The following is an example setup configuration of freeradius as a RADIUS TLS server.
- Edit the CA config file ca.cnf in /etc/freeradius/3.0/certs (otherwise /etc/raddb/certs) to have key usage:

  [v3_ca]
  subjectKeyIdentifier = hash
  authorityKeyIdentifier = keyid:always,issuer:always
  basicConstraints = critical,CA:true
  #crlDistributionPoints = URI:http://www.example.org/example_ca.crl
  keyUsage = cRLSign, keyCertSign, digitalSignature
  extendedKeyUsage = OCSP Signing
  noCheck = yes

  Note: ExtremeXOS requires key usage for a CA certificate.
- Edit the file /etc/freeradius/3.0/certs/xpextensions with the OCSP server address:

  [ xpserver_ext]
  extendedKeyUsage = 1.3.6.1.5.5.7.3.1
  authorityKeyIdentifier = keyid,issuer
  authorityInfoAccess = OCSP;URI:http://10.127.2.236:2561

  Note: Use the IP of the machine on which the OCSP server runs. It can be the same machine where freeradius runs. DNS can also be used instead of the IP.
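As an added check (not part of the original setup, and not freeradius or ExtremeXOS code), this Python script lints the two fragments above for the settings the switch depends on: the CA key usage values this setup gives the CA certificate and the OCSP pointer in xpserver_ext. The sample config text is constructed from the fragments above; the required key usage set and the serverAuth OID 1.3.6.1.5.5.7.3.1 are taken from those fragments, and the function names are the script's own.

```python
"""Lint the ca.cnf and xpextensions fragments for the settings this RadSec setup relies on."""
import configparser

# Constructed sample text, copied from the two fragments edited above.
SAMPLE_CFG = """
[v3_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = critical,CA:true
#crlDistributionPoints = URI:http://www.example.org/example_ca.crl
keyUsage = cRLSign, keyCertSign, digitalSignature
extendedKeyUsage = OCSP Signing
noCheck = yes

[ xpserver_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
authorityKeyIdentifier = keyid,issuer
authorityInfoAccess = OCSP;URI:http://10.127.2.236:2561
"""

# Key usage values the CA certificate carries in this setup (ExtremeXOS needs key usage on the CA).
REQUIRED_CA_KEY_USAGE = {"cRLSign", "keyCertSign", "digitalSignature"}
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth, as set in xpserver_ext

def parse_openssl_cnf(text):
    """Parse OpenSSL-style sections; the freeradius file writes '[ xpserver_ext]' with a space."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the camelCase extension names as written
    cp.read_string(text)
    return {name.strip(): dict(cp[name]) for name in cp.sections()}

def lint(text):
    """Return a list of findings; an empty list means both fragments are usable."""
    findings = []
    cfg = parse_openssl_cnf(text)
    ca = cfg.get("v3_ca", {})
    usages = {u.strip() for u in ca.get("keyUsage", "").split(",") if u.strip()}
    missing = REQUIRED_CA_KEY_USAGE - usages
    if missing:
        findings.append("v3_ca keyUsage missing: " + ", ".join(sorted(missing)))
    if "ca:true" not in ca.get("basicConstraints", "").replace(" ", "").lower():
        findings.append("v3_ca basicConstraints must assert CA:true")
    srv = cfg.get("xpserver_ext", {})
    if SERVER_AUTH_OID not in srv.get("extendedKeyUsage", ""):
        findings.append("xpserver_ext extendedKeyUsage must include the serverAuth OID")
    if not srv.get("authorityInfoAccess", "").startswith("OCSP;URI:"):
        findings.append("xpserver_ext authorityInfoAccess must point at the OCSP responder")
    return findings
```

Run lint() on the real ca.cnf and xpextensions contents before running make; an empty list means the CA and server extensions match this setup.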
- Run the OCSP server using the following command in the same path where the certificates and index.txt are present:

  openssl ocsp -port 2561 -text -index index.txt -CA ca.pem -rkey ca.key -rsigner ca.pem

- Clean up by entering make destroycerts.
- Create the RADIUS TLS server key and certificate by entering make server.pem.
- Create the ExtremeXOS switch key and certificate by entering make client.pem.
- Create the DH parameters by entering make dh.
- Enable TLS in freeradius:
  File: etc/freeradius/3.0/sites-available/tls
- If you do not want the RADIUS server to authenticate ExtremeXOS, search for the previous command line and set require_client_cert = no.
- Search for 'clients radsec' and add the ExtremeXOS switch IP:

  clients radsec {
      client 10.127.2.19 {
          ipaddr = 10.127.2.19
          proto = tls
          secret = radsec
      }
  }

- Add a soft link for etc/freeradius/3.0/sites-available/tls at etc/freeradius/3.0/sites-available/tls by running ln -s <file>.
- Restart freeradius (or radiusd).
EXOS Switch Setup:
-----------------
- Copy the ca.pem to the TFTP server.
- Copy the client.pem to the TFTP server.
- Convert the private, encrypted client key to plain format:

  openssl rsa -in client.key -out clientPlain.key

- Copy the clientPlain.key to the TFTP server.
- Install the following on the switch:
  - Download the ca.pem as a trusted CA on the switch by entering download ssl <ip> certificate trusted-ca <file>
  - Download the client.pem as an ssl-cert on the switch by entering download ssl <ip> certificate ssl-cert <file>
  - Download the clientPlain.key as priv-key on the switch by entering download ssl <ip> privkey <file>
- Configure RADIUS or RADIUS accounting with the TLS option.