4.10 Authenticating Clients to FreeRADIUS - BrainDump

Problem

Now that you have your access point and FreeRADIUS server ready to go to work, how do your clients talk to it?

Solution

All clients need a copy of ca.crt. Mac and Linux clients get their own [hostname].crt and [hostname].key files. Windows clients use [hostname].p12.

Your Windows and Mac clients have built-in graphical tools for importing and managing their certificates, and configuring their supplicants. What do you do on Linux? I haven’t found anything that makes the job any easier than editing plain old text files. Go back to Recipe 4.7, and start with the configuration for /etc/wpa_supplicant.conf. Change it to this:

  ## /etc/wpa_supplicant.conf
  network={
      ssid="alrac-net"
      scan_ssid=1
      key_mgmt=WPA-EAP
      pairwise=CCMP TKIP
      group=CCMP TKIP
      eap=TLS
      identity="alice sysadmin"
      ca_cert="/etc/cert/ca.crt"
      client_cert="/etc/cert/stinkpad.crt"
      private_key="/etc/cert/stinkpad.key"
      private_key_passwd= "verysuperstrongpassword"
  }

The value for identity comes from /etc/raddb/users on the FreeRADIUS server. Certificates and keys can be stored anywhere, as long as wpa_supplicant.conf is configured correctly to point to them.

Continue with the rest of Recipe 4.7 to test and finish configuring wpa_supplicant.

Discussion

Be sure that .key files are mode 0400, and owned by your Linux user. .crt files are 0644, owned by the user.

You can have multiple entries in wpa_supplicant.conf for different networks. Be sure to use the:

  network{
  }

format to set them apart.

NetworkManager (http://www.gnome.org/projects/NetworkManager/) is the best Linux tool for painlessly managing multiple network profiles. It is bundled with Gnome, and is available for all Linux distributions.

See Also

1. man 8 wpa_supplicant
   
2. man 5 wpa_supplicant.conf

Please check back for the next part of this article.