Using WPA-EAP / WPA2-EAP on OpenWRT 12.09 / 14.07
Note: the version of this write-up for OpenWrt Chaos Calmer 15.05 is here:
pslabo.hatenablog.com
WPA-EAP / WPA2-EAP (EAP = Enterprise) on DD-WRT is too common a topic to bother with, but I couldn't find the steps for using EAP on OpenWRT documented anywhere in Japanese, so I'm writing them up as an experiment.
This is for people who are comfortable working in a UNIX shell. I've checked it on the following two releases, but the content is at the level of working notes.
- attitude_adjustment 12.09
- Barrier Breaker 14.07
It is basically a write-up made while following along with https://www.youtube.com/watch?v=PvUqMFvTOn8.
ToDo
Install the packages needed for WPA-EAP.
Put the list of packages to install in a text file.
Create the following list as a file named pkglist.txt.
luci-i18n-japanese
freeradius2
freeradius2-democerts
freeradius2-mod-always
freeradius2-mod-attr-filter
freeradius2-mod-attr-rewrite
freeradius2-mod-chap
freeradius2-mod-detail
freeradius2-mod-eap
freeradius2-mod-eap-gtc
freeradius2-mod-eap-md5
freeradius2-mod-eap-mschapv2
freeradius2-mod-eap-peap
freeradius2-mod-eap-tls
freeradius2-mod-eap-ttls
freeradius2-mod-exec
freeradius2-mod-expiration
freeradius2-mod-expr
freeradius2-mod-files
freeradius2-mod-ldap
freeradius2-mod-logintime
freeradius2-mod-mschap
freeradius2-mod-pap
freeradius2-mod-passwd
freeradius2-mod-preprocess
freeradius2-mod-radutmp
freeradius2-mod-realm
freeradius2-mod-sql
freeradius2-mod-sql-mysql
freeradius2-mod-sql-pgsql
freeradius2-mod-sql-sqlite
freeradius2-mod-sqlcounter
freeradius2-mod-sqllog
freeradius2-utils
openssl-util
Install the FreeRADIUS-related packages.
opkg install $( cat pkglist.txt ) does it.
Create the RADIUS private key, the CSR for that key, and the certificate for that key.
Work in this directory:
/etc/freeradius2/certs/
Create the CA private key
root@OpenWrt:~# openssl genrsa -des3 -out [CA鍵].key 2048
Generating RSA private key, 2048 bit long modulus
....................................................................+++
...........................................+++
e is 65537 (0x10001)
Enter pass phrase for ca.key:[CA秘密鍵のパスフレーズ]
Verifying - Enter pass phrase for ca.key:[CA秘密鍵のパスフレーズを再入力]
root@OpenWrt:~#
Create the CA certificate (self-signed)
root@OpenWrt:~/certs# openssl req -new -x509 -days 3650 -key [CA鍵].key -out [CA鍵].pem
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Tokyo
Locality Name (eg, city) []:Chiyoda
Organization Name (eg, company) [Internet Widgits Pty Ltd]:example.com
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:admin@example.com
root@OpenWrt:~/certs#
Create the RADIUS private key
root@OpenWrt:~/certs# openssl genrsa -des3 -out [RADIUS鍵].key 2048
Generating RSA private key, 2048 bit long modulus
..........+++
.......+++
e is 65537 (0x10001)
Enter pass phrase for ca.key:[RADIUS秘密鍵のパスフレーズ]
Verifying - Enter pass phrase for ca.key:[RADIUS秘密鍵のパスフレーズを再入力]
root@OpenWrt:~/certs#
Create the CSR for the RADIUS private key
root@OpenWrt:~/certs# openssl req -new -key [RADIUS鍵].key -out [RADIUS鍵].csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Tokyo
Locality Name (eg, city) []:Chiyoda
Organization Name (eg, company) [Internet Widgits Pty Ltd]:example.com
Organizational Unit Name (eg, section) []:OpenWRT
Common Name (e.g. server FQDN or YOUR name) []:openwrt.example.com
Email Address []:admin@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
root@OpenWrt:~/certs#
Have the CA issue the certificate for the RADIUS private key
root@OpenWrt:~/certs# openssl x509 -req -days 3650 -in [RADIUS鍵].csr -CA [CA鍵].pem -CAkey [CA鍵].key -set_serial 01 -out [RADIUS鍵].pem
Signature ok
subject=/C=JP/ST=Tokyo/L=Chiyoda/O=example.com/OU=OpenWRT/CN=openwrt.example.com/emailAddress=admin@example.com
Getting CA Private Key
Enter pass phrase for ca.key:[CA秘密鍵のパスフレーズ]
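The five openssl steps above, collected into one non-interactive script together with the checks worth running before eap.conf is pointed at the files. This is an added example, not a script from the original post: the file names ca.key, ca.pem, server.key, server.csr and server.pem stand in for the bracketed placeholders, the subject fields copy what was typed at the prompts, and the default passphrases are placeholders to be replaced. It goes a little beyond the post by verifying that the server certificate chains to the CA, that the key on disk is really encrypted, that the passphrase you will put into private_key_password actually opens it, and that certificate and key belong together.

```shell
#!/bin/sh
# Added example, not from the original post: the certificate steps run
# non-interactively, plus the consistency checks a practitioner wants before
# writing the paths and passphrase into eap.conf. File names, subjects and
# default passphrases are assumptions standing in for the post's placeholders.
set -eu

CA_SUBJ="/C=JP/ST=Tokyo/L=Chiyoda/O=example.com/emailAddress=admin@example.com"
SRV_SUBJ="/C=JP/ST=Tokyo/L=Chiyoda/O=example.com/OU=OpenWRT/CN=openwrt.example.com/emailAddress=admin@example.com"

# make_radius_certs DIR [CA_PASS] [SERVER_PASS]
# Creates ca.key/ca.pem and server.key/server.csr/server.pem in DIR.
make_radius_certs() {
    dir=$1
    ca_pass=${2:-CHANGE-ME-ca-passphrase}
    srv_pass=${3:-CHANGE-ME-server-passphrase}
    mkdir -p "$dir"
    (
        cd "$dir"
        # CA private key, DES3-encrypted as in the post; -passout replaces the prompt
        openssl genrsa -des3 -passout "pass:$ca_pass" -out ca.key 2048 2>/dev/null
        # Self-signed CA certificate (the "req -x509" step), 10 years; -subj replaces the DN prompts
        openssl req -new -x509 -days 3650 -key ca.key -passin "pass:$ca_pass" \
            -subj "$CA_SUBJ" -out ca.pem
        # RADIUS server private key and its CSR
        openssl genrsa -des3 -passout "pass:$srv_pass" -out server.key 2048 2>/dev/null
        openssl req -new -key server.key -passin "pass:$srv_pass" \
            -subj "$SRV_SUBJ" -out server.csr
        # The CA signs the CSR with serial 01, as in the post
        openssl x509 -req -days 3650 -in server.csr -CA ca.pem -CAkey ca.key \
            -passin "pass:$ca_pass" -set_serial 01 -out server.pem 2>/dev/null
        # Only the account radiusd runs as needs to read the private keys
        chmod 600 ca.key server.key
    )
}

# verify_radius_certs DIR [SERVER_PASS]
# Returns 0 only if the files in DIR are consistent with each other and with
# the passphrase that will go into eap.conf's private_key_password.
verify_radius_certs() {
    dir=$1
    srv_pass=${2:-CHANGE-ME-server-passphrase}
    # 1. server.pem chains to ca.pem: the check a supplicant with ca.pem installed performs
    openssl verify -CAfile "$dir/ca.pem" "$dir/server.pem" >/dev/null 2>&1 || return 1
    # 2. the key on disk is actually encrypted (traditional or PKCS#8 encoding), not a bare key
    grep -q ENCRYPTED "$dir/server.key" || return 1
    # 3. the passphrase opens the key, so radiusd will start with private_key_password set to it
    openssl rsa -in "$dir/server.key" -passin "pass:$srv_pass" -check -noout >/dev/null 2>&1 || return 1
    # 4. the certificate and the key belong together (same RSA modulus)
    cert_mod=$(openssl x509 -noout -modulus -in "$dir/server.pem")
    key_mod=$(openssl rsa -noout -modulus -in "$dir/server.key" -passin "pass:$srv_pass" 2>/dev/null)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# server_cn DIR: prints the CN of server.pem, the name clients should be told to expect
server_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1/server.pem" |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Usage on the router: sh radius-certs.sh /etc/freeradius2/certs
if [ -n "${1:-}" ]; then
    make_radius_certs "$1"
    if verify_radius_certs "$1"; then
        echo "certificates in $1 verified, server CN=$(server_cn "$1")"
    else
        echo "certificate verification failed in $1" >&2
        exit 1
    fi
fi
```

Run it once with the passphrases you intend to use; if verify_radius_certs fails on step 3, the value you were about to write into private_key_password is wrong, which is far easier to catch here than in radiusd's start-up error.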
Configure FreeRADIUS.
Change the settings at the following places (shown as diffs against the -opkg originals).
--- /etc/freeradius2/clients.conf-opkg 2015-09-09 15:08:12.000000000 +0900 +++ /etc/freeradius2/clients.conf 2015-10-05 18:23:31.000000000 +0900 @@ -98,7 +98,7 @@ # The default secret below is only for testing, and should # not be used in any real environment. # - secret = testing123 + secret = [radius clientのパスワード] # # Old-style clients do not send a Message-Authenticator --- /etc/freeradius2/eap.conf-opkg 2015-09-09 15:08:12.000000000 +0900 +++ /etc/freeradius2/eap.conf 2015-10-05 18:16:53.000000000 +0900 @@ -155,8 +155,8 @@ certdir = ${confdir}/certs cadir = ${confdir}/certs - private_key_password = whatever - private_key_file = ${certdir}/server.pem + private_key_password = [RADIUS秘密鍵のパスフレーズ] + private_key_file = ${certdir}/[RADIUS鍵].key # If Private key & Certificate are located in # the same file, then private_key_file & @@ -168,7 +168,7 @@ # only the server certificate, but ALSO all # of the CA certificates used to sign the # server certificate. - certificate_file = ${certdir}/server.pem + certificate_file = ${certdir}/[RADIUS鍵].pem # Trusted Root CA list # @@ -185,7 +185,7 @@ # not use client certificates, and you do not want # to permit EAP-TLS authentication, then delete # this configuration item. - CA_file = ${cadir}/ca.pem + CA_file = ${cadir}/[CA鍵].pem # # For DH cipher suites to work, you have to --- /etc/freeradius2/radiusd.conf-opkg 2015-09-09 15:08:13.000000000 +0900 +++ /etc/freeradius2/radiusd.conf 2015-10-05 17:10:20.000000000 +0900 @@ -323,7 +323,7 @@ # If your system does not support this feature, you will # get an error if you try to use it. # - interface = br-lan + # interface = br-lan # Per-socket lists of clients. This is a very useful feature. # 
@@ -473,7 +473,7 @@ # # allowed values: {no, yes} # - auth = no + auth = yes # Log passwords with the authentication requests. # auth_badpass - logs password if it's rejected --- /etc/freeradius2/users-opkg 2015-09-09 15:08:13.000000000 +0900 +++ /etc/freeradius2/users 2015-10-05 17:12:29.000000000 +0900 @@ -201,3 +201,5 @@ # Service-Type = Administrative-User # On no match, the user is denied access. + +[適当なradiusユーザ] Cleartext-Password:= "radiusユーザのパスワード" --- /etc/init.d/radiusd.opkg 2015-09-09 15:08:34.000000000 +0900 +++ /etc/init.d/radiusd 2015-10-05 18:22:54.000000000 +0900 @@ -7,7 +7,7 @@ RUN_D=/var/run PID_F=$RUN_D/radiusd.pid RADACCT_D=/var/db/radacct -IPADDR=$(ifconfig br-lan | sed -n 's/.*dr:\(.*\)Bc.*/\1/p') +IPADDR=127.0.0.1 start() { [ -f $DEFAULT ] && . $DEFAULT
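Review bot: in the clients.conf hunk, the new `secret = [radius clientのパスワード]` is the only thing authenticating hostapd to radiusd, and the comment right above it says the shipped `testing123` must not be used anywhere real; pick a long random value rather than a reused password, and check the rest of clients.conf (not shown in the hunk) for other client blocks that still carry the test secret.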
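Review bot: in the first eap.conf hunk (@@ -155), `private_key_file` now points at `${certdir}/[RADIUS鍵].key`, the DES3-encrypted key from the genrsa step, so `private_key_password` must be the exact passphrase entered there or radiusd will fail at start-up; the comment that follows ("If Private key & Certificate are located in the same file") no longer applies, since key and certificate are now separate files.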
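Review bot: in the second eap.conf hunk (@@ -168), the comment above `certificate_file` requires the file to hold not only the server certificate but also the CA certificates used to sign it; the `[RADIUS鍵].pem` written by `openssl x509 -req` contains only the server certificate. That is acceptable here because the self-signed CA signs it directly and clients trust that CA via its own `.pem`, but if an intermediate CA is ever introduced it has to be appended to this file.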
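Review bot: in the third eap.conf hunk (@@ -185), `CA_file = ${cadir}/[CA鍵].pem` is the trust anchor the supplicant side should pin to as well: distribute this same CA certificate to the client devices and configure them to validate the server certificate against it, otherwise the PEAP/TTLS tunnel would be built to any server presenting a certificate and the inner credentials would be exposed to it.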
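Review bot: in the radiusd.conf hunk (@@ -323), commenting out `interface = br-lan` drops the interface pin from this listen block (the comment explains the feature is not supported everywhere, presumably the motive), so the address the init script hands to radiusd becomes the only thing scoping the listener. Together with the init.d change to 127.0.0.1 that is fine; after restarting, confirm with `netstat -lnu` that 1812/1813 are bound on 127.0.0.1 only.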
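Review bot: in the radiusd.conf hunk (@@ -473), `auth = yes` logs each authentication request and its outcome, which is what makes repeated failures against the EAP inner authentication visible; leave `auth_badpass` and `auth_goodpass` (the settings whose comments follow in the hunk) at `no` so passwords never end up in the log.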
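Review bot: in the users hunk, `Cleartext-Password :=` stores the user's password in plaintext in /etc/freeradius2/users; MSCHAPv2 inside PEAP needs either a cleartext or an NT-hash credential, so this cannot be avoided, but the file must stay readable by root only. Note also that the value `"radiusユーザのパスワード"` is still a literal placeholder and must be substituted like the username. A quick end-to-end check is `radtest [user] [password] 127.0.0.1 0 [secret]` with the secret from clients.conf; radtest comes from freeradius2-utils, which is in the package list above.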
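Review bot: in the /etc/init.d/radiusd hunk, replacing the `ifconfig br-lan | sed` lookup with `IPADDR=127.0.0.1` keeps radiusd off the LAN address, which is the right default when hostapd on the same router is the only client; the variable's consumer is outside the hunk, so verify that `start()` still passes it to radiusd and that no other NAS needs to reach the server over br-lan.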