's HOWTO (see Acknowledgments) with slight modifications.
Note These scripts are not in a ready-to-run state, and you will have to provide substitutions for the highlighted sections appropriate to your site. Also, please read the note on shell script variables in §§3.1.2, as some of the paths and program names may not be appropriate to your system.
Script Listings
First, the script to generate the root CA certificate.
Listing 3.1 CA.root
#!/bin/sh
OPENSSL=openssl
CAPL=<span class="comment hl">(path to your <span class="filename">CA.pl</span>)</span>
KEYGEN=<span class="comment hl">(your choice of key/password generator)</span>
PASSDIR=pass
DERDIR=der
P12DIR=p12
PEMDIR=pem
VALIDFOR=365
PASSWD=$1
mkdir -p $PEMDIR $P12DIR $DERDIR $PASSDIR
if [ -z "${PASSWD}" ]; then
echo "No root password specified, trying $PASSDIR/root.pass."
if [ -a $PASSDIR/root.pass ]; then
PASSWD=`cat $PASSDIR/root.pass`
else
echo "Not found. Generating password, see $PASSDIR/root.pass for contents."
PASSWD=`$KEYGEN | head -c 32`
cat /dev/null > $PASSDIR/root.pass
echo $PASSWD >> $PASSDIR/root.pass
fi
fi
rm -rf demoCA
$OPENSSL req -new -x509 -days $VALIDFOR -keyout $PEMDIR/newreq.pem -out \
$PEMDIR/newreq.pem -passin pass:$PASSWD -passout pass:$PASSWD
echo "${PEMDIR}/newreq.pem" | $CAPL -newca >/dev/null
$OPENSSL pkcs12 -export -in demoCA/cacert.pem -inkey $PEMDIR/newreq.pem -out \
$P12DIR/root.p12 -cacerts -passin pass:$PASSWD -passout pass:$PASSWD
$OPENSSL pkcs12 -in $P12DIR/root.p12 -out $PEMDIR/root.pem -passin \
pass:$PASSWD -passout pass:$PASSWD
$OPENSSL x509 -inform PEM -outform DER -days $VALIDFOR -in $PEMDIR/root.pem \
-out $DERDIR/root.der -passin pass:$PASSWD
rm -rf $PEMDIR/newreq.pem
Next, the script to generate the server certificate.
Listing 3.2 CA.server
#!/bin/sh
OPENSSL=openssl
KEYGEN=<span class="comment hl">(your choice of key/password generator)</span>
PASSDIR=pass
DERDIR=der
P12DIR=p12
PEMDIR=pem
VALIDFOR=365
SNAME=$1
PASSWD=$2
ROOTPASSWD=$3
mkdir -p $PEMDIR $P12DIR $DERDIR $PASSDIR
if [ -z "${SNAME}" ]; then
echo "WARNING: server name not specified. Using \"server\"."
SNAME=server
fi
if [ -z "${PASSWD}" ]; then
echo "No password specified, trying $PASSDIR/$SNAME.pass."
if [ -a $PASSDIR/$SNAME.pass ]; then
PASSWD=`cat $PASSDIR/$SNAME.pass`
else
echo "Not found. Generating password, see $PASSDIR/$SNAME.pass for contents."
PASSWD=`$KEYGEN | head -c 32`
cat /dev/null > $PASSDIR/$SNAME.pass
echo $PASSWD >> $PASSDIR/$SNAME.pass
fi
fi
if [ -z "${ROOTPASSWD}" ]; then
echo "No root password specified, trying $PASSDIR/root.pass."
if [ -a $PASSDIR/root.pass ]; then
ROOTPASSWD=`cat $PASSDIR/root.pass`
else
echo "FATAL: No root certification password."
exit
fi
fi
$OPENSSL req -new -keyout $PEMDIR/newreq.pem -out $PEMDIR/newreq.pem -passin \
pass:$PASSWD -passout pass:$PASSWD
$OPENSSL ca -policy policy_anything -out $PEMDIR/newcert.pem -key $ROOTPASSWD \
-extensions xpserver_ext -extfile xpextensions -days $VALIDFOR -infiles $PEMDIR/newreq.pem
$OPENSSL pkcs12 -export -in $PEMDIR/newcert.pem -inkey $PEMDIR/newreq.pem -out \
$P12DIR/$1.p12 -clcerts -passin pass:$PASSWD -passout pass:$PASSWD
$OPENSSL pkcs12 -in $P12DIR/$SNAME.p12 -out $PEMDIR/$SNAME.pem -passin \
pass:$PASSWD -passout pass:$PASSWD
$OPENSSL x509 -inform PEM -outform DER -in $PEMDIR/$SNAME.pem -out $DERDIR/$SNAME.der
rm -rf $PEMDIR/newcert.pem $PEMDIR/newreq.pem
Finally, the client certificate.
