8.6. WiFi EAP Demo with Raspberry Pi3

8.6.1. Prerequisites

  • Raspberry Pi3 with Raspbian OS installed.

  • Ubuntu machine to run FreeRADIUS

  • Access point (WPA/WPA2 Enterprise capable)

8.6.2. Introduction

The image below shows the WiFi EAP demo setup.

[Image: WiFi EAP demo setup, ../../_images/wifiEAP.jpg]

8.6.3. Setting up Access point

  1. Connect the access point (WPA/WPA2 Enterprise capable) and the Linux machine over an Ethernet cable.

  2. Log in to the access point.

  3. Under wireless settings, change the security mode to WPA/WPA2 Enterprise and enter the IP address of the Ubuntu machine as the RADIUS Server IP.

  4. Set the RADIUS Server Port to 1812.

  5. Enter any password in the RADIUS Server password field; this is the shared secret used in the next section.

8.6.4. Setting up the FreeRADIUS Server on Ubuntu

  1. Install the FreeRADIUS server on the Ubuntu machine.

    sudo apt-get install freeradius

    FreeRADIUS is installed at /etc/freeradius

  2. Now add the access point IP address and the RADIUS password to the client configuration file /etc/freeradius/clients.conf

    For freeradius 2.2.8 add:
        client 192.168.2.1/16 {
            secret      = <radius server password mentioned in previous section>
            shortname   = <Any short name>
        }
    
    For freeradius 3.0 add:
        client router {
            ipaddr      = 192.168.2.1
            secret      = <radius server password mentioned in previous section>
        }
    
  3. Generate the client and server keys. Scripts to generate keys and certificates are available in the FreeRADIUS source code:

    git clone https://github.com/FreeRADIUS/freeradius-server.git
    cd freeradius-server
    
  4. Add the client email address and common name in /freeradius-server/raddb/certs/client.cnf

    [Image: user entry in client.cnf, ../../_images/user_in_client_conf.jpg]

  5. Execute the bootstrap script at /freeradius-server/raddb/certs

    ./bootstrap
    
  6. Keys and certificates are generated in the folder /freeradius-server/raddb/certs

  7. Copy the root CA certificate, server key, server certificate and DH parameters to the installed FreeRADIUS path

    cp /freeradius-server/raddb/certs/ca.pem /etc/freeradius/certs/
    cp /freeradius-server/raddb/certs/server.key /etc/freeradius/certs/
    cp /freeradius-server/raddb/certs/server.pem /etc/freeradius/certs/
    cp /freeradius-server/raddb/certs/dh /etc/freeradius/certs/
    
  8. Add the client details to the user configuration file. The Reply-Message line is a reply item and must be indented under the user line.

    For freeradius 2.2.8, add the details to the /etc/freeradius/users file
    
        <user_name> Cleartext-Password := "<user_password>"
                Reply-Message = "<message>"
    
    
    For freeradius 3.0, add the details to the /etc/freeradius/mods-config/files/authorize file
    
        <user_name> Auth-Type := Accept, Cleartext-Password := "<user_password>"
                Reply-Message = "<message>"
    
  9. Make the following changes to the FreeRADIUS EAP configuration file:

    For freeradius 2.2.8 - /etc/freeradius/eap.conf.

    For freeradius 3.0 - /etc/freeradius/mods-available/eap.

        @@ -199,6 +199,7 @@ eap {
            #  *one* CA certificate.
            #
            # ca_file = /etc/ssl/certs/ca-certificates.crt
    +       ca_file = /etc/freeradius/3.0/certs/ca.pem
    
            #  OpenSSL will automatically create certificate chains,
            #  unless we tell it to not do that.  The problem is that
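    Review bot: the added `ca_file = /etc/freeradius/3.0/certs/ca.pem` does not match step 7, which copies ca.pem to /etc/freeradius/certs/; the server will fail to load the CA unless the two paths agree. On Ubuntu the freeradius 3.0 package keeps its configuration under /etc/freeradius/3.0/, so either copy the certificates there or point this line at /etc/freeradius/certs/ca.pem. Keep the commented-out default (/etc/ssl/certs/ca-certificates.crt) commented out: as the surrounding comment says, this should be *one* CA certificate, and the system bundle would make every public CA an acceptable issuer of EAP client certificates.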
    @@ -498,7 +499,7 @@ eap {
                #
                #  You should also delete all of the files
                #  in the directory when the server starts.
    -   #       tmpdir = /tmp/radiusd
    +           tmpdir = /tmp/radiusd
    
                #  The command used to verify the client cert.
                #  We recommend using the OpenSSL command-line
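    Review bot: enabling `tmpdir = /tmp/radiusd` only works if that exact directory exists; step 10 as written runs `mkdir tmp/radiusd` (relative path, no leading slash), so the directory is created in the current working directory instead. Create /tmp/radiusd and chown it to freerad. Since the comment in this hunk notes the directory receives client certificates and should be cleaned on startup, keep it owned by freerad with mode 0700 rather than relying on the default /tmp permissions.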
    @@ -703,7 +704,8 @@ eap {
            # client certificate with EAP-TTLS, so this option is unlikely
            # to be usable for most people.
            #
    -   #   require_client_cert = yes
    +       EAP-TLS-Require-Client-Cert = Yes
    +       require_client_cert = yes
        }
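    Review bot: `EAP-TLS-Require-Client-Cert = Yes` is the name of a RADIUS control attribute (normally set per user in the users/authorize file as `EAP-TLS-Require-Client-Cert := Yes`), not a configuration directive of the eap module, so this added line is not what enforces the client certificate; `require_client_cert = yes` on the following line is the directive the module reads. Drop the first added line or move it to the users file, then confirm in `freeradius -X` output that a TTLS session without a client certificate is rejected. The hunk's own comment says the option is unusual for EAP-TTLS; for this demo that is the intent, because the client key held in the secure element is what is being demonstrated.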
    
  10. Create a radiusd directory in /tmp and assign ownership to the freerad user

    sudo mkdir /tmp/radiusd
    sudo chown freerad:freerad /tmp/radiusd
    
  11. Start the FreeRADIUS server in debug mode:

    sudo freeradius -X
    

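As an added check that is not part of the Plug & Trust documentation or of FreeRADIUS itself, the POSIX sh script below audits a clients.conf in the form used in step 2 above. It flags two things a reviewer would question in the demo entries: a shared secret that is short or is the well-known FreeRADIUS default testing123, and a client netmask wider than a single host (the demo's `client 192.168.2.1/16` lets every host in 192.168.0.0/16 talk to the server with that secret, not only the access point). The sample clients.conf, its secrets and the 16-character minimum are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the Plug & Trust documentation: audit a FreeRADIUS
# clients.conf for weak shared secrets and over-wide client netmasks.
# Uses only POSIX sh and awk, so it runs on the Ubuntu RADIUS host as-is.

# Constructed sample, modelled on the demo entries (secrets are made up).
SAMPLE_CLIENTS_CONF=$(cat <<'EOF'
client localhost {
    ipaddr      = 127.0.0.1
    secret      = testing123
    shortname   = localhost
}
client 192.168.2.1/16 {
    secret      = radpass
    shortname   = ap
}
client router {
    ipaddr      = 192.168.2.1
    secret      = 7Qy!v2pL9mXw#Rt4kZb8
}
EOF
)

# Minimum secret length enforced by this audit (an assumption for the example).
MIN_SECRET_LEN=16

# audit_clients_conf <clients.conf text>
# Prints one finding per line as "<client>: <problem>" and returns the number
# of findings as its exit status (0 means the file passed every check).
audit_clients_conf() {
    printf '%s\n' "$1" | awk -v minlen="$MIN_SECRET_LEN" '
        BEGIN { n = 0; name = "" }
        # Start of a client block: "client <name-or-cidr> {"
        /^[ \t]*client[ \t]+[^ \t{]+[ \t]*\{/ {
            name = $2; sub(/\{.*/, "", name)
            secret = ""; ipaddr = ""
            next
        }
        /^[ \t]*secret[ \t]*=/ { sub(/^[ \t]*secret[ \t]*=[ \t]*/, ""); secret = $0 }
        /^[ \t]*ipaddr[ \t]*=/ { sub(/^[ \t]*ipaddr[ \t]*=[ \t]*/, ""); ipaddr = $0 }
        # End of the block: evaluate what was collected.
        /^[ \t]*\}/ && name != "" {
            if (secret == "testing123") {
                print name ": secret is the FreeRADIUS default \"testing123\""; n++
            } else if (length(secret) < minlen) {
                print name ": secret is only " length(secret) " characters (want >= " minlen ")"; n++
            }
            # A CIDR suffix narrower than /32 on the name or ipaddr admits more
            # than one host; a single access point should be /32 (or no mask).
            target = (ipaddr != "") ? ipaddr : name
            if (match(target, /\/[0-9]+$/)) {
                bits = substr(target, RSTART + 1) + 0
                if (bits < 32) {
                    print name ": netmask /" bits " covers more than one host; use /32 for a single access point"; n++
                }
            }
            name = ""
        }
        END { exit n }
    '
}

# Running the script directly audits the constructed sample; the exit status
# of the function is the number of findings.
audit_clients_conf "$SAMPLE_CLIENTS_CONF" || printf '%s finding(s)\n' "$?"
```

To audit the live file, replace the sample with `"$(cat /etc/freeradius/clients.conf)"` (or the 3.0 path on newer Ubuntu); the function exits non-zero whenever it prints a finding, so it can gate a deployment script.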
8.6.5. Setting up Raspberry Pi3

  1. Copy the Plug and Trust middleware package to the Raspberry Pi3 at the /home/pi location

  2. Modify the OpenSSL engine id to pkcs11 in the OpenSSL engine header file ax_embSeEngine.h.

    Location: simw-top/sss/plugin/openssl/engine/inc/ax_embSeEngine.h

  3. Build the OpenSSL engine

    cd simw-top
    python scripts/create_cmake_projects.py
    cd ../simw-top_build/raspbian_native_se050_t1oi2c
    make install
    ldconfig /usr/local/lib
    
  4. Copy the client key (client.key), client certificate (client.crt) and root CA certificate (ca.pem) from the Ubuntu machine (freeradius-server/raddb/certs/) to the Raspberry Pi at /home/pi/wifiEAP

  5. Refer to the CLI Tool section for ssscli tool setup. Using the ssscli tool, inject the client key into the secure element and create a reference PEM file for it:

    cd /home/pi/wifiEAP
    openssl rsa -in client.key -out client.pem
    ssscli connect se05x t1oi2c none
    ssscli set rsa pair 0x1234 client.pem
    ssscli refpem rsa pair 0x1234 client_ref.pem
    
  6. Add the following network configuration to the wpa_supplicant.conf file (/etc/wpa_supplicant)

    pkcs11_engine_path=/usr/local/lib/libsss_engine.so
    pkcs11_module_path=/usr/local/lib/libsss_engine.so
    
    network={
        ssid="<SSID>"
        priority=1
        engine=1
        key_mgmt=WPA-EAP
        pairwise=CCMP TKIP
        auth_alg=OPEN
        eap=TTLS                                # When using freeradius 2.2.8, use TLS
        identity="<user_name>"                  # from user configuration file
        password="<user_password>"              # from user configuration file
    
        ca_cert="/home/pi/wifiEAP/<ROOT_CA_CERT_FILE>"
        client_cert="/home/pi/wifiEAP/<CLIENT_CERT_FILE>"
        private_key="/home/pi/wifiEAP/<CLIENT_KEY_REFERENCE_FILE>"
        private_key_passwd="<PRIVATE_KEY_PASSWORD>"                   # If key file is not encrypted with pass phrase, comment this line.
    
        ca_cert2="/home/pi/wifiEAP/<ROOT_CA_CERT_FILE>"
        client_cert2="/home/pi/wifiEAP/<CLIENT_CERT_FILE>"
        private_key2="/home/pi/wifiEAP/<CLIENT_KEY_REFERENCE_FILE>"
        private_key_passwd2="<PRIVATE_KEY_PASSWORD>"                  # If key file is not encrypted with pass phrase, comment this line.
    }
    
  7. Change the engine_id to pkcs11 in the OpenSSL configuration file (/simw-top/demos/linux/common/openssl11_sss_se050.cnf)

    [e4sss_se050_section]
    engine_id = pkcs11
    dynamic_path = /usr/local/lib/libsss_engine.so
    init = 1
    default_algorithms = RAND,RSA,EC
    
  8. Set the OpenSSL config path:

    $ export OPENSSL_CONF=/simw-top/demos/linux/common/openssl11_sss_se050.cnf
    
  9. Kill the running wpa_supplicant process:

    pkill wpa_supplicant
    
  10. Restart wpa_supplicant:

    wpa_supplicant -c/etc/wpa_supplicant/wpa_supplicant.conf -iwlan0 -Dwext
    
  11. On a successful TLS handshake, the Raspberry Pi should be assigned a valid IP address.
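As an added check that is not part of the Plug & Trust documentation or of wpa_supplicant, the POSIX sh script below audits every network block in a wpa_supplicant.conf-style file for three things worth catching before the supplicant is restarted: a missing ca_cert (without it the supplicant accepts any RADIUS server certificate, so the TTLS identity and password would be handed to a rogue access point), a pairwise list that still allows TKIP, and a second private_key_passwd where the phase-2 key needs private_key_passwd2. The three sample blocks, their SSIDs and credentials are constructed for this example; it goes beyond the single block in step 6 by checking all blocks in the file.

```shell
#!/bin/sh
# Added example, not from the Plug & Trust documentation: audit wpa_supplicant
# network blocks for EAP settings that weaken server authentication or the
# link cipher. POSIX sh and awk only, so it runs on the Raspberry Pi.

# Constructed sample mirroring the demo block (credentials are made up).
SAMPLE_WEAK=$(cat <<'EOF'
network={
    ssid="demo-eap"
    key_mgmt=WPA-EAP
    pairwise=CCMP TKIP
    eap=TTLS
    identity="pi-client"
    password="constructed-password"
    ca_cert="/home/pi/wifiEAP/ca.pem"
    client_cert="/home/pi/wifiEAP/client.crt"
    private_key="/home/pi/wifiEAP/client_ref.pem"
    private_key_passwd="constructed-passphrase"
    ca_cert2="/home/pi/wifiEAP/ca.pem"
    client_cert2="/home/pi/wifiEAP/client.crt"
    private_key2="/home/pi/wifiEAP/client_ref.pem"
    private_key_passwd="constructed-passphrase"
}
EOF
)

# Same block with the issues corrected: CCMP only, private_key_passwd2 used.
SAMPLE_FIXED=$(cat <<'EOF'
network={
    ssid="demo-eap"
    key_mgmt=WPA-EAP
    pairwise=CCMP
    eap=TTLS
    identity="pi-client"
    password="constructed-password"
    ca_cert="/home/pi/wifiEAP/ca.pem"
    client_cert="/home/pi/wifiEAP/client.crt"
    private_key="/home/pi/wifiEAP/client_ref.pem"
    private_key_passwd="constructed-passphrase"
    ca_cert2="/home/pi/wifiEAP/ca.pem"
    client_cert2="/home/pi/wifiEAP/client.crt"
    private_key2="/home/pi/wifiEAP/client_ref.pem"
    private_key_passwd2="constructed-passphrase"
}
EOF
)

# A block that never pins the RADIUS server's CA at all.
SAMPLE_NO_CA=$(cat <<'EOF'
network={
    ssid="open-to-anyone"
    key_mgmt=WPA-EAP
    pairwise=CCMP
    eap=TTLS
    identity="pi-client"
    password="constructed-password"
}
EOF
)

# audit_wpa_networks <wpa_supplicant.conf text>
# Prints one finding per line as "<ssid>: <problem>" and returns the number
# of findings as its exit status (0 means every block passed).
audit_wpa_networks() {
    printf '%s\n' "$1" | awk '
        BEGIN { n = 0; inblk = 0 }
        /^[ \t]*network[ \t]*=[ \t]*\{/ { inblk = 1; ssid = "?"; ca = 0; tkip = 0; pw1 = 0; pw2 = 0; next }
        inblk && /^[ \t]*ssid[ \t]*=/ { sub(/^[ \t]*ssid[ \t]*=[ \t]*/, ""); sub(/[ \t]*#.*$/, ""); ssid = $0 }
        inblk && /^[ \t]*ca_cert[ \t]*=[ \t]*"[^"]+"/ { ca = 1 }
        inblk && /^[ \t]*pairwise[ \t]*=.*TKIP/ { tkip = 1 }
        inblk && /^[ \t]*private_key_passwd[ \t]*=/ { pw1++ }
        inblk && /^[ \t]*private_key_passwd2[ \t]*=/ { pw2++ }
        inblk && /^[ \t]*\}/ {
            if (!ca)   { print ssid ": no ca_cert, the RADIUS server certificate is not validated"; n++ }
            if (tkip)  { print ssid ": pairwise allows TKIP, restrict it to CCMP"; n++ }
            if (pw1 > 1 && pw2 == 0) { print ssid ": private_key_passwd set twice, the phase-2 key needs private_key_passwd2"; n++ }
            inblk = 0
        }
        END { exit n }
    '
}

# Running the script directly audits the weak sample; the exit status of the
# function is the number of findings.
audit_wpa_networks "$SAMPLE_WEAK" || printf '%s finding(s)\n' "$?"
```

To check the real file before step 10, call the function with `"$(cat /etc/wpa_supplicant/wpa_supplicant.conf)"`; a non-zero exit means at least one block should be fixed before wpa_supplicant is restarted.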

Note

  1. Tested with OpenSSL version 1.1.0j on the Raspberry Pi.

  2. The IP addresses mentioned above are for illustrative purposes.