Setting up WiFi authentication/accounting with FreeRADIUS on CentOS 5
(Date: 2 June 2008)
This tutorial describes how to set up a FreeRADIUS server with WiFi authentication and accounting on CentOS 5. It is aimed at beginners. With some fine-tuning it can also serve a production deployment, but as usual I accept no liability if something goes wrong.
(Note: for the faint-hearted, there is a turnkey solution at https://www.youcl.com/how-to-set-up-an-aaa-server-with-ciitix-wifi ) This configuration has been tested with:
OS: CentOS 5.x (patched)
Certificates: OpenSSL 0.98b
RADIUS server: FreeRADIUS version 1.1.7 (built from the fc6 src.rpms)
(Note: this document also assumes that you already have a DHCP server configured and running on the same subnet.)
The protocols configured are:
- WPA1/2 Enterprise
- EAP/PEAP/TTLS
The following steps are involved:
1 - Install the OS
2 - Install OpenSSL
3 - Generate the digital certificates
4 - Install/configure FreeRADIUS
5 - Configure the access point
6 - Configure the end-user WiFi clients
Step 1
1 - Install the OS in minimal mode (refer to a separate howto for this).
Step 2
2 - Install OpenSSL (if it is not already installed)
yum install openssl
Step 3 (*********** OpenSSL certificate generation ***********)
There are many ways to generate SSL-based certificates. You can create the certificates on another machine or on this server.
Below is the manual way I used to create the certificates. It is recommended, however, that you use scripts to create them (if you use FreeRADIUS 1.1.7 or 2.x this step is skipped, because those versions ship with good certificate-generation scripts; if you are new to certificates, use them). In 2.x the scripts are usually in /etc/raddb/certs/, in 1.x they are in the scripts/ directory of the untarred FreeRADIUS source.
Note: the procedure below also creates a client certificate, which you do not need when using EAP/PEAP.
3.1 Create a new self-signed certificate authority in /etc/ssl (if not already created)
mkdir private
mkdir newcerts
touch index.txt
echo '01' > serial
Edit /etc/pki/tls/openssl.cnf and change
dir = ../../CA # Where everything is kept
to
dir = /etc/ssl
openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 3650
Password: "letmein" is the passwd I chose.
Here is the output:
===========================================================================
[root@ciitwifi ssl]# openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 3650
Generating a 1024 bit RSA private key
..++++++
..++++++
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:pk
State or Province Name (full name) [Berkshire]:pakhtoonkhwa
Locality Name (eg, city) [abbottabad]:abbottabad
Organization Name (eg, company) [ciit]:ciit
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ciitwifi
Email Address []:rnd@peace.not@ciit.net.pk
===========================================================================
3.2 Create a server certificate request in /etc/ssl (note the passwd "lettheserverin")
openssl req -new -nodes -keyout server_key.pem -out server_req.pem -days 730
Output:
===========================================================================
[root@ciitwifi ssl]# openssl req -new -nodes -keyout server_key.pem -out server_req.pem -days 730
Generating a 1024 bit RSA private key
.......++++++
..................................++++++
writing new private key to 'server_key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:pk
State or Province Name (full name) [Berkshire]:pakhtoonkhwa
Locality Name (eg, city) [abbottabad]:abbottabad
Organization Name (eg, company) [ciit]:ciit
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ciitwifi
Email Address []:rnd@peace.not
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:lettheserverin
An optional company name []:
[root@ciitwifi ssl]#
===========================================================================
3.3 Sign the server certificate with the previously created certificate authority (using the XP extensions):
Create a file named xpextensions in /etc/ssl with the following contents.
[root@centos5 ssl]# cat xpextensions
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
openssl ca -policy policy_anything -out server_cert.pem -extensions xpserver_ext -extfile /etc/ssl/xpextensions -infiles /etc/ssl/server_req.pem
(Note: the pass phrase asked for here is the CA pass phrase chosen in step 3.1)
===========================================================================
[root@ciitwifi ssl]# openssl ca -policy policy_anything -out server_cert.pem -extensions xpserver_ext -extfile /etc/ssl/xpextensions -infiles /etc/ssl/server_req.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/ssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jun 10 03:22:22 2008 GMT
Not After : Jun 10 03:22:22 2009 GMT
Subject:
countryName = pk
stateOrProvinceName = pakhtoonkhwa
localityName = abbottabad
organizationName = ciit
commonName = ciitwifi
emailAddress = rnd@peace.not
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Server Authentication
Certificate is to be certified until Jun 10 03:22:22 2009 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@ciitwifi ssl]#
===========================================================================
3.4 Create a server file from the server key and server certificate:
cat server_key.pem server_cert.pem > server_keycert.pem
3.5 Create a client certificate request in /etc/ssl:
openssl req -new -keyout client_key.pem -out client_req.pem -days 730
"ciitwificlient" is the PEM pass phrase I used.
Output:
===========================================================================
[root@ciitwifi ssl]# openssl req -new -keyout client_key.pem -out client_req.pem -days 730
Generating a 1024 bit RSA private key
.........++++++
..............++++++
writing new private key to 'client_key.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:pk
State or Province Name (full name) [Berkshire]:pakhtoonkhwa
Locality Name (eg, city) [abbottabad]:abbottabad
Organization Name (eg, company) [ciit]:ciit
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ciitwifi
Email Address []:rnd@peace.not
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:whateverdotwhat
An optional company name []:
[root@ciitwifi ssl]#
===========================================================================
3.6 Sign the client certificate with the previously created certificate authority (using the XP extensions):
openssl ca -policy policy_anything -out client_cert.pem -extensions xpclient_ext -extfile /etc/ssl/xpextensions -infiles /etc/ssl/client_req.pem
"letmein" is the password I used.
===========================================================================
[root@ciitwifi ssl]# openssl ca -policy policy_anything -out client_cert.pem -extensions xpclient_ext -extfile /etc/ssl/xpextensions -infiles /etc/ssl/client_req.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/ssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Jun 10 03:49:46 2008 GMT
Not After : Jun 10 03:49:46 2009 GMT
Subject:
countryName = pk
stateOrProvinceName = pakhtoonkhwa
localityName = abbottabad
organizationName = ciit
commonName = ciitwifi
emailAddress = rnd@peace.not
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Client Authentication
Certificate is to be certified until Jun 10 03:49:46 2009 GMT (365 days)
Sign the certificate? [y/n]:yes
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@ciitwifi ssl]#
===========================================================================
3.7 Export the client certificate in the format (P12) the XP client expects:
openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out client_cert.p12 -clcerts
"ciitwificlient" is the pass phrase.
"Idontknow" is the export password. This is the password you will give to the Windows XP client, who will use it when installing client_cert.
Output:
===========================================================================
[root@ciitwifi ssl]# openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out client_cert.p12 -clcerts
Enter pass phrase for client_key.pem:
Enter Export Password:
Verifying - Enter Export Password:
[root@ciitwifi ssl]#
===========================================================================
3.8 Export the server's root certificate in the format (DER) the XP client expects:
openssl x509 -setalias "ciitwifi@ciit" -outform DER -in cacert.pem -out cacert.der
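The whole of step 3 (3.1 to 3.8) as one non-interactive script, added here as an example and not part of the original tutorial: it uses -subj in place of the prompts and "openssl x509 -req" in place of "openssl ca" (so no index.txt/serial database is needed), and it finishes by checking that each certificate carries the EKU the xpextensions file requested and chains to the CA, which is the check a supplicant makes before trusting the RADIUS server. The directory, the CN values with a -ca/-server/-client suffix and the P12 export password are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the tutorial's own script: builds the same CA -> server/client
# chain as steps 3.1-3.8 non-interactively (-subj replaces the prompts, and
# "openssl x509 -req" replaces "openssl ca", so no index.txt/serial database is needed),
# then checks that each certificate carries the EKU the xpextensions file asked for.
# Assumes: openssl in PATH; everything is written under the directory given as $1.
make_eap_certs() {
  dir="$1"
  mkdir -p "$dir" || return 1
  # Same xpextensions file as the tutorial: serverAuth vs clientAuth EKU OIDs.
  cat > "$dir/xpextensions" <<'EOF'
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF
  # 3.1: self-signed CA (2048-bit RSA here; the tutorial's 1024-bit default is weak today).
  openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/C=PK/ST=pakhtoonkhwa/L=abbottabad/O=ciit/CN=ciitwifi-ca" \
    -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null || return 1
  for role in server client; do
    # 3.2 / 3.5: certificate request (note: -days on "req" does not set the cert lifetime)
    openssl req -new -newkey rsa:2048 -nodes \
      -subj "/C=PK/ST=pakhtoonkhwa/L=abbottabad/O=ciit/CN=ciitwifi-$role" \
      -keyout "$dir/${role}_key.pem" -out "$dir/${role}_req.pem" 2>/dev/null || return 1
    # 3.3 / 3.6: sign with the CA, applying the matching xp*_ext section (365 days, as on the page)
    openssl x509 -req -days 365 -in "$dir/${role}_req.pem" \
      -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
      -extfile "$dir/xpextensions" -extensions "xp${role}_ext" \
      -out "$dir/${role}_cert.pem" 2>/dev/null || return 1
  done
  # 3.4: FreeRADIUS reads the server key and certificate from one file
  cat "$dir/server_key.pem" "$dir/server_cert.pem" > "$dir/server_keycert.pem"
  # 3.7 / 3.8: PKCS#12 bundle for the XP client (export password is a placeholder) and DER root
  openssl pkcs12 -export -clcerts -in "$dir/client_cert.pem" -inkey "$dir/client_key.pem" \
    -out "$dir/client_cert.p12" -passout pass:CHANGE-ME || return 1
  openssl x509 -outform DER -in "$dir/cacert.pem" -out "$dir/cacert.der" || return 1
}

# Prints the extendedKeyUsage of a certificate, e.g. "TLS Web Server Authentication".
cert_eku() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' | tail -n 1 | sed 's/^ *//'
}

# Same check a supplicant makes on the RADIUS server's certificate: does it chain to the CA?
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```

Run it as "make_eap_certs /etc/ssl" on the RADIUS host; if cert_eku does not print "TLS Web Server Authentication" for server_cert.pem, Windows XP supplicants will refuse the server certificate.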