Listing 3.3 CA.client
#!/bin/sh
OPENSSL=openssl
KEYGEN=<span class="comment hl">(your choice of key/password generator)</span>
PASSDIR=pass
DERDIR=der
P12DIR=p12
PEMDIR=pem
VALIDFOR=365
CLNAME=$1
PASSWD=$2
ROOTPASSWD=$3
mkdir -p $PEMDIR $P12DIR $DERDIR $PASSDIR
if [ -z "${CLNAME}" ]; then
echo "WARNING: client name not specified. Using \"client\"."
CLNAME=client
fi
if [ -z "${PASSWD}" ]; then
echo "No password specified, trying $PASSDIR/$CLNAME.pass."
if [ -a $PASSDIR/$CLNAME.pass ]; then
PASSWD=`cat $PASSDIR/$CLNAME.pass`
else
echo "Not found. Generating password, see $PASSDIR/$CLNAME.pass for contents."
PASSWD=`$KEYGEN | head -c 16`
cat /dev/null > $PASSDIR/$CLNAME.pass
echo $PASSWD >> $PASSDIR/$CLNAME.pass
fi
fi
if [ -z "${ROOTPASSWD}" ]; then
echo "No root password specified, trying $PASSDIR/root.pass."
if [ -a $PASSDIR/root.pass ]; then
ROOTPASSWD=`cat $PASSDIR/root.pass`
else
echo "FATAL: No root certification password."
exit
fi
fi
$OPENSSL req -new -keyout $PEMDIR/newreq.pem -out $PEMDIR/newreq.pem -passin \
pass:$PASSWD -passout pass:$PASSWD
$OPENSSL ca -policy policy_anything -out $PEMDIR/newcert.pem -passin \
pass:$PASSWD -key $ROOTPASSWD -extensions xpclient_ext -days $VALIDFOR \
-extfile xpextensions -infiles $PEMDIR/newreq.pem
$OPENSSL pkcs12 -export -in $PEMDIR/newcert.pem -inkey $PEMDIR/newreq.pem -out \
$P12DIR/$CLNAME.p12 -clcerts -passin pass:$PASSWD -passout pass:$PASSWD
$OPENSSL pkcs12 -in $P12DIR/$CLNAME.p12 -out $PEMDIR/$CLNAME.pem -passin \
pass:$PASSWD -passout pass:$PASSWD
$OPENSSL x509 -inform PEM -outform DER -in $PEMDIR/$CLNAME.pem -out \
$PEMDIR/$CLNAME.der
rm -rf $PEMDIR/newcert.pem $PEMDIR/newreq.pem
The following file is also needed to handle extensions to SSL for Windows XP.
Listing 3.4 xpextensions
[ xpclient_ext ] extendedKeyUsage = 1.3.6.1.5.5.7.3.2 [ xpserver_ext ] extendedKeyUsage = 1.3.6.1.5.5.7.3.1
Notes on the Shell Script Variables
The following variables appear in one or more of the above scripts.
- OPENSSL - the name of (or path to) your OpenSSL executable (obviously)
- CAPL - the name of (or path to) CA.pl. In Fedora Core, this is /usr/share/misc/CA.pl
- KEYGEN - the path to a program used to generated random passwords (e.g. sequences of ASCII characters). For this, I use the dns-keygen program for the generation of DNSSEC keys that comes with BIND 9. Automatic password generation is discussed more below.
- PASSDIR - the path to where files for the various certificate passwords reside (see below).
- DERDIR, P12DIR, PEMDIR - directories for the output of various types of files generated by the process.
- VALIDFOR - specifies the time in days for which the certificate is to be valid.
Invoking the Scripts
These scripts needn't be invoked on the machine that's going to be the RADIUS server, but I did because it was the machine at hand with the faculty to do so.
First, a note on certificate passwords.
- The scripts are designed to accept certificate protection passwords as the first, second and third arguments for root, server and client, respectively.
