Switching to Fiber Channel for SAN access. Part 1

As I have learned more advanced features of VMware’s virtualization products, my rack has slowly been filling up with servers. With more servers there has been a steady increase in the amount of traffic to my SAN server as well. As previous posts indicate, I was primarily using iSCSI for SAN access. While iSCSI worked pretty well, the traffic shared a medium (Ethernet) with everything else in the same broadcast domain, so other traffic introduced some delay.

While I could have placed the iSCSI traffic on a dedicated VLAN to gain a performance bump at no cost, I decided, after reading about Fiber Channel, to go that route instead. Like iSCSI, Fiber Channel is a storage-oriented protocol. Unlike iSCSI, Fiber Channel runs over dedicated media, meaning the only traffic traversing the optical fiber is the Fiber Channel Protocol. One of the many benefits of Fiber Channel is that it can be set up at low cost: currently $52 for the host and first client, and $18 for each additional client, for up to 4 clients in total. Beyond four clients, a Fiber Channel switch or an additional 4-port card is required. What is impressive is that at those prices you get optical media running a storage-oriented protocol at 4.25Gb/s. The Fiber Channel PCIe adapters I bought have drivers for Windows, Apple’s OS X, Red Hat, SUSE, Solaris, VMware ESXi, and Xen. The cards support booting from Fiber Channel, which is really cool, as I am now running the ESXi servers completely diskless.

[Screenshot: vSphere Client, Storage Adapters view]

You may wonder why I would want a 4.25Gb/s network for my SAN traffic when typical hard drives only push 100-145MB/s, a range that is mostly within what a gigabit Ethernet link can carry. I have added an SSD cache drive with much greater read and write performance, and a 4.25Gb/s network should be able to handle the bursts that come from the ARC + L2ARC. I looked at building a 10GbE network, but the cost was incredibly high and 10GbE switches are still out of reach for my home lab. That cost is ultimately why I selected Fiber Channel over 10GbE. Another point: with my setup, each client has a dedicated link to the SAN.

Fiber Channel is a pretty cool technology, and it was challenging to initially set up and understand with the limited resources available outside an enterprise support contract. It is important to note that I have barely scratched the surface; there are many more features, such as bonding, arbitrated loops and Fiber Channel over Ethernet, that I haven’t touched in this article. I encourage you to look into it.

 

Price/Parts Breakdown:

QLogic QLE2464 – 4x port PCIe adapter – $25

QLogic QLE2460 – 1x port PCIe adapter – $9

LC to LC OM3 Fiber Cable – $9


Raspberry Pi + Arch Linux + FDE + FreeRADIUS3, A low power RADIUS server for WPA2 Enterprise.

Updated: 20140523 – Please update the initrd image after kernel updates. See below for more information.

Background:

I recently finished up my article on getting a RADIUS server running for the purpose of authenticating WPA2 Enterprise wireless clients. That setup works great; the problem is that if I bring my ESXi host down, my RADIUS server goes offline, effectively bringing down my wireless. I wanted an elegant solution, so enter the Raspberry Pi. The rPi is a low-power device that can run a full-fledged OS and is powered via a USB port, and my wireless access point conveniently has an unused USB port.

 

What is this post about?

This guide explains how to get a RADIUS server running on a Raspberry Pi {rPi} using Arch Linux on an SD card with nearly Full Disk Encryption {FDE}: the root filesystem is encrypted with LUKS, while the small /boot partition (kernel, initramfs and the pre-boot SSH daemon that asks for the passphrase) necessarily stays in the clear. This RADIUS server is intended to be a backup server. This post assumes a RADIUS server is already set up, as well as a Certificate Authority {CA}, as described in my previous post.

 

How To:

Installing Arch Linux:

Download and flash the Arch Linux image:

Download the install image from RaspberryPi.org or ArchLinuxArm.org. This is not a typical install; it simply writes an image to the SD card. The device’s hardware is static, so there are no prompts for options as there would be during a typical installation. The assumption is that you configure items such as the hostname, time zone, et cetera later on. Before writing the image, compare its checksum with the value published alongside the download, so a corrupted or tampered image is caught before it becomes your root filesystem.

Below is how to write the image from an OS X host. Writing this image from a Windows host is also possible and the procedure for writing from a Linux host will be nearly identical.

In the OS X Disk Utility, Unmount (do not Eject) all the mounted partitions on the SD card. This gives dd full access to the device without other applications trying to lock it.


 

Then find the device identifier to write to by selecting the SD card in Disk Utility and clicking Info. Check that the size shown matches the card; in the example below the card is disk2, so dd writes to /dev/rdisk2.


 

Use the dd command to write the image to the SD card. This will erase the entire SD card. Keep in mind that dd is extremely destructive; make sure the correct input (if=) and output (of=) locations are used.

$ sudo dd bs=1m if=/Users/epijunkie/rpi/archlinux-hf-2013-11-14.img of=/dev/rdisk2
Password:
1870+0 records in
1870+0 records out
1960837120 bytes transferred in 58.268067 secs (33652002 bytes/sec)

As shown, it took only 58 seconds to write the image to a 16GB Class 10 SD card. Using rdisk instead of disk gives faster writes on OS X; the r stands for raw, meaning the writes bypass the buffer cache. bs=1m tells dd to write in 1MB chunks.

 

Eject the disk once the write is complete. The rPi is ready to boot Arch Linux.
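As an added example (not part of the original post), here is a small POSIX shell wrapper for the step above that does the two checks a careful operator makes before running dd: it verifies the image’s SHA-256 against the published value and refuses targets that look like a system disk or a partition. The function names, the allow-list of device names and the bs=1048576 block size (1 MiB, spelled so that both OS X and GNU dd accept it) are my choices, not the author’s; adapt the device patterns to the machine you write from.

```shell
#!/bin/sh
# Added example for the image-writing step (not from the original post).
# Assumptions: the expected digest is the SHA-256 published next to the image;
# the device allow-list below (rdiskN/diskN on OS X, sdX/mmcblkN on Linux, never
# the first disk) is a heuristic for "removable card", so adapt it to your host.
set -u

# Digest a file with whichever tool the host has (sha256sum on Linux, shasum on OS X).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_image IMAGE EXPECTED_HEX: 0 if the digest matches, 1 otherwise.
verify_image() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# target_is_allowed DEV: 0 only for a whole-disk node that is not the system disk.
target_is_allowed() {
    case "$1" in
        /dev/rdisk0|/dev/disk0|/dev/sda|/dev/nvme0n1) return 1 ;;      # system disks
        /dev/rdisk[1-9]|/dev/rdisk[1-9][0-9]|/dev/disk[1-9]|/dev/disk[1-9][0-9]) return 0 ;;
        /dev/sd[b-z]|/dev/mmcblk[0-9]) return 0 ;;
        *) return 1 ;;                                                  # partitions, typos
    esac
}

# flash_image IMAGE EXPECTED_HEX DEV: verify, guard, then write; with DRY_RUN=1 only
# print the dd command. Returns 2 on a digest mismatch and 3 on a rejected target.
flash_image() {
    img=$1; want=$2; dev=$3
    verify_image "$img" "$want" || { echo "digest mismatch for $img, refusing to write" >&2; return 2; }
    target_is_allowed "$dev" || { echo "$dev is not an allowed target" >&2; return 3; }
    # 1048576 is 1 MiB written so that both BSD (bs=1m) and GNU (bs=1M) dd accept it.
    cmd="dd bs=1048576 if=$img of=$dev"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$cmd"
        return 0
    fi
    sudo $cmd && sync
}

# Typical use from the writing host (the digest is the one published with the image):
#   flash_image ~/rpi/archlinux-hf-2013-11-14.img <published-sha256> /dev/rdisk2
```

Run it once with DRY_RUN=1 to see exactly which dd command would be executed before letting it touch a device.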


 

Modify the base Arch Linux install:

After about 30 seconds of the rPi running, you should be able to run date and see the correct current time. This is because ntpd runs and sets the time from the NTP pool, but the update is not instant upon boot. I installed a rasclock in my rPi, which is a hardware real-time clock {RTC}. I suggest a hardware RTC because without the correct time the certificates for the TLS connection won’t validate, since the clock will be outside their validity window, and EAP authentication fails until NTP has fixed the clock. I installed the rasclock to avoid the annoyance of an inaccessible wireless network if, say, the power gets knocked out and whatever supplies my internet goes completely offline, requiring my intervention to bring it back up. It’s always a lot of ifs until it happens.

 

It’s worth noting that this guide is written so you can run the rPi completely headless, relying on SSH to log in. Log into the rPi via SSH as the root user (the address below is the one DHCP handed out):

$ ssh root@10.0.0.233
The authenticity of host '10.0.0.233 (10.0.0.233)' can't be established.
RSA key fingerprint is 64:ec:10:75:ec:53:52:ec:15:50:11:35:b6:86:c6:11.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.0.233' (RSA) to the list of known hosts.
root@10.0.0.233's password: root

‘root’ is the default password and should be changed immediately with the passwd command once logged on; every copy of this image ships with it, so until it is changed anyone on the network can log in.

 

A static IP is needed for this install, so first we’ll stop the DHCP client service, disable it so it does not come back at boot and overwrite the static configuration, and set a hostname.

# systemctl stop dhcpcd.service
# systemctl disable dhcpcd.service
# hostnamectl set-hostname prefderpi

 

To set a static IP on the eth0 interface, create /etc/netctl/eth0 with a configuration similar to this, then run netctl enable eth0 so the profile is brought up at every boot:

Description='A basic static ethernet connection'
Interface=eth0
Connection=ethernet
IP=static
Address=('10.0.0.253/24')
Gateway='10.0.0.1'
DNS=('10.0.0.1')

 

Then you’ll want to edit your /etc/resolv.conf with your DNS servers:

nameserver 10.0.0.1
nameserver 208.67.220.220
nameserver 208.67.222.222
search epijunkie.com

Lines 2 and 3 are the OpenDNS name servers. Three is the maximum number of name servers the glibc resolver honours; it is not an Arch-specific limit. Note that when the netctl profile starts it regenerates /etc/resolv.conf from its own DNS= entries via resolvconf, so a hand edit like the one above is replaced at the next boot; to keep the OpenDNS fallbacks and the search domain, list them in the profile instead (DNS=('10.0.0.1' '208.67.220.220' '208.67.222.222') and DNSSearch='epijunkie.com'). After a quick reboot the rPi will start using the new IP address and hostname, and pinging google.com should work.

 

Next, update the package manager and update the base system install:

# pacman -Syu
:: Synchronizing package databases...
core 44.5 KiB 303K/s 00:00 [##########################################] 100%
extra 550.9 KiB 673K/s 00:01 [##########################################] 100%
community 591.6 KiB 1565K/s 00:00 [##########################################] 100%
alarm 7.8 KiB 7.58M/s 00:00 [##########################################] 100%
aur 20.6 KiB 10.1M/s 00:00 [##########################################] 100%
:: Starting full system upgrade...
:: Replace sysvinit-tools with core/procps-ng? [Y/n] Y
resolving dependencies...
looking for inter-conflicts...

Packages (47): coreutils-8.22-2 cronie-1.4.11-1 cryptsetup-1.6.3-1 curl-7.34.0-2 dbus-1.6.18-3 device-mapper-2.02.104-1
dhcpcd-6.1.0-1.1 file-5.16-1 glib2-2.38.2-1 grep-2.16-1 haveged-1.8-1 hwids-20130915.1-1
iana-etc-2.30-4 inetutils-1.9.1.341-2 iproute2-3.11.0-1 iptables-1.4.20-1 kbd-2.0.1-1 kmod-16-1
krb5-1.11.4-1 libcap-2.24-1 libdbus-1.6.18-3 libldap-2.4.38-1 libnl-3.2.23-1 libpipeline-1.2.6-1
linux-api-headers-3.12.4-1 linux-raspberrypi-3.10.25-2 lvm2-2.02.104-1 man-pages-3.55-1 mpfr-3.1.2.p5-1
netctl-1.4-2 ntp-4.2.6.p5-18 openssl-1.0.1.f-1 pacman-4.1.2-5 pacman-mirrorlist-20140107-1 pcre-8.34-1
procps-ng-3.3.9-1 raspberrypi-firmware-bootloader-20140109-1 raspberrypi-firmware-bootloader-x-20140109-1
raspberrypi-firmware-emergency-kernel-20140109-1 raspberrypi-firmware-tools-20140109-1 s-nail-14.5.1-1
systemd-208-3 systemd-sysvcompat-208-3 sysvinit-tools-2.88-12 [removal] tar-1.27.1-1 tzdata-2013i-1
util-linux-2.24-2

Total Download Size: 52.73 MiB
Total Installed Size: 141.39 MiB
Net Upgrade Size: 0.89 MiB

:: Proceed with installation? [Y/n] Y
:: Retrieving packages ...
libcap-2.24-1-armv6h 35.2 KiB 269K/s 00:00 [##########################################] 100%
openssl-1.0.1.f-1-armv6h 2.1 MiB 1316K/s 00:02 [##########################################] 100%
coreutils-8.22-2-armv6h 1967.3 KiB 3.29M/s 00:01 [##########################################] 100%
cronie-1.4.11-1-armv6h 54.8 KiB 5.95M/s 00:00 [##########################################] 100%
libdbus-1.6.18-3-armv6h 108.5 KiB 8.83M/s 00:00 [##########################################] 100%
<Lines Pruned>

 

Install the packages needed for this guide:

# pacman -S rsync mkinitcpio dropbear freeradius base-devel yaourt
:: There are 25 members in group base-devel:
:: Repository core
1) autoconf 2) automake 3) binutils 4) bison 5) fakeroot 6) file 7) findutils 8) flex 9) gawk 10) gcc
11) gettext 12) grep 13) groff 14) gzip 15) libtool 16) m4 17) make 18) pacman 19) patch 20) pkg-config 21) sed
22) sudo 23) texinfo 24) util-linux 25) which

Enter a selection (default=all): <Enter>
warning: file-5.16-1 is up to date -- reinstalling
warning: findutils-4.4.2-5 is up to date -- reinstalling
warning: gawk-4.1.0-2 is up to date -- reinstalling
warning: gettext-0.18.3.1-2 is up to date -- reinstalling
warning: grep-2.16-1 is up to date -- reinstalling
warning: groff-1.22.2-5 is up to date -- reinstalling
warning: gzip-1.6-1 is up to date -- reinstalling
warning: pacman-4.1.2-5 is up to date -- reinstalling
warning: sed-4.2.2-3 is up to date -- reinstalling
warning: texinfo-5.2-2 is up to date -- reinstalling
warning: util-linux-2.24-2 is up to date -- reinstalling
warning: which-2.20-6 is up to date -- reinstalling
resolving dependencies...
looking for inter-conflicts...

Packages (46): cloog-0.18.0-2 gc-7.2.d-2 guile-2.0.9-1 isl-0.11.1-1 libaio-0.3.109-7 libltdl-2.4.2-7
libmariadbclient-5.5.34-3 libmpc-1.0.1-2 mkinitcpio-busybox-1.21.1-2 net-snmp-5.7.2-8 package-query-1.2-2
postgresql-libs-9.3.2-4 ppl-1.0-1 talloc-2.0.8-2 yajl-2.0.4-2 autoconf-2.69-1 automake-1.14.1-1
binutils-2.23.1-3 bison-3.0.2-1 dropbear-2013.62-1 fakeroot-1.20-1 file-5.16-1 findutils-4.4.2-5
flex-2.5.37-1 freeradius-3.0.0-1 gawk-4.1.0-2 gcc-4.7.2-4 gettext-0.18.3.1-2 grep-2.16-1 groff-1.22.2-5
gzip-1.6-1 libtool-2.4.2-7 m4-1.4.17-1 make-4.0-2 mkinitcpio-16-2 openssl-1.0.1.f-1 pacman-4.1.2-5
patch-2.7.1-2 pkg-config-0.28-1 rsync-3.1.0-1 sed-4.2.2-3 sudo-1.8.8-1 texinfo-5.2-2 util-linux-2.24-2
which-2.20-6 yaourt-1.3-1

Total Download Size: 43.51 MiB
Total Installed Size: 228.44 MiB
Net Upgrade Size: 180.58 MiB

:: Proceed with installation? [Y/n] Y
:: Retrieving packages ...
gawk-4.1.0-2-armv6h 839.7 KiB 976K/s 00:01 [##########################################] 100%
mkinitcpio-busybox-1.21.1-2-armv6h 145.0 KiB 10.9M/s 00:00 [##########################################] 100%
findutils-4.4.2-5-armv6h 319.0 KiB 2.40M/s 00:00 [##########################################] 100%
gzip-1.6-1-armv6h 70.5 KiB 13.8M/s 00:00 [##########################################] 100%
<Lines Pruned>

 

Install the pre-boot ssh daemon:

This installs the dropbear_initrd_encrypt package from source using yaourt. It puts a small dropbear SSH daemon into the initramfs so you can SSH in and enter the FDE passphrase before the root filesystem is unlocked, which allows a completely headless system across reboots while keeping full disk encryption. Two caveats: AUR packages are unreviewed, user-contributed build scripts, and this one ships hooks that will run in your pre-boot environment with your LUKS passphrase passing through them, so read the PKGBUILD and the hook files before answering "n" to the edit prompts; and, as yaourt warns below, building as root means the build script itself runs as root, so build as an unprivileged user where you can.

# yaourt -S dropbear_initrd_encrypt
==> Downloading dropbear_initrd_encrypt PKGBUILD from AUR...
x dropbear_install
x dropbear_hook
x encryptssh_hook
x PKGBUILD
x dropbear_initrd_encrypt.install
x ChangeLog
x encryptssh_install

<Lines Omitted>
dropbear_initrd_encrypt 0.12-1 (Sun Oct 11 14:44:09 MDT 2009)
( Unsupported package: Potentially dangerous ! )
==> Edit PKGBUILD ? [Y/n] ("A" to abort)
==> ------------------------------------
==> n

==> dropbear_initrd_encrypt dependencies:
- dropbear (already installed)
- cryptsetup (already installed)
- psmisc (already installed)
- iproute2 (already installed)
- mkinitcpio-nfs-utils (package found)
==> Edit dropbear_initrd_encrypt.install ? [Y/n] ("A" to abort)
==> -----------------------------------------------------------
==> n

==> Continue building dropbear_initrd_encrypt ? [Y/n] Y
==> -------------------------------------------------
==>
==> Building and installing package
==> Install or build missing dependencies for dropbear_initrd_encrypt:
resolving dependencies...
looking for inter-conflicts...

Packages (1): mkinitcpio-nfs-utils-0.3-4

Total Download Size: 0.01 MiB
Total Installed Size: 0.07 MiB

:: Proceed with installation? [Y/n] Y
:: Retrieving packages ...
mkinitcpio-nfs-utils-0.3-4-armv6h 14.6 KiB 187K/s 00:00 [##########################################] 100%
(1/1) checking keys in keyring [##########################################] 100%
(1/1) checking package integrity [##########################################] 100%
(1/1) loading package files [##########################################] 100%
(1/1) checking for file conflicts [##########################################] 100%
(1/1) checking available disk space [##########################################] 100%
(1/1) installing mkinitcpio-nfs-utils [##########################################] 100%
==> WARNING: Building package as root is dangerous.
Please run yaourt as a non-privileged user.
==> Making package: dropbear_initrd_encrypt 0.12-1 (Sat Jan 11 16:16:40 MST 2014)
==> WARNING: Using a PKGBUILD without a package() function is deprecated.
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
-> Found ChangeLog
-> Found dropbear_hook
-> Found dropbear_install
-> Found encryptssh_hook
-> Found encryptssh_install
-> Found dropbear_initrd_encrypt.install
==> Validating source files with md5sums...
ChangeLog ... Passed
dropbear_hook ... Passed
dropbear_install ... Passed
encryptssh_hook ... Passed
encryptssh_install ... Passed
dropbear_initrd_encrypt.install ... Passed
==> Extracting sources...
==> Starting build()...
==> Tidying install...
-> Purging unwanted files...
-> Removing libtool files...
-> Removing static library files...
-> Compressing man and info pages...
-> Stripping unneeded symbols from binaries and libraries...
==> Creating package "dropbear_initrd_encrypt"...
-> Generating .PKGINFO file...
-> Adding changelog file...
-> Adding install file...
-> Generating .MTREE file...
-> Compressing package...
==> Finished making: dropbear_initrd_encrypt 0.12-1 (Sat Jan 11 16:16:44 MST 2014)

==> Continue installing dropbear_initrd_encrypt ? [Y/n]
==> [v]iew package contents [c]heck package with namcap
==> ---------------------------------------------------
==> y

loading packages...
resolving dependencies...
looking for inter-conflicts...

Packages (1): dropbear_initrd_encrypt-0.12-1

Total Installed Size: 0.01 MiB

:: Proceed with installation? [Y/n] y
(1/1) checking keys in keyring [##########################################] 100%
(1/1) checking package integrity [##########################################] 100%
(1/1) loading package files [##########################################] 100%
(1/1) checking for file conflicts [##########################################] 100%
(1/1) checking available disk space [##########################################] 100%
(1/1) installing dropbear_initrd_encrypt [##########################################] 100%
Insert your SSH public key into "/etc/dropbear/root_key", e.g. using
"cat ~/.ssh/id_rsa.pub > /etc/dropbear/root_key". Add the "ip=" kernel
command parameter to your bootloader configuration with the appropriate
arguments (see https://wiki.archlinux.org/index.php/Mkinitcpio#Using_net).

Afterwards add the "dropbear encryptssh" hooks before "filesystems" within
the "HOOKS" array in "/etc/mkinitcpio.conf". Finally rebuild the initramsfs
("mkinitcpio -p linux").

 

Prepare the partition:

Using fdisk, prepare the SD card for the encrypted partition. The transcript below deletes partition 5 (the logical partition inside the extended partition 2) and creates a new primary partition 3 in the free space after it. Be aware that partition 5 holds the root filesystem you are running from right now: it stays mounted and usable until the kernel loads the new table, but once that happens the unencrypted root can no longer be mounted. Since the rest of this guide only needs partition 3 to exist, you can skip the delete step and keep partition 5 as a fallback until the encrypted root is known to boot.

# fdisk /dev/mmcblk0

Welcome to fdisk (util-linux 2.24).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.
Command (m for help): p
Disk /dev/mmcblk0: 14.9 GiB, 15931539456 bytes, 31116288 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x417ee54b

Device Boot Start End Blocks Id System
/dev/mmcblk0p1 2048 186367 92160 c W95 FAT32 (LBA)
/dev/mmcblk0p2 186368 3667967 1740800 5 Extended
/dev/mmcblk0p5 188416 3667967 1739776 83 Linux

Command (m for help): d
Partition number (1,2,5, default 5): 5

Partition 5 has been deleted.

Command (m for help): n

Partition type:
p primary (1 primary, 1 extended, 2 free)
l logical (numbered from 5)
Select (default p): p
Partition number (3,4, default 3): 3
First sector (3667968-31116287, default 3667968):
Last sector, +sectors or +size{K,M,G,T,P} (3667968-31116287, default 31116287):

Created a new partition 3 of type 'Linux' and of size 13.1 GiB.

Command (m for help): w
The partition table has been altered.
Calling ioctl() to re-read partition table.
Re-reading the partition table failed.: Device or resource busy

The kernel still uses the old table. The new table will be used at the next reboot or after you run partprobe(8) or kpartx(8).

fdisk could not re-read the table because the device holds the mounted root filesystem. If you kept partition 5, reboot to let the kernel load the new partition table. If you deleted it as in the transcript above, do not reboot yet, since there would be no root filesystem to boot from; instead make the kernel see partition 3 without a reboot, for example with partx -a /dev/mmcblk0 (from util-linux), and continue from the running system.

 

Prepare the FDE volume:

Zero out the newly created partition, then use LUKS to set up the encrypted volume on all of partition 3. Filling the raw partition with zeros destroys any plaintext left there from earlier use of the card, which is the basic security it provides; it does not hide how much of the encrypted volume gets used later, because zeros are distinguishable from ciphertext. If that matters, fill the opened mapper device (/dev/mapper/root, after the luksOpen below) with zeros instead, so what reaches the card is ciphertext. Two notes on the cryptsetup command: aes-xts-plain with a 512-bit key is AES-256 in XTS mode, and the plain64 IV variant (aes-xts-plain64) is the one required on volumes larger than 2TiB, so it is the safer habit even though it makes no difference on a 16GB card; and the LUKS header at the start of partition 3 is the only copy of the key material, so after formatting take a backup with cryptsetup luksHeaderBackup and keep it off the card.

# dd if=/dev/zero of=/dev/mmcblk0p3 bs=1M
dd: error writing '/dev/mmcblk0p3': No space left on device
13403+0 records in
13402+0 records out
14053539840 bytes (14 GB) copied, 830.066 s, 16.9 MB/s

# cryptsetup -c aes-xts-plain -y -s 512 luksFormat /dev/mmcblk0p3
WARNING!
========
This will overwrite data on /dev/mmcblk0p3 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:

 

Format the encrypted volume:

Next, open the LUKS volume, which maps it to /dev/mapper/root, format the mapped device with ext4, and mount it at /mnt.

# cryptsetup luksOpen /dev/mmcblk0p3 root
Enter passphrase for /dev/mmcblk0p3: 

# mkfs.ext4 /dev/mapper/root
mke2fs 1.42.8 (20-Jun-2013)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
858480 inodes, 3430528 blocks
171526 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=3514826752
105 block groups
32768 blocks per group, 32768 fragments per group
8176 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208

Allocating group tables: done
Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done

# mount /dev/mapper/root /mnt

 

Rsync System:

Copy over the running Arch Linux system to the encrypted LUKS volume using rsync.

# rsync -ax / /mnt/

Using the --progress flag shows progress in the terminal at the expense of slowing down the transfer. The -x flag keeps rsync on the root filesystem, so /boot, /proc, /sys and the other separate mounts are not copied (their empty mount points are). From this point on, any files changed on the running system will also need to be copied to the new root so that the two installs stay consistent and future initrd builds are valid. /boot is its own partition that both installs share, so edits there apply to both and won’t need syncing. Edits done under /mnt/* only affect the post-FDE environment, such as the fstab discussed below.

 

Update the hostname on the encrypted install.

# echo "postfderpi" > /mnt/etc/hostname

 

Append initramfs initrd 0x00f00000 to the end of /boot/config.txt, or run the command below. This tells the firmware to load the file initrd from the boot partition at address 0x00f00000; the same address must be passed to the kernel via initrd= in cmdline.txt below.

# echo "initramfs initrd 0x00f00000" >> /boot/config.txt

 

Edit the encrypted volume’s fstab file, /mnt/etc/fstab, so that the root partition is the new LUKS mapping:

/dev/mmcblk0p1      /boot       vfat    defaults                    0      0
/dev/mapper/root    /           ext4    defaults,commit=120,noatime 0      1

It is suggested to use tabs in-between the options above rather than spaces.

 

Add the ip=, cryptdevice= and initrd= parameters and change root= to the LUKS-mapped device rather than the physical partition in /boot/cmdline.txt:

ipv6.disable=1 ip=10.0.0.253::10.0.0.1:255.255.255.0:postfderpi:eth0:static avoid_safe_mode=1 selinux=0 plymouth.enable=0 smsc95xx.turbo_mode=N dwc_otg.lpm_enable=0 console=ttyAMA0,115200 kgdboc=ttyAMA0,115200 console=tty1 cryptdevice=/dev/mmcblk0p3:root: root=/dev/mapper/root initrd=0x00f00000 rootfstype=ext4 elevator=noop rootwait

The ip= format is the kernel’s nfsroot one, ip=client-ip:server-ip:gateway:netmask:hostname:device:autoconf (the server-ip field is left empty here), which is what the dropbear hook uses to bring up eth0 in the initramfs; the Arch wiki page on mkinitcpio networking referenced in the package’s install message documents it. Relative to the stock cmdline.txt, the parts to add or change are ip=, cryptdevice=/dev/mmcblk0p3:root: (the encrypted partition and the mapper name the hook should unlock it as), root=/dev/mapper/root, and initrd=0x00f00000, which must match the address in config.txt.

 

Edit the HOOKS declaration in /etc/mkinitcpio.conf to something like this:

HOOKS="base udev autodetect modconf block keyboard dropbear encryptssh filesystems fsck"

Relative to the standard Arch Linux HOOKS line, move keyboard to just after block and add dropbear and encryptssh after it, so all three come before filesystems, the order the package’s install message asks for.

 

Copy this file to the new encrypted install:

# cp /etc/mkinitcpio.conf /mnt/etc/mkinitcpio.conf

 

Setup the pre-boot sshd keys:

The public key of the machine you will SSH from to enter the FDE passphrase in the pre-boot environment needs to be placed in /etc/dropbear/root_key. That file is the pre-boot daemon’s only list of authorized keys, so only put keys there that you trust with the passphrase. The command below should work on most *nix based devices (the rPi is at its static address by now):

remote_user@remote_host$ scp .ssh/id_rsa.pub root@10.0.0.253:/etc/dropbear/root_key

 

Back on the rPi, use dropbearconvert to convert the running OpenSSH daemon’s host keys for the pre-boot dropbear daemon, so the host key fingerprint your client sees before and after the root is unlocked is the same. The DSS (DSA) key is optional and, being 1024-bit, weak by current standards; the RSA key on its own is enough.

# cd /etc/dropbear
# dropbearconvert openssh dropbear /etc/ssh/ssh_host_rsa_key dropbear_rsa_host_key
Key is a RSA key
Wrote key to '/etc/dropbear/dropbear_rsa_host_key'

# dropbearconvert openssh dropbear /etc/ssh/ssh_host_dsa_key dropbear_dss_host_key
Key is a DSS key
Wrote key to '/etc/dropbear/dropbear_dss_host_key'

# cp /etc/dropbear/* /mnt/etc/dropbear/

 

Build the initrd image:

uname -r gives the version string of the running kernel, which mkinitcpio needs in order to pick up the right modules:

# uname -r
3.10.25-2-ARCH

 

Using the output string from above and enter into the command below.

# mkinitcpio -k 3.10.25-2-ARCH -g /boot/initrd
==> Starting build: 3.10.25-2-ARCH
-> Running build hook: [base]
-> Running build hook: [udev]
-> Running build hook: [autodetect]
-> Running build hook: [modconf]
-> Running build hook: [block]
-> Running build hook: [keyboard]
-> Running build hook: [dropbear]
dropbear_dss_host_key : md5 a4:6a:78:1d:52:d6:72:ae:b6:23:25:cc:1f:4c:6a:ba
dropbear_rsa_host_key : md5 64:ec:10:75:ec:53:52:ec:15:50:11:35:b6:86:c6:11
-> Running build hook: [encryptssh]
-> Running build hook: [filesystems]
-> Running build hook: [fsck]
==> Generating module dependencies
==> Creating gzip initcpio image: /boot/initrd
==> Image generation successful

Updated: 20140623. Please note that building this initrd image ties it to the particular kernel version. Updating the kernel invalidates the initrd, so it has to be rebuilt after any kernel update and before rebooting. Be careful with the one-liner below: uname -r reports the kernel that is currently running, which right after a kernel upgrade is no longer the one installed under /lib/modules/, and mkinitcpio will refuse to build for a version whose module directory is gone. In that situation use the version of the new directory under /lib/modules/ instead of uname -r.

mkinitcpio -k `uname -r` -g /boot/initrd
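The boot-side edits above (config.txt, cmdline.txt and the HOOKS line) are easy to get subtly wrong by hand, and the kernel-update note has a trap in it. As an added example that is not from the original post, the POSIX shell functions below make those edits on whatever files you point them at, refuse to run when the HOOKS line has no block or filesystems hook, check that the initrd address in config.txt and cmdline.txt agree, and pick the kernel version from the modules directory rather than uname -r. The file paths, the addresses and the quoted HOOKS="..." form of the 2014 mkinitcpio.conf are assumptions; try the functions on copies of the files first.

```shell
#!/bin/sh
# Added example for the boot-side edits above (not from the original post).
# Assumptions: files are passed as arguments so this can be tried on copies;
# cmdline.txt is a single line; mkinitcpio.conf uses the quoted HOOKS="..." form
# of the 2014 package; the initrd load address is the one the guide uses.
set -u

# add_initramfs_line CONFIG_TXT ADDR: append "initramfs initrd ADDR", or update an
# existing initramfs line instead of adding a second one.
add_initramfs_line() {
    cfg=$1; addr=$2
    if grep -q '^initramfs ' "$cfg" 2>/dev/null; then
        sed -i.bak "s|^initramfs .*|initramfs initrd $addr|" "$cfg" && rm -f "$cfg.bak"
    else
        printf 'initramfs initrd %s\n' "$addr" >> "$cfg"
    fi
}

# patch_cmdline FILE IP GATEWAY NETMASK HOSTNAME CRYPTPART ADDR: drop any existing
# ip=/root=/cryptdevice=/initrd= tokens, keep everything else in order, and add the
# ones that boot from the LUKS-mapped root through the pre-boot sshd. Re-runnable.
patch_cmdline() {
    f=$1; ip=$2; gw=$3; mask=$4; host=$5; part=$6; addr=$7
    new=$(awk -v ip="$ip::$gw:$mask:$host:eth0:static" -v cd="$part:root:" -v addr="$addr" '
        NR == 1 {
            out = "ip=" ip
            for (i = 1; i <= NF; i++) {
                # rootfstype= and rootwait do not match ^root= and are kept
                if ($i ~ /^(ip|root|cryptdevice|initrd)=/) continue
                out = out " " $i
            }
            print out " cryptdevice=" cd " root=/dev/mapper/root initrd=" addr
            exit
        }' "$f")
    printf '%s\n' "$new" > "$f"
}

# patch_hooks MKINITCPIO_CONF: place "keyboard dropbear encryptssh" directly after
# block (hence before filesystems). Refuses a HOOKS line without block/filesystems,
# because the encryptssh hook would then have no device or root to unlock.
patch_hooks() {
    f=$1
    line=$(grep '^HOOKS=' "$f") || { echo "no HOOKS= line in $f" >&2; return 1; }
    hooks=$(printf '%s\n' "$line" | sed 's/^HOOKS="\(.*\)"$/\1/')
    case " $hooks " in *" block "*) ;; *) echo "HOOKS lacks block" >&2; return 1 ;; esac
    case " $hooks " in *" filesystems "*) ;; *) echo "HOOKS lacks filesystems" >&2; return 1 ;; esac
    newhooks=$(printf '%s\n' "$hooks" | awk '{
        out = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "keyboard" || $i == "dropbear" || $i == "encryptssh") continue
            sep = (out == "") ? "" : " "
            out = out sep $i
            if ($i == "block") out = out " keyboard dropbear encryptssh"
        }
        print out
    }')
    sed -i.bak "s|^HOOKS=.*|HOOKS=\"$newhooks\"|" "$f" && rm -f "$f.bak"
}

# installed_kernel_version [MODDIR]: the one directory under /lib/modules, which is
# what mkinitcpio -k needs. After a kernel upgrade this differs from uname -r until
# the reboot, and the running kernel's module directory is already gone.
installed_kernel_version() {
    moddir=${1:-/lib/modules}
    n=0; ver=""
    for d in "$moddir"/*/; do
        [ -d "$d" ] || continue
        n=$((n + 1)); ver=$(basename "$d")
    done
    [ "$n" -eq 1 ] || { echo "expected one kernel under $moddir, found $n" >&2; return 1; }
    printf '%s\n' "$ver"
}

# check_initrd_address CONFIG_TXT CMDLINE_TXT: the firmware load address and the
# initrd= value the kernel is given must be the same number.
check_initrd_address() {
    a=$(sed -n 's/^initramfs initrd \(.*\)$/\1/p' "$1")
    b=$(tr ' ' '\n' < "$2" | sed -n 's/^initrd=//p')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Typical use on the real files, once the encrypted root is rsynced and mounted:
#   patch_cmdline /boot/cmdline.txt 10.0.0.253 10.0.0.1 255.255.255.0 postfderpi /dev/mmcblk0p3 0x00f00000
#   add_initramfs_line /boot/config.txt 0x00f00000
#   patch_hooks /etc/mkinitcpio.conf && cp /etc/mkinitcpio.conf /mnt/etc/mkinitcpio.conf
#   check_initrd_address /boot/config.txt /boot/cmdline.txt \
#       && mkinitcpio -k "$(installed_kernel_version)" -g /boot/initrd
```

Every function is safe to run twice: the second run leaves the files unchanged, which is what you want when the same script is used after a kernel update.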

 

Hope:

At this point we are at the moment of truth. Reboot, SSH as root to the IP set in the ip= section of /boot/cmdline.txt, and enter the FDE passphrase. Before typing it, compare the host key fingerprint your client shows with the one the dropbear build hook printed above (md5 64:ec:10:...); it is the same key the OpenSSH daemon presented when you first connected. That check protects against an impostor on the network, but not against someone who has had physical access to the card: the initramfs, dropbear host keys included, lives on the unencrypted /boot partition, so the pre-boot environment itself can be replaced and would still present the right fingerprint. Treat the card as something that must not leave your control. If the passphrase is correct the SSH connection is dropped immediately after hitting enter. After a minute or two you should be able to SSH into the fully booted environment. If you cannot, directions were likely not followed, and you’ll need to undo the edits to files in the /boot directory to boot the unencrypted install (assuming its partition still exists). You can modify the files on any machine simply by mounting the SD card on another system, since the /boot partition is a plain FAT filesystem.

 

Configuring FreeRADIUS:

With the 3.x series of FreeRADIUS the configuration syntax has changed slightly since version 2.x, and the folder structure has changed slightly as well.

Updated: 20160513. Thanks to “mkinitcpio” for the update. Apparently FreeRADIUS 3.0.11 adds sanity checks to the configuration that break previously working configs, including the one below. See his post below.

Create server certificates:

A new certificate needs to be created for this particular FreeRADIUS instance, so you need a Certificate Authority set up on a machine; a recent tutorial of mine covered setting one up. Log into that machine and create the server certificate. In this guide we’re logging on to our previous example and creating another certificate using ssl-admin.

 

# ssl-admin
This program will walk you through requesting, signing,
organizing and revoking SSL certificates.

===> Creating initial CRL.Using configuration from /usr/local/etc/ssl-admin/open
ssl.conf
Enter pass phrase for /usr/local/etc/ssl-admin/active/ca.key: ThisShouldBeLongToo
ssl-admin installed Sun Dec 29 16:02:41 MST 2013
OPTIONAL: I can't find your OpenVPN client config.  Please copy your config to
/usr/local/etc/ssl-admin/packages/client.ovpn

=====================================================
#                  SSL-ADMIN                        #
=====================================================
Please enter the menu option from the following list:
1) Update run-time options:
     Key Duration (days): 3650
     Current Serial #: 01
     Key Size (bits): 4096
     Intermediate CA Signing: NO
2) Create new Certificate Request
3) Sign a Certificate Request
4) Perform a one-step request/sign
5) Revoke a Certificate
6) Renew/Re-sign a past Certificate Request
7) View current Certificate Revokation List
8) View index information for certificate.
i) Generate a user config with in-line certifcates and keys.
z) Zip files for end user.
dh) Generate Diffie Hellman parameters.
CA) Create new Self-Signed CA certificate.
S) Create new Signed Server certificate.
q) Quit ssl-admin

Menu Item: S
Please enter certificate owner's name or ID.
Usual format is first initial-last name (jdoe) or
hostname of server which will use this certificate.
All lower case, numbers OK.
Owner []: rpiradius

File names will use wifiapname.
Please enter certificate owner's name or ID.
Usual format is first initial-last name (jdoe) or
hostname of server which will use this certificate.
All lower case, numbers OK.
Owner [rpiradius]: 
Would you like to password protect the private key (y/n): y
Generating a 4096 bit RSA private key
................................................................................
.............................++
...................................++
writing new private key to 'rpiradius.key'
Enter PEM pass phrase: ThisUniqueKeyMustMatchYourEAP.confFileOtherWiseItWontWork
Verifying - Enter PEM pass phrase: ThisUniqueKeyMustMatchYourEAP.confFileOtherWiseItWontWork
-----
===> Serial Number = 19
Using configuration from /usr/local/etc/ssl-admin/openssl.conf
Enter pass phrase for /usr/local/etc/ssl-admin/active/ca.key: ThisShouldBeLongToo
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'New Mexico'
localityName          :PRINTABLE:'Albuquerque'
organizationName      :PRINTABLE:'Lead Street Security'
commonName            :PRINTABLE:'rpiradius'
emailAddress          :IA5STRING:'webmaster@epijunkie.com'
Certificate is to be certified until Dec 27 23:08:26 2023 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
=========> Moving certificates and keys to /usr/local/etc/ssl-admin/active for production.
Can I move signing request (rpiradius.csr) to the csr directory for archiving?
(y/n): y
===> rpiradius.csr moved.

 

Next, back on the rPi, delete all the files in /etc/raddb/certs. These are the sample certificates and scripts the package ships; the sample keys are public, so they must not be left in place on a real server:

# cd /etc/raddb/certs
# rm *

 

Over on the CA machine, copy the newly created certificate and key and the CA certificate to the rPi via scp (ssl-admin keeps them under /usr/local/etc/ssl-admin/active, as its output above shows). Afterwards, on the rPi, make sure the files belong to the user the daemon runs as (radiusd, per the security section of radiusd.conf below) and that the private key is not world-readable, e.g. chown radiusd:radiusd /etc/raddb/certs/* followed by chmod 600 /etc/raddb/certs/rpiradius.key:

remote_user@localCA$ cd /usr/local/etc/ssl-admin/active/

remote_user@localCA$ scp rpiradius.* root@10.0.0.253:/etc/raddb/certs/

remote_user@localCA$ scp ca.crt root@10.0.0.253:/etc/raddb/certs/

 

Create the DH parameters by executing the following on the rPi:

# cd /etc/raddb/certs
# openssl dhparam -outform PEM -out dhparam.pem 4096
Generating DH parameters, 4096 bit long safe prime, generator 2
This is going to take a long time
..........................................+......................................................................................................................................+.........................................................................................................................................................................+......................
<Lines Pruned>
......................................................................+.........................................+.....................................+.................................................................................................................................................................................................................................+........................................................................................................................+.+...........................................................................................................................++*++*

Generating 4096-bit DH parameters on a Raspberry Pi takes an exceptionally long time (1272m50.834s, about 21 hours, when I ran the command through time). DH parameters are public values, not a secret, so it is perfectly safe to generate them on a faster machine and copy the file over; 2048-bit parameters are also a common choice and take a fraction of the time. If you do run it on the rPi, use screen for at least this part of the installation, if you don’t already use that incredibly useful tool generally.

 

Configure FreeRADIUS3:

As stated above, some configuration files have different options than in FreeRADIUS 2.x, and /etc/raddb/ has a different structure.

First let’s edit the /etc/raddb/radiusd.conf file. Settings worth noting: the listen block binds the auth port (port = 0 means the default, 1812) to the static address only; auth_badpass and auth_goodpass stay off so passwords never reach the log; and the security block drops privileges to the radiusd user and disables core dumps, which could otherwise contain key material.

prefix = /usr
exec_prefix = ${prefix}
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/bin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
name = radiusd
confdir = ${raddbdir}
modconfdir = ${confdir}/mods-config
certdir = ${confdir}/certs
cadir = ${confdir}/certs
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/${name}.pid
max_request_time = 30
cleanup_delay = 5
#max_requests: This should be 256 multiplied by the number of clients.
max_requests = 1024
hostname_lookups = no

listen {
    type = auth
    ipaddr = 10.0.0.253
    port = 0
}

log {
    destination = files
    colourise = yes
    file = ${logdir}/radius.log
    syslog_facility = daemon
    stripped_names = no
    auth = yes
    auth_badpass = no
    auth_goodpass = no
}

checkrad = ${sbindir}/checkrad

security {
    user = radiusd
    group = radiusd
    allow_core_dumps = no
    max_attributes = 200
    reject_delay = 1
    status_server = no
}

proxy_requests = no
$INCLUDE clients.conf

thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 0
    auto_limit_acct = no
}

modules {
    $INCLUDE mods-enabled/
}

instantiate { }

policy {
    $INCLUDE policy.d/
}

$INCLUDE sites-enabled/

 

Next, edit the /etc/raddb/clients.conf file. This file tells the daemon which APs or routers may connect to the server and use the RADIUS service. Even though it's named clients.conf, it refers to the Authenticator in the 802.1X process (not to be confused with the Authentication Server, which is what we are configuring in this guide).

client rpiradius {
    ipaddr = 10.0.0.2
    proto = *
    secret = MakeThisUniqueRandomStringLongAsItWillNeverBeNeededToTypedIn.IfUsingDD-WRTTheUndocumentedMaxLengthIs79Characters
    require_message_authenticator = yes
    nas_type = other

    limit {
        max_connections = 16
        lifetime = 0
        idle_timeout = 30
    }
}
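The shared secret and require_message_authenticator = yes in clients.conf are what bind a request to the configured AP rather than to its source IP address alone. The following is an added example (not code from the post or from FreeRADIUS) that builds an Access-Request and its Access-Accept and checks the Message-Authenticator (HMAC-MD5 keyed with the shared secret, RFC 2869) and the Response Authenticator (RFC 2865); the all-zero Message-Authenticator in the debug output further down is the placeholder the HMAC is computed over before the packet is sent. All packet values and the secret are constructed.

```python
"""Message-Authenticator (RFC 2869) and Response Authenticator (RFC 2865) checks.

Added example, not part of the original post. All values are constructed; the
secret below is a demo value, not the one from clients.conf.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_MESSAGE_AUTHENTICATOR = 1, 80
HEADER_LEN, MAC_LEN = 20, 16


def encode_attr(attr_type, value):
    """Encode one attribute as Type | Length | Value (RFC 2865 section 5)."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def find_message_authenticator(packet):
    """Offset of the 16-byte Message-Authenticator value, or None if absent/malformed."""
    pos = HEADER_LEN
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            return None
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            return pos + 2 if attr_len == 2 + MAC_LEN else None
        pos += attr_len
    return None


def message_authenticator(packet, secret, request_authenticator):
    """HMAC-MD5 keyed with the shared secret over the packet, with the header
    authenticator set to the Request Authenticator and the attribute value zeroed."""
    off = find_message_authenticator(packet)
    if off is None:
        return None
    zeroed = (packet[:4] + request_authenticator + packet[HEADER_LEN:off]
              + bytes(MAC_LEN) + packet[off + MAC_LEN:])
    return hmac.new(secret, zeroed, hashlib.md5).digest()


def response_authenticator(packet, request_authenticator, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret) for replies."""
    return hashlib.md5(packet[:4] + request_authenticator
                       + packet[HEADER_LEN:] + secret).digest()


def sign(code, identifier, request_authenticator, attrs, secret):
    """Build a packet: fill in Message-Authenticator first, then (for replies)
    overwrite the header authenticator with the Response Authenticator."""
    body = b"".join(attrs) + encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(MAC_LEN))
    pkt = (struct.pack("!BBH", code, identifier, HEADER_LEN + len(body))
           + request_authenticator + body)
    off = find_message_authenticator(pkt)
    mac = message_authenticator(pkt, secret, request_authenticator)
    pkt = pkt[:off] + mac + pkt[off + MAC_LEN:]
    if code != ACCESS_REQUEST:
        pkt = pkt[:4] + response_authenticator(pkt, request_authenticator, secret) + pkt[HEADER_LEN:]
    return pkt


def verify(packet, secret, request_authenticator=None):
    """What require_message_authenticator = yes enforces on the server side: the
    attribute must be present and its HMAC correct. Replies are additionally
    checked against the Response Authenticator, as a NAS would do."""
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    if request_authenticator is None:  # for requests it sits in the header
        request_authenticator = packet[4:HEADER_LEN]
    off = find_message_authenticator(packet)
    expected = message_authenticator(packet, secret, request_authenticator)
    if expected is None or not hmac.compare_digest(expected, packet[off:off + MAC_LEN]):
        return False
    if packet[0] != ACCESS_REQUEST:
        return hmac.compare_digest(
            response_authenticator(packet, request_authenticator, secret),
            packet[4:HEADER_LEN])
    return True


def demo(secret=b"constructed-demo-secret"):
    """Sign a request/reply pair for user tutandroid and show what verification
    catches. Returns (request_ok, reply_ok, wrong_secret_ok, tampered_ok)."""
    req_auth = os.urandom(16)  # RFC 2865: unpredictable per request
    attrs = [encode_attr(ATTR_USER_NAME, b"tutandroid")]
    req = sign(ACCESS_REQUEST, 76, req_auth, attrs, secret)
    reply = sign(ACCESS_ACCEPT, 76, req_auth, attrs, secret)
    tampered = req.replace(b"tutandroid", b"tutandr0id")  # same length, altered User-Name
    return (verify(req, secret),
            verify(reply, secret, req_auth),
            verify(req, b"wrong-secret"),
            verify(tampered, secret))
```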

 

Next, the modules will be configured and the unnecessary ones disabled. A module is disabled by deleting its symbolic link in the /etc/raddb/mods-enabled/ directory.

# cd /etc/raddb/mods-enabled/
# rm chap ntlm_auth unix digest pap mschap passwd

 

Next, edit the /etc/raddb/mods-enabled/eap file. Below is the configuration to allow only EAP-TLS authentication with the HIGH cipher suites, and as such it is heavily pruned. This is one example of where the configuration syntax has changed.

eap {
    default_eap_type = tls
    timer_expire = 60
    ignore_unknown_eap_types = yes
    cisco_accounting_username_bug = no
    max_sessions = 4096

    tls-config tls-common {
        private_key_password = ThisUniqueKeyMustMatchYourEAP.confFileOtherWiseItWontWork
        private_key_file = ${certdir}/rpiradius.key
        certificate_file = ${certdir}/rpiradius.crt
        ca_file = ${cadir}/ca.crt
        dh_file = ${certdir}/dhparam.pem
        random_file = /dev/urandom
        # check_crl = yes
        ca_path = ${cadir}
        cipher_list = "HIGH"

        cache {
            enable = yes
            lifetime = 24 # hours
            max_entries = 255
            # must match the directory created in the permissions step below
            persist_dir = "/tmp/radiusd/tlscache"
        }

        verify {
            # must match the directory created in the permissions step below
            tmpdir = /tmp/radiusd
            client = "/usr/bin/openssl verify -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename}"
        }
    }

    tls {
        tls = tls-common
    }
}

 

These commands set up the site (virtual server) configuration that holds the settings/profile for the AP.

# cd /etc/raddb/sites-available/
# cp example rpiradius
# cd /etc/raddb/sites-enabled
# rm *
# ln -s ../sites-available/rpiradius ./rpiradius

 

Now to edit the /etc/raddb/sites-available/rpiradius file.

authorize {
    preprocess
    auth_log
    eap {
        ok = return
    }

    expiration
    logintime
}

authenticate {
    eap
}

preacct {
    preprocess

    acct_unique
    suffix
    files
}

session {
    radutmp
}

post-auth {
    exec
    Post-Auth-Type REJECT {
        attr_filter.access_reject
        eap
    }
}

 

Cleaning up the permissions and files:

The folders /tmp/radiusd and /tmp/radiusd/tlscache will need to be created. The first is where the certificate of a Supplicant attempting to authenticate is temporarily stored while it is verified; the second is where TLS sessions are cached for quick re-authentication. Quick re-authentication is helpful for time-sensitive applications such as VoIP or teleconferences. Then we'll fix the permissions so that only the user radiusd can access the configuration files and certificates.

# mkdir /tmp/radiusd
# mkdir /tmp/radiusd/tlscache
# chown -R radiusd:radiusd /tmp/radiusd
# chmod -R 700 /tmp/radiusd
# chown -R radiusd:radiusd /etc/raddb/

Now to start the freeradius daemon in debug mode to check for errors:

# radiusd -X
radiusd: FreeRADIUS Version 3.0.0, for host armv6l-unknown-linux-gnu, built on Nov 2 2013 at 10:59:45
Copyright (C) 1999-2013 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
including dictionary file /etc/raddb/dictionary
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/mods-enabled/
including configuration file /etc/raddb/mods-enabled/preprocess
including configuration file /etc/raddb/mods-enabled/attr_filter
including configuration file /etc/raddb/mods-enabled/detail.log
including configuration file /etc/raddb/mods-enabled/dhcp
including configuration file /etc/raddb/mods-enabled/eap
including configuration file /etc/raddb/mods-enabled/radutmp
including configuration file /etc/raddb/mods-enabled/files
including configuration file /etc/raddb/mods-enabled/always
including configuration file /etc/raddb/mods-enabled/detail
including configuration file /etc/raddb/mods-enabled/cache_eap
including configuration file /etc/raddb/mods-enabled/expr
including configuration file /etc/raddb/mods-enabled/utf8
including configuration file /etc/raddb/mods-enabled/dynamic_clients
including configuration file /etc/raddb/mods-enabled/sradutmp
including configuration file /etc/raddb/mods-enabled/exec
including configuration file /etc/raddb/mods-enabled/echo
including configuration file /etc/raddb/mods-enabled/logintime
including configuration file /etc/raddb/mods-enabled/soh
including configuration file /etc/raddb/mods-enabled/expiration
including configuration file /etc/raddb/mods-enabled/replicate
including configuration file /etc/raddb/mods-enabled/realm
including configuration file /etc/raddb/mods-enabled/linelog
including files in directory /etc/raddb/policy.d/
including configuration file /etc/raddb/policy.d/dhcp
including configuration file /etc/raddb/policy.d/operator-name
including configuration file /etc/raddb/policy.d/eap
including configuration file /etc/raddb/policy.d/filter
including configuration file /etc/raddb/policy.d/cui
including configuration file /etc/raddb/policy.d/control
including configuration file /etc/raddb/policy.d/accounting
including configuration file /etc/raddb/policy.d/canonicalization
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/rpiradius
main {
security {
user = "radiusd"
group = "radiusd"
allow_core_dumps = no
}
}
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/bin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/bin/checkrad"
debug_level = 0
proxy_requests = no
log {
stripped_names = no
auth = yes
auth_badpass = no
auth_goodpass = no
colourise = yes
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
radiusd: #### Loading Clients ####
client rpiradius {
ipaddr = 10.0.0.1
require_message_authenticator = yes
secret = "MakeThisUniqueRandomStringLongAsItWillNeverBeNeededToTypedIn.IfUsingDD-WRTTheUndocumentedMaxLengthIs79Characters"
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
radiusd: #### Instantiating modules ####
instantiate {
}
modules {
# Loaded module rlm_preprocess
# Instantiating module "preprocess" from file /etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /etc/raddb/mods-config/preprocess/hints
# Loaded module rlm_attr_filter
# Instantiating module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject
# Instantiating module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response
# Loaded module rlm_detail
# Instantiating module "auth_log" from file /etc/raddb/mods-enabled/detail.log
detail auth_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
dir_permissions = 493
locking = no
log_packet_header = no
}
# Instantiating module "reply_log" from file /etc/raddb/mods-enabled/detail.log
detail reply_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
dir_permissions = 493
locking = no
log_packet_header = no
}
# Instantiating module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
dir_permissions = 493
locking = no
log_packet_header = no
}
# Instantiating module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
dir_permissions = 493
locking = no
log_packet_header = no
}
# Loaded module rlm_dhcp
# Instantiating module "dhcp" from file /etc/raddb/mods-enabled/dhcp
# Loaded module rlm_eap
# Instantiating module "eap" from file /etc/raddb/mods-enabled/eap
eap {
default_eap_type = "tls"
timer_expire = 60
ignore_unknown_eap_types = no
mod_accounting_username_bug = no
max_sessions = 4096
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
ca_path = "/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/etc/raddb/certs/rpiradius.key"
certificate_file = "/etc/raddb/certs/rpiradius.crt"
ca_file = "/etc/raddb/certs/ca.crt"
private_key_password="ThisUniqueKeyMustMatchYourEAP.confFileOtherWiseItWontWork"
dh_file = "/etc/raddb/certs/dhparam.pem"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "HIGH"
cache {
enable = yes
lifetime = 24
max_entries = 255
persist_dir = "/tmp/radiusd/tlscache"
}
verify {
tmpdir = "/tmp/radiusd"
}
ocsp {
enable = no
override_cert_url = no
use_nonce = yes
timeout = 0
softfail = yes
}
}
# Loaded module rlm_radutmp
# Instantiating module "radutmp" from file /etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_files
# Instantiating module "files" from file /etc/raddb/mods-enabled/files
files {
filename = "/etc/raddb/mods-config/files/authorize"
usersfile = "/etc/raddb/mods-config/files/authorize"
acctusersfile = "/etc/raddb/mods-config/files/accounting"
preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"
compat = "no"
}
reading pairlist file /etc/raddb/mods-config/files/authorize
reading pairlist file /etc/raddb/mods-config/files/authorize
reading pairlist file /etc/raddb/mods-config/files/accounting
reading pairlist file /etc/raddb/mods-config/files/pre-proxy
# Loaded module rlm_always
# Instantiating module "fail" from file /etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Instantiating module "reject" from file /etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Instantiating module "noop" from file /etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Instantiating module "handled" from file /etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Instantiating module "updated" from file /etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Instantiating module "notfound" from file /etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Instantiating module "ok" from file /etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Instantiating module "detail" from file /etc/raddb/mods-enabled/detail
detail {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
dir_permissions = 493
locking = no
log_packet_header = no
}
# Loaded module rlm_cache
# Instantiating module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap
cache cache_eap {
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 16384
epoch = 0
add_stats = no
}
# Loaded module rlm_expr
# Instantiating module "expr" from file /etc/raddb/mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
}
# Loaded module rlm_utf8
# Instantiating module "utf8" from file /etc/raddb/mods-enabled/utf8
# Loaded module rlm_dynamic_clients
# Instantiating module "dynamic_clients" from file /etc/raddb/mods-enabled/dynamic_clients
# Instantiating module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_exec
# Instantiating module "exec" from file /etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
# Instantiating module "echo" from file /etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loaded module rlm_logintime
# Instantiating module "logintime" from file /etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_soh
# Instantiating module "soh" from file /etc/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_expiration
# Instantiating module "expiration" from file /etc/raddb/mods-enabled/expiration
# Loaded module rlm_replicate
# Instantiating module "replicate" from file /etc/raddb/mods-enabled/replicate
# Loaded module rlm_realm
# Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Instantiating module "realmpercent" from file /etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_linelog
# Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog
linelog {
filename = "/var/log/radius/linelog"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "%{%{Packet-Type}:-format}"
}
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading virtual module acct_unique
# Loading session {...}
# Loading post-auth {...}
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 10.0.0.253
port = 0
}
Listening on auth address 10.0.0.253 port 1812
Ready to process requests.

This last line is the most important. If you see it, you have a running RADIUS authentication server and, at this point, the configuration files are probably correct.

 

Configuring the Access Point:

I'd suggest using a router/AP capable of running DD-WRT. It's a custom firmware that runs on many home/SOHO class routers and AP devices; yours may be supported. Below is a cropped screenshot of the Wireless > Wireless Security section for this tutorial's wireless setup.

DD-WRT isn’t required but is known to work well with 802.1X wireless access. My stock Netgear firmware on my AP allowed for this to work as well but I’m typically not one to keep things stock.

An advantage of using DD-WRT is that it is possible to configure a backup RADIUS server, which has been done here: the RADIUS install from the previous guide is the secondary and this install is the primary.

[Screenshot: DD-WRT Wireless > Wireless Security section]

Now try to connect a client.

<Lines Pruned>
(20) eap_tls : Received TLS ACK
(20) eap_tls : Received TLS ACK
(20) eap_tls : ACK handshake is finished
(20) eap_tls : eaptls_verify returned 3
(20) eap_tls : eaptls_process returned 3
(20) eap_tls : Saving session dce546c87102e95ab9b0bdffebd0af2e1681aa7070de505b5c9e10289c7652d5 vps 0x108c120 in the cache
(20) eap : Freeing handler
(20) [eap] = ok
(20) } # authenticate = ok
(20) Login OK: [tutandroid] (from client rpiradius port 2 cli 60-BE-B5-00-00-00)
(20) # Executing section post-auth from file /etc/raddb/sites-enabled/rpiradius
(20) post-auth {
(20) [exec] = noop
(20) } # post-auth = noop
Sending Access-Accept of id 76 from 10.0.0.253 port 1812 to 10.0.0.2 port 56318
MS-MPPE-Recv-Key = 0xda100e3006a8710287102d525f0a7b63a0b4322f8d946ecb0e95eb01965db856
MS-MPPE-Send-Key = 0xbede6a62d9ca1d49e0b8f5672e8dfae817d505da050feb658b016c2e20757ec9
EAP-Message = 0x037a0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = 'tutandroid'
(20) Finished request 20.
Waking up in 0.1 seconds.
Waking up in 3.5 seconds.
Ready to process requests.


At this point you can safely assume that the certificates work, as does the daemon. You can terminate the debug mode of radiusd by sending a SIGINT with Ctrl + C.
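With auth = yes (and both auth_badpass and auth_goodpass left at no, so passwords stay out of the log) in the radiusd.conf log section, radius.log records a line of the same shape as the Login OK line above for every accept and reject. As an added example (not from the post), here is a small parser that turns those lines into per-supplicant counts and flags repeated rejects; SAMPLE_LOG is constructed and its failure reasons are illustrative.

```python
"""Summarize authentication results from FreeRADIUS radius.log lines.

Added example, not from the original post. SAMPLE_LOG is constructed: it is
modelled on the "Login OK" line in the debug output above and on the radius.log
lines written when auth = yes; the failure reasons are illustrative.
"""
import re
from collections import Counter

# Matches "Login OK: [user] (from client X port N cli MAC)" and
# "Login incorrect (reason): [user] (from client X port N cli MAC)".
LOGIN_RE = re.compile(
    r"Login (?P<result>OK|incorrect)"
    r"(?: \((?P<reason>.*?)\))?: \[(?P<user>[^\]]*)\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+) cli (?P<mac>\S+)\)"
)

SAMPLE_LOG = """\
Sun Jan 12 16:31:50 2014 : Auth: (20) Login OK: [tutandroid] (from client rpiradius port 2 cli 60-BE-B5-00-00-00)
Sun Jan 12 16:33:02 2014 : Auth: (23) Login incorrect (eap_tls: TLS Alert read:fatal:unknown CA): [guest] (from client rpiradius port 3 cli 00-11-22-33-44-55)
Sun Jan 12 16:33:09 2014 : Auth: (25) Login incorrect (eap_tls: TLS Alert read:fatal:unknown CA): [guest] (from client rpiradius port 3 cli 00-11-22-33-44-55)
Sun Jan 12 16:33:15 2014 : Auth: (27) Login incorrect (eap_tls: TLS Alert read:fatal:unknown CA): [guest] (from client rpiradius port 3 cli 00-11-22-33-44-55)
Sun Jan 12 16:40:41 2014 : Auth: (31) Login incorrect (eap_tls: certificate has expired): [tutlaptop] (from client rpiradius port 4 cli 00-AA-BB-CC-DD-EE)
Sun Jan 12 16:41:00 2014 : Info: Ready to process requests.
"""


def parse_auth_lines(text):
    """Return one dict per Login OK / Login incorrect line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        match = LOGIN_RE.search(line)
        if match:
            event = match.groupdict()
            event["ok"] = event.pop("result") == "OK"
            events.append(event)
    return events


def flag_repeated_rejects(events, threshold=3):
    """Supplicant MACs with at least `threshold` rejects, as {mac: count}.

    A burst of rejects from one MAC usually means a missing or untrusted client
    certificate on that device (or someone probing the SSID), and is worth a look."""
    counts = Counter(event["mac"] for event in events if not event["ok"])
    return {mac: n for mac, n in counts.items() if n >= threshold}


def reject_reasons(events):
    """Counter of the reasons attached to Login incorrect lines."""
    return Counter(event["reason"] for event in events if not event["ok"])


if __name__ == "__main__":
    parsed = parse_auth_lines(SAMPLE_LOG)
    print(f"{len(parsed)} auth events, {sum(e['ok'] for e in parsed)} accepted")
    print("repeated rejects:", flag_repeated_rejects(parsed))
    print("reasons:", dict(reject_reasons(parsed)))
```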

 

You can now start the daemon manually by using this command:

# systemctl start freeradius

 

To enable freeradius to start on boot, run this once:

# systemctl enable freeradius

 

Security Considerations:

This is a near-Full-Disk-Encryption {FDE} setup, which means not everything is encrypted. What's not encrypted is the /boot partition, which contains the kernel among other things. A clever person could code all sorts of malicious things with access to the unencrypted kernel. To my knowledge there is no way around this.

Also I’d suggest zeroing out the partition containing the unencrypted Arch Linux install. You can do this by running dd if=/dev/zero of=/dev/mmcblk0p2 bs=1M as root.

 

Sources:

utlemming’s blog: WPA2-Enterprise: Making my Raspberry Pi earn its keep

Git – Pezz – Archlinux ARM encrypted root

Cryptsetup 1.4.0 Release Notes

Here – FreeBSD + Freeradius2 + EAP-TLS + ssl-admin, a WPA2 Enterprise Guide.

 

Thanks To:

pezz for the Arch Linux FDE SD guide.

Allan Jude via the BSDNow podcast for making me aware of screen.

And lastly Ben Howard for the original idea of using a Raspberry Pi to act as a RADIUS server.


FreeBSD + Freeradius2 + EAP-TLS + ssl-admin, a WPA2 Enterprise Guide.

Background:

For years I've wanted to implement WPA2 Enterprise security for my home wireless network. For years I made slipshod attempts to do so; something typically would go wrong with the configuration/install and I never could track down what I broke or what was not working. Two months ago I decided I was going to make a full bore attempt. I finally found the right combination of software and configuration to get this running. I have also found several great blog posts describing the methods they used to get EAP-TLS working and roughly the commands used to get there. I have had a similar but not identical experience to others, which is why I'm writing this guide: to add to the collective knowledge/experience of this process using FOSS.

I’d also like to preface this by saying this post reflects my current understanding of the subjects below which mostly correlates with fact but are subject to error.

 

What is this post about?

This guide is written to help implement WPA2 Enterprise over a wireless network using only the most secure EAP protocol (EAP-TLS) for authentication. This is accomplished by using FreeBSD as a RADIUS server for 802.1X utilizing only EAP-TLS for verification. This guide doesn’t go into depth on how to secure and harden the FreeBSD machine much further, just enough to get freeradius2 using self-signed X.509 certificates configured and running.

This guide will also briefly touch on the wireless Access Point {AP} setup as an Authenticator and client (aka Supplicant in 802.1X terminology) setup on Apple OS X and Android.

 

What is Extensible Authentication Protocol – Transport Layer Security {EAP-TLS}?

EAP-TLS is a method of authentication where both sides verify each other's identities through X.509 certificates; passwords are only used to access private certificate keys locally and are not used directly between the Supplicant and Authentication Server. EAP-TLS is used to authenticate for 802.1X to grant or deny access to a network, as is the case here on a wireless network. 802.1X can also restrict access to a wired LAN but that isn't discussed in this guide beyond this sentence.

In the case of WPA2 PSK {Pre-Shared-Key} aka WPA2 Personal, the access point {AP} asks the wireless client for identification in the form of a password. The conversation goes something like:

The Naive Client: “I'm looking for ‘YourHomeWiFiSSID’. Is that access point in range?”

The Incorrect Home AP: “I'm ‘YourHomeWiFiSSID’.”

The Naive Client: “Cool, I'd like to connect. Here is the Pairwise Transient Key.”

The Incorrect Home AP: “Sorry, I get a different hash. You must think I'm a different AP with the same name.”

What is concerning about this is that the Pairwise Transient Key {PTK}, which is the session key, contains the hashes of the AP SSID, password, two sets of random numbers, and the MAC addresses of the client and AP. After collecting enough PTKs you can derive the Pairwise Master Key {PMK} by deducing the portion that contains the MAC addresses and random numbers. From there it is a simple matter of brute-forcing, aka computational guessing, to discover the pre-shared key, aka the plain text password.

There are many ways to obtain the clear text password from the Pairwise Master Key. The PMK can be brute forced with a dictionary attack, cracked against a rainbow table, or uploaded to the cloud to be cracked using a pay-for-use password-cracking cloud service. There are some hacking techniques that use functions built into the 802.11 standard to harvest more Pairwise Transient Keys more quickly than can be done naturally by just listening to a Wifi conversation. Such techniques inject a DEAUTHENTICATION packet into the stream, which is a legitimate 802.11 command, but one intended for when a client is closing the connection. At this point a different Pairwise Transient Key will be transmitted on reconnect. This reconnection will inevitably happen because the actual client did not want to end the connection; a malicious person posing as the client sent that packet. Here is a good explanation of the WPA/2-PSK opening transaction.

With EAP-TLS the conversation is different: both sides verify each other's identification in the form of certificates and use asymmetric encryption to pass data to each other. The EAP-TLS conversation goes something like this:

The Suspicious Client: “I'm looking for ‘YourHomeWiFiSSID’.”

The Frank AP: “I'm ‘YourHomeWiFiSSID’.”

The Suspicious Client: “I'd like you to prove it. Tell Strict Barney the Authentication Server that Suspicious_Client wants to connect using EAP-TLS.”

Strict Barney the Authentication Server: “Here's my server certificate. It's signed by our Certificate Authority {CA}. Send all future messages encrypted with my public key, which is attached.”

The Suspicious Client: <Encrypted with Barney's public key> “I see your server certificate is signed by our CA. I trust our CA. My public key is attached. Please send all future messages encrypted with my public key.”

Strict Barney the Authentication Server: “Frank, Suspicious_Client is clear to talk on this network. His keys were signed by our CA. His public key is attached; send future communication to him using it.”

So you may wonder, why can't a malicious user request the server certificate from the server and then pretend to be him? The answer is that only the server's private key can decrypt data encrypted with his public key. This is the defining quality of asymmetric encryption: a private key can decrypt a message encrypted with its corresponding public key. This is why private keys should be highly guarded; otherwise, why use this complicated process? Private keys should be guarded with restrictive permissions on an encrypted hard drive. Occasionally a private key isn't needed, such as when just verifying identity. When verifying an identity, both participants can use their copies of the public keys to compare hash outputs of a common input such as a shared random string.

 

So what is a X.509 certificate?

X.509 certificates make the interwebs go-'round. These certificates establish trust between parties and utilize asymmetric encryption for communication. For the typical user, this interaction is completely transparent and most aren't aware it is happening. For example, when you visit gmail.com you get redirected not only to mail.google.com but also to a secure transaction (a TLS connection, aka https://). This means all the data that traverses the various routers of the internet is encrypted from your browser to the particular Google server you're connected to. This happens because your browser comes pre-installed trusting the root Certificate Authorities such as Comodo, DigiCert, Entrust, GlobalSign, GoDaddy, and VeriSign, to name a few.

So why are X.509 certificates needed for EAP-TLS? Well again, to establish trust between both parties. These certificates provide proof that both parties are who they say they are by checking their digital signatures. Further communication can only occur if the recipient can decrypt the data with their corresponding private key.

You may have noticed that I still have yet to answer the question above in bold. To answer it: a single X.509 certificate is a file. This file can contain anything from a CA public or private key, a server public or private key, or a client public or private key. To complicate things further, some of these files can be bundled with others to create a neat import package. Later in this guide we'll use this bundling process for the Android client certificates. Without a third party application it is not possible to directly import a CA public key on Android OS. To get around this, we'll bundle the private client key, public client key, and the public CA key into one file, which Android happily accepts, installs, and trusts all three.

What an X.509 file contains is the following: a certificate version number field (this correlates to a formatting standard), a serial number field (this correlates back to the CA's sequentially issued number for the certificate), an algorithm ID field (this field indicates which hash function is used; common ones are md5 and sha1), an issuer field (this field contains the Certificate Authority's Country, State, Locality, Organization, Org Unit, and Common Name), a Validity field (this will contain two time stamps; the first says the certificate isn't valid before that time and the second says it is not valid after), a Subject field (contains the Country, State, Locality, Organization, Org Unit, and Common Name; common names are typically tied to a domain name or sub-domain name [intermediate level] or a login name [client level]), and Subject Public Key Info (contains the bit size, algorithm, and the signature). Below is an example of the contents of an intermediate/server certificate signed by Thawte for freesoft.org.

Certificate:
   Data:
       Version: 1 (0x0)
       Serial Number: 7829 (0x1e95)
       Signature Algorithm: md5WithRSAEncryption
       Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc,
               OU=Certification Services Division,
               CN=Thawte Server CA/emailAddress=server-certs@thawte.com
       Validity   
           Not Before: Jul  9 16:04:02 1998 GMT
           Not After : Jul  9 16:04:02 1999 GMT
       Subject: C=US, ST=Maryland, L=Pasadena, O=Brent Baccala,
                OU=FreeSoft, CN=www.freesoft.org/emailAddress=baccala@freesoft.org
       Subject Public Key Info:
           Public Key Algorithm: rsaEncryption
           RSA Public Key: (1024 bit)
               Modulus (1024 bit):
                   00:b4:31:98:0a:c4:bc:62:c1:88:aa:dc:b0:c8:bb:
                   33:35:19:d5:0c:64:b9:3d:41:b2:96:fc:f3:31:e1:
                   66:36:d0:8e:56:12:44:ba:75:eb:e8:1c:9c:5b:66:
                   70:33:52:14:c9:ec:4f:91:51:70:39:de:53:85:17:
                   16:94:6e:ee:f4:d5:6f:d5:ca:b3:47:5e:1b:0c:7b:
                   c5:cc:2b:6b:c1:90:c3:16:31:0d:bf:7a:c7:47:77:
                   8f:a0:21:c7:4c:d0:16:65:00:c1:0f:d7:b8:80:e3:
                   d2:75:6b:c1:ea:9e:5c:5c:ea:7d:c1:a1:10:bc:b8:
                   e8:35:1c:9e:27:52:7e:41:8f
               Exponent: 65537 (0x10001)
   Signature Algorithm: md5WithRSAEncryption
       93:5f:8f:5f:c5:af:bf:0a:ab:a5:6d:fb:24:5f:b6:59:5d:9d:
       92:2e:4a:1b:8b:ac:7d:99:17:5d:cd:19:f6:ad:ef:63:2f:92:
       ab:2f:4b:cf:0a:13:90:ee:2c:0e:43:03:be:f6:ea:8e:9c:67:
       d0:a2:40:03:f7:ef:6a:15:09:79:a9:46:ed:b7:16:1b:41:72:
       0d:19:aa:ad:dd:9a:df:ab:97:50:65:f5:5e:85:a6:ef:19:d1:
       5a:de:9d:ea:63:cd:cb:cc:6d:5d:01:85:b5:6d:c8:f3:d9:f7:
       8f:0e:fc:ba:1f:34:e9:96:6e:6c:cf:f2:ef:9b:bf:de:b5:22:
       68:9f
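To make the field list concrete, here is an added example (mine, not code from the original post) that rebuilds the Thawte/freesoft.org certificate above as DER with the Python standard library and then parses it back field by field. The modulus is the one printed above, the issuer and subject are reduced to their Common Name, and the signature bytes are a constructed placeholder. The ASN.1 tags, the base-128 OID encoding behind "md5WithRSAEncryption" and the leading 00 on the modulus are exactly what the dump above is displaying.

```python
# Added example, not code from the original post: a stdlib-only DER encoder/decoder
# that rebuilds the freesoft.org certificate above and parses out the fields the
# paragraph lists. Modulus bytes are the ones printed above (leading 00 dropped);
# names carry only their CN; the signature value is a constructed placeholder.
OID_MD5_WITH_RSA = "1.2.840.113549.1.1.4"    # md5WithRSAEncryption: hash + signature scheme
OID_RSA_ENCRYPTION = "1.2.840.113549.1.1.1"
OID_COMMON_NAME = "2.5.4.3"
MODULUS = int(
    "b431980ac4bc62c188aadcb0c8bb" + "333519d50c64b93d41b296fcf331e1" +
    "6636d08e561244ba75ebe81c9c5b66" + "70335214c9ec4f91517039de538517" +
    "16946eeef4d56fd5cab3475e1b0c7b" + "c5cc2b6bc190c316310dbf7ac74777" +
    "8fa021c74cd0166500c10fd7b880e3" + "d2756bc1ea9e5c5cea7dc1a110bcb8" +
    "e8351c9e27527e418f", 16)

def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(v):
    # INTEGER is two's complement: a leading 0x00 keeps a high-bit value positive,
    # which is why the dump above shows the modulus starting "00:b4".
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:               # remaining arcs in base-128, high bit = "more follows"
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        body += bytes(reversed(chunk))
    return tlv(0x06, bytes(body))

def build_certificate():
    alg_md5_rsa = tlv(0x30, der_oid(OID_MD5_WITH_RSA) + tlv(0x05, b""))
    alg_rsa = tlv(0x30, der_oid(OID_RSA_ENCRYPTION) + tlv(0x05, b""))
    def name(cn):                      # Name ::= SEQUENCE OF SET OF SEQUENCE { type, value }
        atv = tlv(0x30, der_oid(OID_COMMON_NAME) + tlv(0x13, cn.encode("ascii")))
        return tlv(0x30, tlv(0x31, atv))
    validity = tlv(0x30, tlv(0x17, b"980709160402Z") + tlv(0x17, b"990709160402Z"))
    rsa_key = tlv(0x30, der_int(MODULUS) + der_int(65537))
    spki = tlv(0x30, alg_rsa + tlv(0x03, b"\x00" + rsa_key))   # BIT STRING, 0 unused bits
    # Version 1: the [0] EXPLICIT version field is simply absent.
    tbs = tlv(0x30, der_int(7829) + alg_md5_rsa + name("Thawte Server CA")
              + validity + name("www.freesoft.org") + spki)
    placeholder_sig = tlv(0x03, b"\x00" + bytes(16))           # constructed, not the real signature
    return tlv(0x30, tbs + alg_md5_rsa + placeholder_sig)

def read_tlv(buf, pos):
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first >= 0x80:                  # long form: low 7 bits give the number of length bytes
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, sub, pos = read_tlv(body, pos)
        out.append((tag, sub))
    return out

def decode_int(body):
    return int.from_bytes(body, "big", signed=True)

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def common_name(name_body):
    for _, rdn in children(name_body):
        for _, atv in children(rdn):
            (_, oid), (_, value) = children(atv)
            if decode_oid(oid) == OID_COMMON_NAME:
                return value.decode("ascii")
    return None

def parse_certificate(der):
    _, cert, _ = read_tlv(der, 0)
    (_, tbs), (_, sig_alg), (_, _sig) = children(cert)
    fields = children(tbs)
    version = 1
    if fields[0][0] == 0xA0:           # [0] EXPLICIT version present (v2/v3 only)
        version = decode_int(children(fields[0][1])[0][1]) + 1
        fields = fields[1:]
    (_, serial), (_, tbs_alg), (_, issuer), (_, validity), (_, subject), (_, spki) = fields[:6]
    (_, key_alg), (_, key_bits) = children(spki)
    _, rsa_seq, _ = read_tlv(key_bits, 1)                  # skip the unused-bits byte
    (_, n), (_, e) = children(rsa_seq)
    return {
        "version": version,
        "serial": decode_int(serial),
        "signature_algorithm": decode_oid(children(sig_alg)[0][1]),
        "tbs_signature_matches": tbs_alg == sig_alg,       # RFC 5280: both copies must agree
        "issuer_cn": common_name(issuer),
        "not_before": children(validity)[0][1].decode("ascii"),
        "not_after": children(validity)[1][1].decode("ascii"),
        "subject_cn": common_name(subject),
        "public_key_algorithm": decode_oid(children(key_alg)[0][1]),
        "public_key_bits": decode_int(n).bit_length(),
        "exponent": decode_int(e),
    }
```

parse_certificate returns the same dictionary for the DER of any version 1 certificate with an RSA key; a version 3 certificate only adds the [0] version wrapper, which the walker handles, and an extensions field after subjectPublicKeyInfo, which it ignores. For real certificates use openssl x509 -in cert.pem -noout -text, which is the tool that produced the dump above.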

 

Why go through all this trouble?

Simply put, a wireless network is insecure by its nature. It is nearly as bad as leaving a CAT5 cable hanging out of your house, plugged into a hub on your internet line: every frame is broadcast into the air and anyone within earshot, so to speak, can capture and analyze it. Securing the network with the common protocols (WEP, WPA, WPA2) helps less than you would expect unless EAP-TLS is used, because in the other modes the password, PIN or keys can be recovered or spoofed. WEP is broken and should never be used in any circumstance, ever. WPA/WPA2 with WPS enabled is also considered insecure: the 8-digit WPS PIN is verified in two halves, so an attacker needs only on the order of 11,000 guesses and can usually recover it in a matter of hours. As for WPA/WPA2-PSK (aka WPA/WPA2 Personal), an attacker who captures one client's four-way handshake can try passphrases offline at leisure; each guess costs one PBKDF2 computation, so a short or dictionary passphrase falls quickly.

Another positive consideration for EAP-TLS is that the traffic is protected from peer-on-peer snooping. Each client's TLS handshake with the RADIUS server produces a fresh, per-client Pairwise Master Key that only that client and the server know, so no other client on the network can derive its session keys. With WPA/WPA2-PSK the Pairwise Master Key is derived from the one passphrase every client shares, so any peer that knows the passphrase and captures your four-way handshake can compute your Pairwise Transient Key and decrypt your traffic.

So again, why? Why can't I just create a really long WPA2-PSK passphrase? My answer: you can, and you will probably never have a problem. But I think EAP-TLS is cool, it is uncommon, and it is a challenge to implement.
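The two claims above, offline brute force after capturing a four-way handshake and peers deriving each other's keys under a shared PSK, follow directly from the WPA2-PSK key schedule. The added example below (mine, not from the original post) implements that schedule with the Python standard library: the PMK from the passphrase, the PTK from the PMK plus the MAC addresses and nonces that travel in clear, and the EAPOL-Key MIC that an attacker tests candidate passphrases against. The MAC addresses, nonces and EAPOL frame are constructed; the passphrase/SSID pair "password"/"IEEE" is the PBKDF2 test vector from the 802.11i standard.

```python
# Added example, not code from the original post: the WPA2-PSK key schedule from
# IEEE 802.11i in stdlib Python, used to show the offline dictionary attack on a
# captured four-way handshake and why a peer sharing the PSK can derive your PTK.
# MACs, nonces and the EAPOL-Key frame are constructed; "password"/"IEEE" is the
# published 802.11i PBKDF2 test vector.
import hashlib
import hmac

def wpa2_pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def wpa2_ptk(pmk, aa, spa, anonce, snonce):
    """PRF-384 over data every sniffer sees: PTK = KCK(16) || KEK(16) || TK(16)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(3):                      # 3 x 160 bits covers the 384 bits needed
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
    return out[:48]

def eapol_mic(kck, eapol_frame):
    """Key MIC (AKM 2): leftmost 128 bits of HMAC-SHA1 over the EAPOL-Key frame
    with its MIC field zeroed. This is the value an offline guess is checked against."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]

def crack_psk(ssid, aa, spa, anonce, snonce, eapol_frame, observed_mic, candidates):
    """Offline attack: each guess costs one PBKDF2 plus one PRF; the AP is never contacted."""
    for cand in candidates:
        ptk = wpa2_ptk(wpa2_pmk(cand, ssid), aa, spa, anonce, snonce)
        if hmac.compare_digest(eapol_mic(ptk[:16], eapol_frame), observed_mic):
            return cand
    return None

# Constructed handshake material, not a real capture.
SSID = "IEEE"
AP_MAC = bytes.fromhex("a0a1a1a3a4a5")
STA_MAC = bytes.fromhex("b0b1b2b3b4b5")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
# EAPOL-Key message 2 layout: version, type, length, descriptor, key info, key
# length, replay counter, SNonce, IV, RSC, ID, MIC (zeroed), key data length.
EAPOL_MSG2 = (bytes.fromhex("0103005f02010a0000") + bytes(8) + SNONCE
              + bytes(16 + 8 + 8 + 16 + 2))

def victim_handshake(passphrase):
    """What the legitimate station computes and sends: its PTK and the MIC in message 2."""
    ptk = wpa2_ptk(wpa2_pmk(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    return ptk, eapol_mic(ptk[:16], EAPOL_MSG2)

def peer_derives_ptk(passphrase):
    """A peer who knows the shared passphrase needs only the sniffed MACs and
    nonces to compute the victim's PTK; under EAP-TLS each client's PMK is unique."""
    return wpa2_ptk(wpa2_pmk(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
```

crack_psk is the aircrack-ng/hashcat attack in miniature: nothing is sent to the AP, and the cost per guess is one PBKDF2 of 4096 iterations, which GPUs grind through at hundreds of thousands of guesses per second. peer_derives_ptk shows why a shared PSK gives no privacy between clients; with EAP-TLS the PMK comes out of each client's own TLS handshake and no other client can compute it.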

 

What’s Needed:

This time around I am using a virtual machine to run FreeBSD. In the future I plan on toying with installing FreeBSD on a Raspberry Pi and running the RADIUS server as a literal piggyback on the AP, powered from the AP's USB port; a fun symbiotic relationship, I think.

Here is what is needed to complete this project:

  • A basic, 24/7 machine to run FreeBSD (Anything from a virtual machine to a RaspberryPi)
  • A modern wireless router or access point (preferably one running DD-WRT)
  • Wireless clients capable of WPA2 Enterprise authentication (iOS, Apple’s OS X 10.3+, Microsoft Windows XP/2000 SP4/7+, most variants of free OSes, and Android will work. The PS3 won’t work.)
  • An interest in the subject and a desire to get this working in your own environment.

 

Downsides to EAP-TLS:

  • EAP-TLS is not supported on every wireless device. The PS3, for example, cannot be configured for it, and some Wi-Fi thermostats aren't compatible for the same reason. Devices that the Wi-Fi Alliance certifies for WPA2-Enterprise are tested against EAP-TLS; a device certified only for WPA2-Personal makes no such promise.
  • Certificates expire, leaving the device unable to connect until a new, current certificate is created and installed on it. Granted, you can make certificates last as long as you want, from one day to the rest of your lifetime.
  • Key management can become a burden if you have many clients with a high turnover rate. Revoking a certificate is possible but is not covered in this version of the guide; see here for more information. The topic will be covered in version 2 of this guide.
  • Lastly, granting access to guests requires issuing them a certificate and revoking it when they leave. An alternative is to create a separate virtual wireless network using WPA2-PSK for the duration of your guests' stay.


How:

For this to work we need a very bare-bones server; a no-frills setup with just the basics: SSH, FreeRADIUS2, ssl-admin and their dependencies. I'm using FreeBSD in this guide because of its general attention to security, because the ports tree is really nice if you prefer to install from source, because FreeBSD is fairly easy to adapt to if you have some Linux background, and, most influential of all, because FreeBSD is the basis of many of the appliances running on my hypervisor.


Installing FreeBSD:

Make sure to install the Ports tree, as we will be installing freeradius2 from it; no other optional system components are required from this menu.

Set the IP to a static address. This is necessary so your AP knows where to send RADIUS requests. In this guide the FreeBSD server's IP is 10.0.0.254.

Make sure to enable sshd so you can log into the server remotely to diagnose radiusd when it is first run in debug mode. Enabling ntpd is also suggested: certificates are only valid within their Not Before/Not After window, so the server's clock has to be right for that check to work.

Changes to the FreeBSD base install:

First update the clock so the certificates are stamped with the correct time:

# ntpdate -v -b in.pool.ntp.org

Next, temporarily allow root logins over ssh by setting the following in /etc/ssh/sshd_config (PermitRootLogin without-password restricts root to key-based logins, and either way set it back to no once the server is configured):

PermitRootLogin yes

The following lines enable public-key authentication for ssh logins. RSAAuthentication only applies to the obsolete protocol 1; PubkeyAuthentication is the one that matters. Note that a key on its own is single-factor: it replaces the password rather than adding a second factor to it.

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

Installing FreeRADIUS2:

In this guide we’ll be using the ports tree to install FreeRADIUS2. If you aren’t terribly familiar with FreeBSD’s ports tree, it’s pretty neat. “[The] ports tree is simply that — a hierarchy of applications that have been ported to FreeBSD. Each directory contains a Makefile and any patches that are required for that particular app to compile and run on FreeBSD” [1]

When prompted for build options for freeradius2, only select ssl_port and user; you’ll be prompted later for more build options for freeradius2’s dependencies but the defaults are fine if you aren’t comfortable changing them.

# cd /usr/ports/net/freeradius2
# make install clean

 

Configuring FreeRADIUS2:

The configuration folder for FreeRADIUS2 is /usr/local/etc/raddb. Below is the entire configuration for each of the following files; the comments have been pruned, and the values you need to change for your own install are the listen address, the AP's address and shared secret, the certificate paths and the private-key password. I have also pruned the sections that make freeradius2 less secure (such as EAP-MD5) or that add bloat (such as accounting).

First edit /usr/local/etc/raddb/radiusd.conf. This is the main daemon configuration and contains the bulk of the options for the daemon.

prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
name = radiusd
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/local/lib/freeradius-2.2.2
pidfile = ${run_dir}/${name}.pid
user = freeradius
group = freeradius
max_request_time = 30
cleanup_delay = 5
# max_requests: This should be 256 multiplied by the number of clients.
max_requests = 1024

listen {
type = auth
ipaddr = 10.0.0.254
port = 0
}

allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes

log {
destination = files
file = ${logdir}/radius.log
stripped_names = no
auth = yes
auth_badpass = no
auth_goodpass = no
}

checkrad = ${sbindir}/checkrad

security {
max_attributes = 200
reject_delay = 1
status_server = yes
}

proxy_requests = no
$INCLUDE clients.conf

thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}

modules {
$INCLUDE ${confdir}/modules/
$INCLUDE eap.conf
}

instantiate {
exec
expr
expiration
logintime
}

$INCLUDE policy.conf
$INCLUDE sites-enabled

 

Next edit /usr/local/etc/raddb/clients.conf. This file tells the daemon which APs or routers may send it requests and which shared secret each one uses. Despite the name, a "client" here is the Authenticator in 802.1X terms (the AP), not the wireless supplicant, and not to be confused with the Authentication Server, which is the freeradius2 FreeBSD box in this guide. require_message_authenticator = yes makes the server drop any Access-Request that does not carry a valid HMAC over the packet keyed with the shared secret, so a request spoofed from the AP's IP address by someone without the secret is rejected.

client wifiapname {
ipaddr = 10.0.0.2
secret = MakeThisRandomStringLongAsItWillNeverBeNeededToTypedIn.IfUsingDD-WRTTheUndocumentedMaxLengthIs79Characters
require_message_authenticator = yes
nastype = other
}
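The shared secret in clients.conf is all that authenticates the AP to the server and the server's answers to the AP, so it is worth seeing exactly what it protects. The added example below (mine, not code from the original post or from FreeRADIUS) builds an Access-Request carrying a Message-Authenticator, verifies it the way require_message_authenticator = yes demands, and then builds and checks an Access-Accept whose Response Authenticator is MD5 over the reply plus the secret. The secret, identifier and attribute values are constructed for the demonstration.

```python
# Added example, not code from the original post or from FreeRADIUS: the two
# integrity checks the clients.conf shared secret provides, in stdlib Python.
# RFC 2869/3579 Message-Authenticator (HMAC-MD5 over the packet) and the RFC 2865
# Response Authenticator (MD5 over reply + secret). All values are constructed.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 4, 80

def encode_attrs(attrs):
    """RADIUS attributes are type(1) length(1, including this header) value."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)

def _header(code, ident, length):
    return struct.pack("!BBH", code, ident, length)

def build_access_request(secret, ident, attrs, authenticator=None):
    """Append a zeroed Message-Authenticator, HMAC-MD5 the whole packet, patch it in."""
    if authenticator is None:
        authenticator = os.urandom(16)     # Request Authenticator: fresh random per request
    body = encode_attrs(list(attrs) + [(MESSAGE_AUTHENTICATOR, bytes(16))])
    pkt = _header(ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def _find_message_authenticator(pkt):
    """Offset of the 16-byte Message-Authenticator value, or None if absent or malformed."""
    pos, found = 20, None
    while pos + 2 <= len(pkt):
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > len(pkt):
            return None
        if t == MESSAGE_AUTHENTICATOR and l == 18:
            found = pos + 2
        pos += l
    return found

def verify_message_authenticator(secret, pkt, request_authenticator=None):
    """What require_message_authenticator = yes enforces: no valid HMAC, no service.
    For replies the HMAC is computed with the request's authenticator in place."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    off = _find_message_authenticator(pkt)
    if off is None:
        return False
    auth = pkt[4:20] if request_authenticator is None else request_authenticator
    zeroed = pkt[:4] + auth + pkt[20:off] + bytes(16) + pkt[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, pkt[off:off + 16])

def build_response(secret, code, request_pkt, attrs=()):
    """Access-Accept/Reject: Message-Authenticator first, then
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    ident, req_auth = request_pkt[1], request_pkt[4:20]
    body = encode_attrs(list(attrs) + [(MESSAGE_AUTHENTICATOR, bytes(16))])
    length = 20 + len(body)
    mac = hmac.new(secret, _header(code, ident, length) + req_auth + body, hashlib.md5).digest()
    body = body[:-16] + mac
    resp_auth = hashlib.md5(_header(code, ident, length) + req_auth + body + secret).digest()
    return _header(code, ident, length) + resp_auth + body

def verify_response(secret, resp_pkt, request_pkt):
    """What the AP must check before trusting an Access-Accept it receives."""
    if len(resp_pkt) < 20 or resp_pkt[1] != request_pkt[1]:
        return False
    req_auth = request_pkt[4:20]
    expected = hashlib.md5(resp_pkt[:4] + req_auth + resp_pkt[20:] + secret).digest()
    if not hmac.compare_digest(expected, resp_pkt[4:20]):
        return False
    return verify_message_authenticator(secret, resp_pkt, req_auth)

# Constructed demonstration values (fixed authenticator so the run is repeatable).
SECRET = b"constructed-shared-secret-not-for-real-use"
REQUEST = build_access_request(
    SECRET, 7, [(USER_NAME, b"tutmac"), (NAS_IP_ADDRESS, bytes([10, 0, 0, 2]))],
    authenticator=bytes(range(16)))
```

The checks fail closed in the cases that matter: a request whose User-Name was altered in flight, a request signed with the wrong secret, a request with no Message-Authenticator at all, and an Access-Accept forged by someone who does not hold the secret. Without the setting, a request that carries no Message-Authenticator is processed on the strength of its source IP alone, since the Request Authenticator by itself is just a random nonce.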

 

Next edit /usr/local/etc/raddb/eap.conf. This tells the daemon which EAP methods may be used and the parameters of each. For our purpose this configuration has been heavily pruned of comments and, more importantly, of the insecure EAP methods. The weaker methods are removed because EAP type selection is negotiated: even if your own clients are configured for TLS only, a supplicant can NAK the server's proposal and ask for any other method the server still has enabled, and the AS will oblige. We will come back to this file for the final touches after the X.509 certificates have been created.

eap {
    default_eap_type = tls
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = 4096

    tls {
        certdir = /usr/local/etc/ssl-admin/active
        cadir = /usr/local/etc/ssl-admin/active
        private_key_password = whatever
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        CA_file = ${cadir}/ca.pem
        dh_file = ${certdir}/dh
        random_file = /dev/random
        # check_crl = yes
        cipher_list = "HIGH"   # This selects only strong ciphers

        verify {
            tmpdir = /tmp/radiusd
            client = "/usr/local/bin/openssl verify -CAfile /usr/local/etc/ssl-admin/active/ca.crt %{TLS-Client-Cert-Filename}"
        }
    }
}

Above you'll notice cipher_list has been set to HIGH. This is important because the default cipher list includes weak ciphers such as RC4; HIGH excludes them. HIGH on its own still permits anonymous (aNULL) suites, so "HIGH:!aNULL:!MD5" is a tighter choice. You may also notice the openssl verify command under verify; it runs the presented client certificate through openssl's chain check against the CA certificate and is useful when you suspect a problem with the certificates.


These commands setup the individual AP configurations/settings/profiles.

# cd /usr/local/etc/raddb/sites-available/
# cp example wifiapname
# cd /usr/local/etc/raddb/sites-enabled
# rm *
# ln -s ../sites-available/wifiapname ./wifiapname

 

Next edit /usr/local/etc/raddb/sites-available/wifiapname

authorize {
    preprocess
    auth_log
    eap {
        ok = return
    }
    expiration
    logintime
}

authenticate {
    eap
}

preacct {
    preprocess
    acct_unique
    suffix
    files
}

session {
radutmp
}
post-auth {
exec
Post-Auth-Type REJECT {
attr_filter.access_reject
}
}

 

Creating the X.509 Self-Signed Certificates:

This is the part where I would typically get stuck in the past. When I used the certificate creation script that came with freeradius2, only the most recently created certificate would be valid. So ssl-admin was used instead to create the certificates. ssl-admin has been great for creating multiple certificates that all check out as valid against the CA certificate with the openssl verify command.


Install ssl-admin:

ssl-admin is a tool written by some of the OpenVPN developers to manage a CA and its certificates, intended for OpenVPN, but it works just as well for our purpose of creating certificates for several roles (CA, server and clients). We'll first create a Certificate Authority (CA), whose certificate is the one thing everybody trusts: a certificate claiming to be issued by us is accepted only if the CA's signature on it checks out. Then we'll create a server certificate, which the authentication server uses to prove its identity to connecting clients and to set up the TLS tunnel; the server also gets a copy of the CA certificate so it can verify the clients. Finally each client gets its own key pair and certificate, plus a copy of the CA certificate so it can verify the server. Below are the commands to build ssl-admin from ports.

# cd /usr/ports/security/ssl-admin
# make install clean


Time to edit /usr/local/etc/ssl-admin/openvpn.conf

# OpenSSL Configuration File for ssl-admin

dir                = $ENV::KEY_DIR

[ca]
default_ca            = CA_default

[CA_default]
serial                = $dir/prog/serial
database            = $dir/prog/index.txt
new_certs_dir            = $dir/active
certificate            = $dir/active/ca.crt
private_key            = $dir/active/ca.key
default_days            = $ENV::KEY_DAYS
default_crl_days        = 30
default_md            = sha512
preserve            = no
email_in_dn            = yes
nameopt                = default_ca
certopt                = default_ca
policy                = policy_match

[ policy_match ]
countryName            = match
stateOrProvinceName        = match
organizationName        = match
organizationalUnitName        = optional
commonName            = supplied
emailAddress            = optional

[ policy_new_ca ]
countryName            = supplied
stateOrProvinceName        = supplied
organizationName        = supplied
organizationalUnitName        = optional
commonName            = supplied
emailAddress            = optional

[ req ]
default_bits            = $ENV::KEY_SIZE
default_keyfile         = privkey.pem
default_md            = sha512
string_mask            = nombstr
distinguished_name        = req_distinguished_name
req_extensions            = v3_req

[ req_distinguished_name ]
# Prompts
countryName            = US
countryName_min            = 2
countryName_max            = 2
stateOrProvinceName        = New Mexico
localityName            = Albuquerque
0.organizationName        = Lead Street Security
organizationalUnitName        = Wifi Security
commonName            = epijunkie.com
commonName_max            = 64
emailAddress            = webmaster@epijunkie.com
emailAddress_max        = 40

# Default variables (environment variables set from the ssl-admin.pl script).
countryName_default        = $ENV::KEY_COUNTRY
commonName_default        = $ENV::KEY_CN
emailAddress_default        = $ENV::KEY_EMAIL
0.organizationName_default    = $ENV::KEY_ORG
stateOrProvinceName_default    = $ENV::KEY_PROVINCE
localityName_default        = $ENV::KEY_CITY

[ server ]

# JY ADDED -- Make a cert with nsCertType set to "server"
basicConstraints=CA:FALSE
nsCertType            = server
nsComment            = "ssl-admin (OpenSSL) Generated Server Certificate"
subjectKeyIdentifier        = hash
authorityKeyIdentifier        = keyid,issuer:always
extendedKeyUsage        = serverAuth
keyUsage             = digitalSignature, keyEncipherment

[ v3_req ]
basicConstraints         = CA:FALSE
keyUsage             = keyAgreement, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage        = clientAuth
crlDistributionPoints        = $ENV::KEY_CRL_LOC

[ v3_ca ]
basicConstraints         = CA:TRUE
subjectKeyIdentifier        = hash
authorityKeyIdentifier        = keyid:always,issuer:always
crlDistributionPoints        = $ENV::KEY_CRL_LOC

Next run the command below to copy the defaults of ssl-admin.conf:

# cp /usr/local/etc/ssl-admin/ssl-admin.conf.default /usr/local/etc/ssl-admin/ssl-admin.conf

Time to edit /usr/local/etc/ssl-admin/ssl-admin.conf. Note that KEY_CRL_LOC is written into every certificate's crlDistributionPoints extension, so leave the placeholder unless you actually publish a CRL at a URL.

## Set default values here.
#
# The following values can be changed without affecting
# your CA key.

$ENV{'KEY_SIZE'} = "4096";
$ENV{'KEY_DAYS'} = "3650";
$ENV{'KEY_CN'} = "";
$ENV{'KEY_CRL_LOC'} = "URI:http://CRL_URI";

## WARNING!!! ##
#
# Changing the following values has vast consequences.
# These values must match what's in your root CA certificate.

$ENV{'KEY_COUNTRY'} = "US";
$ENV{'KEY_PROVINCE'} = "New Mexico";
$ENV{'KEY_CITY'} = "Albuquerque";
$ENV{'KEY_ORG'} = "Lead Street Security";
$ENV{'KEY_EMAIL'} = 'webmaster@epijunkie.com';

 

Create your self-signed CA:

# cd /usr/local/etc/ssl-admin/
# ssl-admin
This program will walk you through requesting, signing,
organizing and revoking SSL certificates.

Looks like this is a new install, installing...
You will first need to edit the /usr/local/etc/ssl-admin/ssl-admin.conf
default variables.  Have you done this? (y/n): y
I need the CA credentials.  Would you like to create a new CA key and
certificate now?  (y/n): y
Please enter certificate owner's name or ID.
Usual format is first initial-last name (jdoe) or
hostname of server which will use this certificate.
All lower case, numbers OK.
Owner []: epijunkie.com

File names will use epijunkie.com.

===> Creating private key with 4096 bits and generating request.
Do you want to password protect your CA private key? (y/n): y
Generating RSA private key, 4096 bit long modulus
..............................++
................................................................................
........................++
e is 65537 (0x10001)
Enter pass phrase for epijunkie.com.key: ThisShouldBeLongToo
Verifying - Enter pass phrase for epijunkie.com.key: ThisShouldBeLongToo
===> Self-Signing request.
Enter pass phrase for /usr/local/etc/ssl-admin/epijunkie.com.key: ThisShouldBeLongToo
===> Moving certficate and key to appropriate directory.
===> Creating initial CRL.Using configuration from /usr/local/etc/ssl-admin/openssl.conf
Enter pass phrase for /usr/local/etc/ssl-admin/active/ca.key: ThisShouldBeLongToo

The Owner field for the CA should be a domain name or the name of the machine the CA will reside on. Use a long passphrase here (I'd suggest 32+ characters) with symbols, numbers and upper- and lower-case letters; it protects the CA private key, which signs every other certificate.


Next create your server certificate:

# cd /usr/local/etc/ssl-admin/
# ssl-admin
This program will walk you through requesting, signing,
organizing and revoking SSL certificates.

===> Creating initial CRL.Using configuration from /usr/local/etc/ssl-admin/openssl.conf
Enter pass phrase for /usr/local/etc/ssl-admin/active/ca.key: ThisShouldBeLongToo
ssl-admin installed Sun Dec 29 16:02:41 MST 2013
OPTIONAL: I can't find your OpenVPN client config.  Please copy your config to
/usr/local/etc/ssl-admin/packages/client.ovpn

=====================================================
#                  SSL-ADMIN                        #
=====================================================
Please enter the menu option from the following list:
1) Update run-time options:
     Key Duration (days): 3650
     Current Serial #: 01
     Key Size (bits): 4096
     Intermediate CA Signing: NO
2) Create new Certificate Request
3) Sign a Certificate Request
4) Perform a one-step request/sign
5) Revoke a Certificate
6) Renew/Re-sign a past Certificate Request
7) View current Certificate Revokation List
8) View index information for certificate.
i) Generate a user config with in-line certifcates and keys.
z) Zip files for end user.
dh) Generate Diffie Hellman parameters.
CA) Create new Self-Signed CA certificate.
S) Create new Signed Server certificate.
q) Quit ssl-admin

Menu Item: S
Please enter certificate owner's name or ID.
Usual format is first initial-last name (jdoe) or
hostname of server which will use this certificate.
All lower case, numbers OK.
Owner []: wifiapname

File names will use wifiapname.
Please enter certificate owner's name or ID.
Usual format is first initial-last name (jdoe) or
hostname of server which will use this certificate.
All lower case, numbers OK.
Owner [wifiapname]: 
Would you like to password protect the private key (y/n): y
Generating a 4096 bit RSA private key
................................................................................
.............................++
...................................++
writing new private key to 'wifiapname.key'
Enter PEM pass phrase: ThisKeyMustMatchYourEAP.confFileOtherWiseItWontWork
Verifying - Enter PEM pass phrase: ThisKeyMustMatchYourEAP.confFileOtherWiseItWontWork
-----
===> Serial Number = 01
Using configuration from /usr/local/etc/ssl-admin/openssl.conf
Enter pass phrase for /usr/local/etc/ssl-admin/active/ca.key: ThisShouldBeLongToo
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'New Mexico'
localityName          :PRINTABLE:'Albuquerque'
organizationName      :PRINTABLE:'Lead Street Security'
commonName            :PRINTABLE:'wifiapname'
emailAddress          :IA5STRING:'webmaster@epijunkie.com'
Certificate is to be certified until Dec 27 23:08:26 2023 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
=========> Moving certificates and keys to /usr/local/etc/ssl-admin/active for production.
Can I move signing request (wifiapname.csr) to the csr directory for archiving? (y/n): y
===> wifiapname.csr moved.

The server certificate's Owner field should be set to the name of the primary wireless access point. Use a different long passphrase here (I'd suggest 32+ characters) with symbols, numbers and upper- and lower-case letters; it will be stored in eap.conf later as private_key_password.


Now to create the client certificates for the OSX machine:

# cd /usr/local/etc/ssl-admin/
# ssl-admin
This program will walk you through requesting, signing,
organizing and revoking SSL certificates.

ssl-admin installed Sun Dec 29 16:02:41 MST 2013
OPTIONAL: I can't find your OpenVPN client config.  Please copy your config to
/usr/local/etc/ssl-admin/packages/client.ovpn

=====================================================
#                  SSL-ADMIN                        #
=====================================================
Please enter the menu option from the following list:
1) Update run-time options:
Key Duration (days): 3650
Current Serial #: 02
Key Size (bits): 4096
Intermediate CA Signing: NO
2) Create new Certificate Request
3) Sign a Certificate Request
4) Perform a one-step request/sign
5) Revoke a Certificate
6) Renew/Re-sign a past Certificate Request
7) View current Certificate Revokation List
8) View index information for certificate.
i) Generate a user config with in-line certifcates and keys.
z) Zip files for end user.
dh) Generate Diffie Hellman parameters.
CA) Create new Self-Signed CA certificate.
S) Create new Signed Server certificate.
q) Quit ssl-admin

Menu Item: 4
Please enter certificate owner's name or ID.
Usual format is first initial-last name (jdoe) or
hostname of server which will use this certificate.
All lower case, numbers OK.
Owner []: tutmac

File names will use tutmac.
Please enter certificate owner's name or ID.
Usual format is first initial-last name (jdoe) or
hostname of server which will use this certificate.
All lower case, numbers OK.
Owner [tutmac]:
Would you like to password protect the private key (y/n): y
Generating a 4096 bit RSA private key
............................................................................++
................................................................................
......................................++
writing new private key to 'tutmac.key'
Enter PEM pass phrase: ThisKeyShouldBe>=16Chars
Verifying - Enter PEM pass phrase: ThisKeyShouldBe>=16Chars
-----
===> Serial Number = 02
=========> Signing request for tutmac
Using configuration from /usr/local/etc/ssl-admin/openssl.conf
Enter pass phrase for /usr/local/etc/ssl-admin/active/ca.key: ThisShouldBeLongToo
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'New Mexico'
localityName          :PRINTABLE:'Albuquerque'
organizationName      :PRINTABLE:'Lead Street Security'
commonName            :PRINTABLE:'tutmac'
emailAddress          :IA5STRING:'webmaster@epijunkie.com'
Certificate is to be certified until Dec 27 23:32:02 2023 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
=========> Moving certificates and keys to /usr/local/etc/ssl-admin/active for production.
Can I move signing request (tutmac.csr) to the csr directory for archiving? (y/n): ===> tutmac.csr moved.

The Owner field for a client should identify the machine the certificate goes on, whether that's a host name or another unique ID; the value you enter here is also what the client sends as its username when connecting. Use a long passphrase unique to this client (I'd suggest 16+ characters) with symbols, numbers and upper- and lower-case letters.

Create an OS X keyfile bundle:

This bundling is necessary because OS X needs the certificate and its private key delivered together, in one PKCS#12 file, to associate them on import.

# cd /usr/local/etc/ssl-admin/
# /usr/local/bin/openssl pkcs12 -export -in ./active/tutmac.crt -inkey ./active/tutmac.key -out tutmac_bundle.p12
WARNING: can't open config file: /usr/local/openssl/openssl.cnf
Enter pass phrase for ./active/tutmac.key: ThisKeyShouldBe>=16Chars
Enter Export Password: ThisKeyShouldBe>=16Chars
Verifying - Enter Export Password: ThisKeyShouldBe>=16Chars

 

Now to create the client certificates for the Android device:

# cd /usr/local/etc/ssl-admin/
# ssl-admin
This program will walk you through requesting, signing,
organizing and revoking SSL certificates.

ssl-admin installed Sun Dec 29 16:02:41 MST 2013
OPTIONAL: I can't find your OpenVPN client config.  Please copy your config to
/usr/local/etc/ssl-admin/packages/client.ovpn
=====================================================
#                  SSL-ADMIN                        #
=====================================================
Please enter the menu option from the following list:
1) Update run-time options:
Key Duration (days): 3650
Current Serial #: 03
Key Size (bits): 4096
Intermediate CA Signing: NO
2) Create new Certificate Request
3) Sign a Certificate Request
4) Perform a one-step request/sign
5) Revoke a Certificate
6) Renew/Re-sign a past Certificate Request
7) View current Certificate Revokation List
8) View index information for certificate.
i) Generate a user config with in-line certifcates and keys.
z) Zip files for end user.
dh) Generate Diffie Hellman parameters.
CA) Create new Self-Signed CA certificate.
S) Create new Signed Server certificate.
q) Quit ssl-admin

Menu Item: 4
Please enter certificate owner's name or ID.
Usual format is first initial-last name (jdoe) or
hostname of server which will use this certificate.
All lower case, numbers OK.
Owner []: tutandroid

File names will use tutandroid.
Please enter certificate owner's name or ID.
Usual format is first initial-last name (jdoe) or
hostname of server which will use this certificate.
All lower case, numbers OK.
Owner [tutandroid]:
Would you like to password protect the private key (y/n): y
Generating a 4096 bit RSA private key
..........................................++
................................................................................
.....................................++
writing new private key to 'tutandroid.key'
Enter PEM pass phrase: rememberthiskeywillbetypein
Verifying - Enter PEM pass phrase: rememberthiskeywillbetypein
-----
===> Serial Number = 03
=========> Signing request for tutandroid
Using configuration from /usr/local/etc/ssl-admin/openssl.conf
Enter pass phrase for /usr/local/etc/ssl-admin/active/ca.key: ThisShouldBeLongToo
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'New Mexico'
localityName          :PRINTABLE:'Albuquerque'
organizationName      :PRINTABLE:'Lead Street Security'
commonName            :PRINTABLE:'tutandroid'
emailAddress          :IA5STRING:'webmaster@epijunkie.com'
Certificate is to be certified until Dec 27 23:39:33 2023 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
=========> Moving certificates and keys to /usr/local/etc/ssl-admin/active for production.
Can I move signing request (tutandroid.csr) to the csr directory for archiving? (y/n): ===> tutandroid.csr moved.

As with the OS X client, the Owner field identifies the device and doubles as the username. The passphrase is the one you will type on the device when importing the bundle below, so keep it unique to this client.

Create an Android keyfile bundle:

After creating the Android device's certificate you need to bundle the CA certificate, the device's certificate and the device's private key into one PKCS#12 file with the OpenSSL command line. To my knowledge Android won't import a CA certificate on its own, so you have to bundle it with keys it will accept; amusingly, OS X will not recognize a file bundled with all three.

# cd /usr/local/etc/ssl-admin/
# openssl pkcs12 -export -out tutandroid_android.p12 -in ./active/tutandroid.pem -inkey ./active/tutandroid.key -certfile /usr/local/etc/ssl-admin/active/ca.crt
Enter pass phrase for ./active/tutandroid.key: rememberthiskeywillbetypein
Enter Export Password: rememberthiskeywillbetypein
Verifying - Enter Export Password: rememberthiskeywillbetypein

 

Now create the Diffie-Hellman parameters:

This will take a while, especially with 4096 bits. For a frame of reference it took 55 minutes on a Xeon L5630 at 2.13 GHz; my openssl binary isn't threaded, so only one core was pegged for the duration of the build.

# cd /usr/local/etc/ssl-admin/
# ssl-admin
This program will walk you through requesting, signing,
organizing and revoking SSL certificates.

ssl-admin installed Sun Dec 29 16:02:41 MST 2013
OPTIONAL: I can't find your OpenVPN client config.  Please copy your config to
/usr/local/etc/ssl-admin/packages/client.ovpn

=====================================================
#                  SSL-ADMIN                        #
=====================================================
Please enter the menu option from the following list:
1) Update run-time options:
Key Duration (days): 3650
Current Serial #: 04
Key Size (bits): 4096
Intermediate CA Signing: NO
2) Create new Certificate Request
3) Sign a Certificate Request
4) Perform a one-step request/sign
5) Revoke a Certificate
6) Renew/Re-sign a past Certificate Request
7) View current Certificate Revokation List
8) View index information for certificate.
i) Generate a user config with in-line certifcates and keys.
z) Zip files for end user.
dh) Generate Diffie Hellman parameters.
CA) Create new Self-Signed CA certificate.
S) Create new Signed Server certificate.
q) Quit ssl-admin

Menu Item: dh
Generating DH parameters, 4096 bit long safe prime, generator 2
This is going to take a long time
................................................................................
.............................................................+..................
..............................................+.................................
................................................................................
<Lines Omitted>
......................................................+.........................
...............................................................+................
...+............................................................................
................................................................................
................................................................................
...............................+................................................
................................................................................
.........................................................+..........+...........
................................................................................
.....................................................................++*++*
Your Diffie Hellman parameters have been created.

 

Reconfigure FreeRADIUS to use the certificates:

Modify /usr/local/etc/raddb/eap.conf to point at the newly created CA certificate, server certificate, server key and DH parameters. Note that check_crl stays commented out: a certificate you revoke in ssl-admin will keep authenticating until you enable CRL checking (and, in FreeRADIUS 2, set CA_path to a c_rehash'ed directory containing the CA certificate and the CRL).

eap {
    default_eap_type = tls
    timer_expire     = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = 4096

    tls {
        certdir = /usr/local/etc/ssl-admin/active
        cadir = /usr/local/etc/ssl-admin/active
        private_key_password = ThisKeyMustMatchYourEAP.confFileOtherWiseItWontWork
        private_key_file = ${certdir}/wifiapname.key
        certificate_file = ${certdir}/wifiapname.pem
        CA_file = ${cadir}/ca.crt
        dh_file = /usr/local/etc/ssl-admin/dh4096.pem
        random_file = /dev/random
        #    check_crl = yes
        cipher_list = "HIGH"

        verify {
            tmpdir = /tmp/radiusd
            client = "/usr/local/bin/openssl verify -CAfile /usr/local/etc/ssl-admin/active/ca.crt %{TLS-Client-Cert-Filename}"
        } # Closes Verify
    } # Closes TLS
} # Closes EAP
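Before starting radiusd against this eap.conf it is worth confirming that the files it names actually belong together, since a key/certificate mismatch or a server certificate that does not chain to ca.crt only shows up as a failed TLS handshake later. The shell functions below are an added example, not part of the original post or of FreeRADIUS: they check that certificate_file and private_key_file share a public key, that the server certificate verifies against CA_file (the same openssl verify call the verify { } block above runs against each supplicant's certificate), and that dh_file parses. The paths, the key password and the wifiapname file names in the usage comment are taken from the post; the function names are my own, and the checks need only the openssl command line.

```shell
#!/bin/sh
# Added example: sanity-check the material named in eap.conf before going live.
# Only the openssl command line is required (the post uses OpenSSL 0.9.8y).

# cert_matches_key CERT KEY [PASSWORD]
# Returns 0 when the public key inside CERT equals the public half of KEY.
cert_matches_key() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null)
    # -passin is harmless for an unencrypted key and required for an encrypted one
    key_pub=$(openssl rsa -pubout -in "$2" -passin "pass:${3:-}" 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_chains_to_ca CERT CAFILE
# The same check FreeRADIUS runs on supplicant certificates via verify { client = ... }.
cert_chains_to_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# dh_params_ok DHFILE -> 0 when the DH parameter file parses and passes openssl's checks
dh_params_ok() {
    openssl dhparam -noout -check -in "$1" >/dev/null 2>&1
}

# check_eap_material CERT KEY CAFILE [PASSWORD] [DHFILE]
# Runs every check, reports each failure on stderr, exit status 0 only if all pass.
check_eap_material() {
    rc=0
    cert_matches_key "$1" "$2" "${4:-}" || { echo "key/certificate mismatch: $1 vs $2" >&2; rc=1; }
    cert_chains_to_ca "$1" "$3"       || { echo "certificate does not chain to $3" >&2; rc=1; }
    if [ -n "${5:-}" ]; then
        dh_params_ok "$5" || { echo "bad DH parameters in $5" >&2; rc=1; }
    fi
    return $rc
}

# Usage with the paths from eap.conf above (run on the RADIUS server):
#   check_eap_material /usr/local/etc/ssl-admin/active/wifiapname.pem \
#       /usr/local/etc/ssl-admin/active/wifiapname.key \
#       /usr/local/etc/ssl-admin/active/ca.crt \
#       'ThisKeyMustMatchYourEAP.confFileOtherWiseItWontWork' \
#       /usr/local/etc/ssl-admin/dh4096.pem
```

Run it as root or as the freeradius user so the private key is readable; a non-zero exit means radiusd -X will fail at the TLS stage for the reason printed.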

 

Cleaning up the permissions and files:

First we’re going to delete the modules that are insecure or not useful for this lightweight install. Then we’ll create a folder, /tmp/radiusd, where the certificate of each supplicant attempting to authenticate is stored temporarily during authentication (this is the tmpdir the verify block in eap.conf points at). Finally we fix permissions so that only the user freeradius can access the bulk of the certificates and eap.conf, which contains the server private key password in plain text.

# cd /usr/local/etc/raddb/modules/
# rm chap digest ldap krb5 mschap ntlm_auth pam passwd smbpasswd unix wimax
# mkdir /tmp/radiusd
# chown freeradius:freeradius /tmp/radiusd
# chmod -R 700 /tmp/radiusd
# chown -R freeradius:freeradius /usr/local/etc/ssl-admin/
# chmod -R 700 /usr/local/etc/ssl-admin/
# chown -R freeradius:freeradius /usr/local/etc/raddb/
# chmod -R 700 /usr/local/etc/raddb/
# chown -R freeradius:freeradius /usr/local/etc/raddb/eap.conf
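The chown/chmod steps above are easy to undo by accident (a package upgrade or a careless edit as root recreates files with default modes), so it helps to have a check that can be rerun. The functions below are an added example, not part of the original post: they walk a directory tree and report every file or directory that is not owned by the daemon user or that has any group/other permission bits set. The freeradius user and the three paths in the usage comment are the post's; the function names are my own. ls -ld is used instead of stat so the same script works on FreeBSD and Linux.

```shell
#!/bin/sh
# Added example (not from the original post): audit that a RADIUS config tree
# is readable only by the daemon user, mirroring the chown/chmod steps above.
# Every file and directory under ROOT must be owned by OWNER and carry no
# group or other permission bits.

# check_private_perms FILE OWNER -> 0 if private, 1 if exposed, 2 if missing
check_private_perms() {
    f=$1
    want=$2
    [ -e "$f" ] || { echo "missing: $f" >&2; return 2; }
    # ls -ld rather than stat, because stat's flags differ between FreeBSD (-f)
    # and GNU (-c); field 1 is the mode string and field 3 the owner name
    set -- $(ls -ld "$f")
    mode=$1
    owner=$3
    # characters 5-10 of the mode string are the group and other bits
    rest=$(printf '%s' "$mode" | cut -c5-10)
    rc=0
    if [ "$owner" != "$want" ]; then
        echo "wrong owner: $f is owned by $owner, expected $want" >&2
        rc=1
    fi
    if [ "$rest" != "------" ]; then
        echo "group/other access: $f ($mode)" >&2
        rc=1
    fi
    return $rc
}

# audit_tree ROOT OWNER -> prints the number of offending entries; status 0 only if none
audit_tree() {
    root=$1
    owner_wanted=$2
    bad=0
    # plain files and directories only; symlinks are skipped on purpose
    for entry in $(find "$root" \( -type f -o -type d \)); do
        check_private_perms "$entry" "$owner_wanted" || bad=$((bad + 1))
    done
    echo "$bad"
    [ "$bad" -eq 0 ]
}

# Usage on the server from the post, as root, after the chown/chmod steps:
#   audit_tree /usr/local/etc/raddb freeradius
#   audit_tree /usr/local/etc/ssl-admin freeradius
#   audit_tree /tmp/radiusd freeradius
```

The count printed by audit_tree makes it convenient to call from cron or a monitoring check; anything other than 0 means a file that should be private to freeradius is not.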

Configuring the Access Point:

I’d suggest using a router/AP capable of running DD-WRT. It’s a custom firmware that runs on many home/SOHO class routers and AP devices; yours may be supported. Below is a cropped screenshot of the Wireless > Wireless Security section for this tutorial’s wireless setup.

DD-WRT isn’t required but is known to work well with 802.1X wireless access. The stock Netgear firmware on my AP allowed this to work as well, but I’m typically not one to keep things stock.

2013-12-23 00_46_40-DD-WRT (build 22118) - Wireless Security

Now to start the freeradius daemon in debug mode to check for errors:

# radiusd -X
radiusd: FreeRADIUS Version 2.2.2, for host amd64-portbld-freebsd9.2, built on Dec 22 2013 at 11:45:21
Copyright (C) 1999-2013 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/cache
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/dhcp_sqlippool
including configuration file /usr/local/etc/raddb/sql/mysql/ippool-dhcp.conf
including configuration file /usr/local/etc/raddb/modules/dynamic_clients
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/opendirectory
including configuration file /usr/local/etc/raddb/modules/perl
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/radrelay
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/redis
including configuration file /usr/local/etc/raddb/modules/rediswho
including configuration file /usr/local/etc/raddb/modules/replicate
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/soh
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/wifiapname
main {
        user = "freeradius"
        group = "freeradius"
        allow_core_dumps = no
}
including dictionary file /usr/local/etc/raddb/dictionary
main {
        name = "radiusd"
        prefix = "/usr/local"
        localstatedir = "/var"
        sbindir = "/usr/local/sbin"
        logdir = "/var/log"
        run_dir = "/var/run/radiusd"
        libdir = "/usr/local/lib/freeradius-2.2.2"
        radacctdir = "/var/log/radacct"
        hostname_lookups = no
        max_request_time = 30
        cleanup_delay = 5
        max_requests = 1024
        pidfile = "/var/run/radiusd/radiusd.pid"
        checkrad = "/usr/local/sbin/checkrad"
        debug_level = 0
        proxy_requests = no
 log {
        stripped_names = no
        auth = yes
        auth_badpass = no
        auth_goodpass = no
 }
 security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
 }
}
radiusd: #### Loading Realms and Home Servers ####
radiusd: #### Loading Clients ####
 client wifiapname {
        ipaddr = 10.0.0.2
        require_message_authenticator = yes
        secret = "MakeThisRandomStringLongAsItWillNeverBeNeededToTypedIn.IfUsingDDWRTTheMaxLengthIs79Characters"
        nastype = "other"
 }
radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating module "exec" from file /usr/local/etc/raddb/modules/exec
  exec {
        wait = no
        input_pairs = "request"
        shell_escape = yes
        timeout = 10
  }
 Module: Linked to module rlm_expr
 Module: Instantiating module "expr" from file /usr/local/etc/raddb/modules/expr
 Module: Linked to module rlm_expiration
 Module: Instantiating module "expiration" from file /usr/local/etc/raddb/modules/expiration
  expiration {
        reply-message = "Password Has Expired  "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating module "logintime" from file /usr/local/etc/raddb/modules/logintime
  logintime {
        reply-message = "You are calling outside your allowed timespan  "
        minimum-timeout = 60
  }
 }
radiusd: #### Loading Virtual Servers ####
server { # from file /usr/local/etc/raddb/radiusd.conf
 modules {
  Module: Creating Post-Auth-Type = REJECT
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_eap
 Module: Instantiating module "eap" from file /usr/local/etc/raddb/eap.conf
  eap {
        default_eap_type = "tls"
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = 4096
  }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
        rsa_key_exchange = no
        dh_key_exchange = yes
        rsa_key_length = 512
        dh_key_length = 512
        verify_depth = 0
        pem_file_type = yes
        private_key_file = "/usr/local/etc/ssl-admin/active/wifiapname.key"
        certificate_file = "/usr/local/etc/ssl-admin/active/wifiapname.crt"
        CA_file = "/usr/local/etc/ssl-admin/active/ca.crt"
        private_key_password = "ThisKeyMustMatchYourEAP.confFileOtherWiseItWontWork"
        dh_file = "/usr/local/etc/ssl-admin/dh4096.pem"
        random_file = "/dev/random"
        fragment_size = 1024
        include_length = yes
        check_crl = no
        cipher_list = "HIGH"
    verify {
        tmpdir = "/tmp/radiusd"
        client = "/usr/local/bin/openssl verify -CAfile /usr/local/etc/ssl-admin/active/ca.crt %{TLS-Client-Cert-Filename}"
    }
   }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating module "preprocess" from file /usr/local/etc/raddb/modules/preprocess
  preprocess {
        huntgroups = "/usr/local/etc/raddb/huntgroups"
        hints = "/usr/local/etc/raddb/hints"
        with_ascend_hack = no
        ascend_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
        with_alvarion_vsa_hack = no
  }
reading pairlist file /usr/local/etc/raddb/huntgroups
reading pairlist file /usr/local/etc/raddb/hints
 Module: Linked to module rlm_detail
 Module: Instantiating module "auth_log" from file /usr/local/etc/raddb/modules/detail.log
  detail auth_log {
        detailfile = "/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
        header = "%t"
        detailperm = 384
        dirperm = 493
        locking = no
        log_packet_header = no
  }
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating module "acct_unique" from file /usr/local/etc/raddb/modules/acct_unique
  acct_unique {
        key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port"
  }
 Module: Linked to module rlm_realm
 Module: Instantiating module "suffix" from file /usr/local/etc/raddb/modules/realm
  realm suffix {
        format = "suffix"
        delimiter = "@"
        ignore_default = no
        ignore_null = no
  }
 Module: Linked to module rlm_files
 Module: Instantiating module "files" from file /usr/local/etc/raddb/modules/files
  files {
        usersfile = "/usr/local/etc/raddb/users"
        acctusersfile = "/usr/local/etc/raddb/acct_users"
        preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
        compat = "no"
  }
reading pairlist file /usr/local/etc/raddb/users
reading pairlist file /usr/local/etc/raddb/acct_users
reading pairlist file /usr/local/etc/raddb/preproxy_users
 Module: Checking session {...} for more modules to load
 Module: Linked to module rlm_radutmp
 Module: Instantiating module "radutmp" from file /usr/local/etc/raddb/modules/radutmp
  radutmp {
        filename = "/var/log/radutmp"
        username = "%{User-Name}"
        case_sensitive = yes
        check_with_nas = yes
        perm = 384
        callerid = yes
  }
 Module: Checking post-auth {...} for more modules to load
 Module: Linked to module rlm_attr_filter
 Module: Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/modules/attr_filter
  attr_filter attr_filter.access_reject {
        attrsfile = "/usr/local/etc/raddb/attrs.access_reject"
        key = "%{User-Name}"
        relaxed = no
  }
reading pairlist file /usr/local/etc/raddb/attrs.access_reject
 } # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
        type = "auth"
        ipaddr = 10.0.0.254
        port = 0
}
Listening on authentication address 10.0.0.254 port 1812
Ready to process requests.

This last line is the most important. If you see this, you have a running radius authentication server. At this point, all the configuration files are probably correct.

 

Configuring an OS X client:

You’ll need to transfer the certificate files to a USB device to install them on the OS X client: /usr/local/etc/ssl-admin/tutmac_bundle.p12 and /usr/local/etc/ssl-admin/active/ca.crt. You’ll also need the password for the tutmac private key. That private key is bundled with the public key in the .p12 file above; we used openssl directly to convert that file just after creating the certificate.

The first thing you’ll need to install is the CA public certificate (ca.crt); this is done by double-clicking the file. A prompt similar to the one below will come up. Make sure to select System.

Screen Shot 2013-12-29 at 9.27.20 PM

After you click Add you’ll need to Always Trust this CA.

Screen Shot 2013-12-29 at 9.27.31 PM

After it’s imported you can check its status with the Keychain Access application under Utilities; it should show the newly imported and trusted CA.

Screen Shot 2013-12-29 at 9.28.51 PM

Next import the key bundle (both the private and public keys for the client). The reason you need both is so the client can hand the public key to the authentication server when initializing the connection. Make sure to select login before adding.

Screen Shot 2013-12-29 at 9.29.01 PM

You will be prompted for the password to access the private key.

Screen Shot 2013-12-29 at 9.29.32 PM

You won’t be prompted to trust these bundled certificates because the CA is already trusted on the system, so they are trusted by extension.

Screen Shot 2013-12-29 at 9.29.47 PM

Now we can open System Preferences > Network and connect to the AP.

Screen Shot 2013-12-29 at 9.57.49 PM

In the drop-down menu for Mode select EAP-TLS, under Identity select the certificate tutmac, and under Username put the Owner name as prompted by the ssl-admin utility, in this case tutmac. I’d also suggest checking Remember this network and Always Allow using the credentials selected.

Screen Shot 2013-12-29 at 9.42.18 PM

You’re now connected!

Screen Shot 2013-12-29 at 8.32.52 PM

If you switch over to your terminal with the radiusd -X still running in debug mode you should get something like this:

...
<Lines Pruned>
...
[tls] eaptls_verify returned 3
[tls] eaptls_process returned 3
[tls] Adding user data to cached session
[eap] Freeing handler
++[eap] = ok
+} # group authenticate = ok
Login OK: [tutmac] (from client wifiapname port 1 cli 20-C9-D0-00-00-00)
# Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/wifiapname
+group post-auth {
++[exec] = noop
+} # group post-auth = noop
Sending Access-Accept of id 149 to 10.0.0.2 port 43734
        MS-MPPE-Recv-Key = 0xb2a059c817c2154e7d98b687f60fbd6e4bc570f0677271636502e84a662088e8
        MS-MPPE-Send-Key = 0x559487ef5297f942794561c1177f5b3c0d4e5e8fc782ca181afc681444447ce1
        EAP-Message = 0x03e60004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "tutmac"
Finished request 10.
Going to the next request
Waking up in 2.0 seconds.
Cleaning up request 0 ID 139 with timestamp +23
Cleaning up request 1 ID 140 with timestamp +24
Cleaning up request 2 ID 141 with timestamp +24
Cleaning up request 3 ID 142 with timestamp +24
Cleaning up request 4 ID 143 with timestamp +24
Cleaning up request 5 ID 144 with timestamp +24
Waking up in 2.8 seconds.
Cleaning up request 6 ID 145 with timestamp +26
Cleaning up request 7 ID 146 with timestamp +26
Cleaning up request 8 ID 147 with timestamp +26
Cleaning up request 9 ID 148 with timestamp +26
Cleaning up request 10 ID 149 with timestamp +26
Ready to process requests.

Configuring an Android client:

First you’ll need to copy the /usr/local/etc/ssl-admin/tutandroid_android.p12 file to the root of the internal SD card. The method depends on which version of Android the device runs, but for starters you’ll probably want to connect the USB cable to the port; typically a notification will show up at the top telling you how to proceed. After that you’ll need to secure the device in some way, because its storage will need protection to keep the private key safe. Android will prompt you if the method you’re using on the device is insufficient.

Then you’ll need to install the certificate; you’ll do this by going to Settings > Security > Install from storage:

Screenshot_2013-12-29-17-35-39

Screenshot_2013-12-29-17-36-10

You’ll then be prompted to type in the password for the Android private key (rememberthiskeywillbetypein).

Screenshot_2013-12-29-22-52-18

You’ll then be prompted to give the certificates a name; I use the default with no issue. You might notice that three certificates are being installed here: this .p12 was bundled with the CA certificate as well as the public and private keys for the client.

Screenshot_2013-12-29-22-52-26

You can now connect to the network.

Screenshot_2013-12-29-22-53-13

Select the certificates and type in the Owner name as prompted by the ssl-admin utility, in this case tutandroid.

Screenshot_2013-12-29-22-53-59

Tada!

Screenshot_2013-12-29-22-54-06

If you switch over to your terminal with the radiusd -X still running in debug mode you should get something like this:

...
<Lines Pruned>
...
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake is finished
[tls] eaptls_verify returned 3
[tls] eaptls_process returned 3
[tls] Adding user data to cached session
[eap] Freeing handler
++[eap] = ok
+} # group authenticate = ok
Login OK: [tutandroid] (from client wifiapname port 1 cli 60-BE-B5-00-00-00)
# Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/wifiapname
+group post-auth {
++[exec] = noop
+} # group post-auth = noop
Sending Access-Accept of id 187 to 10.0.0.2 port 43734
        MS-MPPE-Recv-Key = 0x5e0b565b73c734b067ab090c21cff2ec11a3e0186f5f217d097fa1c5ae213e59
        MS-MPPE-Send-Key = 0xcb5989c431316692ae4d6e083393281a40f32829116113c940e0772c7b77e0a3
        EAP-Message = 0x03b30004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "tutandroid"
Finished request 37.
Going to the next request
Waking up in 4.6 seconds.
Cleaning up request 28 ID 178 with timestamp +5011
Cleaning up request 29 ID 179 with timestamp +5011
Cleaning up request 30 ID 180 with timestamp +5011
Cleaning up request 31 ID 181 with timestamp +5011
Cleaning up request 32 ID 182 with timestamp +5011
Cleaning up request 33 ID 183 with timestamp +5011
Waking up in 0.2 seconds.
Cleaning up request 34 ID 184 with timestamp +5011
Cleaning up request 35 ID 185 with timestamp +5011
Cleaning up request 36 ID 186 with timestamp +5011
Cleaning up request 37 ID 187 with timestamp +5011
Ready to process requests.
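Both debug transcripts above end with a Login OK line that names the accepted identity, the NAS (wifiapname) and the calling station's MAC address. Once radiusd is running as a daemon those lines go to the auth log rather than the terminal, and they are the simplest place to watch for trouble. The functions below are an added example, not part of the post or of FreeRADIUS: summarise_auth reduces a transcript or log to one line per accept/reject, and shared_identities lists any certificate identity that was accepted from more than one MAC, which is the first sign to look for if a .p12 bundle has ended up on a device it was not issued to. The sample log lines written by write_sample_log are constructed to match the format of the transcripts above (the reject line imitates the Login incorrect format); the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): summarise FreeRADIUS 2.x
# authentication results and flag identities seen from more than one MAC.

# write_sample_log FILE -- constructed lines in the format of the transcripts above
write_sample_log() {
    cat > "$1" <<'EOF'
[tls] eaptls_process returned 3
Login OK: [tutmac] (from client wifiapname port 1 cli 20-C9-D0-00-00-00)
Sending Access-Accept of id 149 to 10.0.0.2 port 43734
Login OK: [tutandroid] (from client wifiapname port 1 cli 60-BE-B5-00-00-00)
Login incorrect (TLS Alert read:fatal:unknown CA): [stranger] (from client wifiapname port 1 cli AA-BB-CC-00-00-00)
Login OK: [tutmac] (from client wifiapname port 1 cli AA-BB-CC-00-00-00)
EOF
}

# summarise_auth FILE -> one "RESULT user nas mac" line per accept/reject, in log order
summarise_auth() {
    sed -n \
        -e 's/^Login OK: \[\([^]]*\)] (from client \([^ ]*\) port [0-9]* cli \([^)]*\)).*/OK \1 \2 \3/p' \
        -e 's/^Login incorrect.*: \[\([^]]*\)] (from client \([^ ]*\) port [0-9]* cli \([^)]*\)).*/REJECT \1 \2 \3/p' \
        "$1"
}

# shared_identities FILE -> identities accepted from more than one MAC, sorted, one per line
shared_identities() {
    summarise_auth "$1" | awk '
        $1 == "OK" { pair[$2 " " $4] = 1 }
        END {
            # count distinct MACs per identity, then report those with more than one
            for (p in pair) { split(p, f, " "); macs[f[1]]++ }
            for (u in macs) if (macs[u] > 1) print u
        }' | sort
}

# Usage against a saved "radiusd -X" transcript or the auth log:
#   summarise_auth radiusd-debug.txt
#   shared_identities radiusd-debug.txt
```

A MAC can be set freely by the client, so this is a hint rather than proof; what it does reliably show is that the same client certificate is being presented from two places, which is the question worth asking before revoking it.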

At this point you can safely assume that the certificates work, as does the daemon. You can terminate the debug mode of radiusd by sending a SIGINT with Ctrl + C.

You can now start the daemon manually by using this command:

# /usr/local/etc/rc.d/radiusd start
Starting radiusd.

If you want to enable freeradius to start on boot run this once:

# echo 'radiusd_enable="YES"' >> /etc/rc.conf

This simple command appends the line radiusd_enable="YES" to the file rc.conf in /etc.

 

To Recapitulate:

We first started this by installing FreeBSD on some machine. We configured FreeBSD with a manual IP address and made sure to install the ports tree on installation. Once FreeBSD booted, we updated the time and installed freeradius2 from the ports tree. We then configured freeradius2, pruning insecure modules in the configuration files and further editing the files to reflect our environment. We then installed ssl-admin from the ports tree and configured it. We created a self-signed Certificate Authority, a server certificate, and two client certificates. We then finished the configuration of freeradius2 by updating the eap.conf file with the correct certificate file names and paths. Then we deleted the unnecessary modules for freeradius2 and fixed the permissions of the files for freeradius2 and ssl-admin. Some of the permissions we set limit access solely to the user freeradius, the user name under which the daemon runs. We then configured the wireless access point to send authentication requests to the appropriate authentication server’s IP and port using the correct shared secret. We then started the freeradius2 daemon in debug mode so that we could see any errors in the terminal. We then configured the OS X and Android clients and connected them to the network. Both were successful; we then terminated the daemon running in debug mode and started it from the rc.d script. We also configured the freeradius2 daemon to start on boot by editing rc.conf.

 

Where to go from here:

From here I would suggest looking into locking down FreeBSD. I’d start by creating a firewall that only allows traffic to ntp.org, the access point, and one PC for ssh access. I would also turn off root access via ssh. I would disable logins with the freeradius user account to further protect the private key files, to which only root and freeradius have access. I’d also suggest backing up the certificates to an offline encrypted storage device.

Even though it’s not covered in this guide, it’s possible to honor certificate revocation with freeradius2, and also to deauthenticate users currently connected to the network whose certificates were just revoked, without power cycling the AP.

There are two more things I’d consider for this setup. One would be installing FreeBSD onto a Raspberry Pi and piggybacking the rPi onto the AP. Many APs have USB ports which could supply power, and even more APs have mounting slots which would make it simple to attach the rPi to the AP. The other is using FreeBSD 10.0 (currently at RC3), which out of the box supports GELI encryption under a ZFS rpool install.

 

Sources:

In addition to all the links above, I’d suggest reading the various links below as well. I have used most of these links during my implementation; some were read after I got it working to further my own knowledge.

Wifi Cracking:

SG :: How To Crack WEP and WPA Wireless Networks

AirCrack-NG.org – Tutorial: How to Crack WPA/WPA2 

coWPAtty – Attacking WPA/WPA2-PSK Exchanges

Tom’s Hardware – Harden Up: Can We Break Your Password With Our GPUs?

Tom’s Hardware – Wi-Fi Security: Cracking WPA With CPUs, GPUs, And The Cloud

WPA2 PSK:

Wikipedia.org – IEEE 802.11i-2004 – The Four-Way Handshake

Pyrit – The twilight of Wi-Fi Protected Access

Tech Net – The Cable Guy – Wi-Fi Protected Access Data Encryption and Integrity

EAP-TLS:

Area536.com – The toughest WiFi on the block

A Threat Analysis of The Extensible Authentication Protocol by Lei Han on April, 2006 at Carleton University

Cubic – Setting up WPA2-Enterprise + AES with Ubuntu 12.04.2 + FreeRADIUS with EAP-TLS only

Certificates:

SSL: Who do you trust?

Validating a Certificate Path with OpenSSL

Dan Langille’s Other Diary – ssl-admin

Sébastien Wains – Importing certificates on Android (CA and client)

Reference documents: Requests for Comments (RFCs), Institute of Electrical and Electronics Engineers (IEEE) standards, and man pages:

RFC-5216 – EAP-TLS

RFC 3748 – Extensible Authentication Protocol

RFC 5280 – X.509 PKI and CRL

IEEE 802.1X-2010

man ssl-admin

Direct Quotes:

[1] OS News – FreeBSD Week: Migrating from Linux to FreeBSD

Versions used:

I include this section in case you have any problems and can’t seem to get around them. You can track down these versions and try it from that basis.

  • FreeBSD 9.2 AMD64
  • OpenSSL 0.9.8y 5 Feb 2013
  • FreeRADIUS 2.2.0
  • gmake-3.82_1
  • autoconf-2.69
  • libtool-2.4.2_2
  • gdbm-1.10
  • libltdl-2.4.2_2
  • perl5-5.16.3_4
  • m4-1.4.17,1
  • help2man-1.43.3_1
  • autoconf-wrapper-20131203
  • zip-3.0
  • ssl-admin-1.1.0
  • DD-WRT v24-sp2 (07/24/13) std – build 22118

UPS fire and subsequent collateral.

So recently I lost my NFS datastore yet again (2nd time.) This last time was due to a UPS catching fire as I was about to leave for a bike ride. Thankfully I hung around the house a bit longer than planned and was in ear-shot when the UPS board caught fire. Needless to say I panicked and started ripping power cords from the UPS without a proper shutdown on anything. My concern at the time was getting the UPS outside the house and onto concrete before something drastic happened such as a battery explosion or fire spreading to the wood floors.

Ripping the power cords out caused some sort of software issue that I haven’t been able to recover from. ZFS scrubbing yields no errors, but mounting the encrypted volume causes an instant kernel panic followed by a dump and reboot. This issue has only shown up on the NFS datastore and not the primary datastore, so I imagine it has to do with an improper disconnect of the NFS share.

This being the second time I’ve lost all my play and study virtual machines, I am a bit pissed. I will say this is my fault as I haven’t been keeping backups of the VMs in any capacity. I’ve decided to have another go at iSCSI even though there are several aspects of it I don’t particularly care for. Such as iSCSI needing to claim a size for the zvol, difficult future expansion, and the exclusive access to just one machine at a time.


NAS v3

This is the 3rd revision of my home server setup. I’ve sold or am in the process of selling the remainder of every part from version 2.x. The only thing that remains is the data that’s been transferred to the new drives.

The first curious thing you may notice is I bought used WD Red drives. I bought them on Amazon.com. I bought them used because after reading the reviews on NewEgg.com, there seemed to be a lot of DOA and early failures. I figured by buying used they would have already failed on the previous owners. Also they were about $15/drive cheaper. At any rate ZFS will keep the data safe if there’s a failure at this point.

Currently I have the Dell running an ESXi hypervisor. Among the VMs running are pfSense acting as the WAN router, a Solaris 11 instance acting as the data storage server, and a fair number of VMs for playing. The Solaris instance utilizes the LSI non-RAID HBA card and the SAS 12x expansion box. Currently only 8 of the 12 drive bays are being used: 6x drives for the RAIDZ2 array, 2x drives for the datastore, 2x drives for an offsite backup for a friend’s data, and 1x drive as a cold spare.

For future expansion I plan on purchasing 6x more Red drives, an iStarUSA 1U SAS Expansion box that has 4x 3.5″ Bays with a single SFF-8088 port, and 2x Western Digital 4TB Enterprise drives to replace the 2TB consumer drives. The iStarUSA SAS box will house the datastore array drives and an offsite backup array for a friend. The enterprise drives are meant to give better IO performance for the NFS datastore and the Red drives will give another 11TB of double parity data.

That’s all for now. In the near future I’ll be making a post with my rack setup.


WordPress theme changed on EpiJunkie… again.

Also this is my 200th post.


How to access files on Solaris 11.1 through Apple Filing Protocol (AFP or AppleTalk)

Purpose:
This guide shows how to compile netatalk (3.x series) from source so that you can access files stored on a Solaris 11.1 machine.

Starting Point:
This guide assumes you have at least a text install of Solaris 11.1 and 7GB+ of free space before starting. Sounds ridiculous, I know, but Solaris does make a backup copy of the boot environment.

How to:
First you’ll need to install various packages to build anything from source. While this command below can be trimmed down, this is the base I use for my source installs on Solaris 11.1.

$ pfexec pkg install developer-gnu gcc-dev base-libs mc gcc-3 stdcxx gdbm cmake pkg5 gettext autoconf automake-19 gnu-binutils gnu-gettext gnu-m4 gperf libtool autogen lua cvs git developer/gnu header-hotplug makedepend header-storage storage-nas storage-server auto-install auto-install-common libevent libnet patchutils system/header libtool

After everything installs you should see a screen similar to this:

           Packages to install: 184
           Mediators to change:   1
       Create boot environment:  No
Create backup boot environment: Yes
            Services to change:  11

DOWNLOAD                                PKGS         FILES    XFER (MB)   SPEED
Completed                            184/184   35905/35905  487.8/487.8    0B/s

PHASE                                          ITEMS
Installing new actions                   45462/45462
Updating package state database                 Done 
Updating image state                            Done 
Creating fast lookup database                   Done 

There shouldn’t be any errors. I’ve done this twice, once on a fresh install and another on a dirtier install. Next you’ll need to download Netatalk 3.x.

Once you have the source, untar netatalk and change directory. Issue the commands as seen below, in order, and continue only if you don’t have errors.

$ ./configure --with-init-style=solaris
$ gmake
$ sudo gmake install

After a bit of waiting for those to compile and install, you are ready to configure the server. With Netatalk 3.0 you only have to edit one file to get it running; a sample is given below under Sample Configuration.

# nano /usr/local/etc/afp.conf

Now that’s done, you’ll need to start the new netatalk service and enable a couple other services so your AFP server shows up on the network.

# svcadm enable multicast
# svcadm enable svc:/system/avahi-bridge-dsd:default
# svcadm enable netatalk

Sample Configuration:

;
; Netatalk 3.x configuration file
;

;
; See here for more configuration options.
; http://netatalk.sourceforge.net/3.0/htmldocs/afp.conf.5.html
;

[Global]
hostname = EpiJunkie's Site
mimic model = RackMac

[ZFS]
path = /ZFS
login message = "This message will display once you log on."
appledouble = ea
valid users = gullibleAdmin @smartguys
invalid users = badGuys

[Homes]
basedir regex = /home
appledouble = ea

[Media]
path = /media

Comments:
This is far easier than in previous versions of netatalk and Solaris. It actually seems pretty trivial to have written this guide, but I hope it helps a few people. It seems there’s been an explosion of people doing ridiculous NAS builds, myself included, some based on the less-than-popular Solaris platform.

Version Used:
Netatalk 3.0.3
Solaris 11.1 text only install
Mac OSX 10.8
