Wifi Authentication/Accounting with FreeRadius on CentOS 5

(Date: June 2, 2008)

This tutorial describes how to set up a FreeRadius server on CentOS 5 for Wifi authentication and accounting. It is written for beginners, but with some fine-tuning it can also be used for a production deployment. As usual, I take no responsibility if something goes wrong.

Note: For the faint of heart, there is a turnkey solution: https://www.youcl.com/how-to-set-up-an-aaa-server-with-ciitix-wifi

This configuration was tested with:

Operating system: CentOS 5.x (patched)

Certificates: OpenSSL 0.9.8b

Radius server: FreeRadius version 1.1.7 (built from the fc6 src.rpms)

(Note: this document also assumes that a DHCP server is already configured and running on the same subnet.)

The protocols configured are:

  • WPA1/2 Enterprise
  • EAP/PEAP/TTLS

The procedure involves the following steps:

1 - Install the operating system

2 - Install openssl

3 - Generate the digital certificates

4 - Install/configure freeradius

5 - Configure the access point

6 - Configure the wifi clients

Step 1

1 - Install the operating system in minimal mode (see any basic CentOS install howto).

Step 2

2 - Install openssl (if it is not already installed):

yum install openssl

Step 3 (*********** OpenSSL certificate generation ***********)

There are many ways to generate SSL certificates. You can create them on another machine or on this server.

Below is the manual way I used to create them. It is recommended, though, to create them with scripts: FreeRadius 1.1.7 and 2.x ship with good certificate-generation scripts (in 2.x they are usually in /etc/raddb/certs/, in 1.x in the scripts/ directory of the untarred freeradius source), and if you use them you can skip this step. If you are new to certificates, use the scripts.

Note: The procedure below also creates a client certificate. You do not need one for EAP/PEAP or TTLS, where the client proves its identity with a password inside the TLS tunnel and only the server presents a certificate; a client certificate is only required for EAP-TLS.

3.1 Create a new self-signed certificate authority in /etc/ssl (if one does not exist yet). All commands in this step are run from /etc/ssl (create the directory first if it is missing). The CA key, private/cakey.pem, signs every server and client certificate and is what the wifi clients will be told to trust, so keep it readable by root only and do not reuse the example pass phrases shown in this tutorial.

mkdir private
mkdir newcerts
touch index.txt
echo '01' > serial

Edit /etc/pki/tls/openssl.cnf and change

dir            = ../../CA              # Where everything is kept 

to

dir            = /etc/ssl

so that openssl ca keeps its database, serial file and newly issued certificates under /etc/ssl. Then create the CA key and its self-signed certificate (valid for 10 years):

openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 3650

Pass phrase: "letmein" is the pass phrase I chose.

Here is the output:

===========================================================================
[root@ciitwifi ssl]# openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 3650
Generating a 1024 bit RSA private key
..++++++
..++++++
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:pk
State or Province Name (full name) [Berkshire]:pakhtoonkhwa
Locality Name (eg, city) [abbottabad]:abbottabad
Organization Name (eg, company) [ciit]:ciit
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ciitwifi
Email Address []:rnd@peace.not@ciit.net.pk
===========================================================================

3.2 Create the server certificate request in /etc/ssl (note the challenge password "lettheserverin"). The -nodes option leaves server_key.pem unencrypted so that radiusd can load it at start-up without a prompt; protect it with file permissions (readable only by root and the radiusd user) instead. The challenge password typed at the end is only an attribute of the request and is not used by openssl ca; it does not protect the key.

openssl req -new -nodes -keyout server_key.pem -out server_req.pem -days 730

Output:

===========================================================================
[root@ciitwifi ssl]# openssl req -new -nodes -keyout server_key.pem -out server_req.pem -days 730
Generating a 1024 bit RSA private key
.......++++++
..................................++++++
writing new private key to 'server_key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:pk
State or Province Name (full name) [Berkshire]:pakhtoonkhwa
Locality Name (eg, city) [abbottabad]:abbottabad
Organization Name (eg, company) [ciit]:ciit
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ciitwifi
Email Address []:rnd@peace.not
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:lettheserverin
An optional company name []:
[root@ciitwifi ssl]#
===========================================================================

3.3 Sign the server certificate with the CA created earlier (adding the XP extensions):

Create a file named xpextensions in /etc/ssl with the following content. The two OIDs are the standard Extended Key Usage values id-kp-clientAuth (1.3.6.1.5.5.7.3.2) and id-kp-serverAuth (1.3.6.1.5.5.7.3.1). The Windows XP supplicant rejects a server certificate that does not carry the serverAuth EKU, and a certificate carrying only one of the two cannot be used in the other role, which is why server and client get separate sections.

[root@centos5 ssl]# cat xpextensions 
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2

[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

openssl ca -policy policy_anything -out server_cert.pem -extensions xpserver_ext -extfile /etc/ssl/xpextensions -infiles /etc/ssl/server_req.pem

(Note: the pass phrase asked for is the CA pass phrase from step 3.1, "letmein". Also note that the -days 730 given to openssl req in 3.2 has no effect on a request; the signed certificate gets default_days from openssl.cnf, 365 days, as the output below shows. Pass -days to openssl ca if you want a longer-lived server certificate.)

===========================================================================
[root@ciitwifi ssl]# openssl ca -policy policy_anything -out server_cert.pem -extensions xpserver_ext -extfile /etc/ssl/xpextensions -infiles /etc/ssl/server_req.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/ssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jun 10 03:22:22 2008 GMT
Not After : Jun 10 03:22:22 2009 GMT
Subject:
countryName = pk
stateOrProvinceName = pakhtoonkhwa
localityName = abbottabad
organizationName = ciit
commonName = ciitwifi
emailAddress = rnd@peace.not
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Server Authentication
Certificate is to be certified until Jun 10 03:22:22 2009 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@ciitwifi ssl]#
===========================================================================

3.4 Combine the server key and server certificate into the single file FreeRadius will be pointed at. It contains the unencrypted key, so give it the same restrictive permissions as server_key.pem:

cat server_key.pem server_cert.pem > server_keycert.pem

3.5 Create the client certificate request in /etc/ssl. For EAP-TLS the Common Name identifies the user (FreeRadius can be told with check_cert_cn in eap.conf to require it to match the User-Name), so in practice give each client its own CN rather than reusing the server's as this example does:

openssl req -new -keyout client_key.pem -out client_req.pem -days 730

"ciitwificlient" is the PEM pass phrase I used.

Output:

===========================================================================
[root@ciitwifi ssl]# openssl req -new -keyout client_key.pem -out client_req.pem -days 730
Generating a 1024 bit RSA private key
.........++++++
..............++++++
writing new private key to 'client_key.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:pk
State or Province Name (full name) [Berkshire]:pakhtoonkhwa
Locality Name (eg, city) [abbottabad]:abbottabad
Organization Name (eg, company) [ciit]:ciit
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ciitwifi
Email Address []:rnd@peace.not
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:whateverdotwhat
An optional company name []:
[root@ciitwifi ssl]#
===========================================================================

3.6 Sign the client certificate with the CA created earlier (adding the XP client extension):

openssl ca -policy policy_anything -out client_cert.pem -extensions xpclient_ext -extfile /etc/ssl/xpextensions -infiles /etc/ssl/client_req.pem

"letmein" (the CA pass phrase) is the password I used.

===========================================================================
[root@ciitwifi ssl]# openssl ca -policy policy_anything -out client_cert.pem -extensions xpclient_ext -extfile /etc/ssl/xpextensions -infiles /etc/ssl/client_req.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/ssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Jun 10 03:49:46 2008 GMT
Not After : Jun 10 03:49:46 2009 GMT
Subject:
countryName = pk
stateOrProvinceName = pakhtoonkhwa
localityName = abbottabad
organizationName = ciit
commonName = ciitwifi
emailAddress = rnd@peace.not
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Client Authentication
Certificate is to be certified until Jun 10 03:49:46 2009 GMT (365 days)
Sign the certificate? [y/n]:yes


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@ciitwifi ssl]#
===========================================================================


3.7 Export the client certificate in the format XP clients expect (PKCS#12):

openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out client_cert.p12 -clcerts

"ciitwificlient" is the pass phrase (of client_key.pem).

"Idontknow" is the export password. This is the password you give to the Windows XP user, who enters it when importing client_cert.p12. The .p12 file contains the client's private key and the export password is its only protection, so hand over the file and the password separately and remove the server-side copy once it has been imported.

Output:

===========================================================================
[root@ciitwifi ssl]# openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out client_cert.p12 -clcerts
Enter pass phrase for client_key.pem:
Enter Export Password:
Verifying - Enter Export Password:
[root@ciitwifi ssl]#
===========================================================================

3.8 Export the CA (root) certificate in the format XP clients expect (DER):

openssl x509 -setalias "ciitwifi@ciit" -outform DER -in cacert.pem -out cacert.der

(-setalias makes openssl write a "trusted certificate", that is the DER certificate followed by OpenSSL-specific trust data. If a client refuses the file, run the command again without -setalias to get a plain DER certificate.)

3.9 The files 'client_cert.p12' and 'cacert.der' can now be moved to a folder from which they are imported on the XP clients. cacert.der is public; client_cert.p12 is not; and private/cakey.pem never leaves the CA machine.
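As an added example (not code from the original tutorial), here is step 3 as one non-interactive script. It runs in a scratch directory with its own openssl.cnf instead of editing /etc/pki/tls/openssl.cnf, uses -subj and -passin/-passout so nothing is prompted, and finishes with three small checks a practitioner would run before copying anything to an access point or a client: that each certificate carries the intended EKU and verifies only for that purpose, that the PKCS#12 bundle really needs the export password, and that -days on openssl ca (not on openssl req) is what sets the signed lifetime. The directory, subjects (including the client CN "alice") and pass phrases are placeholders chosen for the example.

```shell
# Added example, not code from the original tutorial: steps 3.1 to 3.8 as one
# non-interactive script. It works in a scratch directory with its own
# openssl.cnf instead of editing /etc/pki/tls/openssl.cnf; directory, subjects
# and pass phrases below are placeholders chosen for the example.
set -eu

CA_PASS=letmein              # CA key pass phrase (placeholder)
CLIENT_PASS=ciitwificlient   # client key pass phrase (placeholder)
EXPORT_PASS=Idontknow        # PKCS#12 export password given to the user (placeholder)

# build_wifi_pki <dir>: CA, server cert (serverAuth EKU), client cert (clientAuth
# EKU), then server_keycert.pem, client_cert.p12 and cacert.der as in the tutorial.
build_wifi_pki() {
    W=$1
    mkdir -p "$W/private" "$W/newcerts"
    chmod 700 "$W/private"
    : > "$W/index.txt"
    echo 01 > "$W/serial"

    # Replaces the "dir = /etc/ssl" edit, -policy policy_anything and the
    # xpextensions -extfile: CA paths, signing policy and the two EKU sections.
    cat > "$W/openssl.cnf" <<EOF
[ ca ]
default_ca       = CA_default
[ CA_default ]
new_certs_dir    = $W/newcerts
database         = $W/index.txt
serial           = $W/serial
certificate      = $W/cacert.pem
private_key      = $W/private/cakey.pem
default_md       = sha256
default_days     = 365
policy           = policy_anything
[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2   # id-kp-clientAuth
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1   # id-kp-serverAuth
EOF

    # 3.1 self-signed CA, key encrypted with CA_PASS; every client will trust this cert
    openssl req -config "$W/openssl.cnf" -batch -new -x509 -newkey rsa:2048 -days 3650 \
        -keyout "$W/private/cakey.pem" -out "$W/cacert.pem" \
        -passout "pass:$CA_PASS" -subj "/C=PK/O=ciit/CN=ciitwifi CA"
    chmod 600 "$W/private/cakey.pem"

    # 3.2 + 3.3 server request (-nodes: plaintext key so radiusd starts unattended),
    # signed for 730 days: -days is honoured by "openssl ca", not by "openssl req"
    openssl req -config "$W/openssl.cnf" -batch -new -nodes -newkey rsa:2048 \
        -keyout "$W/server_key.pem" -out "$W/server_req.pem" -subj "/C=PK/O=ciit/CN=ciitwifi"
    chmod 600 "$W/server_key.pem"
    openssl ca -config "$W/openssl.cnf" -batch -passin "pass:$CA_PASS" -days 730 \
        -extensions xpserver_ext -in "$W/server_req.pem" -out "$W/server_cert.pem"

    # 3.4 key and certificate in one file for eap.conf; it holds the plaintext key
    cat "$W/server_key.pem" "$W/server_cert.pem" > "$W/server_keycert.pem"
    chmod 600 "$W/server_keycert.pem"

    # 3.5 + 3.6 client request with its own CN (the user), encrypted key, signed with
    # clientAuth only; no -days here, so default_days (365) applies
    openssl req -config "$W/openssl.cnf" -batch -new -newkey rsa:2048 \
        -keyout "$W/client_key.pem" -out "$W/client_req.pem" \
        -passout "pass:$CLIENT_PASS" -subj "/C=PK/O=ciit/CN=alice"
    openssl ca -config "$W/openssl.cnf" -batch -passin "pass:$CA_PASS" \
        -extensions xpclient_ext -in "$W/client_req.pem" -out "$W/client_cert.pem"

    # 3.7 PKCS#12 for the user: carries the private key, EXPORT_PASS is its only protection
    openssl pkcs12 -export -clcerts -in "$W/client_cert.pem" -inkey "$W/client_key.pem" \
        -passin "pass:$CLIENT_PASS" -passout "pass:$EXPORT_PASS" -out "$W/client_cert.p12"

    # 3.8 plain DER copy of the CA certificate for the client's trust store
    openssl x509 -in "$W/cacert.pem" -outform DER -out "$W/cacert.der"
}

# cert_eku <cert.pem> <text>: true if the Extended Key Usage lists <text>
cert_eku() { openssl x509 -in "$1" -noout -text | grep -q "$2"; }
# verify_purpose <ca.pem> <cert.pem> sslserver|sslclient: chain check plus EKU check;
# a certificate carrying only one EKU fails verification for the other purpose
verify_purpose() { openssl verify -CAfile "$1" -purpose "$3" "$2" >/dev/null 2>&1; }
# p12_opens <file.p12> <password>: true if the bundle opens with this password
p12_opens() { openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" >/dev/null 2>&1; }

WORK=$(mktemp -d)
build_wifi_pki "$WORK"
```

After it runs, verify_purpose "$WORK/cacert.pem" "$WORK/server_cert.pem" sslserver succeeds while the same call with sslclient fails, which is the guarantee the xpextensions file buys: a leaked client certificate cannot be used to stand up a rogue RADIUS server that the clients would trust. One portability note: OpenSSL 3.x writes PKCS#12 files with AES and PBKDF2 by default, which old Windows versions cannot import; for such clients add -legacy to the openssl pkcs12 -export command.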