- If no passwords are given, the scripts next look to the contents of pass/root.pass, pass/server-name.pass and pass/client-name.pass to source a passwords. If you wish to set pre-existing passwords, place them here.
- If this fails, $KEYGEN is invoked and its output used. For the server and root certificates, only the first 32 characters are used; for clients, the first 16 (Windows XP doesn't seem to like really long passwords here). Note that any automatically-generated passwords are stored in pass/root.pass, pass/server-name.pass or pass/client-name.pass, depending on the script invoked. You will need these later when using the certificates.
First, generate the root certificate:
$ ./CA.root [password]
The password argument is optional. You will be asked a variety of questions about who you are, what organisation this certificate is for, etc. When asked for a common name, leave the field blank.
Next, the server's:
$ ./CA.server server-name [password [root-password]]
where server-name could be the host-name of the RADIUS server. password and root-password are optional arguments: the first is that of the client certificate; the second is that of the root certificate given previously. server-name name will form the basename of all certificate and key files associated with this machine. You will again be asked a variety of questions about who you are, but when asked for a common name, enter the fully-qualified domain-name of the RADIUS server.
Finally, for the client:
$ ./CA.client client-name [password [root-password]]
where client-name could be the host-name (or better still, the fully-qualified domain-name) of the certified client. When asked for a common name, enter the same as for client-name.
Obviously, you will need to repeat this last step for every other client you wish to authenticate.
Installing the Certificates
You should now have several files in the sub-directories der/, p12/ and pem/.
On the Windows XP Client
Copy the files der/root.der and p12/client-name.p12 to the XP box.
First, install the root certificate to establish ourselves as an authority.
- Double-click on root.der.
- In the "Certificate" property box, click .
- In the Wizard, click .
- Choose , and choose "Trusted Root Certification Authorities".
- Click to finish.
Next, install the client certificate.
- Double-click on client-name.p12.
- In the Wizard, click and again.
- You will be asked for a password. This is the certificate password specified either when you invoked CA.client, or can be found in pass/client-name.pass.
- Choose .
- Click to finish.
On the RADIUS Server
First, we need to make a certificate store. For this purpose, I chose /etc/wireless-auth/. Elevate yourself to the superuser, and:
# mkdir /etc/wireless-auth
Copy the private keys.
# cp pem/root.pem pem/server-name.pem /etc/wireless-auth
Lock up the keys as appropriate. I intend to run radiusd with username and group radiusd, so I allow the superuser rw permissions on the file, and the group radiusd r permissions.
# chown root:radiusd /etc/wireless-auth/*.pem # chmod 0640 /etc/wireless-auth/*.pem
Step 2: Configure FreeRADIUS
Before You Proceed
You'll need to create some files and know some parameters before proceeding to configure FreeRADIUS.
Random Files
The TLS element of FreeRADIUS's EAP module (the bit that does the real authentication, EAP itself is just a wrapper) requires two files with random data: /etc/wireless-auth/DH and /etc/wireless-auth/random. Any random data will do for this, and I use the dns-keygen program.
# /usr/sbin/dns-keygen > /etc/wireless-auth/DH # /usr/sbin/dns-keygen > /etc/wireless-auth/random # chown root:radiusd /etc/wireless-auth/DH /etc/wireless-auth/random # chmod 0640 /etc/wireless-auth/DH /etc/wireless-auth/random
Keys and Shared Secrets
You will need to know the password for the server's private key. This was established in §3.2, where you either passed the password to the scripts as arguments or it was found or generated and stored in pass/server-name.pass.
In addition, you will need a shared secret known only to the RADIUS server and the AP allowing the latter to identify itself to the former. This can be up to 31 characters long and anything you like, but obviously the longer and crazier the better. So I used:
$ /usr/sbin/dnskeygen | head -c 31
Configuration Files
The following scheme assumes you will be using FreeRADIUS exclusively for WPA authentication, and as such it's pretty minimal (FreeRADIUS gurus in all likelihood won't be reading this HOWTO). I arrived at it by taking the advice in McKay's HOWTO, and then deleting bits until it broke FreeRADIUS.
You will need the following files in /etc/raddb/ (or wherever your FreeRADIUS is configured to search for its boot files):
- radiusd.conf - the core FreeRADIUS configuration, given below
- clients.conf - controls which APs can access this RADIUS server, given below
- users - a list of client users, given below
- dictionary - this can be left as it is
- acct_users, db.daily, preproxy_users, hints, huntgroups - can be empty files
FreeRADIUS Core Configuration
Please note that there are several settings in this file you will have to enter in accordance with your local network.
