WPA2 Enterprise – Username/Password-Prompt-Less Setup on Mixed Network

certificatefreeradiuswpa2

I asked a question recently about setting up WPA2 enterprise, and I have a couple of ancillary questions. First, regarding the use of the OpenSSL cnf files for the certificate generation. I have a number of them in /etc/raddb/certs, which came in part of my freeradius installation on my Gentoo box. I have a ca.cnf; server.cnf and client.cnf. My questions are as below:

If i want to set up username/password-prompt-less setup for WPA2 enterprise (I want the users file to use certificates)–can I do this following the same procedure I followed for "The windows XP client" in Step 1 of freeradius howto? I will add the eap.conf configuration as mentioned in the answer to my question above. Note that this is an issue I am facing in Mac OS X based systems. My windows XP/SP3 laptop does not seem to have this issue, as I added the ca.der file (double-click install), and the client.p12 file to it (see freeradius howto, under Step 1, "The windows XP client").
How do I import the specific keys onto iPhones and other personal devices such as iPads, Android tablets etc.?

Best Answer

After much poking around man pages for openssl.cnf and the configurations on the various iPhones and iPods at home, I have finally figured out the answer to the question I posed.

My solution achieves the following: (a) username/password-less logins in a secure manner using EAP-TLS via WPA2-enterprise, and (b) (maybe a teeny bit stronger security) password-less but username required login in a secure manner via WPA2-enterprise. The option (b) is really by uncommenting check_cert_cn in the eap.conf file, and requiring the username (there are a number of name attributes, be a little careful) is sent. A potential hacker could have your certificate, but she possibly does not have your username, but this is not exactly a security measure for a hacker who knows her way around certificates and WPA2 enterprise.

In a gist, the procedure is that you will change the client.cnf file for each client you want to add into the network and regenerate the keys using make client.pem, which produces the client.p12 file which you should download onto your client machines--this means each client gets its own key for the encryption, which implies one client in the network cannot spy on another's packets via promiscuous mode. If you have any issues during the creation of the client.pems: make client.pem bombs for any reason, then pay special attention to serial and serial.old, and index.txt and index.txt.old: specifically, mv serial.old serial and mv index.txt.old index.txt, and redo the make client.pem after the problem is fixed (e.g., incorrect cnf file due to typos--most likely due to the fact that special characters are sometimes not permitted for the passwords in the client.cnf file--I would appreciate anyone reading this to point me to resources regarding the use of special characters in *.cnf files).

Now the details: Windows machines need a different procedure: For each Windows XP client, you will need to use the techniques mentioned in the README file in /etc/raddb/certs/. Next, you should follow the steps in "Step 1: Create Certificates: On the Windows XP client" in the FreeRadius howto, and connect using Step 4 of the same howto in the FreeRadius site.

For all machines, before you do the above for each client, you should change the client.cnf file for usernames and passwords for each of the clients. My cnf files changed really only touched the [ req ] section of the client.cnf file to change distinguished_name, input_password and output_password. Note that the following section should describe the name of the client described as the value for the distinguished_name attribute. For example, if you had distinguished_name = beeblebrox in the [ req ] section, then the following section will start as [beeblebrox ]. Here, you will configure the attributes accordingly boringly (same for most clients in your network, except the emailAddress, which will change for each client).

At the end of this process, you are done generating the *.p12 digital profiles/personal information exchange file for each client. This file contains a private key which the client will use for communication in the network. Now you have to install these digital profiles on to the clients.

Windows machines will take the procedure for installation of the certificates and the connection to the WPA2 enterprise network as already mentioned above. All the other machines need the *.p12 file that was created for them (it is convenient to name them per client: xp1.p12, xp2.p12, ios1.p12, ios2.p12, macosx1.p12 etc.) to connect to the RADIUS server. How do you download the *.p12 file onto the machines securely? For laptops, the problem is trivially solved by the use of removable media or if you are connected via ethernet to the host network, an scp of the file. For iPhones and other devices, it is a tiny bit tricky. I am not sure if using insecure email is the way to go, considering the fact the *.p12 file contains the private key to be used by the clients. Perhaps you digitally encrypt your email so it is OK. But I solved it by hosting the *.p12 files locally on a webserver and downloading them onto the IOS devices.

On the MAC, you can follow the steps provided in here but make sure you add the *.p12 file to the keychain on your MAC before you do so (see here). The 802.1x authentication in your WPA2 enterprise configurations (you may have to explicitly check TLS in the configuration).

On the IOS devices, you first download the *.p12 file which will let you add this certificate as a profile (download of the *.p12 file starts the process automatically). Then, you go to settings->WiFi->add your WPA2 enterprise network, and specify the SSID, and then change the mode to EAP-TLS. Once you do that, the Identity option appears, which, when you click, offers the *.p12 profile option. Check the option, and return to the screen. Depending on whether or not you have chosen total username/password-less login to the enterprise system, or password-less login, you may have to enter the username from the corresponding client.cnf file used to generate the *.p12 file. Once you click join, you are in!

I'd appreciate someone adding the plug for wireless access via linux.

I'll pipe in once I can talk more on the number of times I have to re-login etc.--I might have seen this problem on my IOS devices, but I have to check again.

Related Solutions

How many user/supplicant certificates are needed for WPA2 enterprise on a small network

Sharing certificates is basically the same as sharing passwords. If the one certificate is compromised, you have to go and reconfigure all the clients in order to change the certificate, whereas if you have a certificate per client you can simply revoke the compromised certificate. Also, the shared certificate may mean that clients can decrypt traffic sent to and from other clients, whereas separate certificates means that clients can only decrypt their own traffic. If you're going to the effort of setting up WPA2 with certificates I suggest you do it properly and generate certificates for each client.

I'm assuming that you're using EAP-TLS here, in which case you don't specifically configure users in the users file. The fact that a client has a certificate and key signed by the CA (i.e. the CA_file parameter) and is not in the CRL means that it has access.

With EAP-TLS the user provides a username, certificate and private key (possibly protected with a password). Note that there is no password with which the username can be authenticated with (i.e. users can enter any username they want). If you want to use the username to make policy decisions you need to validate that the username which the user provided is correct. I think that this is done by setting the username you want to use as the Common Name in the certificate when it is generated, and enabling the check_cert_cn parameter. This will cause the server to reject the request if the Common Name in the certificate provided by the user does not match the username they provided. You can then add entries to the users file matching User-Name to define your policy.

Linux – FreeRADIUS certificate is going to expired

When I try to run "bootstrap" script or "make all", the end of running that return me this message (Just for 60 days):

openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr  -key `grep output_password ca.cnf | 

sed 's/.*=//;s/^ *//'` -out server.crt -extensions xpserver_ext -extfile xpextensions -config 

./server.cnf

Using configuration from ./server.cnf

Check that the request matches the signature

Signature ok

Certificate Details:

        Serial Number: 1 (0x1)

        Validity

            Not Before: Sep 17 15:55:12 2014 GMT

            Not After : Nov 16 15:55:12 2014 GMT

        Subject:

            countryName               = FR

            stateOrProvinceName       = Radius

            organizationName          = Example Inc.

            commonName                = Example Server Certificate

            emailAddress              = admin@example.com

        X509v3 extensions:

            X509v3 Extended Key Usage: 

                TLS Web Server Authentication

Certificate is to be certified until Nov 16 15:55:12 2014 GMT (60 days)

Best Answer

Related Solutions

How many user/supplicant certificates are needed for WPA2 enterprise on a small network

Linux – FreeRADIUS certificate is going to expired

Related Topic