[Network 4] Installing Ubuntu 10.04 + setting up a RADIUS server
2014.10.2
Installing the Ubuntu operating system
1. Download: install ubuntu-10.04-alternate-i386
http://old-releases.ubuntu.com/releases/10.04.3/
2. Ubuntu 10.04 installation method
Reference page: http://it-easy.tw/ubuntu-10-04-alternate-install/
3. Username / Password (remember them)
How to switch to the root account once and for all
4. After installing Ubuntu, set up a shared folder
Reference page: http://ppt.cc/sMjd
----------------------------------------------------------------
Setting up the OpenSSL CA on Ubuntu
cd
# mkdir CA
# mkdir CA/signed_certs
# mkdir CA/private
# chmod 700 CA/private
# cp /etc/ssl/openssl.cnf /home/lydia/CA/
# cd /home/lydia/CA
~/CA # vim openssl.cnf
[CA_default]
dir = /home/lydia/CA
certs = $dir/
new_certs_dir = $dir/signed_certs
Append at the end of the file:
# Windows XP TLS Extensions
[ xpclient_ext ]
extendedKeyUsage=1.3.6.1.5.5.7.3.2
[ xpserver_ext ]
extendedKeyUsage=1.3.6.1.5.5.7.3.1
~/CA # touch index.txt
Respect My (Certificate) Authority
~/CA # openssl req -new -keyout private/cakey.pem -out careq.pem -config ./openssl.cnf
Enter PEM pass phrase: 1234
Verifying - Enter PEM pass phrase: 1234
Country Name (2 letter code) [US]:
State or Province Name (full name) [The Great State You Live In]:
Locality Name (eg, city) [My Town USA]:
Organization Name (eg, company) [SmallNetBuilder]:
Organizational Unit Name (eg, section) [Security Division]:
Common Name (eg, YOUR name) []:CA
Email Address []:[email protected]
A challenge password []:
An optional company name []:
~/CA # openssl ca -create_serial -out cacert.pem -keyfile private/cakey.pem -selfsign -extensions v3_ca -config ./openssl.cnf -in careq.pem
Enter pass phrase for private/cakey.pem: 1234
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]:y
~/CA # openssl x509 -inform PEM -outform DER -in cacert.pem -out cacert.crt
Creating the Client and Server Keys
(create server_key.pem server_req.pem)
~/CA # openssl req -new -config ./openssl.cnf -keyout server_key.pem -out server_req.pem
Enter PEM pass phrase: 1234
Verifying - Enter PEM pass phrase: 1234
Country Name (2 letter code) [US]:
State or Province Name (full name) [The Great State You Live In]:
Locality Name (eg, city) [My Town USA]:
Organization Name (eg, company) [SmallNetBuilder]:
Organizational Unit Name (eg, section) [Security Division]:
Common Name (eg, YOUR name) []:server
Email Address []:[email protected]
A challenge password []:
An optional company name []:
To connect from Windows, run this command (creates server_cert.pem):
~/CA # openssl ca -config ./openssl.cnf -extensions xpserver_ext -in server_req.pem -out server_cert.pem
Enter pass phrase for private/cakey.pem: 1234
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]:y
~/CA # openssl req -new -config ./openssl.cnf -keyout winxp_laptop_key.pem -out winxp_laptop_req.pem
Enter PEM pass phrase: 1234
Verifying - Enter PEM pass phrase: 1234
Country Name (2 letter code) [US]:
State or Province Name (full name) [The Great State You Live In]:
Locality Name (eg, city) [My Town USA]:
Organization Name (eg, company) [SmallNetBuilder]:
Organizational Unit Name (eg, section) [Security Division]:
Common Name (eg, YOUR name) []:winxp_laptop
Email Address []:[email protected]
A challenge password []:
An optional company name []:
~/CA # openssl ca -config ./openssl.cnf -extensions xpclient_ext -in winxp_laptop_req.pem -out winxp_laptop_cert.pem
Enter pass phrase for private/cakey.pem: 1234
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]:y
~/CA # openssl pkcs12 -export -clcerts -in winxp_laptop_cert.pem -inkey winxp_laptop_key.pem -out winxp_laptop.p12
Enter Export Password:1234
Verifying - Enter Export Password: 1234
~/CA # su
Password: 1234
~/CA # mkdir /etc/wireless
(The location can be chosen freely, but note that it must match what eap.conf in radius points to.)
~/CA # cp cacert.pem server_cert.pem server_key.pem /etc/wireless/
# cd /etc/wireless
/etc/wireless # openssl dhparam -out dh 1024
/etc/wireless # dd if=/dev/urandom of=random count=2
(So /etc/wireless now contains 5 files: cacert.pem server_cert.pem server_key.pem dh random)
~/CA # <--- this directory holds the two certificates cacert.crt and winxp_laptop.p12; copy them out and install them on the Windows computer
-------------------------------------------------------------------------------
Installing FreeRADIUS on Ubuntu
Open Firefox and download FreeRADIUS (I used version 2.2.5)
ftp://ftp.freeradius.org/pub/freeradius/
# tar zxvf freeradius-2.2.5.tar.gz (extract the archive)
# cd freeradius-2.2.5
~/freeradius-2.2.5 # ./configure
~/freeradius-2.2.5 # make
~/freeradius-2.2.5 # make install
(After compiling, the main configuration files are placed under the system directory /usr/local/etc/raddb)
~/freeradius-2.2.5 $ su -c ldconfig
Password:
(During the installation, make sure no error messages appear)
********************************************************
Problem I ran into: the message "configure: error: failed location OpenSSL headers" appeared.
Open Applications -> Ubuntu Software Center -> search for openssl -> install libssl-dev
********************************************************
Next, modify 4 files: radiusd.conf clients.conf users eap.conf
/usr/local/etc/raddb $ vim radiusd.conf
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
/usr/local/etc/raddb $ vim clients.conf
client 192.168.2.0 {
        secret = testing123
}
/usr/local/etc/raddb $ vim users
Add this to the file yourself (watch the spaces in this file; when there was no space after the equals sign it did not work for me):
DEFAULT Auth-type := Reject
        Reply-Message := "Welocom Here!"
/usr/local/etc/raddb $ vim eap.conf
tls {
        private_key_password = 1234
        private_key_file = /etc/wireless/server_key.pem
        certificate_file = /etc/wireless/server_cert.pem
        CA_file = /etc/wireless/cacert.pem
        dh_file = /etc/wireless/dh
        random_file = /etc/wireless/random
}
radiusd -X (run in debug mode)
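The tls block in eap.conf points at the five files placed in /etc/wireless. The check script below is added here and is not from the original notes; it assumes that directory layout and the file names from the notes (cacert.pem, server_cert.pem, server_key.pem, dh, random), takes the key passphrase as its second argument, and confirms the material is consistent before radiusd -X is started:

```shell
#!/bin/sh
# Added check (not part of the original notes): validate the EAP-TLS files
# that the eap.conf tls {} block points at, before running radiusd -X.
# Assumes the layout from the notes: cacert.pem server_cert.pem server_key.pem
# dh random inside one directory, and the key passphrase as the 2nd argument.
# Usage: check_eap_tls_dir /etc/wireless 1234
check_eap_tls_dir() {
    dir=$1; pass=${2:-1234}
    ca="$dir/cacert.pem"; cert="$dir/server_cert.pem"; key="$dir/server_key.pem"
    for f in cacert.pem server_cert.pem server_key.pem dh random; do
        [ -f "$dir/$f" ] || { echo "missing $dir/$f"; return 1; }
    done
    # 1. The server certificate must chain to the CA certificate.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "server_cert.pem does not chain to cacert.pem"; return 1; }
    # 2. The private key must belong to the certificate, and the passphrase
    #    must be the one written into private_key_password.
    kpub=$(openssl pkey -in "$key" -passin "pass:$pass" -pubout 2>/dev/null || true)
    cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ] \
        || { echo "server_key.pem does not match server_cert.pem, or wrong passphrase"; return 1; }
    # 3. The cert must carry serverAuth (1.3.6.1.5.5.7.3.1, set by xpserver_ext);
    #    the Windows supplicant rejects a RADIUS server certificate without it.
    openssl x509 -in "$cert" -noout -text | grep -q "TLS Web Server Authentication" \
        || { echo "server_cert.pem lacks serverAuth EKU (signed without -extensions xpserver_ext?)"; return 1; }
    # 4. The DH parameter file must parse.
    openssl dhparam -in "$dir/dh" -noout -text >/dev/null 2>&1 \
        || { echo "dh is not a valid DH parameter file"; return 1; }
    # 5. The private key must not be readable by group or others.
    perm=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key" 2>/dev/null || echo unknown)
    case "$perm" in
        *00) ;;
        *) echo "server_key.pem is readable by others (mode $perm); chmod 600 it"; return 1;;
    esac
    echo "EAP-TLS material in $dir is consistent"
}
```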
-------------------------------------------------------------------------------
On the Windows computer, view or manage your certificates
You can use Certificate Manager to view details about certificates, modify them, delete them, or request new ones.
Click the Start button, type certmgr.msc in the search box, and press ENTER. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
Reference page: http://ppt.cc/k3d-
1. Install cacert.crt
2. Select "Place all certificates in the following store" -> Trusted Root Certification Authorities
3. Install winxp_laptop.p12
4. Password: 1234
5. Select "Place all certificates in the following store" -> Trusted Root Certification Authorities
After installing, check that the certificates were installed correctly:
In Run, type "certmgr.msc"
Click Personal certificates; you will see the winxp_laptop certificate you just installed; confirm the dates, etc.
Click Trusted Root Certification Authorities; you will see the CA you just installed; confirm the dates, etc.
Double-click the CA on the right; a certificate window pops up. Select Certification Path and you will see something like the figure below, which means it succeeded!
Q & A
Q: Problems when running the RADIUS server?
A: kill radiusd
radiusd -X