Listing 4.1 - /etc/raddb/radiusd.conf
# radiusd.conf
# Configuration of this RADIUS server.
#
# IMPORTANT: THIS FILE CONTAINS SECRETS.
# This file should have -rw-r----- root:radiusd permissions.
# Various directories
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
# Location of config and logfiles
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
# Libraries, modules, etc.
libdir = /usr/lib
# The pid file
pidfile = ${run_dir}/radiusd.pid
# User/group config of the RADIUS server
user = radiusd
group = radiusd
# Request handling
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
# bind_address: we need only listen on the wireless subnet.
bind_address = (IP address to listen on)
port = 0
hostname_lookups = no
# How the server conducts itself
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
# Logging behaviour
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
# User handling
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
# RADIUS Checker
checkrad = ${sbindir}/checkrad
# Security options
security {
max_attributes = 200
reject_delay = 1
status_server = no
}
# DON'T proxy requests
proxy_requests = no
# CLIENTS CONFIGURATION
# Include the clients here.
$INCLUDE ${confdir}/clients.conf
# Don't use SNMP.
snmp = no
# Thread-pooling
thread pool {
start_servers = 2
max_servers = 10
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
# MODULE CONFIGURATION
modules {
# This is an EAP-based operation.
eap {
default_eap_type = tls
timer_expire = 60
tls {
private_key_password = (server's private key password, e.g. in pass/server-name.pass)
private_key_file = /etc/wireless-auth/server-name.pem
certificate_file = /etc/wireless-auth/server-name.pem
CA_file = /etc/wireless-auth/root.pem
dh_file = /etc/wireless-auth/DH
random_file = /etc/wireless-auth/random
fragment_size = 1024
include_length = yes
}
}
# Preprocess the incoming RADIUS request
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}
# The users file
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
compat = no
}
# Write a detailed log of all accounting records received
detail {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
}
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
}
radutmp {
filename = ${logdir}/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 0600
callerid = "yes"
}
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}
expr {
}
counter daily {
filename = ${raddbdir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
exec {
wait = yes
input_pairs = request
}
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = request
output_pairs = reply
}
ippool main_pool {
range-3 = (starting IP address)
range-stop = (ending IP address)
netmask = 255.255.255.0
cache-size = 800
session-db = ${raddbdir}/db.ippool
ip-index = ${raddbdir}/db.ipindex
override = no
}
}
# MODULE INSTANTIATION
instantiate {
expr
daily
}
# AUTHORISATION PROCESS
authorize {
preprocess
eap
files
}
# AUTHENTICATION PROCESS
authenticate {
eap
}
# ACCOUNTING
preacct {
preprocess
files
}
accounting {
acct_unique
detail
radutmp
}
session {
radutmp
}
post-auth {
}
The Access Point Database
Here you will need the shared secret mentioned in §§4.1.2. Also, try looking in the FreeRADIUS README file to see if there is a known NAS type for your AP. If it's not listed, try a NAS type of other, or keep trying different ones to see which works best (I find the USR 9106 seems to be OK with either other or tc).
Listing 4.2 - /etc/raddb/clients.conf
# clients.conf
# Network access points that authenticate through RADIUS specified here.
#
# IMPORTANT: THIS FILE CONTAINS SECRETS.
# This file should have -rw-r----- root:radiusd permissions.
# The wireless access point
client "(the AP's IP address)" {
secret = (RADIUS shared secret)
shortname = (a name for logging, etc.)
nastype = (your AP's NAS type; if unknown, try "other")
}
The Users’ (Supplicant) Database
In the following, you should have an entry of the form of the first active line for each client machine you wish to permit onto the wireless network. Note the DEFAULT entry makes RADIUS automatically drop client machines not listed here — a handy way to disable unauthorised clients without having to revoke and re-issue all the certificates!
