
Sunday, March 21, 2010

Misc 10

(This uses the topology found in Misc 3)
Now that you've installed FreeRADIUS with OpenSSL support, it's time to set it up. First of all, we'll need to generate a key pair and a self-signed certificate for the server. CA.pl -newcert writes the private key to newkey.pem and the certificate to newcert.pem in the current directory and prompts for a passphrase; remember it, because eap.conf needs it below. To do this, type:
cd /etc/freeradius/certs/
/usr/lib/ssl/misc/CA.pl -newcert


This procedure should be quite familiar to you if you've set up Apache2 for HTTPS support.

Now, you'll need to generate the Diffie-Hellman parameters (not "ciphers") that TLS uses for ephemeral key exchange. The command below is the one quoted in the DH section of eap.conf, and its output path is relative to /etc/freeradius, not to the certs folder, so go up one level first (or stay in certs and drop the certs/ prefix):
cd /etc/freeradius
openssl dhparam -out certs/dh 1024

You do not need to memorize that line; it is quoted in the DH section of the eap.conf file. 1024 bits is what that comment suggests, but 2048 is the sensible minimum today; generation takes longer but only happens once.

Now, it's time to point the server to use PEAP. Modify /etc/freeradius/eap.conf and change the default EAP type to peap:
default_eap_type = peap

Scroll to the TLS section and make changes similar to this:
tls {
...
certdir = ${confdir}/certs
cadir = ${confdir}/certs

private_key_password = cisco
private_key_file = ${certdir}/newkey.pem
...
certificate_file = ${certdir}/newcert.pem
...
CA_file = ${cadir}/newcert.pem
...
dh_file = ${certdir}/dh
random_file = /dev/urandom
...
}


Now your server should be able to start and load the certificate, key and DH parameters. Check by running it in debug mode (freeradius -X) and watching for TLS errors before the "Ready to process requests." line. Two things to note about the block above: random_file only seeds OpenSSL's random number generator, so it should be /dev/urandom rather than a reused DH parameter file; and because the certificate is self-signed, CA_file is the server certificate itself, so each supplicant must be configured to trust newcert.pem. A client that is set to skip server-certificate validation will happily send its credentials to any rogue access point running a PEAP server.

Do note that changing default_eap_type to peap doesn't restrict the server to PEAP. It only determines which method the server offers first; if the client replies with a NAK asking for MD5, EAP-MD5 authentication still goes through as long as that method is enabled.

To truly remove EAP-MD5, comment out the md5 { } subsection inside the eap { } block of eap.conf. sites-available/default only lists the eap module as a whole in authorize { } and authenticate { }; the individual EAP methods are switched on and off in eap.conf.
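As an added check for the settings discussed in the tls block and the EAP-MD5 note above (this is example code written for this page, not part of FreeRADIUS), here is a small Python script that parses an eap.conf written in the radiusd.conf brace syntax, expands ${confdir}-style references, and reports whether md5 { } is still enabled, whether random_file reuses the DH file, and whether CA_file is just the self-signed server certificate. The sample configuration embedded in it is constructed from the tls block shown above plus the stock md5, peap and mschapv2 stanzas of a 2.x eap.conf; the /etc/freeradius confdir default and the subset of syntax handled are assumptions.

```python
"""Audit a FreeRADIUS 2.x eap.conf for the settings discussed on this page.

Added example; not FreeRADIUS code. The parser covers only the subset of the
radiusd.conf syntax that eap.conf uses (name { ... } blocks, key = value
lines, # comments), and ${name} expansion is a simplified assumption.
"""
import re

# Constructed sample: the tls {} block as written on this page, plus the stock
# md5 {}, peap {} and mschapv2 {} stanzas a default 2.x eap.conf ships with.
WEAK_EAP_CONF = """\
eap {
    default_eap_type = peap
    md5 {
    }
    tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        private_key_password = cisco    # the CA.pl passphrase
        private_key_file = ${certdir}/newkey.pem
        certificate_file = ${certdir}/newcert.pem
        CA_file = ${cadir}/newcert.pem
        dh_file = ${certdir}/dh
        random_file = ${certdir}/dh
    }
    peap {
        default_eap_type = mschapv2
    }
    mschapv2 {
    }
}
"""

# Same file with EAP-MD5 removed and the PRNG seed pointed at the kernel.
HARDENED_EAP_CONF = (
    WEAK_EAP_CONF.replace("    md5 {\n    }\n", "")
    .replace("random_file = ${certdir}/dh", "random_file = /dev/urandom")
)


def parse_conf(text):
    """Parse brace-delimited config into nested dicts: blocks become dicts,
    'key = value' lines become string entries. Raises on unbalanced braces."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line == "}":
            stack.pop()
            if not stack:
                raise ValueError("unexpected '}'")
        elif line.endswith("{"):
            block = {}
            stack[-1][line[:-1].strip()] = block
            stack.append(block)
        elif "=" in line:
            key, val = (part.strip() for part in line.split("=", 1))
            stack[-1][key] = val.strip('"')
        else:
            raise ValueError("unparsed line: %r" % raw)
    if len(stack) != 1:
        raise ValueError("unterminated block")
    return root


def expand(value, scope, confdir="/etc/freeradius"):
    """Resolve ${name} references against the same block, then ${confdir}.
    Iterates so that ${certdir} -> ${confdir}/certs -> /etc/freeradius/certs."""
    env = {"confdir": confdir}
    env.update({k: v for k, v in scope.items() if isinstance(v, str)})
    for _ in range(8):
        new = re.sub(r"\$\{(\w+)\}", lambda m: env.get(m.group(1), m.group(0)), value)
        if new == value:
            break
        value = new
    return value


def audit_eap(text):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    eap = parse_conf(text).get("eap", {})
    if eap.get("default_eap_type") != "peap":
        findings.append("default_eap_type is not peap")
    # default_eap_type only picks what is offered first; the md5 {} stanza is
    # what actually enables EAP-MD5, so its presence is the real finding.
    if "md5" in eap:
        findings.append("EAP-MD5 enabled: remove the md5 {} subsection")
    tls = eap.get("tls", {})
    paths = {k: expand(v, tls) for k, v in tls.items()}
    for key in ("private_key_file", "certificate_file", "CA_file", "dh_file"):
        if key not in paths:
            findings.append("tls: %s is not set" % key)
    if "random_file" in paths and paths["random_file"] == paths.get("dh_file"):
        findings.append("tls: random_file is the DH parameter file; use /dev/urandom")
    if "CA_file" in paths and paths["CA_file"] == paths.get("certificate_file"):
        findings.append("tls: CA_file is the server cert itself (self-signed); "
                        "supplicants must be told to trust it")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_EAP_CONF), ("hardened", HARDENED_EAP_CONF)):
        print(name)
        for finding in audit_eap(conf):
            print("  -", finding)
```

Running it prints three findings for the configuration as written above (EAP-MD5 still enabled, random_file reusing the DH file, CA_file equal to the server certificate) and only the self-signed reminder for the hardened variant; that last one is not a bug but the thing you have to remember to handle on the client side.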
