Setting Up FreeRADIUS TLS

The following is an example setup configuration of FreeRADIUS as a RADIUS TLS server.

Edit the following CA config file (ca.cnf) to have key usage:

/etc/freeradius/3.0/certs   (otherwise /etc/raddb/certs)  

	[v3_ca]
	subjectKeyIdentifier    = hash
	authorityKeyIdentifier  = keyid:always,issuer:always
	basicConstraints        = critical,CA:true
	#crlDistributionPoints  = URI:http://www.example.org/example_ca.crl
	keyUsage = cRLSign, keyCertSign, digitalSignature
	extendedKeyUsage = OCSP Signing
	noCheck = yes

Note

ExtremeXOS requires key usage for a CA certificate.

Edit the file /etc/freeradius/3.0/certs/xpextensions with the OCSP server address:
```
[ xpserver_ext] extendedKeyUsage = 1.3.6.1.5.5.7.3.1 
	authorityKeyIdentifier = keyid,issuer 
	authorityInfoAccess = OCSP;URI:http://10.127.2.236:2561
```
Note
Use the IP of the machine in which the OCSP server runs. It can be the same machine where FreeRADIUS runs. DNS can also be used instead of the IP.
Run the OCSP server using the following command in the same path where the certificates and index.txt are present:
```
openssl ocsp -port 2561 -text -index index.txt -CA ca.pem -rkey ca.key -rsigner ca.pem
```
Clean up by entering make destroycerts.
Create the RADIUS TLS server key and certificate by entering make server.pem
Create the ExtremeXOS switch key and certificate by entering make client.pem.
Create the DH by entering make dh.
Enable TLS in FreeRADIUS:
File: etc/freeradius/3.0/sites-available/tls
1. If you do not want the RADIUS server authenticating ExtremeXOS, search for the previous command line and set require_client_cert= no.
2. Search for 'clients radsec' and add the ExtremeXOS switch IP:
```
clients radsec {
				client 10.127.2.19 {
						ipaddr = 10.127.2.19
						proto = tls
						secret = radsec
				}
```
3. Add a soft link for etc/freeradius/3.0/sites-available/tls at etc/freeradius/3.0/sites-available/tls by running ln -s <file>.
4. Restart FreeRADIUS (or radiusd).
```
EXOS Switch Setup:
-----------------
```
Copy the ca.pem to the TFTP server.
Copy the client.pem to the TFTP server.
Convert the private, encrypted client key to plain format:
```
openssl rsa -in client.key -out clientPlain.key
```
Copy the clientPlain.key to the TFTP server.
Install the following to the switch:
1. Download the ca.pem as a trusted ca in the switch by entering download ssl <ip> certificate trusted-ca <file>
2. Download the client.pem as an ssl-cert in the switch by entering

Switching

Routing

Wireless

Management & Automation

Analytics & Visibility

Security & Access Control

Remote

Cloud

Security

Machine Learning

Campus Fabric

Data Center Fabric

Internet of Things

Wi-Fi 6

Primary & Secondary Education (K-12)

Retail

Service Providers

Federal Government

Manufacturing

Higher Education

Healthcare

Hospitality

State & Local Government

Sports & Public Venues

Support Portal

Knowledge Base

Documentation

End of Sale

Policies & Warranties

Training & Courses

Maintenance Services

Premier Services

Professional Services

Managed Services

Setting Up FreeRADIUS TLS