<div dir="ltr"><div id="result_box" dir="ltr">The truth is that I am following the steps in the certs/README file.<br><br>
I looked at the howto -> <a href="http://freeradius.org/doc/EAPTLS.pdf">http://freeradius.org/doc/EAPTLS.pdf</a> and
it says nothing about building the certificates. I follow these steps:</div><br><br>README<br>***********************************************************************************************<br><br> This directory contains scripts to create the server certificates.<br>
To make a set of default (i.e. test) certificates, simply type:<br><br>$ ./bootstrap<br><br> The "openssl" command will be run against the sample configuration<br>files included here, and will make a self-signed certificate authority<br>
(i.e. root CA), and a server certificate. This "root CA" should be<br>installed on any client machine needing to do EAP-TLS, PEAP, or<br>EAP-TTLS.<br><br> The Microsoft "XP Extensions" will be automatically included in the<br>
server certificate. Without those extensions Windows clients will<br>refuse to authenticate to FreeRADIUS.<br><br> In general, you should use self-signed certificates for 802.1x (EAP)<br>authentication. When you list root CAs from other organizations in<br>
the "CA_file", you permit them to masquerade as you, to authenticate<br>your users, and to issue client certificates for EAP-TLS.<br><br> If FreeRADIUS was configured to use OpenSSL, then simply starting<br>the server in root in debugging mode should also create test<br>
certificates, i.e.:<br><br>$ radiusd -X<br><br> That will cause the EAP-TLS module to run the "bootstrap" script in<br>this directory. The script will be executed only once, the first time<br>the server has been installed on a particular machine. This bootstrap<br>
script SHOULD be run on installation of any pre-built binary package<br>for your OS. In any case, the script will ensure that it is not run<br>twice, and that it does not over-write any existing certificates.<br><br> If you already have CA and server certificates, rename (or delete)<br>
this directory, and create a new "certs" directory containing your<br>certificates. Note that the "make install" command will NOT<br>over-write your existing "raddb/certs" directory, which means that the<br>
"bootstrap" command will not be run.<br><br><br> NEW INSTALLATIONS OF FREERADIUS<br><br><br> We suggest that new installations use the test certificates for<br>initial tests, and then create real certificates to use for normal<br>
user authentication. See the instructions below for how to create the<br>various certificates. The old test certificates can be deleted by<br>running the following command:<br><br>$ rm -f *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt*<br>
<br> Then, follow the instructions below for creating real certificates.<br><br> Once the final certificates have been created, you can delete the<br>"bootstrap" command from this directory, and delete the<br>
"make_cert_command" configuration from the "tls" sub-section of<br>eap.conf.<br><br> If you do not want to enable EAP-TLS, PEAP, or EAP-TTLS, then delete<br>the relevant sub-sections from the "eap.conf" file.<br>
<br><br> MAKING A ROOT CERTIFICATE<br><br><br>$ vi ca.cnf<br><br> Edit the "input_password" and "output_password" fields to be the<br> password for the CA certificate.<br><br> Edit the [certificate_authority] section to have the correct values<br>
for your country, state, etc.<br><br>$ make ca.pem<br><br> This step creates the CA certificate.<br><br>$ make ca.der<br><br> This step creates the DER format of the self-signed certificate,<br> which can be imported into Windows.<br>
<br><br> MAKING A SERVER CERTIFICATE<br><br><br>$ vi server.cnf<br><br> Edit the "input_password" and "output_password" fields to be the<br> password for the server certificate.<br><br>
Edit the [server] section to have the correct values for your<br> country, state, etc. Be sure that the commonName field here is<br> different from the commonName for the CA certificate.<br><br>$ make server.pem<br><br>
This step creates the server certificate.<br><br> If you have an existing certificate authority, and wish to create a<br> certificate signing request for the server certificate, edit<br> server.cnf as above, and type the following command.<br>
<br>$ make server.csr<br><br> You will have to ensure that the certificate contains the XP<br> extensions needed by Microsoft clients.<br><br><br> MAKING A CLIENT CERTIFICATE<br><br><br> Client certificates are used by EAP-TLS, and optionally by EAP-TTLS<br>
and PEAP. The following steps outline how to create a client<br>certificate that is signed by the server certificate created above.<br>You will have to have the password for the server certificate in the<br>"input_password" and "output_password" fields of the server.cnf file.<br>
<br><br>$ vi client.cnf<br><br> Edit the "input_password" and "output_password" fields to be the<br> password for the client certificate. You will have to give these<br> passwords to the end user who will be using the certificates.<br>
<br> Edit the [client] section to have the correct values for your<br> country, state, etc. Be sure that the commonName field here is<br> the User-Name that will be used for logins!<br><br>$ make client.pem<br><br> The user's certificate will be in "commonName.pem",<br>
i.e. "user@example.com.pem".<br><br> To create another client certificate, just repeat the steps for<br> making a client certificate, being sure to enter a different login<br> name for "commonName", and a different password.<br>
<br><br> PERFORMANCE<br><br><br> EAP performance for EAP-TLS, TTLS, and PEAP is dominated by SSL<br> calculations. That is, a normal system can handle PAP<br> authentication at a rate of 10k packets/s. However, SSL involves<br>
RSA calculations, which are very expensive. To benchmark your system,<br> do:<br><br>$ openssl speed rsa<br><br> or<br><br>$ openssl speed rsa2048<br><br> to test 2048 bit keys.<br><br> A 1GHz system will likely do 30 calculations/s. A 2GHz system may<br>
do 50 calculations/s, or more. That number is also the number of<br> authentications/s that can be done for EAP-TLS (or TTLS, or PEAP).<br><br>***************************************************************************************************<br>
<div id="result_box" dir="ltr">What is the password that is wrong?<br><br>Thank you!!</div>
</div>
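The procedure the quoted README walks through (root CA, then server certificate, then client certificate, each with its own input_password/output_password) carried out with plain openssl commands, as an added example; this is not code from the FreeRADIUS certs/ directory or its Makefile. The passphrases, subjects, user name and work directory are constructed for the example. The client certificate here is issued with the CA key (check the client.crt rule in your own certs/Makefile to see which key and which .cnf password it actually uses). The last check shows the usual password mistake: trying to open ca.key with the server's passphrase fails, which is what a wrong input_password in one of the .cnf files looks like when "make" runs openssl.

```shell
#!/bin/sh
# Added example (not from FreeRADIUS certs/ or its Makefile): build the
# CA -> server -> client chain the README describes, with every passphrase
# visible. Passphrases, subjects and user name are constructed for the example.
set -eu

CA_PASS="ca-secret"           # ca.cnf     output_password: unlocks ca.key
SERVER_PASS="server-secret"   # server.cnf output_password: unlocks server.key
CLIENT_PASS="client-secret"   # client.cnf output_password: given to the end user
USER_NAME="user@example.com"  # client commonName = the User-Name used at login

# The "XP extensions": serverAuth / clientAuth extendedKeyUsage OIDs, which
# Windows supplicants require on the RADIUS server certificate.
write_xpextensions() {
    cat > "$1" <<'EOF'
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2

[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF
}

# Build ca.pem, server.pem, client.crt and the user's bundle in directory $1.
make_eap_certs() (
    cd "$1"
    write_xpextensions xpextensions

    # 1. Self-signed root CA ("make ca.pem"). Its key is encrypted with CA_PASS,
    #    which is the password every later signing step must be given.
    openssl req -x509 -new -newkey rsa:2048 -days 3650 \
        -subj "/C=FR/ST=Radius/O=Example Inc./CN=Example Certificate Authority" \
        -passout "pass:$CA_PASS" -keyout ca.key -out ca.pem 2>/dev/null
    openssl x509 -in ca.pem -outform DER -out ca.der    # "make ca.der", for Windows import

    # 2. Server key + CSR, signed by the CA. The CN must differ from the CA's CN.
    openssl req -new -newkey rsa:2048 \
        -subj "/C=FR/ST=Radius/O=Example Inc./CN=Example Server Certificate" \
        -passout "pass:$SERVER_PASS" -keyout server.key -out server.csr 2>/dev/null
    openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -passin "pass:$CA_PASS" -days 365 \
        -extfile xpextensions -extensions xpserver_ext -out server.crt 2>/dev/null
    cat server.crt server.key > server.pem  # certificate plus encrypted key for the server

    # 3. Client key + CSR, signed with the CA key here (assumption of this
    #    example; see the client.crt rule in your own Makefile).
    openssl req -new -newkey rsa:2048 \
        -subj "/C=FR/ST=Radius/O=Example Inc./CN=$USER_NAME" \
        -passout "pass:$CLIENT_PASS" -keyout client.key -out client.csr 2>/dev/null
    openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -passin "pass:$CA_PASS" -days 365 \
        -extfile xpextensions -extensions xpclient_ext -out client.crt 2>/dev/null
    # Bundle cert + key + CA for the end user; CLIENT_PASS is what they type.
    openssl pkcs12 -export -in client.crt -inkey client.key -passin "pass:$CLIENT_PASS" \
        -certfile ca.pem -out "$USER_NAME.p12" -passout "pass:$CLIENT_PASS"
    cat client.crt client.key > "$USER_NAME.pem"     # the README's "commonName.pem"
)

# Does passphrase $2 unlock private key $1? Exit 0 if yes, non-zero if not.
check_key_password() {
    openssl rsa -in "$1" -passin "pass:$2" -noout 2>/dev/null
}

# Exit 0 only if both certificates chain to ca.pem, carry the XP extension
# each side needs, the client CN is the login name, and the bundle opens.
verify_chain() (
    cd "$1"
    openssl verify -CAfile ca.pem server.crt client.crt >/dev/null 2>&1 || exit 1
    openssl x509 -in server.crt -noout -text | grep -q "TLS Web Server Authentication" || exit 1
    openssl x509 -in client.crt -noout -text | grep -q "TLS Web Client Authentication" || exit 1
    openssl x509 -in client.crt -noout -subject | grep -q "CN *= *$USER_NAME" || exit 1
    openssl pkcs12 -in "$USER_NAME.p12" -passin "pass:$CLIENT_PASS" -nokeys -noout 2>/dev/null || exit 1
)

WORK=$(mktemp -d)
make_eap_certs "$WORK"
verify_chain "$WORK" && echo "chain OK in $WORK"
# The classic mistake: a password from one .cnf used against another file's key.
check_key_password "$WORK/ca.key" "$SERVER_PASS" || echo "server password does not open ca.key (expected)"
```

Run it with `sh` and look at the work directory it prints. Keep two passphrases straight: the one that encrypts ca.key is what every signing step needs, and the one that encrypts server.key is the value the tls section of eap.conf must be given as private_key_password, otherwise radiusd -X fails to load the server key at startup.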