Listing 4.3 - /etc/raddb/users
# users
# A list of users and their authentication types.
"client-name" Auth-Type := EAP
# This is important: it makes RADIUS reject users not found above
DEFAULT Auth-Type := Reject
Reply-Message = "(colourful note of rejection)"
Starting radiusd
Starting as a Service
If you are confident in this configuration, you can start the radiusd service as normal:
# /sbin/service radiusd start
Directly with Debugging Options
If not, or this fails, invoke radiusd directly with the debugging options enabled to see what's going on:
# /usr/sbin/radiusd -X -A
Step 3: Configure the AP
This is perhaps the easiest step, but because APs vary in their configuration, the one I can talk on the least. However, most APs I've seen claim to have a web-based interface for configuration, and I assume you've accessed yours on a number of occasions when installing the device or bored. Here I'll try and describe things in terms as broad as possible.
- Point your web-browser to the AP's configuration page.
- Choose the page that deals with "Wireless Security", "Network Authentication", or similar.
- If you are presented a list of authentication methods, select "WPA".
- Enter the RADIUS settings:
- RADIUS Server IP Address: Self-explanatory: the IP address of your RADIUS server.
- RADIUS Port: This is normally 1812.
- RADIUS Key: Enter the shared secret used in this AP's block in the FreeRADIUS clients.conf file.
- Choose an encryption method (typically one of WEP, TKIP or AES).
- I chose AES, although unlike TKIP this is not strictly part of the WPA specification. AES is expected to form part of WPA 2. I attribute having mutually compatible hardware strictly to serendipity, and you may not have AES available to you.
- Tell the AP to accept the changes.
Note that any given AP will be wildly different from this. For instance, some place authentication methods and RADIUS configuration may be in separate pages in your AP's configurator application; there are also things like WPA rekeying intervals (I use 3600 seconds) and perhaps other options in APs I've not had a chance around with which to play.
Step 4: Configure the Client
This section assumes that you have:
- installed and configured your 802.11 wireless hardware
- configured the wireless interface's TCP/IP settings to your liking (e.g. DHCP, firewalling, etc.)
- installed Windows XP SP1 and Hotfix Q815485 (available via http://download.microsoft.com) for WPA Authentication, plus any of the necessary tools provided by your wireless interface manufacturer.
Note Hotfix Q815485 does not provide WPA support and wireless encryption through TKIP and AES. As far as I understand, this provides the mechanisms for Windows XP to configure and manage such features (as opposed to manufacturer-specific utilities). You'll still need WPA support from your wireless hardware drivers.
As an example of this, I normally use a built-in Broadcom 54g MaxPerformance 802.11g with my notebook. The drivers for this provide WPA support with WEP, TKIP and AES encryption, and this can be configured either with the standard Windows XP property boxes, or through Broadcom's own utility.
Establishing the Connection
The configuration of a WPA-authenticated connection can normally be carried out in in two ways. Firstly, many wireless adapter manufacturers provide utilities to manage wireless connections on their hardware. As this method depends on exactly what card one is using, it is not covered here; furthermore, I guess that those who plan on taking this route will probably not need to read this section!
The second route is to let Windows XP manage the authentication. This I can describe.
- Plug in and/or activate your wireless hardware. A "two monitors" icon may appear in the Notification Area for the interface.
- Right-click on the wireless interface's "two monitors" icon in the Notification Area, and choose View Available Wireless Networks. At this point, you will be presented with a list of available networks. If you configured your AP with "Disable SSID Broadcast" (or similar), you might not see any networks at all. In either case,
- Click Advanced... in the box that opens. The wireless interface's properties box will open.
- Check Use Windows to configure my wireless network settings.
- In the "Preferred networks" group, choose the network with WPA authentication and click Properties. If its not listed, click Add.... At this point, the "Wireless network properties" box appears.
- If it is absent, enter the network's SSID (Association tab).
- Under the Association tab, in the "Wireless network key" group, set the following:
- Network Authentication: WPA
- Data Encryption: choose one of either AES or TKIP to reflect the settings on your AP.
- Under the Authentication tab, set:
- Check Authenticate as computer...
- Uncheck Authenticate as guest...
- EAP Type: Smart Card or Other Certificate.
- Click Properties (under the Authentication tab).
- In the "Smart Card or other Certificate Properties" box, set the following:
- Choose Use a certificate on this computer
- Check Use simple certificate selection
- Check Validate server certificate
- Uncheck Connect to these servers:
- In the list of trusted root CAs, check only the CA that corresponds to the certificate you have generated
- Uncheck Use a different user name for the connection
- Click OK in all three boxes to set the connection properties.
