Setup Debian as Freeradius PEAP MSCHAPv2 Authentication Server

Filed Under (debian, linux) by Coni on 30-04-2008

This article continues the previous one about installing FreeRADIUS on Debian Etch. FreeRADIUS will use a MySQL database. The steps are as follows:

1. Create the SSL certificates. Make sure openssl is installed. Copy the xpextensions file from the directory where the source was extracted if the file is not already in /etc/freeradius/certs.

cp /direktori_source/freeradius-1.1.3/scripts/xpextensions /etc/freeradius/certs/

Change into /etc/freeradius/certs/ and create a script named CA.certs to generate the certificates. The file already exists as /direktori_source/freeradius-1.1.3/scripts/CA.certs, but used as-is it fails, so it has to be modified like this:

#!/bin/sh
 
#
#  This is a NON-INTERACTIVE script to help generate certificates for
#  use with the EAP-TLS module.
#
#	$Id: CA.certs,v 1.1 2004/01/23 17:02:31 aland Exp $
 
#
#  This environment variable should point to the SSL installation
#
[ "$SSL" = "" ] && SSL=/usr/lib/ssl
export SSL
 
#
#  Edit the following variables for your organization.
#
COUNTRY="ID"
PROVINCE="Jawa Barat"
CITY="Bandung"
ORGANIZATION="yuniarko.net"
ORG_UNIT=`hostname`
PASSWORD="private_key_password"
 
COMMON_NAME_CLIENT="FreeRadius Client certificate"
EMAIL_CLIENT="coni@yuniarko.net"
PASSWORD_CLIENT=$PASSWORD
 
COMMON_NAME_SERVER="FreeRadius Server certificate"
EMAIL_SERVER="coni@yuniarko.net"
PASSWORD_SERVER=$PASSWORD
 
COMMON_NAME_ROOT="FreeRadius Root certificate"
EMAIL_ROOT="coni@yuniarko.net"
PASSWORD_ROOT=$PASSWORD
 
#
#  lifetime, in days, of the certs
#
LIFETIME=730
 
######################################################################
#
#  Don't change anything below this line...
#
######################################################################
 
#
#  Prefer the SSL configured above, over any previous installation.
#
PATH=${SSL}/bin/:${SSL}/misc:${PATH}
LD_LIBRARY_PATH=${SSL}/lib
export PATH LD_LIBRARY_PATH

#
#  Start from a clean certs directory, keeping only the CA serial counter.
#
mv demoCA/serial .
rm -rf demoCA roo* cert* *.pem *.der
mkdir -p demoCA
mv serial demoCA
echo -e ""
echo -e "\t\t##################"
echo -e "\t\tcreate private key"
echo -e "\t\tname : name-root"
echo -e "\t\tCA.pl -newcert"
echo -e "\t\t##################\n"
 
#
#  Root CA: a self-signed key + certificate, subject taken from the *_ROOT
#  variables. The answers are piped in the order openssl req asks for them.
#
(echo $COUNTRY
echo $PROVINCE
echo $CITY
echo $ORGANIZATION
echo $ORG_UNIT
echo $COMMON_NAME_ROOT
echo $EMAIL_ROOT
) | openssl req -new -x509 -keyout newreq.pem -out newreq.pem -days $LIFETIME -passin pass:$PASSWORD_ROOT -passout pass:$PASSWORD_ROOT
if [ "$?" != "0" ]
then
echo "Failed to create root CA certificate"
exit 1
fi
 
echo -e ""
echo -e "\t\t##################"
echo -e "\t\tcreate CA"
echo -e "\t\tuse just created 'newreq.pem' private key as filename"
echo -e "\t\tCA.pl -newca"
echo -e "\t\t##################\n"
 
#  CA.pl -newca copies newreq.pem into demoCA/ (cacert.pem, private/cakey.pem)
echo "newreq.pem" | CA.pl -newca || exit 2
 
#ls -lg demoCA/private/cakey.pem
 
echo -e ""
echo -e "\t\t##################"
echo -e "\t\texporting ROOT CA"
echo -e "\t\topenssl pkcs12 -export -in demoCA/cacert.pem -inkey newreq.pem -out root.p12"
echo -e "\t\topenssl pkcs12 -in root.p12 -out root.pem"
echo -e "\t\topenssl x509 -inform PEM -outform DER -in root.pem -out root.der"
echo -e "\t\t##################\n"
 
#  root.der is the form to import into the Windows trusted root store
openssl pkcs12 -export -in demoCA/cacert.pem -inkey newreq.pem -out root.p12 -cacerts -passin pass:$PASSWORD_ROOT -passout pass:$PASSWORD_ROOT
openssl pkcs12 -in root.p12 -out root.pem -passin pass:$PASSWORD_ROOT -passout pass:$PASSWORD_ROOT
openssl x509 -inform PEM -outform DER -in root.pem -out root.der
 
echo -e ""
echo -e "\t\t##################"
echo -e "\t\tcreating client certificate"
echo -e "\t\tname : name-clt"
echo -e "\t\tclient certificate stored as cert-clt.pem"
echo -e "\t\tCA.pl -newreq"
echo -e "\t\tCA.pl -signreq"
echo -e "\t\t##################\n"
 
#
#  Client certificate: key + request from the *_CLIENT variables, signed by
#  the CA with the xpclient_ext section (clientAuth EKU) from xpextensions.
#  The last two answers are the challenge password and optional company name.
#
(echo $COUNTRY
echo $PROVINCE
echo $CITY
echo $ORGANIZATION
echo $ORG_UNIT
echo $COMMON_NAME_CLIENT
echo $EMAIL_CLIENT
echo $PASSWORD_CLIENT
echo "testing"
) | openssl req -new -keyout newreq.pem -out newreq.pem -days $LIFETIME -passin pass:$PASSWORD_CLIENT -passout pass:$PASSWORD_CLIENT
if [ "$?" != "0" ]
then
echo "Failed to create client certificate"
exit 1
fi
 
#  -passin/-key here are the CA key password (the root key signs the request)
(echo y
echo y) | openssl ca  -policy policy_anything -out newcert.pem -passin pass:$PASSWORD_ROOT -key $PASSWORD_ROOT -extensions xpclient_ext -extfile xpextensions -infiles newreq.pem
if [ "$?" != "0" ]
then
echo "Failed to sign client certificate"
exit 1
fi
 
openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out cert-clt.p12 -clcerts -passin pass:$PASSWORD_CLIENT -passout pass:$PASSWORD_CLIENT || exit 8
openssl pkcs12 -in cert-clt.p12 -out cert-clt.pem -passin pass:$PASSWORD_CLIENT -passout pass:$PASSWORD_CLIENT || exit 9
openssl x509 -inform PEM -outform DER -in cert-clt.pem -out cert-clt.der || exit 10
 
echo -e ""
echo -e "\t\t##################"
echo -e "\t\tcreating server certificate"
echo -e "\t\tname : name-srv"
echo -e "\t\tserver certificate stored as cert-srv.pem"
echo -e "\t\tCA.pl -newreq"
echo -e "\t\tCA.pl -signreq"
echo -e "\t\t##################\n"
 
#
#  Server certificate: key + request from the *_SERVER variables, signed by
#  the CA with the xpserver_ext section (serverAuth EKU), which Windows
#  supplicants require on the RADIUS server certificate.
#
(echo $COUNTRY
echo $PROVINCE
echo $CITY
echo $ORGANIZATION
echo $ORG_UNIT
echo $COMMON_NAME_SERVER
echo $EMAIL_SERVER
echo $PASSWORD_SERVER
echo $ORG_UNIT
) | openssl req -new  -keyout newreq.pem -out newreq.pem -days $LIFETIME -passin pass:$PASSWORD_SERVER -passout pass:$PASSWORD_SERVER
if [ "$?" != "0" ]
then
echo "Failed to create server certificate"
exit 1
fi
 
(echo y
echo y) | openssl ca  -policy policy_anything  -out newcert.pem -passin pass:$PASSWORD_ROOT -key $PASSWORD_ROOT -extensions xpserver_ext -extfile xpextensions -infiles newreq.pem
if [ "$?" != "0" ]
then
echo "Failed to sign server certificate"
exit 1
fi
 
#  cert-srv.pem holds both the (encrypted) key and the certificate, which is
#  why eap.conf can point private_key_file and certificate_file at it
openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out cert-srv.p12 -clcerts -passin pass:$PASSWORD_SERVER -passout pass:$PASSWORD_SERVER || exit 5
openssl pkcs12 -in cert-srv.p12 -out cert-srv.pem -passin pass:$PASSWORD_SERVER -passout pass:$PASSWORD_SERVER || exit 6
openssl x509 -inform PEM -outform DER -in cert-srv.pem -out cert-srv.der || exit 7
 
echo -e "\n\t\t#################################"
echo -e "\t\tDONE.  Thank you for your patience."
echo -e "\t\t###################################\n"

2. Install the MySQL database.
Create the radius database and the radius user:

mysql -u root -p
> CREATE DATABASE radius;
> GRANT ALL PRIVILEGES ON radius.* TO 'radius'@'localhost' IDENTIFIED BY 'password';
> FLUSH PRIVILEGES;
> EXIT

Import the FreeRADIUS MySQL schema:

zcat /usr/share/doc/freeradius/examples/mysql.sql.gz | mysql -u radius -p radius

3. Configure FreeRADIUS. Change into /etc/freeradius and edit the files below. Only the relevant parts are shown; adjust them to match your setup, and everything listed here must be enabled (uncommented).
radiusd.conf

mschap {
    authtype = MS-CHAP
    use_mppe = yes
    require_encryption = yes
    require_strong = yes
}
authorize {
    preprocess
    mschap
    suffix
    eap
    sql
}
accounting {
    sql
}
session {
    sql
}
post-auth {
    sql
}
authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
    eap
}

clients.conf

client 192.168.1.0/24 {
    secret          = secret
    shortname       = myhomewireless
}

192.168.1.0/24 is the network the AP is on; it can also be replaced with the IP address of the AP itself.
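The shared secret in clients.conf deserves more attention than the placeholder value above suggests: it is the only thing authenticating the AP to FreeRADIUS, and the MS-MPPE keys that MS-CHAPv2 hands back in the Access-Accept are protected with it. As an added example (not part of the original post), the shell snippet below prints a client stanza with a randomly generated secret and audits a clients.conf for stanzas that still carry a placeholder or short secret. The function names and the constructed sample file are this example's own; the first stanza in the sample is the one from this post.

```shell
#!/bin/sh
# Added example (not from the original article): generate a client stanza
# with a random shared secret, and audit clients.conf for weak ones.

# new_client_stanza NETWORK SHORTNAME
# Prints a clients.conf stanza with a fresh 96-bit secret (24 hex chars,
# safe to use unquoted in clients.conf).
new_client_stanza() {
    net=$1; short=$2
    sec=$(openssl rand -hex 12)
    printf 'client %s {\n\tsecret\t\t= %s\n\tshortname\t= %s\n}\n' "$net" "$sec" "$short"
}

# audit_clients_conf FILE
# Prints one "OK"/"WARN" line per client stanza. Returns 0 when every stanza
# passed, 1 if any was flagged (missing, well-known or short secret).
audit_clients_conf() {
    awk '
        /^[[:space:]]*client[[:space:]]/ { name = $2; secret = ""; next }
        /^[[:space:]]*secret[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); gsub(/^"|"$/, ""); secret = $0; next
        }
        /^[[:space:]]*}/ && name != "" {
            lower = tolower(secret)
            if (secret == "")
                why = "no secret set"
            else if (lower == "secret" || lower == "testing123" || lower == "password")
                why = "well-known placeholder secret"
            else if (length(secret) < 16)
                why = "secret shorter than 16 characters"
            else
                why = ""
            if (why == "") print "OK   " name
            else { print "WARN " name ": " why; bad = 1 }
            name = ""
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# demo_clients_conf
# Writes a constructed sample file (the stanza from the post plus a generated
# one) to a temp file and prints its path.
demo_clients_conf() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
client 192.168.1.0/24 {
secret          = secret
shortname       = myhomewireless
}
EOF
    new_client_stanza 192.168.2.0/24 office-ap >>"$f"
    echo "$f"
}
```

Run audit_clients_conf /etc/freeradius/clients.conf on the real file; the exit status makes it usable from a cron job or a configuration check before restarting the daemon. The generated secret only needs to be copied into the AP, which is the same place the page's "secret" value goes.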
eap.conf

eap {
    default_eap_type = peap
    tls {
        private_key_password = private_key_password
        private_key_file = ${raddbdir}/certs/cert-srv.pem
        certificate_file = ${raddbdir}/certs/cert-srv.pem
        CA_file = ${raddbdir}/certs/demoCA/cacert.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
    }
    peap {
        default_eap_type = mschapv2
    }
}

private_key_password must be the same value that was set in the CA.certs script when the certificates were generated.
sql.conf

sql {
    driver = "rlm_sql_mysql"
    server = "localhost"
    login = "radius"
    password = "password"
    radius_db = "radius"
}

4. Configure the AP. The AP I use is a Linksys WAP54G. This time it is shown with screenshots only, since the setup is simple.

The secret is the same value as in the clients.conf file.

Install FreeRADIUS on Debian Etch with EAP-TLS support

Filed Under (debian, linux) by Coni on 29-04-2008

If we install freeradius from the Debian repository, there is no EAP-TLS support (reportedly because of a licensing issue). Error messages like these appear in the log file when EAP-TLS is enabled:

Error: rlm_eap: Failed to link EAP-Type/tls: rlm_eap_tls.so: cannot open shared object file: No such file or directory
Error: radiusd.conf[10]: eap: Module instantiation failed.
Error: radiusd.conf[1940] Unknown module "eap".
Error: radiusd.conf[1887] Failed to parse authenticate section.

So we need to download the FreeRADIUS source from http://freeradius.org/getting.html. After downloading, don't forget to extract it:

tar -zxvf freeradius_1.1.3-0.tar.gz
cd freeradius-1.1.3

Build the packages with the command:

dpkg-buildpackage -us -uc -rfakeroot

If a message like this appears:

dpkg-checkbuilddeps: Unmet build dependencies: dpatch (>= 2) libltdl3-dev libpam0g-dev libmysqlclient15-dev | libmysqlclient-dev libgdbm-dev libldap2-dev libsasl2-dev libiodbc2-dev libkrb5-dev libperl-dev libpcap-dev python-dev libsnmp9-dev | libsnmp-dev libpq-dev
dpkg-buildpackage: Build dependencies/conflicts unsatisfied; aborting.
dpkg-buildpackage: (Use -d flag to override.)

it means there are build dependencies that still need to be installed, so install them:

apt-get install dpatch libltdl3-dev libpam0g-dev libmysqlclient15-dev libmysqlclient-dev libgdbm-dev libldap2-dev libsasl2-dev libiodbc2-dev libkrb5-dev libperl-dev libpcap-dev python-dev libsnmp9-dev libsnmp-dev libpq-dev

After that, run dpkg-buildpackage -us -uc -rfakeroot again. When it finishes, go up one directory and the .deb files will be there:

ls *.deb

freeradius_1.1.3-0_i386.deb
freeradius-dialupadmin_1.1.3-0_all.deb
freeradius-iodbc_1.1.3-0_i386.deb
freeradius-krb5_1.1.3-0_i386.deb
freeradius-ldap_1.1.3-0_i386.deb
freeradius-mysql_1.1.3-0_i386.deb
freeradius-postgresql_1.1.3-0_i386.deb

From there, install the ones you need one by one:

dpkg -i freeradius_1.1.3-0_i386.deb freeradius-mysql_1.1.3-0_i386.deb

Installing Debian Testing: boot error "Processor Device is not Present"

Filed Under (debian, linux) by Coni on 24-04-2008

Because of this error I was really shocked. During the installation process everything worked fine. When I booted for the first time it suddenly stopped and nothing was shown on the screen. If I removed the quiet option from the boot parameters, it showed the message Processor Device is not Present approximately 4 or 5 times (I don't remember exactly) and then just stopped.

After searching, I found no solution, just some clues. The solution is to add some boot parameters:

noapic acpi=off pnpbios=off

so it looks like

kernel /boot/vmlinuz-2.6.24-1-686 root=/dev/sdaX ro quiet vga=XXX noapic acpi=off pnpbios=off

That's all; finally my Debian can boot.
