Monday, February 21, 2011

WPA2 Enterprise on Ubuntu: Configuring an 802.1x FreeRADIUS Server

This howto describes setting up the FreeRADIUS server v2.1.10 on Ubuntu Maverick v10.10 including properly signed certificates for server identification. The setup is known to work for clients running Windows 7, Ubuntu, Android, iPhone etc.

Background:

It has been known for many years that Wired Equivalent Privacy (WEP) encryption is broken. Pre-shared WEP keys can be cracked in a matter of minutes. Its replacement, Wi-Fi Protected Access II (WPA2) is now shipped on most consumer devices. WPA2 can use either pre-shared encryption keys (WPA2 Personal), or managed keys with an 802.1X authentication server (WPA2 Enterprise).

While WPA2 Personal may be suitable for home-use, it is often not emphasised that knowing the pre-shared keys (PSK) enables all wireless traffic to be decrypted. Given the PSK and a capture of the first 4 packets during the authentication process the remainder of all encrypted traffic can be readily decrypted. An example of this is described in the Wireshark documentation.

This point should be stressed more since it occurs quite frequently. Giving your neighbour access to your Internet using your PSK allows them to decrypt all of the data that you send over your wireless network! Add a tool such as Firesheep to that friendly Internet sharing and your private web browsing is very easily compromised. Note also that WPA Personal TKIP encryption is now potentially compromised with packet injection techniques. It is recommended to use WPA2 AES.

I recently upgraded the wireless network for an organisation with a large number of untrusted users that share the same Internet connection. It previously used WEP encryption (=fail) and the simplest upgrade would have been to change to WPA2 Personal. This upgrade would have prevented outsiders from being able to crack the pre-shared key. However given the points above a pre-shared key (PSK) still represents a considerable risk of compromise from within the group of untrusted users. Also if a neighbour happens to gain access to the PSK once, he can then decrypt all users' data until the PSK is changed.

Currently the only practical solution for this network of untrusted users is WPA2 Enterprise. Every user is given their own username/identity and password which are used to establish encrypted sessions. If a user's password is compromised, the rest of the users and network remain secure. WPA2 Enterprise is now widely deployed in organisations and on larger scales including the worldwide service Eduroam. The downside of WPA2 Enterprise is that it requires an 802.1x authentication server, and the potential cost and complexity is prohibitive for most home and small-office users.

However, the FreeRADIUS server is now relatively easy to configure on Ubuntu Linux and most recent consumer wi-fi access points support forwarding authentication to an 802.1x RADIUS server.

Prerequisites:
  • Wireless access point (AP) supporting WPA2 Enterprise (also labelled 802.1x or RADIUS server). IP address used in this example is 10.1.1.1.
  • Server running Ubuntu Maverick v10.10. IP address used in this example is 10.1.1.10.
  • Wired network connecting the PC and AP
  • Wireless device for testing, eg. a laptop.

Access Point Configuration:

The wireless access point (AP) forwards authentication requests to the RADIUS server. The two communicate over UDP, using a shared secret to protect the exchange. First generate a random shared key (eg. `dmesg | md5sum`). Log in to the AP's web interface and configure it for WPA2 Enterprise security. The security option may be labelled WPA2 Enterprise, 802.1x or RADIUS. Set the server name/IP (eg. 10.1.1.10) and the port to 1812. Paste the random shared key (eg. 6f2dbebf60fd1e5989052a060c53d8f9) into the AP, save and apply the new settings.

FreeRADIUS Installation:

FreeRADIUS is typically available as a standard Ubuntu server package that can be installed very easily with apt. Unfortunately the FreeRADIUS v2.1.9 that is shipped with Maverick includes an issue in the TLS code that performs session resumption. See the issue explained here, and the fix described in v2.1.10. The new version 2.1.10 is due to be shipped in Ubuntu Natty 11.04. Fortunately the version from Natty has very few additional dependencies and can easily be added to Maverick.

First we pin apt's configuration to Maverick. Edit or create the file: sudo nano /etc/apt/apt.conf and paste the line:
APT::Default-Release "maverick";
Manually add the Ubuntu "main" source for Natty: sudo nano /etc/apt/sources.list. Find the line with "maverick main" and copy it:
#maverick main line eg:
deb http://ftp.iinet.net.au/pub/ubuntu/ maverick main restricted
#copy and change maverick to natty:
deb http://ftp.iinet.net.au/pub/ubuntu/ natty main

Update apt and force install Natty's version of FreeRADIUS:
apt-get update
apt-get install -t natty freeradius

FreeRADIUS Configuration: 

Configure FreeRADIUS to accept the AP as a client. Edit the file /etc/freeradius/clients.conf. Add the following text to the bottom of the file:
client 10.1.1.1 {
    shortname = home1
    secret = 6f2dbebf60fd1e5989052a060c53d8f9
                 #generated using `dmesg | md5sum`
                 #make sure this matches the key set
                 #in the AP's RADIUS configuration
}

Configure the EAP settings. Here most of the default settings are fine. Most importantly, set the default EAP type to Protected EAP. Edit /etc/freeradius/eap.conf and change only the parameters in each section as indicated below:
eap {
   default_eap_type = peap
   tls {
      private_key_password = #blank, no point since the key is local
      private_key_file = ${certdir}/server.key
      certificate_file = ${certdir}/server.pem
      #CA_file = ${cadir}/ca.pem ##comment this line out
      cache {
         enable = yes
      }   
   }
   ttls {
      use_tunneled_reply = yes
   }
   peap {
      use_tunneled_reply = yes
   }
}

FreeRADIUS Users:

Configure FreeRADIUS to accept a single test user. Edit the file /etc/freeradius/users. Add a line like the following to the bottom of the file:
testuser       Cleartext-Password := "testpassword"

FreeRADIUS Server Certificate:

The cheapest source I found for a valid signed certificate is the intermediary RapidSSL, using Geotrust Global CA as a root certificate authority. I purchased the single-domain certificate through ClickSSL for about $10/year. By bundling the intermediate certificate in the server's server.pem file, clients can immediately verify the chain back to the widely accepted root Geotrust Global CA.

Make sure your certificate supports the "Extended Key Usage" fields:
TLS WWW Server Authentication (OID.1.3.6.1.5.5.7.3.1)
TLS WWW Client Authentication (OID.1.3.6.1.5.5.7.3.2)

Firstly remove the default "snake-oil" certificates in /etc/freeradius/certs/:
sudo rm /etc/freeradius/certs/server.key
sudo rm /etc/freeradius/certs/server.pem

Now generate the server private key and certificate signing request. For RapidSSL only the /C, /O and /CN fields are preserved in the signed certificate. Make sure the /CN field matches your wi-fi SSID name:
# sudo openssl req -newkey rsa:2048 -nodes -keyout /etc/freeradius/certs/server.key -out /etc/freeradius/certs/server.csr -subj "/C=AU/O=rrfx.net/CN=rrfx.net"

Generating a 2048 bit RSA private key
............+++
.....................+++
writing new private key to '/etc/freeradius/certs/server.key'
-----

View the /etc/freeradius/certs/server.csr file and copy all of the text (Ctrl+C). Eg:
-----BEGIN CERTIFICATE REQUEST-----
MIIDBzCCAe8...
...
...+blYEg=
-----END CERTIFICATE REQUEST-----

Purchase an SSL certificate and paste all of the CSR text into your CA's certificate request page. Hit go and you should be presented with, or emailed, your signed certificate. Copy and paste the signed certificate into the file /etc/freeradius/certs/server.pem. To allow clients to establish the chain of trust on the spot, the intermediate CA and root CA certificates should be bundled as well. Add them to the server.pem file. Eg. my server.pem contains the certificate bundle chaining rrfx.net > RapidSSL CA > GeoTrust Global CA, listed in that order:

#sudo cat /etc/freeradius/certs/server.pem
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

The server.pem certificate bundle can be verified (this checks that the certificates in the file chain together, since the bundle itself is used as the trust store):
# sudo openssl verify -CAfile /etc/freeradius/certs/server.pem /etc/freeradius/certs/server.pem
/etc/freeradius/certs/server.pem: OK
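A more thorough check of the server.key and server.pem bundle built above, added here as an example and not part of the original post. It assumes the OpenSSL command-line tool is installed and takes the server.pem and server.key paths as arguments; the self-signed certificate it constructs for its own testing is a stand-in for a real CA-signed bundle.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check server.key and the
# server.pem bundle built above before running "freeradius -X".
# Assumes the OpenSSL command-line tool is installed.

# Both Extended Key Usages the post calls for must be on the server certificate
# (the first one in the bundle). OpenSSL prints them as "TLS Web ...".
has_eku() {
    txt=$(openssl x509 -in "$1" -noout -text)
    echo "$txt" | grep -q 'TLS Web Server Authentication' &&
        echo "$txt" | grep -q 'TLS Web Client Authentication'
}

# server.key must belong to the server certificate (identical RSA modulus).
key_matches_cert() {   # usage: key_matches_cert server.key server.pem
    [ "$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -modulus)" ]
}

# The bundle must run server > intermediate > root: each certificate's issuer
# has to be the subject of the certificate that follows it.
chain_in_order() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout |
        awk '/^subject=/ { s[++n] = substr($0, 9) }
             /^issuer=/  { i[n] = substr($0, 8) }
             END { for (k = 1; k < n; k++) if (i[k] != s[k + 1]) exit 1 }'
}

# Run every check; prints OK, or the first failure.
check_bundle() {   # usage: check_bundle server.pem server.key
    has_eku "$1"               || { echo "FAIL: serverAuth/clientAuth EKU missing"; return 1; }
    key_matches_cert "$2" "$1" || { echo "FAIL: server.key does not match server.pem"; return 1; }
    chain_in_order "$1"        || { echo "FAIL: bundle not ordered server > intermediate > root"; return 1; }
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1 ||
        { echo "FAIL: chain does not verify"; return 1; }
    echo OK
}

# Constructed test input: a throwaway self-signed certificate with both EKUs,
# written to directory $1 with CN $2. Stands in for a real CA-signed bundle.
make_test_cert() {
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3' 'prompt = no' \
        '[dn]' "CN = $2" '[v3]' 'extendedKeyUsage = serverAuth, clientAuth' > "$1/req.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/req.cnf" \
        -keyout "$1/server.key" -out "$1/server.pem" 2>/dev/null
}

if [ $# -eq 2 ]; then check_bundle "$1" "$2"; fi
```

Run it as `sh check_bundle.sh /etc/freeradius/certs/server.pem /etc/freeradius/certs/server.key`; anything other than OK means freeradius -X will either refuse the certificates or present a chain clients cannot validate.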


Start the FreeRADIUS server:

The FreeRADIUS server is automatically started by init.d. Stop it manually:
/etc/init.d/freeradius stop
And then start FreeRADIUS in debug mode:
freeradius -X
Your configuration should scroll past and the server then pauses waiting for requests:
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.


Client testing:

Attempt to connect with a wifi device such as a laptop. Use the testuser and testpassword values set in the /etc/freeradius/users file. As the device connects you should see debug information printed, finishing with:
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Success
[eap] Freeing handler
++[eap] returns ok

Windows 7/Vista users may be presented with a strong warning asking them to verify the server's certificate. By default they don't trust any root CAs.

If you have a DHCP server on the network the device will obtain an IP address and then be able to access the network.

After testing use Ctrl+C to stop the server. Restart FreeRADIUS as a service with:
/etc/init.d/freeradius start

Please let me know if this works for you, helps you out, or if I have missed anything!
Cheers, Rob.

5 comments:

  1. Hi,
    Thanks for this! Worked like a charm. BTW, you've mentioned that the CN needs to be the same as the SSID. I find that even if it is different it works and rightly so, because if the SSID is hidden, it would be different anyways ;)

  2. FreeRADIUS (in the comments in the Debian version of eap.conf, at least) says not to use a globally known CA, so a ClickSSL cert seems like perhaps not the greatest choice.

  3. Hi Stuart, the certificate is only used to identify the FreeRADIUS server. The trusted root CA list parameter 'CA_file' is commented out, preventing client certificates from being used to authenticate.

  4. Sorry, I know this post is a little old - but I just set up a radius server at home and I was having issues with the 'freeradius -X' not wanting to start. It was complaining about not being able to read the certificates.

    I was able to 'fix' the problem (I say 'fix' because it works, but I probably didn't do it correctly or safely) by changing the permissions on /etc/ssl/private to 755 and /etc/ssl/private/ssl-cert-snakeoil.key to 777. You may also need to change /etc/ssl/certs/ssl-cert-snakeoil.pem to 777 as well.

    Like I said, this is for my house, so I'm not really *that* worried about security - it's more for me to just play around. If you are in a production environment, you may want to do it 'right' (add the proper users to the proper groups, etc) and not just blanket change the permissions to your certificates.

  5. Hi pconwell,
    I had the same problem too. I solved it by changing the files' owner to 'freerad'.
    Permissions '600' should be ok.
