Using FreeRadius to authenticate your WPA Enterprise mobile users is comparatively easy, especially if you use daloRadius to manage your users. However, setting up the certificates that you need for it to work with more recent Android phones is poorly documented, and if you only have a hazy idea of how certificates work it can be frustrating.
In this short article I’ll try to explain how to set up FreeRadius with PEAP authentication, including what to do to install the Certification Authority certificate on your Android mobile.
I’m not going to explain how to install FreeRadius or daloRadius. There are good tutorials out on the web and it is comparatively simple to set up your server. What is less obvious is setting up the certificates you need for your phone to accept that the RADIUS server you are running is the one it expects. Consider why this is important. In a corporate setting, or somewhere like a university campus, it is quite possible for a bad character to set up a wireless access point (WAP) that masquerades as the official network. If a user can be fooled into connecting to this bogus network then all his data is available for inspection: credit card numbers, passwords and corporate data. Somehow the user needs a means of being confident that the WAP he is connected to is a real one, and this is where certificates come into play.
The protocol used to authenticate a user onto the network is called RADIUS, short for Remote Authentication Dial-In User Service. The reference to dial-in gives a clue as to how old it is: it dates back to the early days of the internet, when a common means of connection was to dial in over a phone line. RADIUS allows for centralised management of the usernames and passwords used to connect to networks. These days it is very commonly used to authenticate users onto wifi networks, and an open-source implementation of RADIUS is the FreeRadius software package.
I’m assuming that you are running a Linux server and that you have installed FreeRadius and got it to authenticate users onto your wifi network using a simple password. However, users with an Android phone will have found recently that they can no longer connect because the option to ignore network credentials has been greyed out. This was a conscious decision by the Android developers to try to improve overall network security, but it has left a whole set of users and network administrators with non-functional network connections. Fortunately FreeRadius has all the tools to create and install self-signed certificates to get connected again. So, let’s go…
The first thing to do is go to the certificates directory on your FreeRadius server
$ cd /etc/freeradius/3.0/certs
All the tools you need are in this directory.
Generating a CA certificate
You are going to generate a self-signed Certification Authority (CA) certificate and then use it to sign a server certificate. Let’s start with the CA certificate.
Look for the file ca.cnf in this directory and open it for editing
$ sudo nano ca.cnf
You now need to find the section that describes your organisation
[certificate_authority]
countryName = FR
stateOrProvinceName = Radius
localityName = Somewhere
organizationName = Example Inc.
emailAddress = admin@example.org
commonName = "Example Certificate Authority"
This is the default information and you will want to update it with your real data
[certificate_authority]
countryName = US
stateOrProvinceName = Wisconsin
localityName = Whitewater
organizationName = Purple Skyhooks Inc.
emailAddress = admin@purple-skyhooks.com
commonName = "Purple Skyhooks Certificate Authority"
You will also want to choose a password for the CA’s private key, which you will need whenever you sign something with it, and you need to add it into the password section of the ca.cnf file
[ req ]
prompt = no
distinguished_name = certificate_authority
default_bits = 2048
input_password = whatever
output_password = whatever
x509_extensions = v3_ca
giving you something like
[ req ]
prompt = no
distinguished_name = certificate_authority
default_bits = 2048
input_password = hqa7ara4mcr@zqk3WNA
output_password = hqa7ara4mcr@zqk3WNA
x509_extensions = v3_ca
Finally, you may want to extend the life of your certificate by editing
default_days = 60
to something longer. Choose a period that balances security (short life) against convenience (long life). I tend to choose something like 400 days, otherwise you will spend the whole of your life generating and distributing CA certificates.
Now you are ready to generate your CA certificate
$ sudo make ca.pem
This will generate a private key file, ca.key, and a public certificate file, ca.pem. The private key file must remain private and secure and generally will not leave your server. It will be used to sign the server certificate that you will generate in the next step.
Generating a server certificate
Now we will edit server.cnf in a similar way to describe our FreeRadius server. We start by modifying the [server] section to describe our RADIUS server
[server]
countryName = US
stateOrProvinceName = Delaware
localityName = New Castle
organizationName = Grabitt Radius Services
emailAddress = dodgy_radius@grabbit-radius.com
commonName = "server1.grabbit-radius.com"
The important attribute here is the commonName value, which should be set to a fully qualified domain name (FQDN). This name does not have to actually exist in the DNS, but you will use it later when setting up your phone, so it makes sense to set it to something reasonable.
You will also have to set the password values and the default_days value to give the certificate a reasonable life. The same security/convenience trade-off as above applies.
Now generate the server certificate and key by typing
$ sudo make server.pem
This will generate a private key file, server.key, and a certificate file, server.pem.
The last thing to do is to change the ownership of the files to the freerad user that the RADIUS server runs as, so that it can read them
$ sudo chown freerad:freerad server.key server.pem ca.pem
Configuring the FreeRadius server
Now it’s time to tell the FreeRadius server about the certificates you’ve just generated. Go to the EAP module configuration file
$ cd ../mods-enabled
$ sudo nano eap
and find the tls-config tls-common section
Edit the following lines
private_key_password = whatever
private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
and change them to
private_key_password = <the password you chose in server.cnf>
private_key_file = ${certdir}/server.key
Then find the line
certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
and replace it with
certificate_file = ${certdir}/server.pem
Find the line
ca_file = /etc/ssl/certs/ca-certificates.crt
and replace it with
ca_file = ${certdir}/ca.pem
and save the file.
You now need to restart the FreeRadius server
$ sudo service freeradius restart
and your WPA Enterprise wifi network will be running with a self-signed certificate.
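Before moving on to the phones it is worth checking what you have just built. The script below is an added example, not part of FreeRadius or of this write-up: it checks that server.pem chains to ca.pem, that server.key is the matching private key, that the certificate’s CN is the value you will type into the phone’s "Domain" field, and that it is not about to expire. It assumes the openssl command-line tool is installed; the file names and the commonName server1.grabbit-radius.com are the ones from the steps above and should be replaced with yours.

```shell
#!/bin/sh
# Sanity-check the FreeRadius certificate chain built above. Added example,
# not part of FreeRadius; assumes the openssl CLI is installed. Usage:
#   sh check_radius_certs.sh ca.pem server.pem server.key server1.grabbit-radius.com [min_days]

# Print the subject CN of a PEM certificate, e.g. "server1.grabbit-radius.com".
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Succeed if the certificate in $1 chains to the CA certificate in $2.
chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Succeed if private key $2 belongs to certificate $1 (same public key).
# server.key made by `make server.pem` is passphrase-protected: export
# KEY_PASS=<private_key_password> to avoid the interactive prompt.
key_matches() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    k=$(openssl pkey -in "$2" -pubout ${KEY_PASS:+-passin env:KEY_PASS})
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Succeed if certificate $1 stays valid for at least $2 more days.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Run every check, print one line per result, return non-zero if any failed.
# $1 ca.pem  $2 server.pem  $3 server.key  $4 expected CN  $5 minimum days (default 30)
check_radius_certs() {
    ca=$1; cert=$2; key=$3; want_cn=$4; min_days=${5:-30}; rc=0
    if chain_ok "$cert" "$ca"; then echo "ok   $cert is signed by $ca"
    else echo "FAIL $cert does not chain to $ca"; rc=1; fi
    if key_matches "$cert" "$key"; then echo "ok   $key matches $cert"
    else echo "FAIL $key does not match $cert"; rc=1; fi
    got_cn=$(cert_cn "$cert")
    if [ "$got_cn" = "$want_cn" ]; then echo "ok   CN is $want_cn (enter this as Domain on the phone)"
    else echo "FAIL CN is '$got_cn', expected '$want_cn'"; rc=1; fi
    if valid_for_days "$cert" "$min_days"; then echo "ok   valid for at least $min_days more days"
    else echo "FAIL expires within $min_days days"; rc=1; fi
    return $rc
}

# Run only when called with arguments, so the functions can also be sourced.
if [ $# -ge 4 ]; then check_radius_certs "$@"; fi
```

Run it from /etc/freeradius/3.0/certs; a FAIL on the CN line means the phone’s "Domain" entry will not match what the server presents.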
Configuring your Android phones
Install the CA certificate
Your phone now needs to be told to trust the certificate that the RADIUS server is presenting. This is actually fairly simple, except for the first part. You are about to encounter at first hand one of the most difficult parts of establishing a trusted connection: somehow you have to get the ca.pem CA certificate onto your phone, and you have to do it in a trusted fashion. There are several possible ways to do this:
- Link your phone to your computer via a USB cable and transfer the file
- Write the certificate file to an SD card
- Use a trusted messaging service such as Signal or WhatsApp to transfer the file.
Once you have it over to your phone go to your settings menu and select
Security -> Advanced -> Encryption and Credentials -> Install a certificate -> Wi-Fi certificate
All being well you will then be presented with a file chooser with your ca.pem in it. Select the file and give the certificate a name when asked by the pop-up. Choose something obvious like “Corporate Wifi”. Click on OK. You should get a message telling you that the certificate has been installed. Your phone will now trust certificates signed by your Certification Authority.
Connect to your wi-fi
Yes! We’re nearly there.
Go to your network configuration section and select the wi-fi section. You should see the wi-fi network you want displayed (assuming that the network side of things is all set up). Click on this network. You will be presented with a screen with a number of incomprehensible questions:
- For “EAP method” select “PEAP”
- For “Phase 2 authentication method” select “MSCHAPV2”
- For “CA certificate” select the name you gave the CA certificate above (“Corporate Wifi”)
- For “Domain” select the commonName value you set in the server.cnf file (“server1.grabbit-radius.com”).
- Fill in your username and password under “Identity” and “Password”.
- Press “Save”
All being well you will connect securely to the wifi. Subsequent connections will be automatic.