WPA Wireless Authentication with eDirectory and FreeRADIUS

The following is an old article that I wrote that some people were asking me about. Here you go.

Introduction

The goal of this article is to allow you to have your wireless access protected by WPA and have users authenticate to eDirectory for access to the wireless network.

What is WPA?

WPA (Wi-Fi Protected Access) is the Wi-Fi Alliance security standard that replaced WEP for protecting wireless networks. It can operate in pre-shared key mode (WPA-PSK: the access point and every client know one secret passphrase), or in enterprise mode, where each user is authenticated individually through 802.1X/EAP against a RADIUS server. This article uses the second mode.

What is RADIUS?

RADIUS (Remote Authentication Dial-In User Service) is a standard protocol for authenticating, authorizing and accounting for network access. It has been around for many years and is implemented consistently across a broad range of devices and software. A RADIUS server receives an access request carrying the user's credentials (with WPA they travel inside EAP, which the access point relays to the server) and answers with Access-Accept or Access-Reject. It can look the user up in many different ways; in this article we are going to make it use eDirectory.

What is eDirectory?

Novell's eDirectory (http://www.novell.com/products/edirectory/) is a directory service that manages many different types of objects. It is also an LDAP server, which lets it integrate with almost anything.

Prerequisites

  • Novell Open Enterprise Server SP1
  • Novell eDirectory 8.7.3
  • Wireless Access Point/Router that supports WPA RADIUS

Installation

First off, I am assuming you have Open Enterprise Server and eDirectory installed and working properly. If you do not, learn that first; Novell's site has the documentation.

FreeRADIUS

FreeRADIUS is the open source RADIUS server we will be using. First we will install the FreeRADIUS version that ships with SLES9 through YaST, so that it handles all the dependencies. YaST is SUSE's package management and setup tool. After that we will upgrade it to version 1.0.2, the build that adds eDirectory support.

  1. Login to your machine and run YaST as root.

 # su
 # yast

  2. Under Software select Install and Remove Software.
  3. Tab over to the Filter menu item, hit enter, and choose Search.
  4. Type freeradius into the search box and hit enter.
  5. Select the package freeradius and hit enter until it shows a plus sign (this means install).
  6. Tab over to Accept and YaST will install freeradius.
  7. After FreeRADIUS and its dependencies are installed, download the newer version that supports eDirectory and install it over the top. The package is fetched over plain HTTP, so verify its signature or checksum against what Novell publishes before installing it.

 # wget "http://forge.novell.com/modules/xfcontent/private.php/edirfreeradius/SLES%209/freeradius-1.0.2-0.i586.rpm"
 # rpm -Uvh freeradius-1.0.2-0.i586.rpm


We have now successfully installed FreeRADIUS. Our next step is to prepare eDirectory to be used with RADIUS.

Server Configuration

eDirectory

Extend Schema

The first thing we are going to do is add a custom LDAP attribute that tells our FreeRADIUS server whether a user is permitted to access the wireless network.

  1. Go to Novell's iManager and login.
  2. Under Roles and Tasks, select Schema and then Create Attribute.
  3. For Attribute Name, type wirelessAccess in the box. Hit Next.
  4. For the Syntax, select Boolean. This means that the attribute will contain a true/false value. Hit Next.
  5. At Attribute Flags, we don't need to change anything. Hit next.
  6. Hit finish. The attribute has been created, now we need to add it to the User class.
  7. Back under Schema, select Add Attribute.
  8. For the class we want to add the attribute to, select User. Hit Next.
  9. Under Available optional attributes, select wirelessAccess and hit the right arrow, which will move it over to the Add these optional attributes box. Hit OK.

Allow wireless access for a user

Now that each user has an attribute named wirelessAccess, we can control access to our wireless network by setting this value for each user to be true or false. Let's start by adding our login to have wireless access.

  1. Go to Novell's iManager and login.
  2. Under Roles and Tasks, select eDirectory Administration.
  3. Select Modify Object and choose the user you would like to give wireless access to.
  4. Click on the drop down box that says Identification and select Other.
  5. Under Unvalued attributes select wirelessAccess and then hit the left arrow. You will then have a window popup that has wirelessAccess and a checkbox next to it. Check the box if you would like to allow wireless access for this user. Then hit OK.
  6. Hit Apply to save changes.

Add a RADIUS Administrator user

The next step is to add an administrator user for our RADIUS server that will allow the RADIUS server to query LDAP and get user and password information.

Create user

First we will create our RADIUS user.

  1. Go to Novell's iManager and login.
  2. Under Roles and Tasks, select Users, and then click on Create User.
  3. For Username, use something like radiusAdmin.
  4. For Last Name just put anything you like.
  5. For context, choose a context that works with your current eDirectory tree layout. For me the context I used was home.themoos: themoos is the organization and home is an organizational unit (I divide my organizational units by location).
  6. Specify a password.
  7. Hit OK to create the user.

Add user as a trustee

Now that we have created the user, we need to give it access to the tree.

  1. Go to Novell's iManager and login.
  2. Under Roles and Tasks, select Rights, and then click on Modify Trustees.
  3. Select the object whose access you want the RADIUS administrator user to have access to. For me, I selected home.themoos, because this is where all my users will be.
  4. Click on the Add Trustee button and select our RADIUS administrator user. For me this is radiusAdmin, under home.themoos.
  5. After you have added the user as a trustee, select Assigned Rights for the RADIUS admin user.
  6. For All Attribute Rights check the box for Supervisor and hit Done. Be aware that Supervisor over every attribute is far more than the lookup needs: the RADIUS account only reads user objects and their wirelessAccess and nspmPassword attributes, and anyone who obtains radiusd.conf (which stores this account's password in clear) inherits whatever you grant here. Once everything works, try narrowing the assignment to Read and Compare on the attributes FreeRADIUS actually uses and confirm that authentication still succeeds.
  7. Hit the button Apply to save the changes.

Enable Universal Passwords

The final thing we need to do with eDirectory is enable Universal Password. Universal Password stores a single password for the user that NMAS can hand back to a sufficiently privileged LDAP reader, and that is exactly what FreeRADIUS needs: the MS-CHAPv2 exchange inside the PEAP tunnel can only be verified when the server holds the user's password (or its NT hash), so simply binding to LDAP with the user's credentials would not work here.

  1. Go to Novell's iManager and login.
  2. Under Roles and Tasks, select Passwords, and then click on Password Policies.
  3. Click New to create a new Password Policy.
  4. For Password Policy Name, use something descriptive like Universal password policy. Hit Next.
  5. Check the radio item Yes to enable Universal Password. Uncheck the box Enable the advanced password rules. Also make sure the policy's Universal Password configuration options allow an administrator to retrieve passwords; that setting is what lets the RADIUS account read nspmPassword, and without it every wireless login is rejected.
  6. Select No for the Forgotten Password Feature. Hit next.
  7. Under the assign the password policy, choose the object that you would like to apply the policy to. This should be where all your users are that will be accessing the wireless network with RADIUS. I chose home.themoos. Hit Next.
  8. Hit Finish to finalize the policy.

FreeRADIUS

Now it's time to set up FreeRADIUS to connect to eDirectory. The first file we need to modify is /etc/raddb/radiusd.conf. Before we do that, we need to export the root CA certificate and the server certificate that were generated during the installation of Open Enterprise Server. The root certificate lets FreeRADIUS verify eDirectory when it talks LDAP over TLS, and the server certificate with its private key is what FreeRADIUS presents to wireless clients when it builds the PEAP tunnel.

Export Certificates

First off, you need to understand how certificates work and how they build a chain of trust. If you aren't familiar with them, read up on public key certificates before continuing. Now we need to export the Root CA certificate and the server certificate. We will use YaST, which makes this relatively easy.

  1. First login to your machine as root and open up YaST.
  2. Select Security and Users and under that select CA Management.
  3. Under CA Selection choose your default CA and then hit Enter CA. For me my default CA is YaST_Default_CA.
  4. If you get prompted for a password enter the password you set when you installed Open Enterprise Server and setup the Root CA.
  5. Select Advanced and choose Export to File.
  6. Under the Export CA to File dialog, select the option that says Only the certificate in PEM format.
  7. For file name, type /etc/raddb/certs/rootcert.pem. Hit OK to export it.
  8. Now that we have exported the Root CA, let's also export the server certificate. To do this you need to select the Certificates button.
  9. You should see a certificate in the list with the common name containing your server name/ip. Select that and select Export, then Export to File.
  10. Select the option that says Certificate and the key in encrypted PEM format. This will export our private key as well as the certificate.
  11. Enter the password for the certificate(most likely same one that we used above for Root CA). For file name enter /etc/raddb/certs/servercert.pem. Hit OK to finish exporting.
  12. Select Finish and exit YasT.

radiusd.conf

First thing we need to do is open up /etc/raddb/radiusd.conf with a text editor of your choice. The section we need to modify first is the ldap { } section, under modules { }.

ldap

Under the ldap section we specify how to connect to our eDirectory server. Change the parameters below.

server = "ldap.your.domain"
This should be the name of your eDirectory server and should match the name in the server certificate we exported, so that the TLS connection to LDAP can be verified against it.
identity = "cn=admin,o=My Org,c=UA"
This should be the full DN of the RADIUS administrator user we created in eDirectory. For me I used cn=radiusAdmin,ou=home,o=themoos.
password = mypass
This should contain the password you set for the RADIUS administrator user. It is stored here in clear, so keep radiusd.conf readable only by root and the user radiusd runs as.
basedn = "o=My Org,c=UA"
This is the context that FreeRADIUS searches when authenticating a user, i.e. where it looks when someone tries to log in to the wireless network. For me I used ou=home,o=themoos.
start_tls = no
Set this option to yes. It tells the RADIUS server to use TLS for its communication with the LDAP server (eDirectory), which matters because the user's Universal Password travels over this connection.
tls_cacertfile = /path/to/cacert.pem
Set this to the file we exported the Root CA certificate to. I used /etc/raddb/certs/rootcert.pem.
access_attr = "dialupAccess"
Set this to wirelessAccess. This is the attribute that is looked up for each user to see if they are allowed to access the resource. If you recall, we added a new LDAP attribute and set it to true for each user we want to have access; a user whose attribute is missing or FALSE is rejected.
password_attribute = nspmPassword
This line is not in the stock file; add it to the ldap section. It specifies the LDAP attribute from which the Universal Password is read.

ldap {
    server = "192.168.20.11"
    identity = "cn=radiusAdmin,ou=home,o=themoos"
    # stored in clear: radiusd.conf must not be world-readable
    password = pass
    basedn = "ou=home,o=themoos"
    filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    start_tls = yes
    tls_cacertfile = /etc/raddb/certs/rootcert.pem
    # must match the attribute created in the schema step exactly
    access_attr = "wirelessAccess"
    password_attribute = nspmPassword
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
}
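The decision this ldap { } section asks FreeRADIUS to make, as an added example that is not part of the original article or of FreeRADIUS itself: it models the filter expansion, the access_attr check and the nspmPassword lookup on a small constructed directory (the DNs and users below are stand-ins for ou=home,o=themoos) so the fail-closed behaviour can be exercised without an eDirectory server. The realm stripping and the ambiguous-match rejection are this model's assumptions; the RFC 4515 escaping mirrors what FreeRADIUS applies to the %{User-Name} expansion, and escape=False shows what a naive filter would do with a wildcard in the user name.

```python
"""Model of the authorize decision for the article's ldap { } settings.

Added example, not code from the article or from FreeRADIUS. The directory
below is constructed; DNs stand in for the ou=home,o=themoos tree.
"""
import re

# Constructed entries standing in for the tree under basedn = "ou=home,o=themoos".
DIRECTORY = {
    "cn=chris,ou=home,o=themoos": {
        "uid": ["chris"], "wirelessAccess": ["TRUE"], "nspmPassword": ["s3cret"]},
    "cn=guest,ou=home,o=themoos": {
        "uid": ["guest"], "wirelessAccess": ["FALSE"], "nspmPassword": ["guest1"]},
    "cn=printer,ou=home,o=themoos": {          # wirelessAccess was never set
        "uid": ["printer"], "nspmPassword": ["lj4000"]},
}


def ldap_escape(value):
    """RFC 4515 escaping of an assertion value: characters that carry filter
    meaning become \\XX so a user name is always matched literally."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def strip_realm(user_name):
    """Stand-in for %{Stripped-User-Name:-%{User-Name}} (assumption): drop an
    '@realm' suffix if present, otherwise use User-Name as-is."""
    return user_name.split("@", 1)[0]


def build_filter(user_name, escape=True):
    """The article's filter = "(uid=%{Stripped-User-Name:-%{User-Name}})".
    FreeRADIUS escapes the expansion itself; escape=False shows the naive form."""
    value = strip_realm(user_name)
    return "(uid=%s)" % (ldap_escape(value) if escape else value)


def _assertion_to_regex(value):
    """Turn a filter assertion value into a regex: '*' is a wildcard,
    '\\XX' is one literal character, everything else is literal."""
    parts, i = [], 0
    while i < len(value):
        hexpair = value[i + 1:i + 3]
        if value[i] == "\\" and re.fullmatch(r"[0-9a-fA-F]{2}", hexpair):
            parts.append(re.escape(chr(int(hexpair, 16))))
            i += 3
        elif value[i] == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(value[i]))
            i += 1
    return "".join(parts)


def search(directory, flt):
    """Minimal (attr=value) search standing in for the LDAP query under basedn."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", flt, re.S)
    if not m:
        return []
    attr, pattern = m.group(1), re.compile(_assertion_to_regex(m.group(2)), re.S)
    return [dn for dn, entry in directory.items()
            if any(pattern.fullmatch(v) for v in entry.get(attr, []))]


def authorize(user_name, directory=DIRECTORY, access_attr="wirelessAccess",
              password_attr="nspmPassword", escape=True):
    """Mirror of what rlm_ldap does with the article's settings: look the user
    up, require access_attr to be present and not FALSE, then fetch the
    password the inner MS-CHAPv2 check needs. Anything else is a reject.
    This model also rejects when the filter matches more than one entry."""
    matches = search(directory, build_filter(user_name, escape))
    if len(matches) != 1:
        return {"result": "reject", "matches": len(matches),
                "reason": "no unique entry for %r" % user_name}
    dn, entry = matches[0], directory[matches[0]]
    flag = entry.get(access_attr)
    if not flag:                                  # attribute absent: fail closed
        return {"result": "reject", "matches": 1,
                "reason": "%s not set on %s" % (access_attr, dn)}
    if flag[0].upper() == "FALSE":
        return {"result": "reject", "matches": 1,
                "reason": "%s is FALSE on %s" % (access_attr, dn)}
    password = entry.get(password_attr)
    if not password:                              # Universal Password not retrievable
        return {"result": "reject", "matches": 1,
                "reason": "%s not readable on %s" % (password_attr, dn)}
    return {"result": "ok", "matches": 1, "dn": dn, "Cleartext-Password": password[0]}


if __name__ == "__main__":
    for name in ("chris", "chris@themoos", "guest", "printer", "nobody", "*"):
        print("%-15s -> %s" % (name, authorize(name)))
    print("unescaped '*' matches %d entries" % authorize("*", escape=False)["matches"])
```

The two things worth noticing are that a user without the wirelessAccess attribute is rejected just like one with it set to FALSE (so forgetting to set the attribute never grants access), and that an escaped "*" matches nobody while the unescaped form matches every entry under basedn.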

authorize

Go down to the authorize section towards the end of the file. Uncomment ldap in this section. To uncomment you remove the # sign from the beginning of the line.

Change this:

   #
    #  The ldap module will set Auth-Type to LDAP if it has not
    #  already been set
#  ldap
to this:
   #
    #  The ldap module will set Auth-Type to LDAP if it has not
    #  already been set
    ldap

authenticate

Under the authenticate section, below the authorize section, we need to uncomment Auth-Type LDAP.

Change this:

# Auth-Type LDAP {
#      ldap
#  }
to this:
   Auth-Type LDAP {
        ldap
    }

post-auth

Under the post-auth section we need to uncomment ldap and change the Post-Auth-Type. As the comment in the file says, the REJECT sub-section only has an effect if edir_account_policy_check = yes is set in the ldap module; with that option the ldap module lets eDirectory apply its own account policy, such as intruder lockout, to failed wireless logins.

Change this:

# ldap
    #
    #  Access-Reject packets are sent through the REJECT sub-section of the
    #  post-auth section.
    #  Uncomment the following and set the module name to the ldap instance
    #  name if you have set 'edir_account_policy_check = yes' in the ldap
    #  module sub-section of the 'modules' section.
    #
#  Post-Auth-Type REJECT {
#      insert-module-name-here
#  }
to this:
   ldap
    #
    #  Access-Reject packets are sent through the REJECT sub-section of the
    #  post-auth section.
    #  Uncomment the following and set the module name to the ldap instance
    #  name if you have set 'edir_account_policy_check = yes' in the ldap
    #  module sub-section of the 'modules' section.
    #
    Post-Auth-Type REJECT {
        ldap
    }

eap.conf

This file contains the configuration for EAP. EAP, the Extensible Authentication Protocol, is the framework in which the client and the RADIUS server exchange authentication messages; the access point only relays EAP between 802.1X on the wireless side and RADIUS on the wired side. We will use PEAP, which first sets up a TLS tunnel authenticated by the server certificate and then runs MS-CHAPv2 inside it, so the password exchange is only as safe as the client's check of that certificate.

eap

Under the eap section, we want to change the default_eap_type.

We want to change this:

default_eap_type = md5
to this:
default_eap_type = peap

tls

Under the tls section, the first thing to do is uncomment the section: remove the # before tls { and before the closing }. After this we will modify the following parameters.

private_key_password = whatever
Change this to the passphrase protecting your private key, the one we specified when exporting the server certificate and key. It sits here in clear, so eap.conf must not be world-readable.

private_key_file = ${raddbdir}/certs/cert-srv.pem
Set this to the location of the file that has our private key. Recall that we exported the private key and server certificate from YaST to /etc/raddb/certs/servercert.pem.

certificate_file = ${raddbdir}/certs/cert-srv.pem
Set this to the same thing as above. We exported our certificate and private key to the same file. I used /etc/raddb/certs/servercert.pem.

CA_file = ${raddbdir}/certs/demoCA/cacert.pem
Set this to the file that contains the Root CA's certificate. We exported this from YaST to /etc/raddb/certs/rootcert.pem.

#dh_file = ${raddbdir}/certs/dh
#random_file = ${raddbdir}/certs/random
Uncomment the two lines above. Both files must exist when radiusd starts: dh holds Diffie-Hellman parameters (generate them with openssl dhparam if the package did not ship them) and random is simply a file of random bytes used to seed TLS.

The final section should look like this:

   tls {
            private_key_password = pass
            private_key_file = /etc/raddb/certs/servercert.pem

            #  If Private key & Certificate are located in
            #  the same file, then private_key_file &
            #  certificate_file must contain the same file
            #  name.
            certificate_file = /etc/raddb/certs/servercert.pem

            #  Trusted Root CA list
            CA_file = /etc/raddb/certs/rootcert.pem

            dh_file = ${raddbdir}/certs/dh
            random_file = ${raddbdir}/certs/random
        }

peap

Under this section we need to uncomment the peap { } block itself and the line for default_eap_type inside it.

Change this:

       # peap {
            #  The tunneled EAP session needs a default
            #  EAP type which is separate from the one for
            #  the non-tunneled EAP module.  Inside of the
            #  PEAP tunnel, we recommend using MS-CHAPv2,
            #  as that is the default type supported by
            #  Windows clients.
            #default_eap_type = mschapv2
        #}
to this:
       peap {
            #  The tunneled EAP session needs a default
            #  EAP type which is separate from the one for
            #  the non-tunneled EAP module.  Inside of the
            #  PEAP tunnel, we recommend using MS-CHAPv2,
            #  as that is the default type supported by
            #  Windows clients.
            default_eap_type = mschapv2
        }

clients.conf

In this file we tell FreeRADIUS which devices (NAS clients) are allowed to send it requests, and the shared secret that both the RADIUS server and the wireless router know.

Use something like this:

client 192.168.20.0/24 {
        secret          = somepassword
        shortname       = themoos
}

192.168.20.x is my wireless subnet. shortname is a label for the access point that shows up in the logs. Note that a /24 entry lets any host on that subnet that knows the secret send requests to the RADIUS server; list the access point's own address instead, and choose a long random secret, because this secret is all that authenticates the access point to the server and protects the RADIUS traffic between them.

Wireless Access Point

Configuring the access point is relatively easy compared to everything else we've done. I am using a Linksys wireless router, so I will show you how to set WPA RADIUS on that.

  1. Login to your router's configuration page. Usually something like 192.168.1.1.
  2. Select the Wireless tab, and under that select Wireless Security.
  3. Set the following options:
     Security Mode: WPA RADIUS
     WPA Algorithms: TKIP (this router offered nothing stronger with WPA; if yours supports WPA2 with AES/CCMP, use that instead, since TKIP is deprecated and has known weaknesses)
     RADIUS Server Address: IP of your RADIUS server. (Mine is 192.168.20.11)
     RADIUS Port: 1812
     Shared Key: the secret you specified in clients.conf.

Apply the changes and we are done with configuring the wireless router.

RADIUS Server Startup Scripts

The last thing we need to do is set up a startup link on our SLES box so the RADIUS server starts on boot. I'm assuming your server's default runlevel is 3 (multi-user, text based); if it is different, substitute that runlevel for the 3. Issue the following commands to create the start link (on SUSE, chkconfig or insserv does the same and also creates the matching stop link):

 # cd /etc/rc.d/rc3.d
 # ln -s /etc/rc.d/radiusd S19radiusd
 

Client Configuration

Windows XP

The first thing we need to do is install the Root CA certificate that we created earlier. This will be the basis of trust between the client and the RADIUS server. That means that when we talk to the RADIUS server we know it is really the real one and not someone trying to fake a server to get our password.

Convert Root CA certificate from pem to cer

Edit: 02-05-2010
We need to convert our pem certificate, /etc/raddb/certs/rootcert.pem to DER (which is used for .cer).

openssl x509 -outform der -inform pem -in /etc/raddb/certs/rootcert.pem -out /home/chris/cert.cer
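A check worth running on the exported files before putting them into radiusd.conf and eap.conf, and as a companion to the conversion above. This is an added example, not part of the original article: it verifies that the exported server certificate chains to the exported root, that neither certificate has expired, that the name FreeRADIUS will connect to appears in the server certificate, and then writes the DER copy of the root certificate for Windows. The file names, the name ldap.themoos.example and the throwaway test CA built by make_test_pki are assumptions used only to exercise the check; it needs the openssl command line tool.

```shell
#!/bin/sh
# Added example (not from the article): sanity-check the certificates exported
# from YaST before wiring them into radiusd.conf / eap.conf, then convert the
# root certificate to DER for the Windows client. Requires openssl.
#
# check_radius_certs ROOT.pem SERVER.pem EXPECTED_NAME OUT.cer
#   ROOT.pem      the exported Root CA certificate (rootcert.pem in the article)
#   SERVER.pem    the exported server certificate, with or without its key
#   EXPECTED_NAME the name FreeRADIUS connects to (server = in radiusd.conf)
#   OUT.cer       where to write the DER copy of the root certificate
# Returns 0 only if every check passes.
check_radius_certs() {
    root=$1; server=$2; name=$3; out=$4
    tmp=$(mktemp -d) || return 1
    # Keep only the certificate block: YaST's export may carry the
    # passphrase-protected private key in the same file.
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$server" \
        > "$tmp/server.crt"
    if [ ! -s "$tmp/server.crt" ]; then
        echo "no certificate block found in $server"; rm -rf "$tmp"; return 1
    fi
    # 1. The server certificate must chain to the exported root.
    if ! openssl verify -CAfile "$root" "$tmp/server.crt" >/dev/null 2>&1; then
        echo "$server does not verify against $root"; rm -rf "$tmp"; return 1
    fi
    # 2. Neither certificate may be expired.
    for f in "$root" "$tmp/server.crt"; do
        if ! openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1; then
            echo "$f is expired"; rm -rf "$tmp"; return 1
        fi
    done
    # 3. The name FreeRADIUS connects to must appear in the subject or the SANs.
    names=$(openssl x509 -in "$tmp/server.crt" -noout -subject -text 2>/dev/null \
            | grep -E 'subject=|DNS:|IP Address:' || true)
    if ! printf '%s\n' "$names" | grep -Fq -- "$name"; then
        echo "$name not found in server certificate ($names)"; rm -rf "$tmp"; return 1
    fi
    # 4. DER copy of the root certificate, as the article's openssl command does.
    if ! openssl x509 -in "$root" -inform pem -outform der -out "$out" 2>/dev/null; then
        rm -rf "$tmp"; return 1
    fi
    rm -rf "$tmp"
    echo "ok: $server chains to $root, matches $name, DER root written to $out"
    return 0
}

# Throwaway CA and server certificate to try the check on (constructed test
# data standing in for the YaST exports; assumption, not the article's PKI).
make_test_pki() {
    dir=$1; name=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root CA $name" \
        -keyout "$dir/ca.key" -out "$dir/rootcert.pem" >/dev/null 2>&1 || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/rootcert.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/server.crt" >/dev/null 2>&1 || return 1
    # Key and certificate in one file, like the YaST export.
    cat "$dir/server.key" "$dir/server.crt" > "$dir/servercert.pem"
}

if [ "${1-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_test_pki "$d" ldap.themoos.example
    check_radius_certs "$d/rootcert.pem" "$d/servercert.pem" ldap.themoos.example "$d/cert.cer"
    rm -rf "$d"
fi
```

Run it as check_radius_certs /etc/raddb/certs/rootcert.pem /etc/raddb/certs/servercert.pem ldap.your.domain /home/chris/cert.cer on the real files; a failure in step 1 or 3 is the usual reason a TLS connection to LDAP, or a client that validates the server certificate, refuses to come up.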

Install Root CA Certficiate

  1. Copy the .cer file you created on your SLES box to the windows xp machine. For me the file was located on my linux box at /home/chris/cert.cer.
  2. Once you have it copied to the windows xp machine, double click on the file.
  3. Windows will ask if you want to open this file, choose Open.
  4. Click the button that says Install Certificate to install the certificate to your computer.
  5. A dialog will pop up that says Certificate Import Wizard. Hit Next. Select the radio button Place all certificates in the following store. Hit the Browse button and select Trusted Root Certification Authorities. Hit OK, then Next. Hit Finish.
  6. A security warning pops up asking again if you are sure you want to install the certificate. Select Yes to install it.

Wireless Network Properties

Now we need to modify the properties for when we connect to our Wireless Access Point. Pull up the choose a wireless network dialog to locate the wireless AP you want to connect to.

  1. Double click on the wireless AP in the Choose a wireless network dialog.
  2. Windows will try to authenticate using your windows login credentials.
  3. Now click on Change advanced settings and go to the Wireless networks tab.
  4. In the preferred networks list choose your wireless AP and click Properties.
  5. Set Network Authentication to WPA.
  6. Set Data encryption to TKIP.
  7. Click the Authentication tab and select EAP Type: Protected EAP(PEAP).
  8. Uncheck the box that says Authenticate as computer when computer information is available..
  9. Click the properties button.
  10. Uncheck the box that says Validate server certificate. This is the setting that makes the setup work despite the certificate problem described in the conclusion, and it is also the weakest point in the whole configuration: with validation off, the client builds its PEAP tunnel with whatever presents a certificate, so a rogue access point broadcasting your SSID receives the user's MS-CHAPv2 challenge/response and can attack it offline. Treat this as a lab-only setting. For production, leave the box checked, tick your Root CA in the Trusted Root Certification Authorities list of this dialog, and make sure the server certificate carries the Server Authentication extended key usage, which Windows requires before it will accept an EAP server certificate.
  11. Click the Configure button and uncheck the box that says Automatically use my Windows logon name.... Hit OK. Hit OK again.
  12. Keep hitting OK until all the windows have closed.
  13. Right mouse click on your wireless connection and choose View Available Wireless Networks.
  14. Double click on the AP you want to connect to.
  15. You will see a balloon popup in the bottom right asking you to verify your credentials. Click on that.
  16. Type your eDirectory username and password, and watch it authenticate ;).

Testing

Wow, we finally finished editing all those config files. Now it's time to fire up the RADIUS server, and test it out with a wireless computer. Issue the following command to start up the RADIUS server.

# /etc/init.d/radiusd start

Now our RADIUS server should be running. Next go to your client computer. For me I am using Windows XP SP2. Pull up the available wireless networks, double click on your AP, and watch it connect. ;)

Conclusion

Now you should have your wireless network protected with WPA and authenticating to eDirectory. I hope that you all have learned something from this article. If you have any questions/comments/fixes please let me know at xoclipse@cox.net. The only thing left that I need to add to this article is to get windows xp to validate the server certificate. For some reason I was having some problems with it so I will continue to work on it and update this article when I get it working.

External Links

http://www.novell.com/coolsolutions/tip/15922.html  

http://www.novell.com/documentation/edir_radius/index.html  


Written on February 5, 2009