Creating EAP certificates for FreeRADIUS

EAP Configuration: Article 4 of 5

Once the initial EAP testing has been performed, it is time to create the real certificates to use in your production network. These certificates will be configured on the end hosts that will be doing PEAP, TTLS, or EAP-TLS authentication.

Production Certificates

The FreeRADIUS certificate configuration files are located in /etc/raddb/certs/*.cnf. Most of the contents of those files can be ignored, as they configure various OpenSSL parameters. Some fields (the passwords in the [ req ] section and the subject fields in the sections shown below) should be edited to meet your local requirements.

ca.cnf

...
[ req ]
prompt = no
distinguished_name = certificate_authority
default_bits = 2048
input_password = whatever
output_password = whatever
x509_extensions = v3_ca

[certificate_authority]
countryName = FR
stateOrProvinceName = Radius
localityName = Somewhere
organizationName = Example Inc.
emailAddress = admin@example.com
commonName = "Example Certificate Authority"
...

server.cnf

...
[ req ]
prompt = no
distinguished_name = server
default_bits = 2048
input_password = whatever
output_password = whatever

[server]
countryName = FR
stateOrProvinceName = Radius
localityName = Somewhere
organizationName = Example Inc.
emailAddress = admin@example.com
commonName = "Example Server Certificate"
...

You need to edit client.cnf only if you are using EAP-TLS. If not, then that file can be left as-is.

Once the ca.cnf and server.cnf files have been edited, re-create the CA and server certificates as you did in the EAP howto. This process destroys any existing certificates in the directory, so make a backup of it before continuing.

$ cd /etc/raddb/certs
$ make

Depending on the version of FreeRADIUS, the output may be the message "make: Nothing to be done for 'all'." In that case, you will have to remove some files manually, and then re-create the certificates:

$ rm -f *csr *key
$ make 

Otherwise, you should see OpenSSL creating the keys and certificates, as shown below:

openssl req -new -x509 -keyout ca.key -out ca.pem -config ./ca.cnf
Generating a 2048 bit RSA private key
...................................................
etc.

Once the new certificates have been generated, restart the server in debugging mode, and repeat the tests given in the EAP howto. That is, leave the Validate Server Certificate box (or equivalent) unchecked, and try to log in using the same username and password as in the PAP howto.

If the authentication succeeds (and it should, if the EAP howto succeeded), then you can proceed to the next step, importing the root CA onto the client machines.

Client Certificates

Creating a client certificate is similar to the above steps. Just edit client.cnf, and set the appropriate fields in the [client] section at the bottom of the file. Save the file, and run the following command:

$ make client 

It will create a new client certificate in client.pem. This certificate can be imported into a client, and used for EAP-TLS authentication.

You can create a second client certificate by repeating the above steps. Be sure to use different values for the fields emailAddress and commonName. OpenSSL requires a unique subject for each certificate it signs, and will refuse to issue a second certificate that reuses those fields.
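The two checks worth doing before running make (for ca.cnf and server.cnf) and make client (for each new client.cnf) are the ones the text above describes: that the placeholder values shown in the configuration excerpts have actually been replaced, and that the new client's commonName/emailAddress pair has not already been issued. The script below is an added example, not part of this howto or of the FreeRADIUS certs Makefile. It assumes that the Makefile's OpenSSL CA database is index.txt in the certs directory (the standard "openssl ca" layout, which the howto does not mention), that the placeholder values are the ones shown in the excerpts above, and that commonName placeholders contain "Example" or "example.com". The index.txt lines and the client.cnf files it writes are constructed sample data, not output from a real CA.

```sh
#!/bin/sh
# Added example for this howto (not from FreeRADIUS or its certs Makefile):
# sanity-check an edited *.cnf before running "make" / "make client".
# Assumption: the Makefile's OpenSSL CA database is index.txt in the certs
# directory (standard "openssl ca" layout; the howto does not state this).

# cnf_get FILE SECTION KEY: print KEY's value from [SECTION] (quotes stripped).
cnf_get() {
    awk -v want="$2" -v key="$3" '
        /^[ \t]*\[/ { s = $0; gsub(/[^A-Za-z0-9_]/, "", s); in_sec = (s == want); next }
        in_sec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            gsub(/^"|"$/, "", v); print v; exit
        }' "$1"
}

# cnf_defaults_left FILE SECTION: list fields still holding the placeholder
# values shown in the howto excerpts; returns 1 if any remain.
cnf_defaults_left() {
    f=$1; sec=$2; left=0
    for k in input_password output_password; do
        if [ "$(cnf_get "$f" req "$k")" = whatever ]; then
            echo "$f: $k is still 'whatever'"; left=1
        fi
    done
    for kv in stateOrProvinceName=Radius localityName=Somewhere \
              "organizationName=Example Inc." emailAddress=admin@example.com; do
        k=${kv%%=*}; v=${kv#*=}
        if [ "$(cnf_get "$f" "$sec" "$k")" = "$v" ]; then
            echo "$f: $k is still '$v'"; left=1
        fi
    done
    case $(cnf_get "$f" "$sec" commonName) in
        *Example*|*example.com*) echo "$f: commonName is still a placeholder"; left=1 ;;
    esac
    return $left
}

# index_has_subject INDEX CN EMAIL: 0 if a valid ("V") entry in the CA database
# already carries this CN and emailAddress, i.e. "openssl ca" would refuse it.
# Revoked ("R") entries are skipped, as openssl ca only indexes valid ones.
index_has_subject() {
    awk -F'\t' -v cn="$2" -v em="$3" '
        $1 == "V" {
            n = split($NF, p, "/"); c = ""; e = ""
            for (i = 1; i <= n; i++) {
                if (p[i] ~ /^CN=/)           c = substr(p[i], 4)
                if (p[i] ~ /^emailAddress=/) e = substr(p[i], 14)
            }
            if (c == cn && e == em) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }' "$1"
}

# check_client_cnf CLIENT_CNF INDEX: 0 only if [client] has been edited away
# from the placeholders and its CN/emailAddress pair is not already issued.
check_client_cnf() {
    rc=0
    cnf_defaults_left "$1" client || rc=1
    cn=$(cnf_get "$1" client commonName); em=$(cnf_get "$1" client emailAddress)
    if [ -f "$2" ] && index_has_subject "$2" "$cn" "$em"; then
        echo "$1: CN=$cn emailAddress=$em already issued; pick new values"; rc=1
    fi
    return $rc
}

# write_samples DIR: constructed inputs (not real site data) for a dry run:
# an index.txt with two issued subjects and one revoked, a client.cnf that
# reuses an issued subject and keeps the default passwords, and a fixed copy.
write_samples() {
    {
        printf 'V\t301231235959Z\t\t01\tunknown\t%s\n' \
            '/C=FR/ST=Radius/O=Example Inc./CN=Example Server Certificate/emailAddress=admin@example.com'
        printf 'V\t301231235959Z\t\t02\tunknown\t%s\n' \
            '/C=NL/ST=Utrecht/O=Widgets BV/CN=alice@widgets.test/emailAddress=alice@widgets.test'
        printf 'R\t301231235959Z\t240101000000Z\t03\tunknown\t%s\n' \
            '/C=NL/ST=Utrecht/O=Widgets BV/CN=bob@widgets.test/emailAddress=bob@widgets.test'
    } > "$1/index.txt"
    cat > "$1/client-dup.cnf" <<'EOF'
[ req ]
prompt = no
input_password = whatever
output_password = whatever
[client]
countryName = NL
stateOrProvinceName = Utrecht
localityName = Utrecht
organizationName = Widgets BV
emailAddress = alice@widgets.test
commonName = "alice@widgets.test"
EOF
    sed -e 's/whatever/Str0ngPassphrase/' -e 's/alice@/carol@/' \
        "$1/client-dup.cnf" > "$1/client-ok.cnf"
}

# Dry run on the constructed samples: client-dup is rejected, client-ok passes.
tmp=$(mktemp -d); write_samples "$tmp"
for c in client-dup client-ok; do
    if check_client_cnf "$tmp/$c.cnf" "$tmp/index.txt"; then
        echo "$c: OK to run make client"
    fi
done
rm -rf "$tmp"
```

Run it from /etc/raddb/certs as check_client_cnf client.cnf index.txt before each make client; the same cnf_defaults_left function can be pointed at ca.cnf with section certificate_authority, or at server.cnf with section server, before running make for the production CA and server certificates.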

Need more help?

Network RADIUS has been helping clients around the world design and deploy their RADIUS infrastructure for 20 years. We specialize in complex systems and have seen pretty much every variation and problem out there. If you want help from the people who wrote FreeRADIUS, visit our quote page to contact us for a consultation.