If all is well-configured, everything should be working in minutes. (The process could take a minute or longer from cold; I find that activating the connection on my notebook before logging in seems to work the quickest.) To check progress, open up the Network Connections pseudo-folder from Control Panel. The status of the wireless connection should go from "Wireless connection unavailable" to "Attempting authentication" and then "Authentication succeeded" (along with an informative speech bubble from the Notification Area). If you use DHCP, check that the interface has acquired an IP address.
That's it!
Troubleshooting
radiusd Won't Start
Start radiusd directly with the debugging options, as per §§4.3.2. When setting up FreeRADIUS, I found I made the following common errors:
- Unmatched { or } in the configuration files. - radiusd normally reports a message to the effect of "file ended early" in this case.
- Can't access configuration/key files. - If you're running radiusd as non suid-root, make sure that the files' permissions are correct. (radiusd will tell you "permission denied" and the filename.)
- Files not found. Check that all the null files (see §4.2) exist.
Can't Authenticate
You've done all the steps above, and after about five minutes of waiting, Windows XP has popped up a little bubble (or put a flag in the "Network Connections" pseudo-folder) saying "Cannot log onto the network" (or "Authentication failed"). Maybe, if you're using DHCP, it's even gone ahead with that crazy "Zero Configuration" business.
First, try setting up a "dummy account" to test authentication. Add the following group to /etc/raddb/clients.conf:
Listing 7.1 - Added to /etc/raddb/users
- client "127.0.0.1" {
- secret = test-secret
- shortname = localhost
- }
Add the following line to /etc/raddb/users before the DEFAULT entry:
Listing 7.2 - Added to /etc/raddb/users
- "test" Auth-Type := Local, User-Password == "test"
Start radiusd directly (see §§4.3.2), and test this configuration using:
$ radtest test test localhost 0 test-secret
Amongst the reams of RADIUSspeak produced, you should see a message informing you that an Accept-Accept message has been returned. If not, go through the configuration files again. Some things that could go wrong include:
- Unmatched passwords/keys - This could be in the EAP/TLS configuration in /etc/raddb/radiusd.conf (when accessing the server's private key), or a mismatch between your /etc/raddb/clients.conf and AP's settings.
- Typos in IP addresses
- User names spelt incorrectly
You should, at this point, feel quite patronised. But if this solves the problem, the test lines of Listings 7.1 and 7.2 above should be removed.
Still not working? Take a look at the client. Windows XP clearly wasn't designed with the dollar-prompt-and-dot-conf type in mind — things break, and you're lucky if you get an error message telling you even vaguely what has gone wrong. Try:
- Rebooting and try activating your wireless hardware before you log in.
- I don't know why this expedites the process on my machine; perhaps it prevents the XP supplicant from attempting to authenticate as the user, and authenticate as the machine instead.
- Checking the logs. These can be found in the Event Viewer:
- Click Start, Run....
- Enter eventvwr.msc /s.
- Click OK.
- From here on in it's down to your own sysadmin's intuition. The "System" and "Application" logs will be of particular interest. In my experience, the messages given are very earnest, descriptive and long-winded, but more often than not seem to omit everything useful.
- Reinstalling all the software for your wireless adapter.
Miscellaneaous
Questions, Answers and Cry-For-Helps
How can I add more APs?
Easily. Simply configure the additional APs as described herein, and add corresponding blocks for their IP addresses in the FreeRADIUS clients.conf file. In the interest of security, I advise you use a different shared secret for each.
Can I use something other than WPA?
Yes. In the properties box for a given wireless network in Windows XP, you can choose from Open, Shared, WPA and WPA Pre-Shared Key. Provided you choose some from of encryption, you will be able to use 802.1x authentication in conjunction with it. As far as I have played with this, no adjustments need to be made with RADIUS, but you might need to adjust your AP's encryption settings and tell it to use 802.1x.
I can't find any mention of WPA in the Windows XP property boxes!
Check the following:
- Are you up to date with Windows XP Service Packs, Hotfixes and Patches?
- Have you tried the utilities that came with your wireless adapter?
- Are you using the latest drivers and configuration utilities? Perhaps your adapter doesn't support WPA yet.
I've found that XP doesn't present the WPA options for a network unless it has confirmed that the network requires WPA authentication. So you should also check that
- the wireless interface is activated (i.e., radio on); and
- you've spelt the SSID correctly (if broadcast is disabled).
Windows XP will also not present WPA options if your wireless network interface does not support WPA. This is the case with a number of Acer laptops.
If this is of no help, you could try using something other than WPA in the meantime (see above).