EAPTLS
generated files must either be copied or made available over the network to the Windows XP client for certificate installation.
 
File           Purpose
root.der       CA Root Certificate
cert-clt.p12   Client certificate with private key
 
Directions for installing these certificates can be found in §4.3.1 and §4.3.2. 
4.3 Microsoft Management Console Use 
From the Start-Run menu run mmc. The window shown in Figure 4 opens. 
 
 
Figure 4: Microsoft Management Console (MMC) - initial 
Select “File->Add/Remove Snap-in…”. The following dialog will appear.
 
Version 1.0, April 17, 2002 
 - 7 -
 
Figure 5: MMC - Adding a Snap-in 
Click the “Add” button. The following dialog will appear.
 
 
Figure 6: MMC - Selecting Certificates Snap-in 
Select the “Certificates” Snap-in and click “Add”. The following dialog will appear.
 
 
Figure 7: MMC - Specifying Certificate Management for User Accounts 
Select “My user account” and click “Finish”. The following dialog will appear.
 
 
 
Figure 8: MMC - Specifying Local Computer is to be managed 
 
Select “Local computer” and click “Finish”.
 
4.3.1 Installing CA Root Certificate 
To install the CA Root Certificate, open the “root.der” file created in §4.2. Windows will then display the following dialog. Click “Install Certificate”.
 
 
Figure 9: Installing CA Root Certificate - Initial Screen 
 
Figure 10: Installing CA Root Certificate - Selecting Certificate Store, Step 1 
For the dialog in Figure 10, select “Place all certificates in the following store”, then click “Browse…”. The following dialog will appear. Select “Trusted Root Certification Authorities” and click “OK”.
 
 
Figure 11: Installing CA Root Certificate - Selecting Certificate Store, Step 2 
 
 
Figure 12: Installing CA Root Certificate - Selecting Certificate Store, Step 3 
When the dialog in Figure 12 appears, click “Finish”.
 
Figure 13: Installing CA Root Certificate - Success 
 
Figure 14: Installing CA Root Certificate - Final confirmation 
Click “Yes” at this final dialog box.
 
4.3.2 Installing Client Certificate 
To install the Client (User) Certificate, open the “cert-clt.p12” file created in §4.2. Installation is similar to the CA Root certificate, but this time you’ll be prompted to enter the password for the private key, which is “whatever” if you accepted the default when creating the certificates.
 
 
Figure 15: Installing Client Certificate - Pass phrase prompt 
 
 
Figure 16: Installing Client Certificate - Selecting Certificate Store, Step 1 
 
Leave the defaults; the certificate will be placed in the User Certificates area.
 
Open the MMC and the client certificate should look like the following figure. 
 
 
Figure 17: Display of Client Certificate - General 
 
 
Figure 18: Display of Client Certificate - Details 
Be certain the Enhanced Key Usage shows Client Authentication. 
 
 
Figure 19: Display of Client Certificate - Certification Path
The certification path should go back to the trusted root certificate you installed previously.
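The two properties the guide has you confirm in Figures 18 and 19 can also be checked from the command line; the following is an added shell example (not from the original guide) that runs the same checks with the openssl CLI. It assumes OpenSSL 1.1 or newer on PATH, uses the guide's file names and default “whatever” pass phrase, and the fixture certificates it generates are constructed stand-ins for the §4.2 output.

```shell
#!/bin/sh
# Added example: the Figure 18 (EKU) and Figure 19 (certification path) checks
# done with openssl instead of the MMC.  Assumes OpenSSL 1.1+ on PATH.

# check_client_cert ROOT_DER CLIENT_P12 P12_PASSWORD
# returns 0 when both checks pass, 2 on a bad EKU, 3 on a broken chain
check_client_cert() {
    root_der=$1; clt_p12=$2; p12_pass=$3
    work=$(mktemp -d) || return 1
    # root.der is DER encoded; openssl verify expects PEM
    openssl x509 -inform DER -in "$root_der" -out "$work/root.pem" || return 1
    # pull only the end-entity certificate (no private key) out of the PKCS#12
    openssl pkcs12 -in "$clt_p12" -passin "pass:$p12_pass" -clcerts -nokeys \
        -out "$work/clt.pem" 2>/dev/null || return 1
    # Figure 18 check: Enhanced Key Usage must list Client Authentication
    if ! openssl x509 -in "$work/clt.pem" -noout -text \
            | grep -A1 'Extended Key Usage' \
            | grep -q 'TLS Web Client Authentication'; then
        echo "EKU does not include Client Authentication" >&2; rm -rf "$work"; return 2
    fi
    # Figure 19 check: the certification path must end at the installed root
    if ! openssl verify -CAfile "$work/root.pem" "$work/clt.pem" >/dev/null 2>&1; then
        echo "certificate does not chain to root.der" >&2; rm -rf "$work"; return 3
    fi
    rm -rf "$work"
    return 0
}

# make_fixture DIR EKU: constructed throw-away root CA and client certificate
# (a stand-in for the §4.2 output) so the checker can be exercised offline.
make_fixture() {
    d=$1; eku=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null || return 1
    openssl x509 -in "$d/root.pem" -outform DER -out "$d/root.der" || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=KEN" \
        -keyout "$d/clt.key" -out "$d/clt.csr" 2>/dev/null || return 1
    printf 'extendedKeyUsage=%s\n' "$eku" > "$d/ext.cnf"
    openssl x509 -req -in "$d/clt.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -extfile "$d/ext.cnf" -out "$d/clt.pem" 2>/dev/null \
        || return 1
    openssl pkcs12 -export -inkey "$d/clt.key" -in "$d/clt.pem" \
        -passout pass:whatever -out "$d/cert-clt.p12" 2>/dev/null || return 1
}

# Usage: sh check_client_cert.sh root.der cert-clt.p12 whatever
if [ $# -eq 3 ]; then check_client_cert "$1" "$2" "$3"; fi
```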
5. FreeRADIUS log 
The following is a FreeRADIUS log when the XP client is successfully authenticated. 
 
$ ./radiusd -X 
Starting - reading configuration files ... 
reread_config: reading radiusd.conf 
Config: including file: /home/freeradius/cvs0415/etc/raddb/proxy.conf 
Config: including file: /home/freeradius/cvs0415/etc/raddb/clients.conf 
Config: including file: /home/freeradius/cvs0415/etc/raddb/snmp.conf 
Config: including file: /home/freeradius/cvs0415/etc/raddb/sql.conf 
 main: prefix = "/home/freeradius/cvs0415" 
 main: localstatedir = "/home/freeradius/cvs0415/var" 
 main: logdir = "/home/freeradius/cvs0415/var/log/radius" 
 main: libdir = "/home/freeradius/cvs0415/lib" 
 main: radacctdir = "/home/freeradius/cvs0415/var/log/radius/radacct" 
 main: hostname_lookups = no 
read_config_files: reading dictionary 
read_config_files: reading clients 
read_config_files: reading realms 
read_config_files: reading naslist 
 main: max_request_time = 30 
 main: cleanup_delay = 5 
 main: max_requests = 1024 
 main: delete_blocked_requests = 0 
 main: port = 0 
 main: allow_core_dumps = no 
 main: log_stripped_names = no 
 main: log_auth = yes 
 main: log_auth_badpass = yes 
 main: log_auth_goodpass = yes 
 main: pidfile = "/home/freeradius/cvs0415/var/run/radiusd.pid" 
 main: user = "root" 
 main: group = "root" 
 main: usercollide = no 
 main: lower_user = "no" 
 main: lower_pass = "no" 
 main: nospace_user = "no" 
 main: nospace_pass = "no" 
 main: proxy_requests = yes 
 proxy: retry_delay = 5 
 proxy: retry_count = 3 
 proxy: synchronous = no 
 proxy: default_fallback = yes 
 proxy: dead_time = 120 
 security: max_attributes = 200 
 security: reject_delay = 1 
 main: debug_level = 0 
read_config_files: entering modules setup 
Module: Library search path is /home/freeradius/cvs0415/lib 
Module: Loaded System 
 unix: cache = no 
 unix: passwd = "/etc/passwd" 
 unix: shadow = "(null)" 
 unix: group = "/etc/group" 
 unix: radwtmp = "/home/freeradius/cvs0415/var/log/radius/radwtmp" 
 unix: usegroup = no 
 unix: cache_reload = 600 
Module: Instantiated unix (unix) 
Module: Loaded eap 
 eap: default_eap_type = "tls" 
 eap: timer_expire = 60 
 tls: rsa_key_exchange = no 
 tls: dh_key_exchange = yes 
 tls: rsa_key_length = 512 
 tls: dh_key_length = 512 
 tls: verify_depth = 0 
 tls: CA_path = "(null)" 
 tls: pem_file_type = yes 
 tls: private_key_file = "/home/ker/certificates/cert-srv.pem" 
 tls: certificate_file = "/home/ker/certificates/cert-srv.pem" 
 tls: CA_file = "/home/ker/certificates/demoCA/cacert.pem" 
 tls: private_key_password = "whatever" 
 tls: dh_file = "/etc/1x/adamcert/random" 
 tls: random_file = "/etc/1x/adamcert/dh" 
 tls: fragment_size = 1024 
 tls: include_length = yes 
rlm_eap_tls: conf N ctx stored 
rlm_eap: Loaded and initialized the type tls 
Module: Instantiated eap (eap) 
Module: Loaded preprocess 
 preprocess: huntgroups = "/home/freeradius/cvs0415/etc/raddb/huntgroups" 
 preprocess: hints = "/home/freeradius/cvs0415/etc/raddb/hints" 
 preprocess: with_ascend_hack = no 
 preprocess: ascend_channels_per_line = 23 
 preprocess: with_ntdomain_hack = no 
 preprocess: with_specialix_jetstream_hack = no 
 preprocess: with_cisco_vsa_hack = no 
Module: Instantiated preprocess (preprocess) 
Module: Loaded realm 
 realm: format = "suffix" 
 realm: delimiter = "@" 
Module: Instantiated realm (suffix) 
Module: Loaded files 
 files: usersfile = "/home/freeradius/cvs0415/etc/raddb/users" 
 files: acctusersfile = "/home/freeradius/cvs0415/etc/raddb/acct_users" 
 files: compat = "no" 
Module: Instantiated files (files) 
Module: Loaded detail 
 detail: detailfile = "/home/freeradius/cvs0415/var/log/radius/radacct/%{Client-IP-Address}/detail" 
 detail: detailperm = 384 
 detail: dirperm = 493 
Module: Instantiated detail (detail) 
Module: Loaded radutmp 
 radutmp: filename = "/home/freeradius/cvs0415/var/log/radius/radutmp" 
 radutmp: username = "%{User-Name}" 
 radutmp: perm = 384 
 radutmp: callerid = yes 
Module: Instantiated radutmp (radutmp) 
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp. 
Ready to process requests. 
rad_recv: Access-Request packet from host 192.168.123.2:4261, id=73, length=119 
 User-Name = "KEN" 
 NAS-IP-Address = 192.168.123.2 
 Called-Station-Id = "004096431d06" 
 Calling-Station-Id = "000625039e69" 
 NAS-Identifier = "AP340-431d06" 
 NAS-Port = 29 
 Framed-MTU = 1400 
 NAS-Port-Type = Wireless-802.11 
 EAP-Message