Lab Testing Radius Policies – Part 3

Introduction

This is part 3 of my blog series on rapid prototyping in ISE without requiring any networking equipment. This time we’re going to perform EAP-TLS (X.509 certificate based) authentication.

This scenario is very similar to EAP-PEAP, which we discussed in Part 2, but now, in addition to the Radius server presenting its certificate, the client presents its certificate to the Radius server. This is called mutual certificate authentication. The trickiest part of this process is creating the client certificate, which puts many people off because of its perceived complexity. To create a client certificate for rapid prototyping and testing, I believe you have three options:

  • Ask an expert to deliver one on a silver platter for you (e.g. a Microsoft PKI security admin)
  • Build your own Windows 2012 R2 lab VM and invest time understanding this – this is what most enterprises use.
  • Use the openssl tools and do it all via the CLI, or use xca (a GUI front end to openssl, http://xca.sourceforge.net/ ).

We will use the openssl command line to create a Root CA. Using that Root CA we shall issue a client certificate for our wpa_supplicant testing purposes.

Using your Linux terminal session, create a directory called 'ca' and use it as your current directory. For the purpose of illustration I have used /home/abier/ca.

I chose two relatively simple and weak pass phrases for illustration purposes and also to guide you when openssl prompts for passwords. In practice, please use stronger passwords!

Please note that text shown in bold is user input.

Root CA certificate

Create a Root CA private key

<strong>openssl genrsa -aes256 -out ca.key.pem 4096</strong>
Generating RSA private key, 4096 bit long modulus
Enter pass phrase for ca.key.pem:  <strong>MyCertPr1vateKey</strong>
Verifying - Enter pass phrase for ca.key.pem: <strong>MyCertPr1vateKey</strong>

Create the Root CA self-signed certificate

<strong>openssl req -key ca.key.pem -new -x509 -days 7300 -sha256 -extensions v3_ca -out ca.cert.pem</strong>
Enter pass phrase for ca.key.pem: <strong>MyCertPr1vateKey</strong>
Country Name (2 letter code) [XX]:<strong>AU</strong>
State or Province Name (full name) []:<strong>QLD</strong>
Locality Name (eg, city) [Default City]:<strong>BNE</strong>
Organization Name (eg, company) [Default Company Ltd]:<strong>Acme</strong>
Organizational Unit Name (eg, section) []:<strong>IT</strong>
Common Name (eg, your name or your server's hostname) []:<strong>AcmeCorp</strong>
Email Address []:

You can install the above Root CA certificate in your Radius server.

Client Certificate

Create the Client private key

<strong>openssl genrsa -aes256 -out client.key.pem 2048</strong>
Generating RSA private key, 2048 bit long modulus
Enter pass phrase for client.key.pem:  <strong>MyCl1entKey</strong>
Verifying - Enter pass phrase for client.key.pem: <strong>MyCl1entKey</strong>

Create a CSR (certificate signing request)

The CSR is submitted to the issuing CA, which is our Root CA we just created above.

<strong>openssl req -key client.key.pem -new -sha256 -out client.csr.pem</strong>
Enter pass phrase for client.key.pem:  <strong>MyCl1entKey</strong>
Country Name (2 letter code) [XX]:<strong>AU</strong>
State or Province Name (full name) []:<strong>QLD</strong>
Locality Name (eg, city) [Default City]:<strong>BNE</strong>
Organization Name (eg, company) [Default Company Ltd]:<strong>Acme</strong>
Organizational Unit Name (eg, section) []:<strong>IT</strong>
Common Name (eg, your name or your server's hostname) []:<strong>abier</strong>
Email Address []:
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:

Prepare the CA for certificate creation duties

This requires a directory structure, because when a CA creates certificates it must also keep a record of them, which means a little administrative data – but this is easily done. Please note that you will need to be the root user because files are written to the /etc system directory. The following commands will prepare the CA infrastructure (the final ‘exit’ leaves the root shell):

<strong>touch /etc/pki/CA/index.txt</strong>
<strong>echo '1000' > /etc/pki/CA/serial</strong>
<strong>touch /etc/pki/CA/serial.new</strong>
<strong>touch /etc/pki/CA/index.txt.new</strong>
<strong>touch /etc/pki/CA/index.txt.attr.new</strong>
<strong>exit</strong>

In your ‘ca’ working directory you need to create a small file called extensions.txt containing the certificate extensions you need. In the example below the EKU (Extended Key Usage) is clientAuth.

<strong>[ext]</strong>
<strong>basicConstraints=CA:FALSE</strong>
<strong>nsCertType = client</strong>
<strong>keyUsage = digitalSignature, keyEncipherment</strong>
<strong>extendedKeyUsage = clientAuth</strong>

Create the client certificate

Finally we are ready to create the client certificate. Since I am using all the defaults here, openssl wants to write to directories that need root access – it’s easier to run the command with sudo so that it can write to the /etc/pki/CA directory.

<strong>sudo openssl ca -extfile extensions.txt -extensions ext -days 365 -notext -md sha256 -in client.csr.pem -cert ca.cert.pem -keyfile ca.key.pem -outdir . -out client.cert.pem</strong>
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca.key.pem: <strong>MyCertPr1vateKey</strong>
Check that the request matches the signature
Signature ok
Certificate Details:
       Serial Number: 4096 (0x1000)
       Validity
           Not Before: May  5 04:14:16 2018 GMT
           Not After : May  5 04:14:16 2019 GMT
       Subject:
           countryName               = AU
           stateOrProvinceName       = QLD
           organizationName          = Acme
           organizationalUnitName    = IT
           commonName                = abier
       X509v3 extensions:
           X509v3 Basic Constraints:
               CA:FALSE
           Netscape Cert Type:
               SSL Client
           X509v3 Key Usage:
               Digital Signature, Key Encipherment
           X509v3 Extended Key Usage:
               TLS Web Client Authentication
Certificate is to be certified until May  5 04:14:16 2019 GMT (365 days)
Sign the certificate? [y/n]: <strong>y</strong>

1 out of 1 certificate requests certified, commit? [y/n] <strong>y</strong>
Write out database with 1 new entries
Data Base Updated

View the certificate with the command:

<strong>openssl x509 -in client.cert.pem -text </strong>

Testing certificate authentication with wpa_supplicant

If you need a refresher on wpa_supplicant, please see part 2 of this blog series.

The configuration file eaptls.conf must contain the EAP method and make reference to relevant files:

network={
         ssid="example"
         key_mgmt=WPA-EAP
         eap=TLS
         identity="anonymous"
         ca_cert="/home/abier/radius/radius-ca.pem"
         client_cert="/home/abier/ca/client.cert.pem"
         private_key="/home/abier/ca/client.key.pem"
         private_key_passwd="MyCl1entKey"
         eapol_flags=3
}

Note: Remember that the ca_cert shown above is the Root certificate that issued the Radius server's certificate (not to be confused with the CA that issued the client certificate!!!). They may be the same in some cases, but just be aware of what is meant here.
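As an added example (this is not code from the post), the script below runs the Root CA and client certificate steps described above non-interactively in one working directory, with a private 'openssl ca' database instead of /etc/pki/CA so that no sudo is needed. It then checks the result the way the Radius server effectively will (the certificate chains to the Root CA, is not itself a CA, has keyUsage digitalSignature and EKU clientAuth), and writes an eaptls.conf like the one above that points at the generated files. It assumes openssl 1.1.1 or later on the PATH; the pass phrases, subject fields and certificate file names are the post's, while ca.cnf, eaptls.conf, the radius-ca.pem placeholder for the Radius server's CA and the function names are this script's own.

```shell
#!/bin/sh
# Added example, not from the post: the post's Root CA -> client certificate
# steps run non-interactively in one working directory (no /etc/pki/CA, so
# no sudo), then the checks a Radius server effectively makes on the client
# certificate, then an eaptls.conf pointing at the generated files.
set -eu

CA_PASS='MyCertPr1vateKey'      # lab-only pass phrases, as in the post
CLIENT_PASS='MyCl1entKey'
SUBJ_BASE='/C=AU/ST=QLD/L=BNE/O=Acme/OU=IT'

# Minimal openssl config (this script's, named ca.cnf): 'openssl ca' keeps
# its database in the working directory; [ext] is the post's extensions.txt.
write_ca_config() {
    cat > "$1/ca.cnf" <<'EOF'
[ ca ]
default_ca     = lab_ca
[ lab_ca ]
dir            = .
database       = $dir/index.txt
serial         = $dir/serial
new_certs_dir  = $dir/newcerts
certificate    = $dir/ca.cert.pem
private_key    = $dir/ca.key.pem
default_md     = sha256
policy         = policy_loose
unique_subject = no
[ policy_loose ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF
}

# Root CA key and self-signed cert, client key and CSR, then sign the CSR
# with the [ext] extensions. -batch answers the post's two y/n prompts.
build_lab_pki() {
    mkdir -p "$1/newcerts"
    write_ca_config "$1"
    ( cd "$1"
      touch index.txt; echo 1000 > serial      # 0x1000 = 4096, as in the post
      openssl genrsa -aes256 -passout "pass:$CA_PASS" -out ca.key.pem 4096 2>/dev/null
      openssl req -config ca.cnf -new -x509 -days 7300 -sha256 -extensions v3_ca \
          -key ca.key.pem -passin "pass:$CA_PASS" -subj "$SUBJ_BASE/CN=AcmeCorp" -out ca.cert.pem
      openssl genrsa -aes256 -passout "pass:$CLIENT_PASS" -out client.key.pem 2048 2>/dev/null
      openssl req -config ca.cnf -new -sha256 -key client.key.pem -passin "pass:$CLIENT_PASS" \
          -subj "$SUBJ_BASE/CN=abier" -out client.csr.pem
      openssl ca -config ca.cnf -batch -notext -days 365 -md sha256 -extensions ext \
          -passin "pass:$CA_PASS" -in client.csr.pem -out client.cert.pem >/dev/null 2>&1 )
}

# Succeeds only when $2 chains to the CA in $1 and is fit for TLS client
# authentication (not a CA, keyUsage digitalSignature, EKU clientAuth),
# which is what the Radius server requires of an EAP-TLS client certificate.
check_client_cert() {
    openssl verify -CAfile "$1" -purpose sslclient "$2" >/dev/null 2>&1 &&
    openssl x509 -in "$2" -noout -text | grep -q 'TLS Web Client Authentication'
}

# eapol_test config for the generated files. ca_cert must be the CA that
# issued the *Radius server's* certificate, which this script does not
# create, so that line is a placeholder path.
write_eaptls_conf() {
    cat > "$1/eaptls.conf" <<EOF
network={
    ssid="example"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="anonymous"
    ca_cert="$1/radius-ca.pem"
    client_cert="$1/client.cert.pem"
    private_key="$1/client.key.pem"
    private_key_passwd="$CLIENT_PASS"
    eapol_flags=3
}
EOF
}

# Usage: sh lab_pki.sh /path/to/ca   (defines the functions only when run without an argument)
if [ $# -eq 1 ]; then
    build_lab_pki "$1" && write_eaptls_conf "$1"
    check_client_cert "$1/ca.cert.pem" "$1/client.cert.pem" && echo "client.cert.pem: OK for EAP-TLS"
fi
```

The check is worth running before involving the Radius server: a certificate that fails 'openssl verify -purpose sslclient' against the Root CA (wrong issuer, missing clientAuth EKU, or a CA certificate used by mistake) will also fail EAP-TLS, and the openssl error is far more specific than a Radius reject.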

We don't cover the configuration of the Radius server itself because that is not the focus of this blog - it is assumed you can find the information you need.

Below is the command to send one request to a NAS at 192.168.21.101 with a client wireless MAC address of 00:00:00:00:00:FF and Service-Type=Framed (which is standard for Cisco/HPE WLCs). To simulate an Aruba AP, substitute the trailing 2 in the -N argument with 1 (Service-Type=Login).

<strong>eapol_test -c eaptls.conf -s RadiusS3cret -a 192.168.21.101 -M '00:00:00:00:00:ff' -N '6:d:2'</strong>

Conclusion

The above command performs exactly the same sequence of steps as a real supplicant would when performing EAP-TLS.

Remember also that your Radius server will need to have the CA certificate chain of your client certificate installed in order for the authentication to succeed.

Need Help?

We're here to help! If you need help with your Cisco ISE or Aruba Clearpass installation, drop us a line at sales@iptel.com.au



©IPTel Solutions.