Generate the SSL certs

Johan Nyman Johan at mediavisiongroup.se
Sat Apr 12 18:35:38 CEST 2008


Hello all,

There should be a place on the net that hosts official tutorials for
FreeRadius that are up to date.

Then many problems would disappear.


I was about to follow this post to get "EAP/TTLS" to work:
http://www.felipe-alfaro.org/blog/2005/11/01/wpa-enterprise/



Can anyone help me sort out what not to follow in his guide, since it was
posted in 2005?


Are the SSL certificate creation steps that tutorial mentions the same for all
versions, and still up to date?


1. Generate a new unsigned certificate and its corresponding private key:

openssl req -new -days 365 -newkey rsa:1024 \
  -keyout /etc/pki/CA/sslkey.pem \
  -out /etc/pki/CA/sslcert.pem


2. To sign this certificate:

openssl ca -in /etc/pki/CA/sslcert.pem -out /etc/pki/CA/cert.pem


3. Installing the RADIUS X.509 certificate

The certificate and its corresponding private key, plus the CA certificate,
must be installed into /etc/raddb/certs in order to use EAP-TLS or EAP-TTLS:

Install the RADIUS private key:

mv /etc/pki/CA/sslkey.pem /etc/raddb/certs/RADIUS-key.pem

Install the RADIUS signed X.509 certificate:

mv /etc/pki/CA/cert.pem /etc/raddb/certs/RADIUS-cert.pem

Install the CA certificate:

cp /etc/pki/CA/cacert.pem /etc/raddb/certs/cacert.pem

/etc/pki/CA/sslcert.pem holds the unsigned X.509 RADIUS certificate, so it
can be safely removed:

rm /etc/pki/CA/sslcert.pem



Best regards,
Johan Nyman

Media Vision Group | MVG
Stureplan 4C, 4tr
114 35 Stockholm
Sweden

Tfn: +46-8-463 10 58
Cell:+46-70-992 31 51
Fax: +46-8-463 10 10
E-mail: Johan at mediavisiongroup.se
Web: http://www.mediavisiongroup.se



-----Original Message-----
From: freeradius-users-bounces+johan=mediavisiongroup.se at lists.freeradius.org
[mailto:freeradius-users-bounces+johan=mediavisiongroup.se at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: 12 April 2008 17:45
To: FreeRadius users mailing list
Subject: SPAM-LOW: SPAM(5.0) Re: EAP/TTLS

Johan Nyman wrote:
> - I'm going to copy back the default "eap.conf" "radiusd.conf" and "users"
> files, so I can start over again with clean files. 

  Good idea.

> - Some tutorials I have followed are old, compared to the new version that I
> have 2.0.3.

  I wish all old tutorials disappeared off of the net.  Since most
started out wrong, getting rid of them isn't a bad idea.

> - Can you give me an example on how I should configure these three files
> "users" "eap.conf" "radiusd.conf". 
> 
> - The authentication method I am looking for to use is "EAP/TTLS" 

  You do nothing.  See doc/ChangeLog, for version 2.0.0.

> - I have all the certificates ready to go.

  Put them in raddb/certs, in the files mentioned in eap.conf.  Or, edit
eap.conf to point to your certificates.

  The whole point of 2.0 is that you start the server... and almost
everything works.  The tutorials that described endless steps to
configure things were usually wrong to begin with, and are completely
unnecessary in 2.0.

  Alan DeKok.
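The three certificate steps quoted in Johan's message, and Alan's point that the files only need to land in raddb/certs, as an added example that is not from the thread or from the FreeRADIUS project: it builds a throwaway CA, issues and signs the server certificate, installs the three files, and then verifies that the installed certificate chains to the CA and matches its key. It assumes openssl in PATH; the directory arguments and subject names are placeholders standing in for /etc/pki/CA and /etc/raddb/certs.

```shell
#!/bin/sh
# Added example (not the thread's or FreeRADIUS's own code). Mirrors the
# quoted steps with 2048-bit keys and signs with "openssl x509 -req", which
# needs no distribution-specific openssl.cnf, unlike "openssl ca".
set -e

# $1: scratch dir (stands in for /etc/pki/CA)
# $2: target dir  (stands in for /etc/raddb/certs)
make_radius_certs() {
  work="$1"; certs="$2"
  mkdir -p "$work" "$certs"
  # 0. Private CA; the tutorial assumes /etc/pki/CA/cacert.pem already exists
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example RADIUS CA" \
    -keyout "$work/cakey.pem" -out "$work/cacert.pem" 2>/dev/null
  # 1. Server key and CSR (the thread's step 1; -nodes skips the passphrase)
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=radius.example.invalid" \
    -keyout "$work/sslkey.pem" -out "$work/sslcert.pem" 2>/dev/null
  # 2. Sign the CSR with the CA (the thread's step 2)
  openssl x509 -req -days 365 -in "$work/sslcert.pem" \
    -CA "$work/cacert.pem" -CAkey "$work/cakey.pem" -CAcreateserial \
    -out "$work/cert.pem" 2>/dev/null
  # 3. Install (the thread's step 3); the private key is owner-readable only
  install -m 0600 "$work/sslkey.pem" "$certs/RADIUS-key.pem"
  install -m 0644 "$work/cert.pem"   "$certs/RADIUS-cert.pem"
  install -m 0644 "$work/cacert.pem" "$certs/cacert.pem"
  rm -f "$work/sslcert.pem"   # the CSR is no longer needed
}

# Returns 0 when RADIUS-cert.pem chains to cacert.pem and its public key
# matches RADIUS-key.pem, 1 otherwise (a mismatch is the usual cause of an
# EAP-TLS/TTLS server that refuses to start or fails the TLS handshake).
verify_radius_certs() {
  certs="$1"
  openssl verify -CAfile "$certs/cacert.pem" \
    "$certs/RADIUS-cert.pem" >/dev/null 2>&1 || return 1
  c=$(openssl x509 -noout -modulus -in "$certs/RADIUS-cert.pem")
  k=$(openssl rsa  -noout -modulus -in "$certs/RADIUS-key.pem" 2>/dev/null)
  [ "$c" = "$k" ]
}
```

Run as `make_radius_certs /tmp/ca /tmp/raddb-certs && verify_radius_certs /tmp/raddb-certs` and point eap.conf's private_key_file, certificate_file and CA_file at the three installed files.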