975 | | $INCLUDE ${raddbdir}/modules/preprocess |
976 | | $INCLUDE ${raddbdir}/modules/mschap |
977 | | $INCLUDE ${raddbdir}/modules/chap |
978 | | $INCLUDE ${raddbdir}/modules/digest |
979 | | $INCLUDE ${raddbdir}/modules/files |
980 | | $INCLUDE ${raddbdir}/modules/expiration |
981 | | $INCLUDE ${raddbdir}/modules/logintime |
982 | | $INCLUDE ${raddbdir}/modules/pap |
983 | | $INCLUDE ${raddbdir}/modules/unix |
984 | | $INCLUDE ${raddbdir}/modules/acct_unique |
985 | | $INCLUDE ${raddbdir}/modules/attr_filter |
986 | | $INCLUDE ${raddbdir}/modules/detail |
987 | | $INCLUDE ${raddbdir}/modules/detail.log |
988 | | $INCLUDE ${raddbdir}/modules/radutmp |
989 | | $INCLUDE ${raddbdir}/modules/exec |
990 | | $INCLUDE ${raddbdir}/modules/realm |
991 | | |
| 975 | $INCLUDE ${raddbdir}/modules/ |
| 976 | # $INCLUDE ${raddbdir}/modules/preprocess |
| 977 | # $INCLUDE ${raddbdir}/modules/mschap |
| 978 | # $INCLUDE ${raddbdir}/modules/chap |
| 979 | # $INCLUDE ${raddbdir}/modules/digest |
| 980 | # $INCLUDE ${raddbdir}/modules/files |
| 981 | # $INCLUDE ${raddbdir}/modules/expiration |
| 982 | # $INCLUDE ${raddbdir}/modules/logintime |
| 983 | # $INCLUDE ${raddbdir}/modules/pap |
| 984 | # $INCLUDE ${raddbdir}/modules/unix |
| 985 | # $INCLUDE ${raddbdir}/modules/acct_unique |
| 986 | # $INCLUDE ${raddbdir}/modules/attr_filter |
| 987 | # $INCLUDE ${raddbdir}/modules/detail |
| 988 | # $INCLUDE ${raddbdir}/modules/detail.log |
| 989 | # $INCLUDE ${raddbdir}/modules/radutmp |
| 990 | # $INCLUDE ${raddbdir}/modules/exec |
| 991 | # $INCLUDE ${raddbdir}/modules/realm |
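Review bot: the sixteen commented-out `# $INCLUDE ${raddbdir}/modules/<name>` lines in the new version are dead configuration once `$INCLUDE ${raddbdir}/modules/` is in place, because a directory include loads every file in that directory; delete them instead of keeping them commented out, and treat the contents of `${raddbdir}/modules/` as the authoritative list of what gets loaded, since any extra file dropped in there is picked up as well.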
1202 | | During the install of FreeRADIUS, certificates are probably auto-generated; see the "/etc/freeradius/certs" folder. These are needed for the eduroam IdP part, to allow local authentication of the @wleiden.net realm. However, these certificates are made with common/default credentials, but they can also be regenerated/customized by running the ./bootstrap command and editing the *.cnf files (ca, client, server) to fit your institution/identity. See /usr/share/doc/freeradius/examples/certs/. Bootstrap will probably not run a second time, so move/delete all other files except these: bootstrap ca.cnf client.cnf README server.cnf xpextensions. |
1203 | | |
1204 | | For editing/customizing the *.cnf files, make sure "server.cnf" and "client.cnf" have a different "commonName" at the end of their files; otherwise you get the OpenSSL database error "TXT_DB error number 2". |
1205 | | |
1206 | | The server.pem file is the one that needs to be distributed/deployed among the eduroam users to correctly set up their supplicants for safely logging in. Also, the ca.pem needs to be converted by OS X to .cer to be used by Windows. Does the pem file we deliver need to be stripped of bag attributes and the PRIVATE KEY? Do Windows and Mac use different formats? |
| 1208 | ===== 2.1bb Freeradius TTLS/PEAP certificates ===== |
| 1209 | |
| 1210 | During the install of FreeRADIUS, certificates are probably auto-generated; see the "/etc/freeradius/certs" folder. These are needed for the eduroam IdP part, to allow local authentication of the @wleiden.net realm. However, these certificates are made with common/default credentials like "FreeRADIUS CA" etc., but they can also be regenerated/customized as "My Certificate CA" etc. by running the ./bootstrap command and editing the *.cnf files (ca, client, server) to fit your institution/identity. See /usr/share/doc/freeradius/examples/certs/. Probably there is still some parameter in one of the *.cnf files that is common between the ca, client and server, which is why it also writes the private key into the public certificate? |
| 1211 | |
| 1212 | * Bootstrap will probably not run a second time, so move/delete all other files except these: bootstrap ca.cnf client.cnf README server.cnf xpextensions. |
| 1213 | * For editing/customizing the *.cnf files, make sure "server.cnf" and "client.cnf" have a different "commonName" at the end of their files; otherwise you get the OpenSSL database error "TXT_DB error number 2" (the CA database refuses a second certificate with the same subject). |
| 1214 | * Warning: the *.pem file we will deploy among users needs to be stripped of the bag attributes and the PRIVATE KEY! |
| 1215 | |
| 1216 | The server.pem file is the one that needs to be distributed/deployed among the eduroam users to correctly set up their supplicants for safely logging in, for Mac and Linux. For Mac it will work, but only for validating the origin of the certificate itself (red * mark): since we didn't use/buy a known, verified root CA like Verizon/Thawte etc., we need to supply that one ourselves, in our case the "ca.pem" file. Then Mac OS X thinks everything is fine and the red mark about a certificate from a possibly unknown provider will be gone. |
| 1217 | This "root" "ca.pem" needs to be converted by Mac OS X to "ca.cer" to be usable by Windows XP-8, since Windows only allows Root (Dutch: basis) certificates to be matched by its RADIUS supplicant. Double-click the ca.cer file and import it into the ROOT store! Then you will be able to select it! |
| 1218 | |
| 1219 | {{{ |
| 1220 | ## prepare folder to regenerate certificates |
| 1221 | cd /usr/share/doc/freeradius/examples/certs/ |
| 1222 | mkdir oldcertsconfig |
| 1223 | mkdir configbackup |
| 1224 | cp * oldcertsconfig                  # full copy of the current files (cp skips the two directories) |
| 1225 | cp bootstrap ca.cnf client.cnf README server.cnf xpextensions configbackup |
| 1226 | rm *                                 # removes the files only; the two backup directories stay |
| 1227 | cp configbackup/* .                  # now you have a fresh template to start from! |
| 1228 | |
| 1229 | ## edit certificate templates: give ca.cnf, client.cnf and server.cnf each a different commonName |
| 1230 | vi ca.cnf client.cnf server.cnf |
| 1231 | |
| 1232 | ## generate new certificates (server.pem produced here still contains the private key) |
| 1233 | ./bootstrap |
| 1234 | |
| 1235 | ## copy/overwrite certificates to freeradius folder; server.key is the private key and must never be handed to users |
| 1236 | sudo cp dh ca.pem server.pem server.key server.crt /etc/freeradius/certs/ |
| 1237 | }}} |
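The server.pem written by bootstrap is an `openssl pkcs12` export, which is why it carries "Bag Attributes" lines and the encrypted private key next to the certificate. As an added example (not from this page or the FreeRADIUS certs scripts), the functions below keep only the CERTIFICATE blocks of such a bundle, report whether a private key was present, and return the DER bytes that a Windows .cer file consists of; SAMPLE_SERVER_PEM is a constructed bundle with no real key material.

```python
import base64
import re

# One PEM block; the label after END must repeat the label after BEGIN.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)\n-----END \1-----\n", re.S)

def pem_blocks(pem_text):
    """Yield (label, whole_block, body) for every BEGIN/END pair."""
    for m in PEM_BLOCK.finditer(pem_text.replace("\r\n", "\n")):
        yield m.group(1), m.group(0), m.group(2)

def public_only(pem_text):
    """Keep only CERTIFICATE blocks; return (clean_pem, dropped_labels).
    Text outside BEGIN/END pairs (the 'Bag Attributes' lines openssl
    pkcs12 writes) is never matched, so it is never copied; any other
    block label is reported so the caller sees that a key was present."""
    kept, dropped = [], []
    for label, block, _ in pem_blocks(pem_text):
        if label == "CERTIFICATE":
            kept.append(block)
        else:
            dropped.append(label)
    return "".join(kept), dropped

def has_private_key(pem_text):
    """True if any block label ends in 'PRIVATE KEY' (PKCS#8, RSA, EC...)."""
    return any(label.endswith("PRIVATE KEY") for label, _, _ in pem_blocks(pem_text))

def pem_cert_to_der(pem_text):
    """DER bytes of the first CERTIFICATE block (what a Windows .cer holds)."""
    body = next(b for label, _, b in pem_blocks(pem_text) if label == "CERTIFICATE")
    return base64.b64decode("".join(body.split()))

# Constructed stand-in for the server.pem that 'openssl pkcs12' emits: bag
# attributes, an encrypted key, then the certificate. No real key material;
# the certificate body is merely base64 of the ASCII alphabet.
SAMPLE_SERVER_PEM = (
    "Bag Attributes\n"
    "    localKeyID: 01 02 03 04\n"
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
    "-----END ENCRYPTED PRIVATE KEY-----\n"
    "Bag Attributes\n"
    "    localKeyID: 01 02 03 04\n"
    "subject=/C=NL/O=Example/CN=radius.example.invalid\n"
    "-----BEGIN CERTIFICATE-----\n"
    "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=\n"
    "-----END CERTIFICATE-----\n"
)
```

Run `public_only` over the real server.pem and refuse to ship the result while `dropped` is non-empty and the input was not expected to contain a key; the same `pem_cert_to_der` call turns ca.pem into ca.cer without going through OS X.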