2014.10.2

 Installing the Ubuntu operating system

1. Download and install ubuntu-10.04-alternate-i386

 http://old-releases.ubuntu.com/releases/10.04.3/

2. How to install Ubuntu 10.04
     Reference page:
http://it-easy.tw/ubuntu-10-04-alternate-install/

3.  Username / Password (remember these)

How to change the root account once and for all

4.  After installing Ubuntu, set up a shared folder
     Reference page:
http://ppt.cc/sMjd

----------------------------------------------------------------
 Installing OpenSSL on Ubuntu
# cd
# mkdir CA
# mkdir CA/signed_certs
# mkdir CA/private
# chmod 700 CA/private
# cp /etc/ssl/openssl.cnf /home/lydia/CA/  
# cd /home/lydia/CA
~/CA # vim openssl.cnf
    [CA_default]
    dir = /home/lydia/CA 
    certs = $dir/
    new_certs_dir = $dir/signed_certs
   Append at the end of the file:
   # Windows XP TLS Extensions
   [ xpclient_ext ]
   extendedKeyUsage=1.3.6.1.5.5.7.3.2
   [ xpserver_ext ]
   extendedKeyUsage=1.3.6.1.5.5.7.3.1
~/CA # touch index.txt 
 
Respect My (Certificate) Authority
~/CA # openssl req -new -keyout private/cakey.pem -out careq.pem \
-config ./openssl.cnf
   Enter PEM pass phrase: 1234
Verifying - Enter PEM pass phrase: 1234
Country Name (2 letter code) [US]:

State or Province Name (full name) [The Great State You Live In]:
Locality Name (eg, city) [My Town USA]:
Organization Name (eg, company) [SmallNetBuilder]:
Organizational Unit Name (eg, section) [Security Division]:
Common Name (eg, YOUR name) []:CA
Email Address []:[email protected]
A challenge password []:
An optional company name []:
 
~/CA # openssl ca -create_serial -out cacert.pem -keyfile private/cakey.pem \
-selfsign -extensions v3_ca -config ./openssl.cnf -in careq.pem
     Enter pass phrase for private/cakey.pem: 1234
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]:y
~/CA # openssl x509 -inform PEM -outform DER -in cacert.pem -out cacert.crt
 
Creating the Client and Server Keys
(create server_key.pem server_req.pem)
~/CA # openssl req -new -config ./openssl.cnf -keyout server_key.pem \
-out server_req.pem
       Enter PEM pass phrase: 1234
Verifying - Enter PEM pass phrase: 1234
Country Name (2 letter code) [US]:

State or Province Name (full name) [The Great State You Live In]:
Locality Name (eg, city) [My Town USA]:
Organization Name (eg, company) [SmallNetBuilder]:
Organizational Unit Name (eg, section) [Security Division]:
Common Name (eg, YOUR name) []:server
Email Address []:[email protected]
A challenge password []:
An optional company name []:
 
To connect from Windows, run this command (creates server_cert.pem):
~/CA # openssl ca -config ./openssl.cnf -extensions xpserver_ext \
 -in server_req.pem -out server_cert.pem
        Enter pass phrase for private/cakey.pem: 1234
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]:y
 
~/CA # openssl req -new -config ./openssl.cnf -keyout winxp_laptop_key.pem \
-out winxp_laptop_req.pem
       Enter PEM pass phrase: 1234
Verifying - Enter PEM pass phrase: 1234
Country Name (2 letter code) [US]:
State or Province Name (full name) [The Great State You Live In]:
Locality Name (eg, city) [My Town USA]:
Organization Name (eg, company) [SmallNetBuilder]:
Organizational Unit Name (eg, section) [Security Division]:
Common Name (eg, YOUR name) []:winxp_laptop
Email Address []:[email protected]
A challenge password []:
An optional company name []:

~/CA # openssl ca -config ./openssl.cnf -extensions xpclient_ext \
 -in winxp_laptop_req.pem -out winxp_laptop_cert.pem
        Enter pass phrase for private/cakey.pem: 1234
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]:y

~/CA # openssl pkcs12 -export -clcerts -in winxp_laptop_cert.pem \
 -inkey winxp_laptop_key.pem -out winxp_laptop.p12
        Enter pass phrase for winxp_laptop_key.pem: 1234
        Enter Export Password:1234
        Verifying - Enter Export Password: 1234

~/CA # su
Password: 1234
~/CA # mkdir /etc/wireless
(You can choose a different location, but note that it is tied to the paths in the RADIUS eap.conf.)
~/CA # cp cacert.pem server_cert.pem server_key.pem /etc/wireless/
~/CA # cd /etc/wireless
/etc/wireless # openssl dhparam -out dh 1024
/etc/wireless # dd if=/dev/urandom of=random count=2
(So /etc/wireless will contain 5 files: cacert.pem  server_cert.pem  server_key.pem  dh  random)
 
~/CA # <--- Copy the two certificates in this directory, cacert.crt and winxp_laptop.p12, to the Windows computer and install them there.
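
To confirm that the xpserver_ext and xpclient_ext sections did their job, the check below (an added example, not part of the original post) builds a throwaway CA with the same two extension sections and verifies each certificate against both TLS purposes. The helper names check_purpose, make_demo_pki and purpose_report, the demo.cnf file and the unencrypted 2048-bit demo keys are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original post. check_purpose, make_demo_pki,
# purpose_report and demo.cnf are hypothetical names; the PKI is constructed.
# check_purpose CA_PEM CERT_PEM sslserver|sslclient
# Succeeds only if CERT chains to CA and its extendedKeyUsage allows the purpose.
check_purpose() {
    openssl verify -purpose "$3" -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_demo_pki DIR: throwaway CA, then a server and a client certificate
# signed with the same two extension sections the post appends to openssl.cnf.
make_demo_pki() {
    cat > "$1/demo.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = CA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -config "$1/demo.cnf" -days 1 \
        -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null || return 1
    for pair in server:xpserver_ext winxp_laptop:xpclient_ext; do
        cn=${pair%%:*}; ext=${pair#*:}
        openssl req -new -newkey rsa:2048 -nodes -config "$1/demo.cnf" \
            -subj "/CN=$cn" -keyout "$1/${cn}_key.pem" \
            -out "$1/${cn}_req.pem" 2>/dev/null || return 1
        openssl x509 -req -in "$1/${cn}_req.pem" -days 1 -CA "$1/cacert.pem" \
            -CAkey "$1/cakey.pem" -CAcreateserial -extfile "$1/demo.cnf" \
            -extensions "$ext" -out "$1/${cn}_cert.pem" 2>/dev/null || return 1
    done
}

# purpose_report DIR: one line per certificate/purpose combination
purpose_report() {
    for c in server winxp_laptop; do
        for p in sslserver sslclient; do
            if check_purpose "$1/cacert.pem" "$1/${c}_cert.pem" "$p"
            then echo "$c $p ok"; else echo "$c $p rejected"; fi
        done
    done
}
pki=$(mktemp -d) && make_demo_pki "$pki" && purpose_report "$pki"
```

Against the real files from this walkthrough, the same check is check_purpose cacert.pem server_cert.pem sslserver, run in ~/CA.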
 -------------------------------------------------------------------------------
 Installing FreeRADIUS on Ubuntu

Open Firefox and download FreeRADIUS  (I used version 2.2.5)
     ftp://ftp.freeradius.org/pub/freeradius/

# tar zxvf freeradius-2.2.5.tar.gz   (extract the archive)

# cd freeradius-2.2.5

~/freeradius-2.2.5 # ./configure

~/freeradius-2.2.5 # make

~/freeradius-2.2.5 # make install
(After the build, the main configuration files are placed in the system directory /usr/local/etc/raddb.)

~/freeradius-2.2.5 $ su -c ldconfig
Password: 
(During installation, make sure that no error messages appear.)

********************************************************
A problem I ran into: the message configure:error:failed location OpenSSL headers appeared.
Open Applications -> Ubuntu Software Center -> search for openssl -> install libssl-dev
********************************************************

Next, edit 4 files: radiusd.conf    clients.conf    users    eap.conf

/usr/local/etc/raddb $ vim radiusd.conf
   prefix = /usr/local
   exec_prefix = ${prefix}
   sysconfdir = ${prefix}/etc
   localstatedir = ${prefix}/var
   sbindir = ${exec_prefix}/sbin
   logdir = ${localstatedir}/log/radius
   raddbdir = ${sysconfdir}/raddb
   radacctdir = ${logdir}/radacct
   confdir = ${raddbdir}
   run_dir = ${localstatedir}/run/radiusd
   log_file = ${logdir}/radius.log
 
/usr/local/etc/raddb $ vim clients.conf
   client 192.168.2.0 {
          secret  =  testing123
     }
 

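/usr/local/etc/raddb $ vim users   add the following to the file yourself  (watch the spaces in this file; in my case it failed when there was no space after the equals sign)

          winxp_laptop    Auth-type  :=  EAP
          DEFAULT            Auth-type  := Reject
                  Reply-Message  :=  "Welcome Here!"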

 

/usr/local/etc/raddb $ vim eap.conf

          default_eap_type = tls
          tls {
                  private_key_password = 1234
                  private_key_file = /etc/wireless/server_key.pem
                  certificate_file = /etc/wireless/server_cert.pem
                  CA_file = /etc/wireless/cacert.pem
                  dh_file = /etc/wireless/dh
                  random_file = /etc/wireless/random
          }

 
radiusd -X  (run it)
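
A pre-flight check for the files the tls section points at (an added example, not from the original post or the FreeRADIUS project): it confirms that every referenced file exists and that the private key and eap.conf, which holds private_key_password in clear text, carry no group or other permission bits. The helper names conf_value and audit_eap_tls and the temporary demo directory are assumptions; GNU stat is assumed, as on Ubuntu.

```shell
#!/bin/sh
# Added example: audit the files referenced by the tls section of eap.conf.
# conf_value and audit_eap_tls are hypothetical helper names; needs GNU stat.
# conf_value FILE KEY -> value of the first "KEY = value" line in FILE
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^#[:space:]]*\).*/\1/p" "$1" | head -n 1
}

# audit_eap_tls EAP_CONF -> prints one finding per line; returns 1 if any
audit_eap_tls() {
    conf=$1; bad=0
    for key in private_key_file certificate_file CA_file dh_file random_file; do
        path=$(conf_value "$conf" "$key")
        if [ -z "$path" ] || [ ! -f "$path" ]; then
            echo "MISSING $key: ${path:-not set}"; bad=1
        fi
    done
    # The private key, and eap.conf itself (it stores private_key_password in
    # clear text), should carry no group/other permission bits.
    for secret in "$(conf_value "$conf" private_key_file)" "$conf"; do
        [ -f "$secret" ] || continue
        mode=$(stat -c '%a' "$secret")
        case $mode in
            *00|0) ;;
            *) echo "LOOSE-PERMS $secret (mode $mode)"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Constructed demo: a temporary directory stands in for /etc/wireless.
demo=$(mktemp -d)
for f in cacert.pem server_cert.pem server_key.pem dh random; do
    : > "$demo/$f"
done
cat > "$demo/eap.conf" <<EOF
tls {
    private_key_password = 1234
    private_key_file = $demo/server_key.pem
    certificate_file = $demo/server_cert.pem
    CA_file = $demo/cacert.pem
    dh_file = $demo/dh
    random_file = $demo/random
}
EOF
chmod 644 "$demo/server_key.pem" "$demo/eap.conf"   # deliberately loose
audit_eap_tls "$demo/eap.conf" || true              # two LOOSE-PERMS findings
chmod 600 "$demo/server_key.pem" "$demo/eap.conf"
audit_eap_tls "$demo/eap.conf" && echo "no findings"
```

On the server from this walkthrough the call is audit_eap_tls /usr/local/etc/raddb/eap.conf.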

-------------------------------------------------------------------------------

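 Viewing or managing your certificates on the Windows computer

You can use [Certificate Manager] to view details about your certificates, modify them, delete them, or request new ones.
Click the [Start] button, type certmgr.msc in the [Search] box, and press ENTER. Administrator permission is required: if you are prompted for an administrator password or confirmation, type the password or provide confirmation.

Reference page: http://ppt.cc/k3d-

1. Install cacert.crt

2. Select "Place all certificates in the following store" -> Trusted Root Certification Authorities

3. Install winxp_laptop.p12

4. Password: 1234

5. Select "Place all certificates in the following store" -> Trusted Root Certification Authorities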

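After installing, you can check that the certificates were installed correctly.

In Run, type "certmgr.msc".

Click Personal and you will see the winxp_laptop certificate you just installed; check the dates and so on.

Click Trusted Root Certification Authorities and you will see the CA you just installed; check the dates and so on.

Double-click the CA on the right and the certificate window opens; select Certification Path, and if it looks like the figure below, it worked!
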
 Q & A 


Q :  A problem encountered when running the RADIUS server?
(screenshot: 2015-01-28_124134)

A:  killall radiusd

     radiusd -X

 
