# Wired 802.1X with EAP-TLS


Authentication server (FreeRADIUS)

# apt-get install freeradius openssl
# mkdir /etc/ssl/CA
# mkdir /etc/ssl/newcerts
# echo '01' > /etc/ssl/CA/serial
# touch /etc/ssl/CA/index.txt
# cat /etc/ssl/openssl.cnf
...
[ CA_default ]

dir             = /etc/ssl
database        = $dir/CA/index.txt
certificate     = $dir/certs/cacert.pem
serial          = $dir/CA/serial
private_key     = $dir/private/cakey.pem
...
# cd /etc/ssl/CA
# openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
Generating a 1024 bit RSA private key
.................++++++
.........++++++
writing new private key to 'cakey.pem'
Enter PEM pass phrase:MY_SECRET
Verifying - Enter PEM pass phrase:MY_SECRET
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ES
State or Province Name (full name) [Some-State]:CAT
Locality Name (eg, city) []:BCN
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCA
Organizational Unit Name (eg, section) []:AAA
Common Name (e.g. server FQDN or YOUR name) []:ca.lab.net
Email Address []:root@lab.net
# mv cakey.pem /etc/ssl/private/.
# mv cacert.pem /etc/ssl/certs/.
# cat >> /etc/ssl/CA/xpextensions << eof
> [xpclient_ext]
> extendedKeyUsage=1.3.6.1.5.5.7.3.2
>
> [xpserver_ext]
> extendedKeyUsage=1.3.6.1.5.5.7.3.1
> eof
# openssl req -new -nodes -keyout freeradiuskey.pem -out freeradius.csr -days 3650
Generating a 1024 bit RSA private key
......++++++
..................++++++
writing new private key to 'freeradiuskey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ES
State or Province Name (full name) [Some-State]:CAT
Locality Name (eg, city) []:BCN
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCA
Organizational Unit Name (eg, section) []:AAA
Common Name (e.g. server FQDN or YOUR name) []:freeradius.lab.net
Email Address []:root@lab.net

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# openssl ca -in freeradius.csr -config /etc/ssl/openssl.cnf
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for /etc/ssl/private/cakey.pem:MY_SECRET
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jan 15 18:28:48 2013 GMT
            Not After : Jan 15 18:28:48 2014 GMT
        Subject:
            countryName               = ES
            stateOrProvinceName       = CAT
            organizationName          = MyCA
            organizationalUnitName    = AAA
            commonName                = freeradius.lab.net
            emailAddress              = root@lab.net
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                78:3A:A1:E4:7E:69:FC:71:CD:45:22:AF:52:C0:4A:D8:E1:1F:99:20
            X509v3 Authority Key Identifier:
                keyid:14:75:4E:1F:6B:E3:FD:5A:88:77:71:93:60:32:81:6C:D5:AD:10:C4

Certificate is to be certified until Jan 15 18:28:48 2014 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=ES, ST=CAT, L=BCN, O=MyCA, OU=AAA, CN=ca.lab.net/emailAddress=root@lab.net
        Validity
            Not Before: Jan 15 18:28:48 2013 GMT
            Not After : Jan 15 18:28:48 2014 GMT
        Subject: C=ES, ST=CAT, O=MyCA, OU=AAA, CN=freeradius.lab.net/emailAddress=root@lab.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:d1:7a:a6:74:ce:cd:b1:96:1b:5b:f1:21:8b:45:
                    fe:52:a0:c4:ac:84:8a:ad:05:65:97:5e:fd:af:bb:
                    7d:1d:e9:9a:91:8d:46:48:16:83:88:90:da:03:b3:
                    5d:32:e2:e4:e3:2f:73:18:41:26:73:26:f3:32:03:
                    c0:02:a5:be:04:9e:36:40:99:cc:1b:52:03:4d:8a:
                    2a:9c:9f:65:10:56:0c:09:a9:26:fb:6e:09:78:e1:
                    00:28:b1:c6:b0:97:e3:87:78:ea:fe:89:24:8a:86:
                    5d:44:8f:70:bf:43:a4:a2:d0:23:b9:f7:ee:ae:48:
                    d1:fb:98:1e:61:d8:6c:87:cb
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                78:3A:A1:E4:7E:69:FC:71:CD:45:22:AF:52:C0:4A:D8:E1:1F:99:20
            X509v3 Authority Key Identifier:
                keyid:14:75:4E:1F:6B:E3:FD:5A:88:77:71:93:60:32:81:6C:D5:AD:10:C4

    Signature Algorithm: sha1WithRSAEncryption
         b9:41:6b:0e:57:88:a2:aa:a6:d1:5d:55:f0:1c:48:3f:c8:4f:
         97:09:65:1a:f7:08:45:f0:e4:10:e6:32:67:14:2f:6e:4f:b0:
         a0:21:56:96:32:90:5b:4c:78:01:40:05:92:4a:d3:2c:c2:11:
         77:a8:0d:3b:49:cb:2f:e4:22:99:44:0d:2a:0d:1e:6a:d1:3d:
         2e:72:19:46:9d:0e:3c:a3:3e:bf:a6:1e:2f:5c:f0:71:8a:b7:
         09:11:97:e1:0d:0e:29:5d:30:aa:87:e9:9d:37:86:13:c6:bd:
         8b:05:d5:c1:ec:c1:31:f8:79:a2:c2:16:92:c2:13:bd:aa:a6:
         89:37
-----BEGIN CERTIFICATE-----
MIIC2zCCAkSgAwIBAgIBATANBgkqhkiG9w0BAQUFADB4MQswCQYDVQQGEwJFUzEM
MAoGA1UECAwDQ0FUMQwwCgYDVQQHDANCQ04xDTALBgNVBAoMBE15Q0ExDDAKBgNV
BAsMA0FBQTETMBEGA1UEAwwKY2EubGFiLm5ldDEbMBkGCSqGSIb3DQEJARYMcm9v
dEBsYWIubmV0MB4XDTEzMDExNTE4Mjg0OFoXDTE0MDExNTE4Mjg0OFowcjELMAkG
A1UEBhMCRVMxDDAKBgNVBAgMA0NBVDENMAsGA1UECgwETXlDQTEMMAoGA1UECwwD
QUFBMRswGQYDVQQDDBJmcmVlcmFkaXVzLmxhYi5uZXQxGzAZBgkqhkiG9w0BCQEW
DHJvb3RAbGFiLm5ldDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA0XqmdM7N
sZYbW/Ehi0X+UqDErISKrQVll179r7t9HemakY1GSBaDiJDaA7NdMuLk4y9zGEEm
cybzMgPAAqW+BJ42QJnMG1IDTYoqnJ9lEFYMCakm+24JeOEAKLHGsJfjh3jq/okk
ioZdRI9wv0OkotAjuffurkjR+5geYdhsh8sCAwEAAaN7MHkwCQYDVR0TBAIwADAs
BglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYD
VR0OBBYEFHg6oeR+afxxzUUir1LAStjhH5kgMB8GA1UdIwQYMBaAFBR1Th9r4/1a
iHdxk2AygWzVrRDEMA0GCSqGSIb3DQEBBQUAA4GBALlBaw5XiKKqptFdVfAcSD/I
T5cJZRr3CEXw5BDmMmcUL25PsKAhVpYykFtMeAFABZJK0yzCEXeoDTtJyy/kIplE
DSoNHmrRPS5yGUadDjyjPr+mHi9c8HGKtwkRl+ENDildMKqH6Z03hhPGvYsF1cHs
wTH4eaLCFpLCE72qpok3
-----END CERTIFICATE-----
Data Base Updated
# cp /etc/ssl/newcerts/01.pem freeradius.pem
# cat freeradiuskey.pem > freeradiuskeycert.pem
# grep -A 100 BEGIN freeradius.pem >> freeradiuskeycert.pem
# openssl req -new -nodes -keyout wxpkey.pem -out wxp.csr -days 3650
Generating a 1024 bit RSA private key
.........................++++++
...++++++
writing new private key to 'wxpkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ES
State or Province Name (full name) [Some-State]:CAT
Locality Name (eg, city) []:BCN
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCA
Organizational Unit Name (eg, section) []:AAA
Common Name (e.g. server FQDN or YOUR name) []:wxp.lab.net
Email Address []:root@lab.net

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# openssl ca -in wxp.csr -config /etc/ssl/openssl.cnf -extensions xpclient_ext -extfile /etc/ssl/CA/xpextensions
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for /etc/ssl/private/cakey.pem:MY_SECRET
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Jan 15 18:34:05 2013 GMT
            Not After : Jan 15 18:34:05 2014 GMT
        Subject:
            countryName               = ES
            stateOrProvinceName       = CAT
            organizationName          = MyCA
            organizationalUnitName    = AAA
            commonName                = wxp.lab.net
            emailAddress              = root@lab.net
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
Certificate is to be certified until Jan 15 18:34:05 2014 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=ES, ST=CAT, L=BCN, O=MyCA, OU=AAA, CN=ca.lab.net/emailAddress=root@lab.net
        Validity
            Not Before: Jan 15 18:34:05 2013 GMT
            Not After : Jan 15 18:34:05 2014 GMT
        Subject: C=ES, ST=CAT, O=MyCA, OU=AAA, CN=wxp.lab.net/emailAddress=root@lab.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:c3:b9:f0:f7:09:c4:89:85:30:b4:e8:83:99:39:
                    c3:19:49:c6:b5:9e:df:28:88:6a:4c:f9:7f:9d:45:
                    92:a3:e3:22:18:9a:3b:ff:49:20:f9:63:97:59:d8:
                    b4:49:73:ea:0e:76:e0:62:d2:6b:25:35:fa:14:c3:
                    31:26:7d:33:db:7f:42:5d:ad:a6:48:11:32:a7:e0:
                    0b:9b:77:45:4d:cb:68:66:28:30:48:fd:43:8b:d7:
                    d3:c3:36:a6:bd:9a:83:76:2f:34:65:a5:aa:53:97:
                    e8:fc:e8:83:74:6e:a7:84:74:8c:0b:36:b6:f3:9a:
                    d5:d8:6d:39:ba:e2:2b:27:a5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
    Signature Algorithm: sha1WithRSAEncryption
         25:3b:75:12:2b:d0:9f:bd:02:e3:9b:8f:b3:04:ee:82:80:60:
         08:0c:1e:60:19:e0:3b:10:5d:0f:6c:4e:50:29:1a:50:0f:1d:
         3c:a5:a1:af:ce:73:42:c7:d7:81:b8:68:3a:40:c6:88:4e:cd:
         fa:b8:f4:65:34:44:6b:6a:85:6e:8a:5e:34:19:4f:3a:5f:45:
         8b:4f:ac:35:5d:26:55:bf:eb:4c:b7:fa:83:25:cd:62:78:07:
         4c:48:3d:e1:51:5d:21:26:33:9f:05:8b:fc:8a:99:6b:cf:70:
         ce:23:ae:f4:04:d8:aa:20:f7:11:02:c0:3f:dc:b1:24:f2:1b:
         0d:f5
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Data Base Updated
# cp /etc/ssl/newcerts/02.pem wxp.pem
# openssl pkcs12 -export -in wxp.pem -inkey wxpkey.pem -certfile /etc/ssl/certs/cacert.pem -name "Wired-dot1x" -out wxp.p12
Enter Export Password:MY_EXPORT
Verifying - Enter Export Password:MY_EXPORT
# cp /etc/ssl/certs/cacert.pem /etc/freeradius/certs/.
# cp /etc/ssl/CA/freeradiuskeycert.pem /etc/freeradius/certs/.
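Two things in the transcript above should not be copied as they are. The -days 3650 given to 'openssl req -new' is ignored for a CSR, which is why both signed certificates came out with 365 days, taken from default_days in openssl.cnf. And the server certificate was signed without the xpserver_ext section defined in /etc/ssl/CA/xpextensions, so it carries no Server Authentication EKU; a Windows supplicant that validates the server certificate expects that EKU on the RADIUS server's certificate, just as it expects Client Authentication on its own. The 1024-bit RSA / SHA-1 defaults of the time are also rejected by current clients. The script below is an added example, not code from the original post: it rebuilds the same lab PKI (ca.lab.net, freeradius.lab.net, wxp.lab.net and the MY_EXPORT export password are taken from the post) with RSA-2048 and SHA-256, signs each leaf with the EKU its role needs, and then checks every certificate against the purpose the other side will evaluate it for. The working directory, the section names server_ext/client_ext and the subjectAltName are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original post): rebuild the lab PKI with
# RSA-2048/SHA-256 and explicit EKUs, then check each certificate for the
# purpose the peer will evaluate it against. Host names and the export
# password come from the post; directory layout and section names are assumed.
set -e

# OpenSSL config: a root profile plus one extension profile per role.
write_ca_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:freeradius.lab.net
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Issue one leaf: $1 = dir, $2 = file stem, $3 = CN, $4 = extension profile.
# Validity is set on the signing step; -days on 'req -new' is ignored.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1/ca.cnf" \
        -keyout "$1/$2.key" -out "$1/$2.csr" \
        -subj "/C=ES/O=MyCA/OU=AAA/CN=$3" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$1/ca.cnf" \
        -extensions "$4" -out "$1/$2.crt" 2>/dev/null
}

# Root CA, RADIUS server cert, client cert and its PKCS#12 bundle, all in $1.
make_lab_pki() {
    write_ca_config "$1/ca.cnf"
    openssl req -new -x509 -config "$1/ca.cnf" -extensions v3_ca \
        -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -keyout "$1/ca.key" -out "$1/ca.crt" \
        -subj "/C=ES/O=MyCA/CN=ca.lab.net" 2>/dev/null
    issue_cert "$1" freeradius freeradius.lab.net server_ext
    issue_cert "$1" wxp wxp.lab.net client_ext
    # FreeRADIUS gets key and cert in one file, as in the post
    cat "$1/freeradius.key" "$1/freeradius.crt" > "$1/freeradiuskeycert.pem"
    # Windows XP cannot read OpenSSL 3's default PKCS#12 encryption; add -legacy there
    openssl pkcs12 -export -in "$1/wxp.crt" -inkey "$1/wxp.key" \
        -certfile "$1/ca.crt" -name "Wired-dot1x" \
        -passout pass:MY_EXPORT -out "$1/wxp.p12"
}

# EKU line of a certificate in openssl's text form (empty if it has none).
cert_eku() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Extended Key Usage' | tail -n 1 | sed 's/^ *//'
}

# Chain + purpose check: $1 = cert, $2 = CA file, $3 = sslserver|sslclient.
# 'openssl verify -purpose' rejects a wrong EKU but accepts a missing one;
# Windows supplicants require the EKU to be present, so both are checked.
cert_ok_for() {
    case $3 in
        sslserver) want="TLS Web Server Authentication" ;;
        sslclient) want="TLS Web Client Authentication" ;;
        *) return 2 ;;
    esac
    openssl verify -purpose "$3" -CAfile "$2" "$1" >/dev/null 2>&1 || return 1
    cert_eku "$1" | grep -q "$want"
}

LAB=$(mktemp -d)
make_lab_pki "$LAB"
echo "server EKU: $(cert_eku "$LAB/freeradius.crt")"
echo "client EKU: $(cert_eku "$LAB/wxp.crt")"
cert_ok_for "$LAB/freeradius.crt" "$LAB/ca.crt" sslserver && echo "server cert: OK for EAP-TLS server"
cert_ok_for "$LAB/wxp.crt" "$LAB/ca.crt" sslclient && echo "client cert: OK for EAP-TLS client"
cert_ok_for "$LAB/wxp.crt" "$LAB/ca.crt" sslserver || echo "client cert as server: rejected (EKU mismatch)"
```

Run it as a normal user; it works in a temporary directory and touches nothing under /etc/ssl. On OpenSSL 3 the PKCS#12 bundle is encrypted with AES and PBKDF2 by default, which Windows XP cannot import; add -legacy to the pkcs12 command when the target really is XP. The combined freeradiuskeycert.pem is what goes into private_key_file and certificate_file in eap.conf, and the last check is the one that catches a server certificate issued from the client profile (or the other way round) before a supplicant ever sees it.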
# cp /etc/freeradius/eap.conf /etc/freeradius/eap.conf.orig
# cat /etc/freeradius/eap.conf
        eap {
                default_eap_type = tls
                timer_expire     = 60
                ignore_unknown_eap_types = no
                cisco_accounting_username_bug = no
                max_sessions = 4096
                md5 {
                }
                leap {
                }
                gtc {
                        auth_type = PAP
                }
                tls {
                        certdir = ${confdir}/certs
                        cadir = ${confdir}/certs
                        private_key_file = ${certdir}/freeradiuskeycert.pem
                        certificate_file = ${certdir}/freeradiuskeycert.pem
                        CA_file = ${cadir}/cacert.pem
                        dh_file = ${certdir}/dh
                        random_file = /dev/urandom
                        fragment_size = 1024
                        include_length = yes
                        CA_path = ${cadir}
                        cipher_list = "DEFAULT"
                        make_cert_command = "${certdir}/bootstrap"
                        cache {
                              enable = no
                              max_entries = 255
                        }
                        verify {
                        }
                }
                ttls {
                        default_eap_type = md5
                        copy_request_to_tunnel = no
                        use_tunneled_reply = no
                        virtual_server = "inner-tunnel"
                }
                peap {
                        default_eap_type = mschapv2
                        copy_request_to_tunnel = no
                        use_tunneled_reply = no
                        virtual_server = "inner-tunnel"
                }
                mschapv2 {
                }
        }
# /etc/init.d/freeradius stop
# freeradius -X


Authenticator/NAS (Cisco Catalyst 2960)

Switch(config)# aaa new-model
Switch(config)# radius server freeradius
Switch(config-radius-server)# address ipv4 192.168.0.100 auth-port 1812 acct-port 1813
Switch(config-radius-server)# key MYSECRET
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# aaa authorization network default group radius
Switch(config)# aaa accounting dot1x default start-stop group radius
Switch(config)# radius-server vsa send accounting
Switch(config)# radius-server vsa send authentication
Switch(config)# interface FastEthernet0/10
Switch(config-if)# switchport mode access
Switch(config-if)# authentication event fail retry 0 action authorize vlan 30
Switch(config-if)# authentication event no-response action authorize vlan 20
Switch(config-if)# authentication port-control auto
Switch(config-if)# mab eap
Switch(config-if)# dot1x pae authenticator
Switch(config-if)# dot1x timeout tx-period 1
Switch(config-if)# spanning-tree portfast
Switch# !debug dot1x


Supplicant (Windows XP)

Copy cacert.pem and wxp.p12 to the Windows XP client.
Rename cacert.pem to cacert.der so Windows treats it as a certificate file; the import code detects the Base64 (PEM) encoding itself, so no conversion to binary DER is needed.

C:\> net start "Wired Autoconfig"
C:\> mmc
File > Add/Remove Snap-in... > Add > Certificates > Add > Computer account > Next > Finish > Close > OK
- Certificates (Local Computer) > Personal > Certificates > All Tasks > Import... > wxp.p12 > password (MY_EXPORT)
- Certificates (Local Computer) > Trusted Root Certification Authorities > Certificates > All Tasks > Import... > cacert.der
C:\> netsh lan export profile folder=C:\
C:\> type nic.xml
<?xml version="1.0"?>
<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
        <MSM>
                <security>
                        <OneXEnforced>false</OneXEnforced>
                        <OneXEnabled>true</OneXEnabled>
                        <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
                                <cacheUserData>false</cacheUserData>
                                <authMode>machineOrUser</authMode>
                                <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type><VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId><VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType><AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId></EapMethod><ConfigBlob>020000002A0000001D0000001400000037689DD23A688A3C5CFF726F9407DC30F999752F000001000000</ConfigBlob></EapHostConfig></EAPConfig>
                        </OneX>
                </security>
        </MSM>
</LANProfile>
Change 'machineOrUser' to 'machine', so the supplicant authenticates with the certificate imported into the computer store and the port comes up before any user logs on.
C:\> netsh lan add profile filename=nic.xml
NIC > Properties > Authentication
- Enable IEEE 802.1x authentication for this network
-- EAP type: Smart Card or other Certificate
-- Settings
--- Use a certificate on this computer > Use simple certificate selection
--- Validate server certificate
--- Trusted Root Certification Authorities > ca.lab.net

