[HowTO] WPA2 Enterprise EAP-TTLS,PAP

krabs:
[!] - Only for mipsel devices, like RT-N16, RT-N66U/R, RT-AC66U/R

Follow the complete tutorial on the WIKI.

In this tutorial we're going to install freeradius2 (EAP-TTLS,PAP) from Entware.

I still haven't tested this on the 5 GHz band because I'm not using it; it should also work, so if you are going to use it please report the status.

We have several authentication methods to choose from, like EAP-TLS, EAP-PEAP, ... I think EAP-TTLS is one of the better options: it doesn't require client certs but still uses a secure tunnel (server certificates) before the inner client authentication takes place.
Here are some more detailed descriptions:

Juniper
Wikipedia

The only disadvantage of EAP-TTLS is that there's no native support for it in Windows 7 and earlier, but there's still a free third-party solution for PC; not sure about Windows Phone 8 if you cannot upgrade to 8.1.

Instead of using RSA keys, I have used elliptic curve keys and this works extremely well on freeradius and clients.

Prerequisites: a wired device with telnet/SSH for debugging; some basic Linux skills are recommended.

[1] - Setup entware from Wiki

[2] - Install required packages
Code:
opkg install freeradius2 \
freeradius2-common \
freeradius2-mod-eap \
freeradius2-mod-eap-tls \
freeradius2-mod-eap-ttls \
freeradius2-mod-files \
freeradius2-mod-pap

[3] - I have created a very stripped-down version of the needed config files, plus the missing one, after testing. To make things a bit easier we're going to use that.

Code:
cd /opt/etc/ && cp -r freeradius2 freeradius2.bak
cd freeradius2 && rm -rf *
opkg install wget
/opt/bin/wget --no-check-certificate -O - http://goo.gl/Ykov6H | tar -xzC /opt/etc/freeradius2

[4] - Generating Certificates

Code:
cd /opt/etc/freeradius2/certs
/opt/bin/wget --no-check-certificate http://goo.gl/kNg6Ms -O openssl.cnf
mkdir -p CA/private new export

Private Key & CA Cert
When generating the CA certificate request do not leave fields blank; we can use that as an extra check of the validity of the certificate. Enter a password to protect the private key.
Example of mine: C=BE, ST=Limburg, L=Hoeselt, O=Last-Name, OU=IT Department, CN=Certificate Authority Last-Name

Code:
openssl ecparam -name secp521r1 -genkey -noout | openssl ec -aes256 -out CA/private/ec-cakey.pem
openssl req -new -x509 -out CA/ec-cacert.pem -outform PEM -SHA512 -key CA/private/ec-cakey.pem -keyform PEM  -days 3650 -extensions v3_ca -config ./openssl.cnf

Export PEM to DER (So we can import the key on Windows machines)
Code:
openssl x509 -outform DER -in CA/ec-cacert.pem -out export/ec-cacert.der

Export ec-cacert.pem to p12 (So we can install the certificate on android phones)
You will be asked for the private key password from earlier and to create an export password. You will need the export password when installing the certificate on your phone. Replace X with a name for your certificate.

Code:
openssl pkcs12 -export -in CA/ec-cacert.pem -inkey CA/private/ec-cakey.pem -out export/ec-cacert.p12 -name "X" -cacerts

Server
When generating the server certificate request do not enter a challenge password or an optional company name.
Example of mine: C=BE, ST=Limburg, L=Hoeselt, O=Last-Name, OU=IT Department, CN=Server

Code:
openssl req -nodes -SHA512 -newkey ec:CA/ec-cacert.pem -new -days 3650 -out new/ec-server_req.pem -keyout new/ec-server_key.pem -config ./openssl.cnf

Encrypt the server key and generate the server certificate
Code:
mv new/ec-server_key.pem new/ec-server_key_temp.pem && openssl ec -in new/ec-server_key_temp.pem -aes256 -out new/ec-server_key.pem && rm -rf new/ec-server_key_temp.pem
openssl x509 -req -extfile openssl.cnf -out new/ec-server_cert.pem -SHA512 -CA CA/ec-cacert.pem -CAkey CA/private/ec-cakey.pem -in new/ec-server_req.pem -days 3650 -set_serial 0x01

Move ec-server_cert.pem and ec-server_key.pem to the certs directory and remove the new directory
Code:
mv new/ec-server_cert.pem  new/ec-server_key.pem ./ && rm -rf new
chmod 0400 ec-server_cert.pem && chmod 0400 ec-server_key.pem

Remove openssl.cnf
Code:
rm openssl.cnf

Generate Diffie Hellman (takes some time on router)
Code:
openssl dhparam -check -text -2 2048 -out dh 
chmod 0600 dh

Move and store the CA and export dirs in a secure place. You will need a Samba share, scp or WinSCP to copy them to your PC.
You will need ec-cacert.pem on Linux as the CA certificate,
ec-cacert.der or the .p12 on Windows as the CA certificate,
ec-cacert.p12 on Android -> place it on the root of the SD card.
Now you should only have ec-server_cert.pem, ec-server_key.pem and dh in your certs directory.

[5] - Edit eap.conf

Code:
cd /opt/etc/freeradius2 && vi eap.conf

Change the private key password to the password you used to encrypt ec-server_key.pem.
Open another terminal and go to the certs directory.

Code:
cd /opt/etc/freeradius2/certs
openssl x509 -noout -in ec-server_cert.pem -issuer

Replace the DN at check_cert_issuer with this one.

[6] - Edit clients.conf (/opt/etc/freeradius2/clients.conf)

Change the network range and mask on the client line.
I'm assuming that the IP address of the router is 192.168.1.1; if this is not the case change it here and also in /opt/etc/freeradius2/sites/inner-tunnel.
For the AP secret I recommend a 32-character key. It is possible to use keys longer than 32 characters but I found that the WiFi became slower. (Copy this to a text editor for later.)
Use a site like this one to generate the key; do not use strange punctuation etc., I'm not sure which characters are allowed and which are not.

[7] - Edit users file (/opt/etc/freeradius2/users)
Change User1, etc. to the name you want to use, and the password.
You can also add or change attributes like Session-Timeout to a value more appropriate for you.

[8] - Let's run a test to see if the server initializes correctly, and set max_requests in radiusd.conf (/opt/etc/freeradius2/radiusd.conf)

max_requests: This should be 256 multiplied by the number of clients.

Code:
radiusd -XX

If the server is listening for requests you're good to go; otherwise please check the error and report it here.
Press Ctrl-C to exit.

# Start the server
Code:
/opt/etc/init.d/S55radiusd start

[9] - Configure router wireless settings
Use the wired device now if you are not already using it, log in to the router's web interface, go to the wireless page and change the authentication method to WPA2 Enterprise for 2.4 GHz, and for 5 GHz if you use that band too.

Go to the "Radius Setting" tab and change the server's IP address to the router's IP address.
Change the port to 1812.
Enter the secret from clients.conf, which we still have in the text editor, or open clients.conf in a telnet/SSH session to copy-paste it.
Do the same for the other band if you are using it.

[10] - Now we must configure the clients.

On Windows 7/8 first import ec-cacert.der.
Place ec-cacert.der on a USB stick or something else you can use to copy the cert over to the wireless clients.

Code:
1. Open mmc as administrator -> File Add/Remove snap-in -> certificates -> add -> computer account -> local computer -> finish -> ok 
2. Open certificates, Open Trusted Root Certification Authorities.
3. Right click on certificates -> all task -> import -> next -> browse to ec-cacert.der , ...
4. Close console1 do not save settings.

Windows 8 users can skip next step.
For Windows 7 there's an old alternative called SecureW2 which was free until version 1.13. But there's an even better alternative which works correctly with EC keys. It's EAP-TTLS software made especially for Intel wireless cards but it also works for Broadcom :) devices. Assuming all of you Windows 7 users also have an "Intel" card, here's the link: EAP-TTLS driver

Now we need to create the network

Code:
Go to Network and Sharing Center -> Manage wireless networks
Add -> Manually create a network profile -> Network name: your SSID -> Security type: WPA-Enterprise, AES -> Next -> Change connection settings -> Security tab -> (for Windows 8 EAP-TTLS, for Windows 7 use Intel EAP-TTLS) -> Settings

Windows 7 select PAP
	-Username
	-Domain leave blank
	-Password 
	-Roaming identity anonymous

Check Validate Server Certificate
	-Certificate Issuer (Select your certificate)

Check Specify Server or Certificate Name
	-Server name must match the specified entry exactly (Your server CN)

Windows 8
configure eap-ttls: http://adamsync.wordpress.com/2012/05/08/eap-ttls-on-windows-2012-build-8250/#comments

Android

Code:
For android place the .p12 file on your sdcard.
On my phone 4.1.1, to install a certificate go to security -> install from storage.
You will be asked for the export password enter it if you have and install the certificate.  When connecting to the network	
Choose EAP-TTLS as eap-method	
Choose PAP as Phase 2 verification
Identity 
Password 
Enable advanced options
CA certificate the one you installed
Anonymous identity just enter anonymous.
That's it you should be able to connect successfully.
 
EDIT: At step [6] you must also change the IP address of the router in radiusd.conf (/opt/etc/freeradius2/radiusd.conf) if it's not 192.168.1.1

Install certificate on iOS Device
iOS support for EAP-TTLS,PAP


PS: [tutorial in testing state until someone confirms everything works without errors, because I haven't retested it from scratch and I'm also not running it as a standard user]
-> confirmed
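The certificate steps of the tutorial, rewritten as an added, non-interactive shell example. This is not the poster's script and not part of the Entware package; every subject, passphrase and path in it is an assumption, and the router paths (/opt/etc/freeradius2/certs) are substituted by a scratch directory so it can be run anywhere. It changes two things compared with step 4 above. First, it passes -subj, -passin and -passout so the whole sequence can be pasted into one SSH session instead of answering prompts one line at a time. Second, it builds the phone bundle with "openssl pkcs12 -export -nokeys" from the CA certificate alone: the tutorial's "openssl pkcs12 -export -in CA/ec-cacert.pem -inkey CA/private/ec-cakey.pem" writes the CA private key into the .p12 that is copied to every phone, which is exactly what the "openssl pkcs12 -info" output later in this thread shows (a CERTIFICATE followed by an ENCRYPTED PRIVATE KEY), and whoever obtains that file can sign a server certificate your clients trust and run a look-alike access point. The helpers return an exit status so they can be used as checks.

```shell
#!/bin/sh
# Added example (not from the post): non-interactive EC PKI for FreeRADIUS
# EAP-TTLS plus a key-free CA bundle for clients. Subjects, paths and
# passphrases below are assumptions; change them before real use.
set -eu

WORK="${WORK:-$(mktemp -d)}"            # assumed scratch dir; on the router use /opt/etc/freeradius2/certs
CA_PASS='example-ca-passphrase'         # assumed; protects the CA key at rest
SRV_PASS='example-server-passphrase'    # assumed; becomes private_key_password in eap.conf
EXPORT_PASS='example-export-password'   # assumed; typed once when importing the .p12 on a phone
CA_SUBJ='/C=BE/ST=Limburg/L=Hoeselt/O=Example/OU=IT Department/CN=Certificate Authority Example'
SRV_SUBJ='/C=BE/ST=Limburg/L=Hoeselt/O=Example/OU=IT Department/CN=Server'

gen_ec_pki() {
    mkdir -p "$WORK/CA/private" "$WORK/export"
    # CA: P-521 key encrypted with AES-256, self-signed certificate valid 10 years.
    openssl ecparam -name secp521r1 -genkey -noout \
        | openssl ec -aes256 -passout "pass:$CA_PASS" -out "$WORK/CA/private/ec-cakey.pem" 2>/dev/null
    openssl req -new -x509 -sha512 -days 3650 -subj "$CA_SUBJ" \
        -key "$WORK/CA/private/ec-cakey.pem" -passin "pass:$CA_PASS" -out "$WORK/CA/ec-cacert.pem"
    # Server: key on the same curve, CSR signed by the CA with an explicit
    # serverAuth EKU so strict supplicants accept it as a RADIUS server cert.
    openssl ecparam -name secp521r1 -genkey -noout -out "$WORK/srv-plain.pem"
    openssl req -new -sha512 -subj "$SRV_SUBJ" -key "$WORK/srv-plain.pem" -out "$WORK/srv.csr"
    printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth\n' > "$WORK/srv-ext.cnf"
    openssl x509 -req -sha512 -days 3650 -set_serial 0x01 -in "$WORK/srv.csr" \
        -CA "$WORK/CA/ec-cacert.pem" -CAkey "$WORK/CA/private/ec-cakey.pem" -passin "pass:$CA_PASS" \
        -extfile "$WORK/srv-ext.cnf" -out "$WORK/ec-server_cert.pem" 2>/dev/null
    # Encrypt the server key for storage and drop the plaintext copy.
    openssl ec -aes256 -in "$WORK/srv-plain.pem" -passout "pass:$SRV_PASS" \
        -out "$WORK/ec-server_key.pem" 2>/dev/null
    rm -f "$WORK/srv-plain.pem" "$WORK/srv.csr" "$WORK/srv-ext.cnf"
    chmod 0400 "$WORK/ec-server_key.pem" "$WORK/ec-server_cert.pem"
    # Client trust anchors: the CA *certificate* only. -nokeys guarantees the
    # CA private key never ends up inside the .p12 that is copied to phones.
    openssl x509 -in "$WORK/CA/ec-cacert.pem" -outform DER -out "$WORK/export/ec-cacert.der"
    openssl pkcs12 -export -nokeys -in "$WORK/CA/ec-cacert.pem" \
        -name 'Home WiFi CA' -passout "pass:$EXPORT_PASS" -out "$WORK/export/ec-cacert.p12"
}

# Exit 0 only if the server certificate chains to the CA.
verify_server_cert() {
    openssl verify -CAfile "$WORK/CA/ec-cacert.pem" "$WORK/ec-server_cert.pem" >/dev/null 2>&1
}

# Issuer DN in the one-line /C=.../CN=... form that step 5 of the post pastes into eap.conf.
cert_issuer_dn() {
    openssl x509 -noout -issuer -nameopt compat -in "$WORK/ec-server_cert.pem" | sed 's/^issuer= *//'
}

# Exit 0 if the bundle carries a private key (a CA bundle for clients must NOT).
p12_has_private_key() {
    openssl pkcs12 -in "$1" -passin "pass:$EXPORT_PASS" -nocerts -nodes 2>/dev/null | grep -q 'PRIVATE KEY'
}

# 32-character RADIUS shared secret without punctuation, for clients.conf (step 6).
gen_radius_secret() {
    openssl rand -base64 48 | tr -dc 'A-Za-z0-9' | head -c 32
}

if [ "${1:-}" = "run" ]; then
    gen_ec_pki && verify_server_cert && echo "issuer: $(cert_issuer_dn)"
fi
```

Run it as "sh ec-pki.sh run"; the dh file is still generated as in step 4. On OpenSSL 3 the .p12 is written with AES and PBKDF2 by default, so if an old Android or iOS build refuses to import it, add -legacy to the pkcs12 -export line.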
 
Very impressive! Can you put it on the Wiki?

Done :)

Have you tried the tutorial? If so, can you confirm that it also works correctly on 5 GHz and that there are no errors or missing parts in the tutorial, so everything works out of the box for you? Then I can remove the "testing" state from the tutorial.
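One way to confirm the server end to end from the wired box, without touching the wireless settings or a phone, is eapol_test from the wpa_supplicant source tree (built with CONFIG_EAPOL_TEST=y); it plays the supplicant and talks RADIUS directly to the router. This is an added example, not something from the thread; the identity, password, CA path and subject are assumptions following the tutorial's naming.

```text
# eapol_test.conf: supplicant profile for EAP-TTLS with PAP inside (every value assumed)
network={
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=PAP"
    anonymous_identity="anonymous"
    identity="user1"
    password="user1-password"
    ca_cert="/home/me/ec-cacert.pem"
    # Pin the server certificate subject: a certificate from the same CA with a
    # different CN, or from an unknown CA, is rejected before PAP sends the password.
    subject_match="/C=BE/ST=Limburg/L=Hoeselt/O=Last-Name/OU=IT Department/CN=Server"
}

# Run on the wired box. -a and -p are the router address and port entered on the
# "Radius Setting" tab, -s is the secret from clients.conf. eapol_test ends with
# SUCCESS when the TTLS tunnel came up and PAP was accepted; a TLS alert or a
# certificate verify failure points at the CA file or subject_match.
#
#   eapol_test -c eapol_test.conf -a 192.168.1.1 -p 1812 -s <secret-from-clients.conf>
```

Running radiusd -XX on the router in a second session while eapol_test runs shows both sides of the exchange, which is the quickest way to tell a certificate problem from a wrong password or shared secret.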
 
found an error;

freeradius-mod-pap should be freeradius2-mod-pap
 
No, I'm on vacation, too far from my router :)
I'm glad you proved it's working! Did you face this issue?

Actually I don't know specifically if it was a segmentation fault or something else, because I had this setup running for a month or two before cleaning up and stripping things down to an absolute minimum, but I had to comment out a couple of things that are not supported, like interface = br-lan, which is enabled by default in a clean radiusd.conf. I did a quick search on an OpenWrt thread which I had followed at an earlier stage, where they mention the problems I had. Well, I think it may be module or configuration related, because some settings may not be supported or included. Strange is that I just added the line back to my radiusd.conf to check what the error was, and this time it doesn't throw an error in debugging mode, but I'm sure freeradius2 doesn't start if you do not disable it with the default config.
 
A few things to note while I am generating a DH key (WHY OH WHY DID I NOT DO THIS FROM A COMPUTER):

- Do everything one line at a time after the initial installation. Lots of things require user input.

- change "Name of Your Certificate" to whatever

Code:
openssl dhparam -check -text -2 2048 -out dh (takes some time on router)

Some people may accidentally copy/paste the comment there if it's left inside the code tags :p
 
I had to create the folder /opt/var/run/radius or it would fail to start from init.d.
 
@ryzhov-al

Actually, looking closer at the issue I think it is configuration related.
Not sure how EAP is configured (which method); we cannot say for sure because we do not get that far in starting radius, but there are no other modules included.
Which modules (and submodules) of EAP have you installed?
How did you configure eap.conf?
Are you sure you have disabled all other authentication methods in sites/default, because there are no other authentication modules installed?
Why is sites/default not included in the debug output like in my example? This line in radiusd.conf should do that:

Code:
$INCLUDE sites/

This is a part of mine debug output

Code:
Fri Aug  8 21:34:11 2014 : Debug: including configuration file /opt/etc/freeradius2/radiusd.conf
Fri Aug  8 21:34:11 2014 : Debug: including configuration file /opt/etc/freeradius2/clients.conf
Fri Aug  8 21:34:11 2014 : Debug: including files in directory /opt/etc/freeradius2/modules/		
Fri Aug  8 21:34:11 2014 : Debug: including configuration file /opt/etc/freeradius2/modules/pap
Fri Aug  8 21:34:11 2014 : Debug: including configuration file /opt/etc/freeradius2/modules/files
Fri Aug  8 21:34:11 2014 : Debug: including configuration file /opt/etc/freeradius2/eap.conf
Fri Aug  8 21:34:11 2014 : Debug: including files in directory /opt/etc/freeradius2/sites/		-> where is this
Fri Aug  8 21:34:11 2014 : Debug: including configuration file /opt/etc/freeradius2/sites/default	-> and this 
Fri Aug  8 21:34:11 2014 : Debug: including configuration file /opt/etc/freeradius2/sites/inner-tunnel


In the sites/default authenticate section the only module I have enabled for authentication is eap.
Here things go wrong for you: are you sure you only have eap enabled in the authenticate section, as this is the only possibility you have (seen from the perspective of the debug output)? I have also disabled everything except eap because I can only choose between eap and pap.

I could choose PAP too, but I'm using that for inner authentication only, so it's not needed in the outer authenticate section as it returns [noop]

Code:
Fri Aug  8 21:34:11 2014 : Debug: server { # from file /opt/etc/freeradius2/radiusd.conf
Fri Aug  8 21:34:11 2014 : Debug:  modules {
Fri Aug  8 21:34:11 2014 : Debug:  Module: Checking authenticate {...} for more modules to load
Fri Aug  8 21:34:11 2014 : Debug:     (Loaded rlm_eap, checking if it's valid)
Fri Aug  8 21:34:11 2014 : Debug:  Module: Linked to module rlm_eap
Fri Aug  8 21:34:11 2014 : Debug:  Module: Instantiating module "eap" from file /opt/etc/freeradius2/eap.conf

Code:
Fri Aug  8 21:34:13 2014 : Debug: server inner-tunnel { # from file /opt/etc/freeradius2/sites/inner-tunnel
Fri Aug  8 21:34:13 2014 : Debug:  modules {
Fri Aug  8 21:34:13 2014 : Debug:  Module: Checking authenticate {...} for more modules to load
Fri Aug  8 21:34:13 2014 : Debug:     (Loaded rlm_pap, checking if it's valid)
Fri Aug  8 21:34:13 2014 : Debug:  Module: Linked to module rlm_pap
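For reference, here is a minimal set of config fragments consistent with the debug output above: eap is the only module in the outer authenticate section of sites/default, pap appears only inside inner-tunnel, and files supplies the Cleartext-Password that pap compares. These are added illustrations, not the poster's stripped-down files; the IP address, secret, password and DN are placeholders that follow the tutorial's 192.168.1.1 example. Two caveats a reader should know: check_cert_issuer in the tls block is compared against the issuer of a client certificate (the EAP-TLS case), so with TTLS/PAP, where the client sends no certificate, setting it is harmless but adds no protection for the server; and because the NAS is the router's own hostapd, the client entry can be narrowed to the router's own address instead of the whole subnet (if radiusd -X shows requests arriving from a different source address, use that one).

```text
# /opt/etc/freeradius2/eap.conf (excerpt)
eap {
	default_eap_type = ttls
	tls {
		certdir = ${confdir}/certs
		private_key_password = PASSPHRASE-OF-ec-server_key.pem    # placeholder
		private_key_file = ${certdir}/ec-server_key.pem
		certificate_file = ${certdir}/ec-server_cert.pem
		dh_file = ${certdir}/dh
		random_file = /dev/urandom
		# Issuer DN as printed by: openssl x509 -noout -issuer -in ec-server_cert.pem
		# Only evaluated when a client certificate is presented (EAP-TLS).
		check_cert_issuer = "/C=BE/ST=Limburg/L=Hoeselt/O=Last-Name/OU=IT Department/CN=Certificate Authority Last-Name"
		cipher_list = "DEFAULT"
	}
	ttls {
		default_eap_type = md5            # unused here: the inner method is PAP, not an EAP type
		copy_request_to_tunnel = yes
		use_tunneled_reply = yes
		virtual_server = "inner-tunnel"
	}
}

# /opt/etc/freeradius2/sites/default (authorize/authenticate only)
authorize {
	eap {
		ok = return
	}
	files
}
authenticate {
	eap
}

# /opt/etc/freeradius2/sites/inner-tunnel: the TTLS inner request lands here
authorize {
	files        # looks up Cleartext-Password in the users file
	pap          # sets Auth-Type := PAP when User-Password is present
}
authenticate {
	Auth-Type PAP {
		pap
	}
}

# /opt/etc/freeradius2/clients.conf: the NAS is the router's own hostapd
client router {
	ipaddr    = 192.168.1.1
	secret    = CHANGE-ME-32-alphanumeric-chars
	shortname = router
}

# /opt/etc/freeradius2/users
user1	Cleartext-Password := "CHANGE-ME"
	Session-Timeout = 86400
```

With this layout a wrong inner password shows up in radiusd -X as rlm_pap rejecting inside "server inner-tunnel", while a certificate or cipher problem shows up earlier, in the outer eap/tls handshake, which makes the two failure modes easy to tell apart.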
 
I had to create the folder /opt/var/run/radius or it would fail to start from init.d.

Thanks again :D, does everything work now?

I think I changed the default location; not sure about that, you would have to check the radiusd.conf in the freeradius2.bak folder.
I do not have the original ones, as I don't need them anymore :D

If you find something not clear on the wiki you're allowed to edit it on the fly if you want.
 

Well, everything works great with my phone over 2.4 GHz. I had to reboot my phone first or it wouldn't see the cert, kinda weird, but otherwise it worked quickly and easily. But FFS, Win8 is being such a pain in the butt. I will try using my 5 GHz USB card on a Win7 machine next, must run an errand first.
 
Is there any way to give different users their login/password pairs without giving them a certificate file?

…I had to comment out a couple of things that are not supported like interface = br-lan which is default enabled in a clean radiusd.conf.
As long as Entware stays firmware independent, there will always be some mess with interface names.

I had to create the folder /opt/var/run/radius or it would fail to start from init.d.
I'll fix that after returning from my vacation. Thanks for report.
 
Is there any way to give different users their login/password pairs without giving them a certificate file?

You can do that for testing, but I wouldn't do that, security-wise, in a production environment. One of these modules standalone wouldn't be secure as they are broken.

PAP, CHAP, MS-CHAP, EAP-MD5, EAP-MSCHAPv2, Cisco LEAP are some of them.
Inside a secure TLS tunnel it doesn't matter, so I chose the simplest one which is supported on most devices inside TTLS -> PAP. It does make use of cleartext passwords; however, you can encrypt with MD5/SHA, but we're already using a secure TLS tunnel.

The advantage of EAP-PEAP, EAP-TTLS and EAP-FAST over the default EAP-TLS is that they don't require client certificates, which makes things a little easier.
The reason I chose EAP-TTLS from these three is that there is good native support for it on modern devices, except for Windows 7 and earlier.

Well, I had a nice scheme with all (a lot of) possible authentication methods, how long it should take to set up, how secure it is, on what devices it should work, but crap :mad: I cannot find that anymore on Google.
 
Despite multiple setups from clean, I am unable to install the .p12 certificate on any of my iOS devices. I email the .p12 to myself and get an error stating "The container "Identify Certificate" must contain only one certificate and its private key." Any ideas? I am running iOS 8 which may, but I doubt, contributes. I am also unable to import the .p12 on my Mac computers with a nondescript error. Trying a Windows 7 machine to see if I get different results.
 
Well, I missed the bit that this only works with Win7 using Intel cards.

I gave up on using my Linksys 5 GHz USB card in the Win8 desktop and have tried using an Intel Centrino N-2230 (2.4 GHz), but apparently I fail at Windows. My settings appear to be correct. When I try to connect, I enter a user/pass, but it fails.
 

Attachment: wtf_win_radius.jpg

I do not own an iOS device, but from your error message I found this site.
They are saying that there's no private key that corresponds to your certificate, huh?
On Windows 7 you must get this (pic1.jpg).

Check your cert with openssl pkcs12 -info -in ec-cacert.p12
 
Well, I missed the bit that this only works with Win7 using Intel cards.

Wait, what do you mean? The Intel driver also works for Broadcom devices, etc.; it's just universal, created by Intel.
I'm using it on a Packard Bell TK81 (Windows 7) which has a Broadcom BCM43227.

I gave up on using my Linksys 5 GHz USB card in the Win8 desktop and have tried using an Intel Centrino N-2230 (2.4 GHz), but apparently I fail at Windows. My settings appear to be correct. When I try to connect, I enter a user/pass, but it fails.

Go to a wired PC, run the radius server in debug mode (-XX), reconnect, check and post the log.
 

What is the expected output? I am prompted for import password, displays CERTIFICATE. Then prompted for PEM pass phrase and it displays ENCRYPTED PRIVATE KEY.
 

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top