Freeradius: Generate Certificates for Client and Server Authentication
Overview
When using WPA2-Enterprise with 802.1X authentication, both the client and the RADIUS server can use certificates to verify their identities to each other and perform mutual authentication. Below are the steps for generating certificates for client and server authentication in freeradius.
Note: The files and file paths referenced in this guide are using Ubuntu Server 12.04.2. The commands can be run with sudo or from the root user.
Steps to Generate Certificates
1. Install openvpn: sudo apt-get install openvpn
2. Make target directory to copy easy-rsa files to: sudo mkdir /etc/openvpn/easy-rsa
3. Copy easy-rsa files to openvpn directory: sudo cp /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
4. Move to openvpn directory for certificate creation: cd /etc/openvpn/easy-rsa
5. Edit the "vars" file to reflect your organization. Below is an example of a file with the comments and empty lines removed. Note: The three comment lines included have been commented out from the default.
6. Create the necessary certificates. These will be moved and freeradius pointed to them at a later time. The below should be done as root in order to set the source properly.
*If you get an error "No /etc/openvpn/easy-rsa/openssl.cnf: file could not be found", run the following command: cp openssl-1.0.0.cnf openssl.cnf
source ./vars
./clean-all
./pkitool --initca
#This command will create your CA cert
./pkitool --server radius
#This command will create radius cert
./pkitool --pkcs12 client
#You will need to enter a password when creating this file, this will be used later when installing on the client.
7. Remove testing certificates generated when freeradius is installed:
sudo cd /etc/freeradius/certs
sudo rm ca.pem server.key server.pem
8. Copy certificates generated to new location:
sudo cp /etc/openvpn/easy-rsa/keys/ca.crt /etc/freeradius/certs/ca.crt
sudo cp /etc/openvpn/easy-rsa/keys/radius.crt /etc/freeradius/certs/radius.crt
sudo cp /etc/openvpn/easy-rsa/keys/radius.key /etc/freeradius/certs/radius.key