Setting Up FreeRADIUS TLS
The following is an example setup configuration of FreeRADIUS as a RADIUS TLS server.
- Edit the CA config file (ca.cnf) in /etc/freeradius/3.0/certs (otherwise /etc/raddb/certs) so that the CA certificate has key usage:
    [v3_ca]
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always,issuer:always
    basicConstraints = critical,CA:true
    #crlDistributionPoints = URI:http://www.example.org/example_ca.crl
    keyUsage = cRLSign, keyCertSign, digitalSignature
    extendedKeyUsage = OCSP Signing
    noCheck = yes
Note: ExtremeXOS requires key usage for a CA certificate.
- Edit the file /etc/freeradius/3.0/certs/xpextensions with the OCSP server address:
    [ xpserver_ext]
    extendedKeyUsage = 1.3.6.1.5.5.7.3.1
    authorityKeyIdentifier = keyid,issuer
    authorityInfoAccess = OCSP;URI:http://10.127.2.236:2561
Note: Use the IP of the machine on which the OCSP server runs. It can be the same machine where FreeRADIUS runs. A DNS name can also be used instead of the IP.
- Run the OCSP server with the following command, in the same directory where the certificates and index.txt are present:
    openssl ocsp -port 2561 -text -index index.txt -CA ca.pem -rkey ca.key -rsigner ca.pem
- Clean up by entering make destroycerts.
- Create the RADIUS TLS server key and certificate by entering make server.pem.
- Create the ExtremeXOS switch key and certificate by entering make client.pem.
- Create the DH by entering make dh.
- Enable TLS in FreeRADIUS in the file /etc/freeradius/3.0/sites-available/tls.
- If you do not want the RADIUS server to authenticate ExtremeXOS, search for the require_client_cert line in that file and set require_client_cert = no.
- Search for 'clients radsec' and add the ExtremeXOS switch IP:
    clients radsec {
        client 10.127.2.19 {
            ipaddr = 10.127.2.19
            proto = tls
            secret = radsec
        }
    }
- Add a soft link to /etc/freeradius/3.0/sites-available/tls in /etc/freeradius/3.0/sites-enabled by running ln -s <file>.
- Restart FreeRADIUS (or radiusd).

EXOS Switch Setup
-----------------
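The note above says ExtremeXOS rejects a CA certificate without key usage, which is easy to get wrong if the [v3_ca] edit is skipped. The following added example (not part of the ExtremeXOS or FreeRADIUS documentation) builds a CA from the [v3_ca] settings shown above and checks that the resulting ca.pem actually carries a Key Usage extension with Certificate Sign; it assumes openssl 1.1.1 or later on PATH, and the CN and file names are constructed.

```shell
#!/bin/sh
# Added example, not from the ExtremeXOS/FreeRADIUS docs: generate a CA with
# the [v3_ca] settings from the page and verify the keyUsage extension that
# ExtremeXOS requires is really present in ca.pem.
# Assumes openssl >= 1.1.1 on PATH; CN and file names are constructed.
set -eu

# Write a minimal ca.cnf. [v3_ca] mirrors the page; the keyUsage line is
# emitted only when $2 is "yes", so the failure case can be demonstrated too.
write_ca_cnf() {
    ku=''
    [ "$2" = yes ] && ku='keyUsage = cRLSign, keyCertSign, digitalSignature'
    cat > "$1" <<EOF
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
CN = Constructed RadSec CA
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = critical,CA:true
$ku
extendedKeyUsage = OCSPSigning
EOF
}

# Self-signed CA key ($2) and certificate ($3) from config $1 (stand-in for make ca.pem).
make_ca() {
    openssl req -new -x509 -days 30 -newkey rsa:2048 -nodes \
        -config "$1" -keyout "$2" -out "$3" 2>/dev/null
}

# Returns 0 when the certificate's X509v3 Key Usage includes Certificate Sign,
# i.e. the CA cert will be accepted as a trusted-ca by the switch.
ca_has_key_usage() {
    openssl x509 -in "$1" -noout -text | grep -q 'Certificate Sign'
}

# Demo: a CA built from the page's [v3_ca] section passes the check.
work=$(mktemp -d)
write_ca_cnf "$work/ca.cnf" yes
make_ca "$work/ca.cnf" "$work/ca.key" "$work/ca.pem"
if ca_has_key_usage "$work/ca.pem"; then
    echo "ca.pem: keyUsage present, usable as ExtremeXOS trusted-ca"
else
    echo "ca.pem: keyUsage missing, ExtremeXOS will reject it"
fi
rm -rf "$work"
```

Run ca_has_key_usage against the ca.pem you are about to copy to the TFTP server; a certificate produced without the keyUsage line fails the check.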
- Copy the ca.pem to the TFTP server.
- Copy the client.pem to the TFTP server.
- Convert the private, encrypted client key to plain format:
    openssl rsa -in client.key -out clientPlain.key
- Copy the clientPlain.key to the TFTP server.
- Install the following on the switch:
- Download the ca.pem as a trusted CA on the switch by entering download ssl <ip> certificate trusted-ca <file>
- Download the client.pem as an ssl-cert in the switch by entering