
Prototyping RADIUS Server Policies: Part 3

Written by IPTel Solutions | 25 November 2024 2:21:20 AM

This is part 3 of my blog series on rapid prototyping of RADIUS policies in Cisco ISE without requiring any networking equipment.

This time we're going to perform EAP-TLS (X.509 certificate-based) authentication.

There is a wealth of information on the internet about configuring RADIUS servers (Cisco ISE or Aruba ClearPass) to perform a multitude of operations.

This blog series aims to help network administrators configure their RADIUS server policies.


Introduction

This scenario is very similar to EAP-PEAP, which we discussed in Part 2, but now, in addition to the RADIUS server presenting its certificate, the client also presents its own certificate to the RADIUS server.

This is called mutual certificate authentication. The trickiest part of the process is creating the client certificate, and its perceived complexity puts many people off.

To create a client certificate for rapid-prototyping testing, I believe you have three options:

1. Ask an expert to deliver one on a silver platter for you (e.g. a Microsoft PKI security admin).
2. Build your own Windows Server 2012 R2 lab VM and invest the time to understand it; most enterprises use Microsoft PKI.
3. Use the openssl tools and do it all via the CLI, or via xca (a GUI front end to openssl, http://xca.sourceforge.net/).

We will use the openssl command line to create a Root CA. Using that Root CA we shall then issue a client certificate for our wpa_supplicant testing purposes.

Using your Linux terminal session, create a directory called 'ca' and make it your current directory; for the purpose of illustration I have used /home/abier/ca. I chose two relatively simple and weak pass phrases (MyCertPr1vateKey for the CA key and MyCl1entKey for the client key), both for illustration and to guide you when openssl prompts for them.

In practice, please use stronger pass phrases! Note that the commands, and the values typed at each prompt, are user input; everything else is openssl output.


Root CA certificate

Create a Root CA private key
openssl genrsa -aes256 -out ca.key.pem 4096
Generating RSA private key, 4096 bit long modulus
Enter pass phrase for ca.key.pem: MyCertPr1vateKey
Verifying - Enter pass phrase for ca.key.pem: MyCertPr1vateKey

Create the Root CA self-signed certificate
openssl req -key ca.key.pem -new -x509 -days 7300 -sha256 -extensions v3_ca -out ca.cert.pem
Enter pass phrase for ca.key.pem: MyCertPr1vateKey
Country Name (2 letter code) [XX]:AU
State or Province Name (full name) []:QLD
Locality Name (eg, city) [Default City]:BNE
Organization Name (eg, company) [Default Company Ltd]:Acme
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:AcmeCorp
Email Address []:

Install the above Root CA certificate in your RADIUS server as a trusted certificate authority: the server needs it to validate the client certificates we issue next.


Client Certificate

Create the Client private key
openssl genrsa -aes256 -out client.key.pem 2048
Generating RSA private key, 2048 bit long modulus
Enter pass phrase for client.key.pem: MyCl1entKey
Verifying - Enter pass phrase for client.key.pem: MyCl1entKey

Create a CSR (certificate signing request)

The CSR is submitted to the issuing CA, which here is the Root CA we just created. The subject fields must be consistent with the CA's (C, ST and O must match under the default openssl.cnf policy) or signing will fail.

openssl req -key client.key.pem -new -sha256 -out client.csr.pem
Enter pass phrase for client.key.pem: MyCl1entKey
Country Name (2 letter code) [XX]:AU
State or Province Name (full name) []:QLD
Locality Name (eg, city) [Default City]:BNE
Organization Name (eg, company) [Default Company Ltd]:Acme
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:jsmith
Email Address []:
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:

Prepare the CA for certificate creation duties

This requires a small directory structure: when a CA issues certificates it must also keep track of them, which means a little administrative data (an index file and a serial-number counter) - but this is easily done. The paths below are the defaults from the RHEL/CentOS openssl.cnf (/etc/pki/CA); other distributions use a different default directory (check the 'dir' setting under [ CA_default ] in your openssl.cnf, e.g. ./demoCA on Debian/Ubuntu). Because these files live under /etc you will need to be the root user. The following commands prepare the CA infrastructure (the final 'exit' leaves the root shell):

touch /etc/pki/CA/index.txt
echo '1000' > /etc/pki/CA/serial
touch /etc/pki/CA/serial.new
touch /etc/pki/CA/index.txt.new
touch /etc/pki/CA/index.txt.attr.new
exit

In your 'ca' working directory you need to create a small file called extensions.txt containing the certificate extensions you need. In the example below the Extended Key Usage (EKU) is clientAuth, which is what the RADIUS server checks on an EAP-TLS client certificate; basicConstraints CA:FALSE makes sure the client certificate cannot itself be used to sign further certificates.

[ext]
basicConstraints=CA:FALSE
nsCertType = client
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth

Create the client certificate

Finally we are ready to create the client certificate. Because this uses the default openssl.cnf, openssl wants to write its CA database under /etc/pki/CA, which needs root access - it's easier to run the command with sudo. The '-outdir .' option makes openssl write its copy of the issued certificate (named after the serial number) into the current directory instead of /etc/pki/CA/newcerts.

sudo openssl ca -extfile extensions.txt -extensions ext -days 365 -notext -md sha256 \
    -in client.csr.pem -cert ca.cert.pem -keyfile ca.key.pem -outdir . -out client.cert.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca.key.pem: MyCertPr1vateKey
Check that the request matches the signature
Signature ok
Certificate Details:
    Serial Number: 4096 (0x1000)
    Validity
        Not Before: May  5 04:14:16 2018 GMT
        Not After : May  5 04:14:16 2019 GMT
    Subject:
        countryName               = AU
        stateOrProvinceName       = QLD
        organizationName          = Acme
        organizationalUnitName    = IT
        commonName                = jsmith
    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:FALSE
        Netscape Cert Type:
            SSL Client
        X509v3 Key Usage:
            Digital Signature, Key Encipherment
        X509v3 Extended Key Usage:
            TLS Web Client Authentication
Certificate is to be certified until May  5 04:14:16 2019 GMT (365 days)
Sign the certificate? [y/n]: y

1 out of 1 certificate requests certified, commit? [y/n] y
Write out database with 1 new entries
Data Base Updated

Two things are worth noticing in that output. The serial number 0x1000 comes from the '1000' we wrote into /etc/pki/CA/serial (it is read as hex), and the localityName (BNE) we typed into the CSR has been dropped from the issued subject: the default policy_match section in openssl.cnf only carries C, ST, O, OU, CN and emailAddress through to the certificate.

View the certificate (without the PEM blob) with the command

openssl x509 -in client.cert.pem -noout -text
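The Root CA and client certificate steps above, scripted as one non-interactive run. This is an added example and not part of the original post: it keeps the CA database in a local directory with its own small openssl.cnf, so it needs neither root nor /etc/pki/CA, and it finishes with the check the RADIUS server effectively performs (chain to the Root CA plus EKU clientAuth). The pass phrases, the DN values, the 'AcmeCorp'/'jsmith' names and the policy_any section (which, unlike the distro default policy_match, keeps localityName) are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: the Root CA + client certificate
# procedure, scripted and self-contained in one directory (no root, no
# /etc/pki/CA). Pass phrases, DN values and names are illustrative assumptions.
set -eu

CA_PASS="MyCertPr1vateKey"   # weak; illustration only
CLIENT_PASS="MyCl1entKey"    # weak; illustration only

# Build the CA database, the Root CA and one EAP-TLS client certificate in $1.
build_pki() (
    cd "$1"
    mkdir -p newcerts
    touch index.txt            # the CA's issued-certificate database
    echo 1000 > serial         # next serial number, read by openssl as hex

    # Minimal openssl.cnf: 'openssl ca' needs a database, a serial file, a
    # policy and a place to write issued certs. The heredoc is quoted because
    # $dir is an OpenSSL config variable, not a shell variable.
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default

[ CA_default ]
dir            = .
database       = $dir/index.txt
serial         = $dir/serial
new_certs_dir  = $dir/newcerts
default_md     = sha256
default_days   = 365
policy         = policy_any
unique_subject = no

[ policy_any ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied

[ req ]
distinguished_name = req_dn
prompt             = no

[ req_dn ]
C  = AU
ST = QLD
L  = BNE
O  = Acme
OU = IT
CN = AcmeCorp

[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

[ ext ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
EOF

    # Root CA: AES-256-encrypted 4096-bit key and a 20-year self-signed cert
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out ca.key.pem 4096 2>/dev/null
    openssl req -config ca.cnf -key ca.key.pem -passin "pass:$CA_PASS" \
        -new -x509 -days 7300 -sha256 -extensions v3_ca -out ca.cert.pem

    # Client: encrypted 2048-bit key and a CSR for user jsmith
    openssl genrsa -aes256 -passout "pass:$CLIENT_PASS" -out client.key.pem 2048 2>/dev/null
    openssl req -config ca.cnf -key client.key.pem -passin "pass:$CLIENT_PASS" \
        -new -sha256 -subj "/C=AU/ST=QLD/L=BNE/O=Acme/OU=IT/CN=jsmith" -out client.csr.pem

    # Issue: the CA signs the CSR and stamps on the clientAuth extensions
    openssl ca -config ca.cnf -batch -extensions ext -days 365 -notext -md sha256 \
        -cert ca.cert.pem -keyfile ca.key.pem -passin "pass:$CA_PASS" \
        -in client.csr.pem -out client.cert.pem
)

# Returns 0 when the client cert chains to the Root CA in $1 and is usable for
# TLS client authentication (EKU clientAuth): what the RADIUS server checks.
verify_client_cert() {
    openssl verify -CAfile "$1/ca.cert.pem" -purpose sslclient "$1/client.cert.pem" >/dev/null &&
    openssl x509 -in "$1/client.cert.pem" -noout -text | grep -q 'TLS Web Client Authentication'
}

# Number of certificates recorded in the CA database (one line per issued cert)
issued_count() {
    wc -l < "$1/index.txt" | tr -d ' '
}

WORK=$(mktemp -d)
build_pki "$WORK"
verify_client_cert "$WORK" && echo "ok: $WORK/client.cert.pem chains to $WORK/ca.cert.pem"
```

The script produces the same three files the manual steps do (ca.cert.pem, client.key.pem, client.cert.pem), so ca.cert.pem is what you import into ISE or ClearPass and the other two are what eaptls.conf points at. Because the CA database is local, re-running it in a fresh directory gives you a disposable PKI per test.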


Testing certificate authentication with wpa_supplicant

If you need a refresher on wpa_supplicant, please see part 2 of this blog series.

The configuration file eaptls.conf must specify the EAP method and reference the relevant certificate and key files:

network={
ssid="example"
key_mgmt=WPA-EAP
eap=TLS
identity="anonymous"
ca_cert="/home/abier/radius/radius-ca.pem"
client_cert="/home/abier/ca/client.cert.pem"
private_key="/home/abier/ca/client.key.pem"
private_key_passwd="MyCl1entKey"
eapol_flags=3
}

Note: the ca_cert shown above is the Root certificate that issued the RADIUS server's certificate, not to be confused with the CA that issued the client certificate! They may be the same CA in some cases, but be aware of what is meant here.

Also note that eaptls.conf holds private_key_passwd in clear text, so keep the file readable only by you (chmod 600 eaptls.conf).

We don't cover the configuration of the RADIUS server itself because that is not the focus of this blog - it is assumed you can find the information you need.

Below is the command to send one request to a NAS at 192.168.21.101 with a client wireless MAC address of 00:00:00:00:00:FF and Service-Type=Framed, which is standard for Cisco/HPE WLCs. The -N option adds an extra RADIUS attribute as attribute-number:format:value, so '6:d:2' is attribute 6 (Service-Type) with decimal value 2 (Framed). To simulate an Aruba AP, substitute the value 1 (Service-Type=Login), i.e. -N '6:d:1'.

eapol_test -c eaptls.conf -s RadiusS3cret -a 192.168.21.101 -M '00:00:00:00:00:ff' -N '6:d:2'

Prototyping RADIUS Server Policies: Summary

The above command performs exactly the same sequence of steps that a real supplicant performs for EAP-TLS.

Remember also that your RADIUS server will need the CA certificate chain of your client certificate installed in order for the authentication to succeed.

This ends our series on RADIUS server policies; we hope this was informative and that you enjoyed this trilogy.


As with all work you undertake on your RADIUS installation, take great care to have a backup and backout plan: this tends to be critical infrastructure, so take care when making any changes to a live network.