
  1. Change into the /etc/raddb/certs directory

    $ cd /etc/raddb/certs


  2. Edit the certificate generation properties in client.cnf, server.cnf, and ca.cnf as follows:

    1. In the ca.cnf file:
      1. In the [ req ] section, add encrypt_key = no
      2. In the [CA_default] section, change the default_days from 60 to a higher number (this is how long the certificates you create will be valid for). When the certificates expire, you will have to recreate them.

      3. In the [ certificate_authority ] section, change all of the parameters to match those of your organisation, e.g.:

        [certificate_authority]
        countryName             = GB
        stateOrProvinceName     = England
        localityName            = Camford
        organizationName        = Camford University
        emailAddress            = support@camford.ac.uk
        commonName              = "Camford University FR Certificate Authority"


    2. In the server.cnf file:

      1. In the [ req ] section, add encrypt_key = no
      2. In the [CA_default] section, change the default_days from 60 to a higher number (this is how long the certificates you create will be valid for). When the certificates expire, you will have to recreate them.
      3. In the [ server ] section, change all of the parameters to match those of your organisation, e.g.:

        [server]
        countryName             = GB
        stateOrProvinceName     = England
        localityName            = Camford
        organizationName        = Camford University
        emailAddress            = support@camford.ac.uk
        commonName              = "Camford University FR Server Certificate"


        Warning

        When changing passwords in the [ req ] section of the server.cnf file, you must also update the private_key_password option in the FreeRADIUS mods-available/eap file with the same password.

        We recommend that you do not change these defaults.


    3. In the client.cnf file:

      1. In the [ req ] section, add encrypt_key = no
      2. In the [CA_default] section, change the default_days from 60 to a higher number (this is how long the certificates you create will be valid for). When the certificates expire, you will have to recreate them.
      3. In the [ client ] section, change all of the parameters to match those of your organisation, e.g.:

        [client]
        countryName             = GB
        stateOrProvinceName     = England
        localityName            = Camford
        organizationName        = Camford University
        emailAddress            = support@camford.ac.uk
        commonName              = "Camford University FR Client Certificate"


        Note
        All of the organisation parameters (countryName, localityName, etc.) need to match in the three .cnf files, but the commonName must be unique in each file.


  3. Clear out any old certificates in the directory:

    $ make destroycerts


  4. Run the bootstrap script to generate the certificates

    $ ./bootstrap


  5. Create a file that is the concatenation of the certificate and private key of the client.

    1. Create the file

      $ openssl x509 -in client.crt > client.pem ; cat client.key >> client.pem


    2. Verify that the client.pem file starts with "-----BEGIN CERTIFICATE-----".


  6. Because the above commands were run as root, the keys and certificates created will not be readable by the FreeRADIUS user by default, and FreeRADIUS will not be able to start. To fix this, reset the group for the files:

    $ chgrp radiusd {client,server,ca,dh}*
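The steps above leave three hand-edited .cnf files, an assembled client.pem and a set of key files whose ownership was just changed. The following Python checker is an added example, not code from this page or from the FreeRADIUS project: it re-reads the .cnf texts with a deliberately simple parser (no variable expansion or includes), confirms the edits this page asks for (encrypt_key = no, default_days above 60, matching organisation fields, unique commonName), checks that client.pem really starts with the certificate and then carries the key, and checks key-file permissions. The permission policy (group-readable by radiusd, never world-readable) and all sample contents, PEM text and mode values are this example's constructed assumptions.

```python
"""Checks for the certificate setup described above: the three .cnf files,
the assembled client.pem, and key-file permissions.

Added example, not code from this page or from the FreeRADIUS project. The
.cnf parser is deliberately simple (no variable expansion or includes); the
sample file contents, PEM text and mode values below are constructed."""
import os
import re
import stat

# Section that carries the subject fields in each file (as on this page).
SUBJECT_SECTION = {"ca.cnf": "certificate_authority",
                   "server.cnf": "server", "client.cnf": "client"}
# Fields that must be identical across the three files; commonName must differ.
ORG_FIELDS = ("countryName", "stateOrProvinceName", "localityName",
              "organizationName", "emailAddress")


def parse_cnf(text):
    """Parse OpenSSL-style .cnf text into {section: {key: value}}.
    Headers may contain spaces ('[ req ]'); surrounding quotes are dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        header = re.match(r"^\[\s*(\S+)\s*\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            sections[current][key] = value.strip('"')
    return sections


def check_cnf_files(files, min_days=60):
    """files maps filename -> text. Returns a list of problems (empty = OK)."""
    problems = []
    parsed = {name: parse_cnf(text) for name, text in files.items()}
    for name, cfg in parsed.items():
        if cfg.get("req", {}).get("encrypt_key", "").lower() != "no":
            problems.append(f"{name}: [ req ] lacks encrypt_key = no")
        days = cfg.get("CA_default", {}).get("default_days", "")
        if not days.isdigit() or int(days) <= min_days:
            problems.append(f"{name}: [ CA_default ] default_days must exceed {min_days}")
    subjects = {n: parsed[n].get(s, {}) for n, s in SUBJECT_SECTION.items() if n in parsed}
    for field in ORG_FIELDS:
        values = {subj.get(field) for subj in subjects.values()}
        if len(values) != 1:
            problems.append(f"{field} differs between files: {sorted(map(str, values))}")
    common_names = [subj.get("commonName") for subj in subjects.values()]
    if len(set(common_names)) != len(common_names):
        problems.append("commonName is not unique across the three files")
    return problems


def check_client_pem(text):
    """client.pem must begin with the certificate and then carry the key."""
    problems = []
    cert_pos = text.find("-----BEGIN CERTIFICATE-----")
    key_pos = max(text.find("-----BEGIN RSA PRIVATE KEY-----"),
                  text.find("-----BEGIN PRIVATE KEY-----"))
    if cert_pos != 0:
        problems.append("client.pem does not start with -----BEGIN CERTIFICATE-----")
    if key_pos < 0:
        problems.append("client.pem contains no private key block")
    elif key_pos < cert_pos:
        problems.append("private key block appears before the certificate")
    return problems


def key_mode_problems(name, mode, gid, radius_gid):
    """Private keys: readable by the radiusd group, never by 'other'.
    (This policy is the example's assumption, not stated on the page.)"""
    problems = []
    if mode & stat.S_IROTH:
        problems.append(f"{name} is world-readable")
    if not mode & stat.S_IRGRP:
        problems.append(f"{name} is not group-readable")
    if gid != radius_gid:
        problems.append(f"{name} is not owned by the radiusd group")
    return problems


def key_file_problems(path, radius_gid):
    """Same check against a real file, e.g. /etc/raddb/certs/client.key."""
    st = os.stat(path)
    return key_mode_problems(path, stat.S_IMODE(st.st_mode), st.st_gid, radius_gid)


def _sample_cnf(section, common_name):   # constructed sample content
    return (f"[ CA_default ]\ndefault_days = 3650\n[ req ]\nencrypt_key = no\n"
            f"[ {section} ]\ncountryName = GB\nstateOrProvinceName = England\n"
            f"localityName = Camford\norganizationName = Camford University\n"
            f"emailAddress = support@camford.ac.uk\ncommonName = \"{common_name}\"\n")


SAMPLE_CNF = {
    "ca.cnf": _sample_cnf("certificate_authority", "Camford University FR Certificate Authority"),
    "server.cnf": _sample_cnf("server", "Camford University FR Server Certificate"),
    "client.cnf": _sample_cnf("client", "Camford University FR Client Certificate"),
}
# Constructed PEM text; the base64 bodies are placeholders, not real material.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
              "-----BEGIN RSA PRIVATE KEY-----\nMIIE...placeholder...\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    print("cnf problems:", check_cnf_files(SAMPLE_CNF) or "none")
    print("pem problems:", check_client_pem(SAMPLE_PEM) or "none")
    print("mode problems:", key_mode_problems("client.key", 0o644, 0, 0) or "none")
```

On a real host, pass the file texts read from /etc/raddb/certs to check_cnf_files and check_client_pem, and the gid of the radiusd group (grp.getgrnam("radiusd").gr_gid) to key_file_problems; an empty list from each means the edits and the chgrp step above took effect.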

OpenSSL settings (CentOS 6 only)

By default, FreeRADIUS attempts to detect the version of OpenSSL that is installed so that it can refuse to start with vulnerable versions. However, RedHat/CentOS/Scientific Linux backport security fixes into existing versions without changing the version string, which may lead FreeRADIUS to believe that the installed version is unsafe. This setting overrides the check for the named CVE.

  1. Open /etc/raddb/radiusd.conf for editing:
    1. Search for the allow_vulnerable_openssl setting in the security { } section.
    2. Edit it like so:

              # allow_vulnerable_openssl = no
              allow_vulnerable_openssl = 'CVE-2016-6304'


RadSec

Next, we need to configure RadSec. We do this by creating a file at /etc/radsec.conf with the following contents. The server block points at the local FreeRADIUS RadSec listener on 127.0.0.1, port 2083; disable_hostname_check = yes skips matching the server certificate against that address, which would otherwise fail because the server certificate's commonName was set to an organisation name above.

realm gss-eap {
	type = "TLS"
	cacertfile = "/etc/raddb/certs/ca.pem"
	certfile = "/etc/raddb/certs/client.pem"
	certkeyfile = "/etc/raddb/certs/client.key"
	disable_hostname_check = yes
	server {
		hostname = "127.0.0.1"
		service = "2083"
		secret = "radsec"
	}
}

Dynamic Realm support

Next, we need to configure the FreeRADIUS server to support dynamic lookup of realms.

  1. Open /etc/raddb/proxy.conf for editing:
    1. Towards the top of the file is a stanza beginning "proxy server {". Find this.
    2. Below this, add dynamic = yes, like so:

      proxy server {
              dynamic = yes