Howto:802.1X EAP-TLS With FreeRadius

From innovaphone-wiki

Revision as of 16:56, 8 August 2014 by Inno-mst

Introduction

From version 11 on, innovaphone devices support[1] wired port access authentication by means of 802.1X with EAP-TLS.

This article focuses on FreeRadius, an open source RADIUS server suitable for use as the authentication server in an 802.1X deployment.

Configuration

For the configuration of innovaphone devices refer to Reference11:Interfaces/ETH/802.1X.

Prerequisites

  • An innovaphone Linux AP, IP address 192.168.178.34
  • A NetGear Prosafe switch, e.g. GS110TP
  • An innovaphone end device, ideally equipped with:
    • An innovaphone CA certificate
      • This CA certificate is going to be deployed within a FreeRadius server
    • An innovaphone device certificate, signed by the CA from above

FreeRadius

  • Installation on a Debian-based distribution
    sudo apt-get install freeradius
  • Edit /etc/freeradius/eap.conf
    eap {
      ..
      default_eap_type = tls
      ..
      tls {
        # Trusted Root CA list
        CA_file = ${cadir}/ca.crt
      }
      ..
    }
  • Include the innovaphone CA certificate in the list of trusted CAs
    • Download the innovaphone CA certificate from the innovaphone device, e.g. as inno-ca.pem.crt
    • Append that certificate to the list of trusted CAs
      cat inno-ca.pem.crt >> ca.crt
      • I.e. FreeRadius keeps its trusted CAs in a single file, which is extended by appending a CA certificate to the end of ca.crt.
  • Edit /etc/freeradius/clients.conf
    #IP address range, covering the Authenticator/NetGear switch
    client 192.168.0.0/16 {
    secret = testing123
    shortname = private-network-192-168
    }
    • secret: the shared secret securing the RADIUS traffic between FreeRadius and the NetGear switch
    • shortname: just a nickname for this client entry
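Because the trusted-CA list is a single file that only ever grows by appending, it is easy to add the same CA twice or to append a device certificate by mistake, which would silently widen what the RADIUS server trusts. The following script is an added example, not part of the wiki article: it appends a CA certificate to the bundle only if it really is a CA certificate and is not already present, and it checks that a device certificate chains to the bundle in the way FreeRadius will check it during EAP-TLS. The bundle path is passed as an argument (for this article that is the ca.crt referenced by CA_file in eap.conf); the fingerprint-based duplicate check and the CA:TRUE test are this example's own choices.

```shell
#!/bin/sh
# Added example (not part of the wiki article): extend FreeRadius' single
# trusted-CA bundle safely and verify a device certificate against it.
# Usage (paths assumed, adjust to your installation):
#   sh add_ca.sh inno-ca.pem.crt /etc/freeradius/certs/ca.crt

# SHA-256 fingerprint line of a single PEM certificate
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256
}

# One fingerprint line per certificate contained in a PEM bundle.
# The bundle is split into one temporary file per certificate because
# "openssl x509" only ever reads the first certificate of a file.
bundle_fingerprints() {
  tmp=$(mktemp -d)
  awk -v d="$tmp" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = d "/" n ".pem"; c = 1 }
    c { print > f }
    /-----END CERTIFICATE-----/ { c = 0; close(f) }' "$1"
  for f in "$tmp"/*.pem; do
    if [ -e "$f" ]; then cert_fingerprint "$f"; fi
  done
  rm -rf "$tmp"
}

# Only certificates with basicConstraints CA:TRUE belong in ca.crt; an
# end-entity certificate appended here would widen the trust store.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Append a CA certificate to the bundle exactly once.
# Returns 0 when appended, 1 when it was already present, 2 when rejected.
add_trusted_ca() {
  cert=$1; bundle=$2
  if ! is_ca_cert "$cert"; then
    echo "rejected: $cert is not a CA certificate" >&2
    return 2
  fi
  fp=$(cert_fingerprint "$cert")
  if [ -f "$bundle" ] && bundle_fingerprints "$bundle" | grep -qxF "$fp"; then
    echo "already trusted: $fp"
    return 1
  fi
  cat "$cert" >> "$bundle"
  echo "appended: $fp"
}

# Does a device certificate chain to a CA in the bundle, and only to the
# bundle (the system CA store is deliberately ignored)? This mirrors the
# chain validation FreeRadius applies to the client certificate in EAP-TLS.
device_cert_trusted() {
  openssl verify -no-CAfile -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
}

if [ $# -eq 2 ]; then
  add_trusted_ca "$1" "$2"
fi
```

Run it once per CA to import; a second run with the same file reports "already trusted" and leaves ca.crt unchanged, and a device certificate is refused outright. After importing, `device_cert_trusted phone.crt ca.crt` tells you before the first 802.1X attempt whether the phone's certificate will validate, which saves a round of reading `freeradius -X` output.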

Debugging

As recommended by the FreeRadius manual:

  • kill the freeradius daemon
  • run freeradius in debugging mode
    freeradius -X

Known Issues

  • FreeRadius complains about certificate problems after starting for the first time and terminates
  • FreeRadius complains about a missing file dh
    • Create the Diffie-Hellman parameters file
      openssl dhparam -out /etc/freeradius/certs/dh 1024

NetGear

  • Security/Management Security/Server Configuration: Global Radius Server Configuration
    • The server address is that of the Linux AP, 192.168.178.34
    • The secret must be the one from above, i.e. testing123
  • Security/Port Authentication/Basic/802.1X Configuration: set Port Based Authentication State to enable
  • Security/Port Authentication/Advanced/Port Authentication: for all 802.1X-restricted ports set Port Control to Auto
    • Set non-restricted ports (e.g. for management) to Authorized
  [Screenshots: Global Radius Server Configuration, Port Based Authentication, Port Control]

Design Considerations

The NetGear switch GS110TP does not support 802.1X multi-host authentication: a switch port can only be authenticated as a whole. It is therefore worth considering permanently disabling an IP phone's PC port, in order to prevent traffic from unauthenticated stations.

Hand-crafted Certificates

This section isn't necessary for a successful deployment of 802.1X EAP-TLS with innovaphone devices. It merely serves as a memory aid, sketching the steps required for a PKI based on a private CA of one's own. That CA is used in turn to sign a server certificate and one or more client certificates.

Creation Of A Self-Signed CA Certificate

  • Change into FreeRadius' certificates directory
    cd /etc/freeradius/certs
  • Generate the CA's public/private key pair
    openssl genrsa -out ca.key 1024
    • Note: For an encrypted ca.key file the -des3 option is required
  • Prepare and generate a certificate signing request for the actual CA certificate
    • First, a small configuration file ca.conf needs to be created/edited
      [ req ]
      default_bits = 1024
      distinguished_name = req_DN
      string_mask = nombstr
       
      [ req_DN ]
      countryName = "1. Country Name (2 letter code)"
      countryName_default = DE
      countryName_min = 2
      countryName_max = 2
      stateOrProvinceName = "2. State or Province Name (full name) "
      stateOrProvinceName_default = Berlin
      localityName = "3. Locality Name (eg, city) "
      localityName_default = Berlin
      0.organizationName = "4. Organization Name (eg, company) "
      0.organizationName_default = Mustermann
      organizationalUnitName = "5. Organizational Unit Name (eg, section) "
      organizationalUnitName_default = Certificate Authority
      commonName = "6. Common Name (eg, CA name) "
      commonName_max = 64
      commonName_default = Mustermann CA
      emailAddress = "7. Email Address (eg, name@FQDN)"
      emailAddress_max = 40
      emailAddress_default = ca@mustermann.de
    • Generate the certificate signing request ca.csr
      openssl req -config ca.conf -new -key ca.key -out ca.csr
  • Generate the CA certificate
    • The certificate will receive a few extensions. Edit/create a new file ca.ext
      extensions = x509v3
       
      [ x509v3 ]
      basicConstraints = CA:true,pathlen:0
      crlDistributionPoints = URI:http://www.mustermann.de/ca/mustermann.crl
      nsCertType = sslCA,emailCA,objCA
      nsCaPolicyUrl = "http://www.mustermann.de/ca/policy.htm"
      nsCaRevocationUrl = "http://www.mustermann.de/ca/heimpold.crl"
      nsComment = "Mustermann CA"
    • Create the actual CA certificate
      openssl x509 -days 1095 -extfile ca.ext -signkey ca.key -in ca.csr -req -out ca.crt
      • The result is the self-signed CA certificate ca.crt

Creation Of A Server Certificate

  • The envisaged server certificate needs a public/private key pair
    openssl genrsa -out server.key 1024
  • A config file server.conf needs to be prepared
    [ req ]
    default_bits = 1024
    distinguished_name = req_DN
    string_mask = nombstr
     
    [ req_DN ]
    countryName = "1. Country Name (2 letter code)"
    countryName_default = DE
    countryName_min = 2
    countryName_max = 2
    stateOrProvinceName = "2. State or Province Name (full name) "
    #stateOrProvinceName_default =
    localityName = "3. Locality Name (eg, city) "
    localityName_default = Berlin
    0.organizationName = "4. Organization Name (eg, company) "
    0.organizationName_default = Mustermann
    organizationalUnitName = "5. Organizational Unit Name (eg, section) "
    organizationalUnitName_default = Server
    commonName = "6. Common Name (eg, CA name) "
    commonName_max = 64
    commonName_default = www.mustermann.de
    emailAddress = "7. Email Address (eg, name@FQDN)"
    emailAddress_max = 40
    emailAddress_default = webmaster@mustermann.de
  • Some certificate extensions can be specified in server.ext
    extensions = x509v3
     
    [ x509v3 ]
    nsCertType = server
    keyUsage = digitalSignature,nonRepudiation,keyEncipherment
    extendedKeyUsage = msSGC,nsSGC,serverAuth
  • The certificate serial number is maintained in ca.serial
    echo -ne '01' > ca.serial
    • Note: ca.serial is auto-incremented by openssl on later invocations
  • The signing request for the server certificate is generated by
    openssl req -config server.conf -new -key server.key -out server.csr
  • The signing request is fulfilled by
    openssl x509 -days 730 -extfile server.ext -CA ca.crt -CAkey ca.key -CAserial ca.serial -in server.csr -req -out server.crt
    • Note: server.crt is signed by the CA from above.

Creation Of A Client Certificate

The following steps need to be repeated for each endpoint device if the devices are to receive individual, unique certificates.

  • The envisaged client certificate needs a public/private key pair
    openssl genrsa -out client.key 1024
  • Prepare client.conf
    [ req ]
    default_bits = 1024
    distinguished_name = req_DN
    string_mask = nombstr
     
    [ req_DN ]
    countryName = "1. Country Name (2 letter code)"
    countryName_default = DE
    countryName_min = 2
    countryName_max = 2
    stateOrProvinceName = "2. State or Province Name (full name) "
    stateOrProvinceName_default = Berlin
    localityName = "3. Locality Name (eg, city) "
    localityName_default = Berlin
    0.organizationName = "4. Organization Name (eg, company) "
    0.organizationName_default = Mustermann
    organizationalUnitName = "5. Organizational Unit Name (eg, section) "
    #organizationalUnitName_default =
    commonName = "6. Common Name (eg, CA name) "
    commonName_max = 64
    commonName_default = Max Mustermann
    emailAddress = "7. Email Address (eg, name@FQDN)"
    emailAddress_max = 40
    emailAddress_default = max@mustermann.de
  • Prepare client.ext
    extensions = x509v3
     
    [ x509v3 ]
    nsCertType = client,email,objsign
    keyUsage = digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
  • Generate the certificate signing request
    openssl req -config client.conf -new -key client.key -out client.csr
  • Generate the actual client certificate
    openssl x509 -days 730 -extfile client.ext -CA ca.crt -CAkey ca.key -CAserial ca.serial -in client.csr -req -out client.crt
  • Before deploying the client certificate on an innovaphone device, the private key needs to be appended to it
    cat client.crt client.key > client.pem.crt
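The three sub-sections above are one procedure (CA, then server certificate, then client certificate) that is easy to get subtly wrong: a key that does not match its certificate, a certificate signed by the wrong CA, or a client.pem.crt missing the key. The script below is an added example, not part of the wiki article: it runs the same genrsa / req / x509 -extfile flow as one non-interactive script and then performs the checks worth doing before deployment. It deliberately differs from the article in a few assumptions of its own: 2048-bit RSA keys (the 1024-bit keys and 1024-bit dh file the article uses are below today's accepted minimum), DN values supplied with -subj instead of the interactive prompts (so a single req.conf serves CA, server and client), and an explicit extendedKeyUsage of serverAuth on the server and clientAuth on the client certificate. The Mustermann names are taken from the article.

```shell
#!/bin/sh
# Added example (not part of the wiki article): the hand-crafted PKI as one
# script plus pre-deployment checks. Assumptions: 2048-bit keys, -subj DNs,
# explicit extendedKeyUsage values. Usage: sh make_pki.sh /etc/freeradius/certs

# Config and extension files. "openssl x509 -extfile" picks up the section
# named by the top-level "extensions" key, exactly as in the article's ca.ext.
# The [req_DN] section stays empty because the DN is given via -subj.
write_pki_config() {
  dir=$1
  cat > "$dir/req.conf" <<'EOF'
[ req ]
default_bits = 2048
distinguished_name = req_DN
string_mask = utf8only

[ req_DN ]
EOF
  cat > "$dir/ca.ext" <<'EOF'
extensions = x509v3

[ x509v3 ]
basicConstraints = critical,CA:true,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
EOF
  cat > "$dir/server.ext" <<'EOF'
extensions = x509v3

[ x509v3 ]
basicConstraints = CA:false
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
  cat > "$dir/client.ext" <<'EOF'
extensions = x509v3

[ x509v3 ]
basicConstraints = CA:false
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth
EOF
}

# key -> CSR -> certificate. The CA signs itself with -signkey; everything
# else is signed with the CA key and the auto-incremented ca.serial file.
issue_cert() {
  dir=$1; name=$2; subj=$3; days=$4
  openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
  openssl req -config "$dir/req.conf" -new -key "$dir/$name.key" -subj "$subj" -out "$dir/$name.csr"
  if [ "$name" = ca ]; then
    openssl x509 -req -days "$days" -extfile "$dir/ca.ext" -signkey "$dir/ca.key" \
      -in "$dir/ca.csr" -out "$dir/ca.crt" 2>/dev/null
  else
    openssl x509 -req -days "$days" -extfile "$dir/$name.ext" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
      -CAserial "$dir/ca.serial" -in "$dir/$name.csr" -out "$dir/$name.crt" 2>/dev/null
  fi
}

make_pki() {
  dir=$1
  mkdir -p "$dir"
  write_pki_config "$dir"
  printf '01' > "$dir/ca.serial"
  issue_cert "$dir" ca     "/C=DE/O=Mustermann/OU=Certificate Authority/CN=Mustermann CA" 1095
  issue_cert "$dir" server "/C=DE/O=Mustermann/OU=Server/CN=www.mustermann.de" 730
  issue_cert "$dir" client "/C=DE/O=Mustermann/CN=Max Mustermann" 730
  # innovaphone devices take certificate and private key in a single PEM file
  cat "$dir/client.crt" "$dir/client.key" > "$dir/client.pem.crt"
}

# Check 1: the certificate chains to this CA and to nothing else
chain_ok() { openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1; }

# Check 2: certificate and private key belong together (same public key)
key_matches_cert() {
  certpub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$certpub" ] && [ "$certpub" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# Check 3: the certificate carries the expected extended key usage text,
# e.g. "TLS Web Server Authentication" or "TLS Web Client Authentication"
has_eku() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' | grep -q "$2"
}

# Check 4: the deployment file holds exactly one certificate plus a key
pem_has_cert_and_key() {
  [ "$(grep -c 'BEGIN CERTIFICATE' "$1")" -eq 1 ] && grep -q 'BEGIN .*PRIVATE KEY' "$1"
}

if [ $# -eq 1 ]; then
  make_pki "$1"
  chain_ok "$1/ca.crt" "$1/client.crt" && key_matches_cert "$1/client.crt" "$1/client.key" \
    && has_eku "$1/client.crt" 'TLS Web Client Authentication' \
    && pem_has_cert_and_key "$1/client.pem.crt" && echo "client.pem.crt ready for deployment"
fi
```

Re-running `issue_cert` for further devices (a different name and -subj per phone) reuses ca.serial, so each client certificate gets a fresh serial as the article describes. The four checks are cheap and catch the usual causes of an EAP-TLS failure that otherwise only show up as a terse TLS alert in `freeradius -X`.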

Notes

  1. Reference11:Interfaces/ETH/802.1X