Commit ac947ac3 authored by Léo

Freeradius config folder

parent f4cf75f9

Upgrading to Version 3.0
========================

.. contents:: Sections
   :depth: 2

.. important::

   The configuration for 3.0 is *largely* compatible with the 2.x.x
   configuration. However, it is NOT possible to simply use the 2.x.x
   configuration as-is. Instead, you should re-create it.

Security
--------
A number of configuration items have moved into the "security"
subsection of radiusd.conf. If you use these, you should move them.
Otherwise, they can be ignored.
The list of moved options is::
chroot
user
group
allow_core_dumps
reject_delay
status_server
These entries should be moved from "radiusd.conf" to the "security"
subsection of that file.
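As an added illustration (not part of the README), the v2 top-level layout beside the 3.0 ``security`` subsection. The values are example settings chosen here, not server defaults, and the chroot path is an assumption:

```unlang
# v2.x.x radiusd.conf: these items lived at the top level of the file
user = radiusd
group = radiusd
allow_core_dumps = no
reject_delay = 1
status_server = yes

# 3.0 radiusd.conf: the same items, moved into the security subsection.
# Nothing else about them changes; only their location does.
security {
	user = radiusd
	group = radiusd
	chroot = /var/lib/radiusd   # assumed path; leave out if you do not chroot
	allow_core_dumps = no       # core files can contain shared secrets and passwords
	reject_delay = 1            # slows down online password guessing via Access-Reject
	status_server = yes
}
```

Run ``radiusd -XC`` after moving them: the 3.0 server reports the replacement item for anything it no longer recognises, so a leftover top-level ``user`` or ``chroot`` shows up in the config check rather than at start-up.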
Naming
------
Many names used by configuration items were inconsistent in earlier
versions of the server. These names have been unified in version 3.0.
If a file is being referenced or created the config item ``filename``
is used.
If a file is being created, the initial permissions are set by the
``permissions`` config item.
If a directory hierarchy needs to be created, the permissions are set
by ``dir_permissions``.
If an external host is referenced in the context of a module the
``server`` config item is used.
Unless the config item is a well recognised portmanteau
(as ``filename`` is, for example), it must be written as multiple
distinct words separated by underscores ``_``.

The configuration items ``file``, ``script_file``, ``module``,
``detail``, ``detailfile``, ``attrsfile``, ``perm``, ``dirperm``,
``detailperm``, and ``hostname`` are deprecated, as are any false
portmanteaus and any configuration items that used hyphens as word
delimiters, e.g. ``foo-bar`` has been changed to ``foo_bar``. Please
update your module configuration to use the new syntax.
In most cases the server will tell you the replacement config item to
use. As always, run the server in debugging mode to see these
messages.
Modules Directory
-----------------
As of version 3.0, the ``modules/`` directory no longer exists.
Instead, all "example" modules have been put into the
``mods-available/`` directory. Modules which can be loaded by the
server are placed in the ``mods-enabled/`` directory. All of the
modules in that directory will be loaded. This means that the
``instantiate`` section of radiusd.conf is less important. The only
reason to list a module in the ``instantiate`` section is to force
ordering when the modules are loaded.
Modules can be enabled by creating a soft link. For module ``foo``, do::
$ cd raddb/mods-enabled
$ ln -s ../mods-available/foo
To create "local" versions of the modules, we suggest copying the file
instead. This leaves the original file (with documentation) in the
``mods-available/`` directory. Local changes should go into the
``mods-enabled/`` directory.
Module-specific configuration files are now in the ``mods-config/``
directory. This change allows for better organization, and means that
there are fewer files in the main ``raddb`` directory. See
``mods-config/README.rst`` for more details.
Changed Modules
---------------
The following modules have been changed.
rlm_sql
~~~~~~~
The SQL configuration has been moved from ``sql.conf`` to
``mods-available/sql``. The ``sqlippool.conf`` file has also been
moved to ``mods-available/sqlippool``.
The SQL module configuration has been changed. The old connection
pool options are no longer accepted::
num_sql_socks
connect_failure_retry_delay
lifetime
max_queries
Instead, a connection pool configuration is used. This configuration
contains all of the functionality of the previous configuration, but
in a more generic form. It also is used in multiple modules, meaning
that there are fewer different configuration items. The mapping
between the configuration items is::
num_sql_socks -> pool { max }
connect_failure_retry_delay -> pool { retry_delay }
lifetime -> pool { lifetime }
max_queries -> pool { uses }
The pool configuration adds a number of new configuration options,
which allow the administrator to better control how FreeRADIUS uses
SQL connection pools.
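The old options and their 3.0 ``pool`` equivalents side by side, as an added example rather than text from the README. The numeric values are illustrative settings chosen here, not server defaults, and the driver and dialect lines are assumptions:

```unlang
# v2.x.x sql.conf: per-module connection settings (rejected by the 3.0 module)
num_sql_socks = 10
connect_failure_retry_delay = 30
lifetime = 0
max_queries = 0

# 3.0 mods-enabled/sql: the same limits expressed as a generic connection pool
sql {
	driver = "rlm_sql_mysql"   # assumed; use the driver for your database
	dialect = "mysql"

	pool {
		start = 5            # connections opened when the server starts (new in 3.0)
		min = 3              # never fewer than this many open connections
		max = 10             # was num_sql_socks
		spare = 3            # idle connections kept ready for bursts (new in 3.0)
		retry_delay = 30     # was connect_failure_retry_delay
		lifetime = 0         # was lifetime; 0 = a connection is never expired on age
		uses = 0             # was max_queries; 0 = unlimited queries per connection
		idle_timeout = 60    # close connections idle longer than this (new in 3.0)
	}
}
```

The same ``pool`` block is read by the 3.0 ``ldap`` module, so a site that tunes both modules now has one set of names to learn. Keep ``max`` at or below the connection limit of the database account the server uses; the pool will otherwise retry failed connections every ``retry_delay`` seconds and log each failure.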
The following parameters have been changed::
trace -> removed
tracefile -> logfile
The logfile is intended to log SQL queries performed. If you need to
debug the server, use debugging mode. If ``logfile`` is set, then
*all* SQL queries will go to ``logfile``.
You can now use a NULL SQL database::
driver = rlm_sql_null
This is an empty driver which will always return "success". It is
intended to be used to replace the ``sql_log`` module, and to work in
conjunction with the ``radsqlrelay`` program. Simply take your normal
configuration for raddb/mods-enabled/sql, and set::
driver = rlm_sql_null
...
logfile = ${radacctdir}/sql.log
All of the SQL queries will be logged to that file. The connection
pool does not need to be configured for the ``null`` SQL driver. It
can be left as-is, or deleted from the SQL configuration file.
rlm_sql_sybase
~~~~~~~~~~~~~~
The ``rlm_sql_sybase`` module has been renamed to ``rlm_sql_freetds``
and the old ``rlm_sql_freetds`` module has been removed.
``rlm_sql_sybase`` used the newer ct-lib API, and ``rlm_sql_freetds``
used an older API and was incomplete.
The new ``rlm_sql_freetds`` module now also supports database
selection on connection startup so ``use`` statements no longer
have to be included in queries.
sql/dialup.conf
~~~~~~~~~~~~~~~
Queries for post-auth and accounting calls have been re-arranged. The
SQL module will now expand the 'reference' configuration item in the
appropriate sub-section, and resolve this to a configuration
item. This behaviour is similar to rlm_linelog. This dynamic
expansion allows for a dynamic mapping between accounting types and
SQL queries. Previously, the mapping was fixed. Any "new" accounting
type was ignored by the module. Now, support for any accounting type
can be added by just adding a new target, as below.
Queries from v2.x.x may be manually copied to the v3.0 equivalent of
``dialup.conf`` (``raddb/mods-config/sql/main/<dialect>/queries.conf``).
When doing this you may also need to update references to the
accounting tables, as their definitions will now be outside of
the subsection containing the query.
The mapping from old "fixed" query to new "dynamic" query is as follows::
accounting_onoff_query -> accounting.type.accounting-on.query
accounting_update_query -> accounting.type.interim-update.query
accounting_update_query_alt +> accounting.type.interim-update.query
accounting_start_query -> accounting.type.start.query
accounting_start_query_alt +> accounting.type.start.query
accounting_stop_query -> accounting.type.stop.query
accounting_stop_query_alt +> accounting.type.stop.query
postauth_query -> post-auth.query
Alternatively a 2.x.x config may be patched to work with the
3.0 module by adding the following::

    accounting {
        reference = "%{tolower:type.%{Acct-Status-Type}.query}"
        type {
            accounting-on {
                query = "${....accounting_onoff_query}"
            }
            accounting-off {
                query = "${....accounting_onoff_query}"
            }
            start {
                query = "${....accounting_start_query}"
                query = "${....accounting_start_query_alt}"
            }
            interim-update {
                query = "${....accounting_update_query}"
                query = "${....accounting_update_query_alt}"
            }
            stop {
                query = "${....accounting_stop_query}"
                query = "${....accounting_stop_query_alt}"
            }
        }
    }
    post-auth {
        query = "${..postauth_query}"
    }

In general, it is safer to migrate the configuration rather than
trying to "patch" it, to make it look like a v2 configuration.
Note that the sub-sections holding the queries are labelled
``accounting-on``, and not ``accounting_on``. The reason is that the
names of these sections are taken directly from the
``Accounting-Request`` packet, and the ``Acct-Status-Type`` field.
The ``sql`` module looks at the value of that field, and then looks
for a section of that name, in order to find the query to use.
That process means that the server can be extended to support any new
value of ``Acct-Status-Type`` simply by adding a named sub-section
and a query. This behavior is preferable to that of v2, which had
hard-coded queries for certain ``Acct-Status-Type`` values and
ignored all other values.
rlm_ldap
~~~~~~~~
The LDAP module configuration has been substantially changed. Please
read ``raddb/mods-available/ldap``. It now uses a connection pool,
just like the SQL module.
Many of the configuration items remain the same, but they have been
moved into subsections. This change is largely cosmetic, but it makes
the configuration clearer. Instead of having a large set of random
configuration items, they are now organized into logical groups.
You will need to read your old LDAP configuration, and migrate it
manually to the new configuration. Simply copying the old
configuration WILL NOT WORK.
Users upgrading from 2.x.x who used to call the ldap module in
``post-auth`` should now set ``edir_autz = yes``, and remove the ``ldap``
module from the ``post-auth`` section.
rlm_ldap and LDAP-Group
~~~~~~~~~~~~~~~~~~~~~~~
In 2.x.x the registration of the ``LDAP-Group`` pair comparison was done
by the last instance of rlm_ldap to be instantiated. In 3.0 this has
changed so that only the default ``ldap {}`` instance registers
``LDAP-Group``.
If ``<instance>-LDAP-Group`` is already used throughout your configuration
no changes will be needed.
rlm_ldap authentication
~~~~~~~~~~~~~~~~~~~~~~~
In 2.x.x the LDAP module had a ``set_auth_type`` configuration item,
which forced ``Auth-Type := ldap``. This was removed in 3.x.x as it
often did not work, and was not consistent with the rest of the
server. We generally recommend that LDAP should be used as a
database, and that FreeRADIUS should do authentication.
The only reason to use ``Auth-Type := ldap`` is when the LDAP server
will not supply the "known good" password to FreeRADIUS, *and* where
the Access-Request contains User-Password. This situation happens
only for Active Directory. If you think you need to force ``Auth-Type
:= ldap`` in other situations, you are very likely to be wrong.
The following is an example of what should be inserted into the
``authorize {}`` and ``authenticate {}`` sections of the relevant
virtual-servers, to get functionality equivalent to v2.x::

    authorize {
        ...
        ldap
        if ((ok || updated) && User-Password) {
            update control {
                Auth-Type := ldap
            }
        }
        ...
    }

    authenticate {
        ...
        Auth-Type ldap {
            ldap
        }
        ...
    }

rlm_eap
~~~~~~~
The EAP configuration has been moved from ``eap.conf`` to
``mods-available/eap``. A new ``pwd`` subsection has been added for
EAP-PWD.
rlm_expiration & rlm_logintime
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The rlm_expiration and rlm_logintime modules no longer add a ``Reply-Message``.
The same behaviour can be achieved by checking the return code of the module
and adding the ``Reply-Message`` with unlang::

    expiration
    if (userlock) {
        update reply {
            Reply-Message := "Your account has expired"
        }
    }

rlm_unix
~~~~~~~~
The ``unix`` module does not have an ``authenticate`` section. So you
cannot set ``Auth-Type := System``. The ``unix`` module has also been
deleted from the examples in ``sites-available/``. Listing it there
has been deprecated for many years.
The PAP module can do crypt authentication. It should be used instead
of Unix authentication.
The Unix module still can pull the passwords from ``/etc/passwd``, or
``/etc/shadow``. This is done by listing it in the ``authorize``
section, as is done in the examples in ``sites-available/``. However,
some systems using NIS or NSS will not supply passwords to the
``unix`` module. For those systems, we recommend putting users and
passwords into a database, instead of relying on ``/etc/passwd``.
rlm_preprocess
~~~~~~~~~~~~~~

In 2.x.x the ``huntgroups`` and ``users`` files were loaded from default
locations without being configured explicitly. Since 3.x.x you need to set
the ``huntgroups`` and ``users`` configuration item(s) in the module section
in order for them to be processed.
New Modules
-----------
rlm_date
~~~~~~~~

Instances of rlm_date register an xlat method which can translate
integer and date values to an arbitrarily formatted date time
string, or an arbitrarily formatted time string to an integer,
depending on the attribute type passed.
rlm_rest
~~~~~~~~

The ``rest`` module is used to translate RADIUS requests into
RESTful HTTP requests. Currently supported body types are JSON
and POST.
rlm_unpack
~~~~~~~~~~

The ``unpack`` module is used to extract data buried inside binary
attributes. e.g. if we have ``Class = 0x00000001020304`` then::

    Tmp-Integer-0 := "%{unpack:&Class 4 short}"

will unpack the two octets at (zero-based) offset 4, i.e. ``0x02``
and ``0x03``, as a "short", which has value 0x0203. All integers are
assumed to be in network byte order.
rlm_yubikey
~~~~~~~~~~~
The ``yubikey`` module can be used to forward yubikey OTP token
values to a Yubico validation server, or decrypt the token
using a PSK.
Deleted Modules
---------------
The following modules have been deleted, and are no longer supported
in Version 3. If you are using one of these modules, your
configuration can probably be changed to not need it. Otherwise email
the freeradius-devel list, and ask about the module.
rlm_acct_unique
~~~~~~~~~~~~~~~
This module has been replaced by the "acct_unique" policy. See
raddb/policy.d/accounting.
The method for calculating the value of acct_unique has changed.
However, as this method was configurable, this change should not
matter. The only issue is in having a v2 and v3 server writing to the
same database at the same time. They will calculate different values
for Acct-Unique-Id.
rlm_acctlog
~~~~~~~~~~~
You should use rlm_linelog instead. That module has a superset of the
acctlog functionality.
rlm_attr_rewrite
~~~~~~~~~~~~~~~~
The attr_rewrite module looked for an attribute, and then re-wrote it,
or created a new attribute. All of that can be done in "unlang".
A sample configuration in "unlang" is::

    if (request:Calling-Station-Id) {
        update request {
            Calling-Station-Id := "...."
        }
    }

We suggest updating all uses of attr_rewrite to use unlang instead.
rlm_checkval
~~~~~~~~~~~~
The checkval module compared two attributes. All of that can be done in "unlang"::

    if (&request:Calling-Station-Id == &control:Calling-Station-Id) {
        ok
    }

We suggest updating all uses of checkval to use unlang instead.
rlm_dbm
~~~~~~~
No one seems to use it. There is no sample configuration for it.
There is no speed advantage to using it over the "files" module.
Modern systems are fast enough that 10K entries can be read from the
"users" file in about 10ms. If you need more users than that, use a
real database such as SQL.
rlm_fastusers
~~~~~~~~~~~~~
No one seems to use it. It has been deprecated since Version 2.0.0.
The "files" module was rewritten so that the "fastusers" module was no
longer necessary.
rlm_policy
~~~~~~~~~~
No one seems to use it. Almost all of its functionality is available
via "unlang".
rlm_sim_files
~~~~~~~~~~~~~
The rlm_sim_files module has been deleted. It was never marked "stable",
and was never used in a production environment. There are better ways
to test EAP.
If you want similar functionality, see rlm_passwd. It can read CSV
files, and create attributes from them.
rlm_sql_log
~~~~~~~~~~~
This has been replaced with the "null" sql driver. See
raddb/mods-available/sql for an example configuration.
The main SQL module has more functionality than rlm_sql_log, and
results in less code in the server.
Other Functionality
-------------------
The following is a list of new / changed functionality.
RadSec
~~~~~~
RadSec (or RADIUS over TLS) is now supported. RADIUS over bare TCP
is also supported, but is recommended only for secure networks.
See ``sites-available/tls`` for complete details on using TLS. The server
can both receive incoming TLS connections, and also originate outgoing
TLS connections.
The TLS configuration is taken from the old EAP-TLS configuration. It
is largely identical to the old EAP-TLS configuration, so it should be
simple to use and configure. It re-uses much of the EAP-TLS code,
so it is well-tested and reliable.
Once RadSec is enabled, normal debugging mode will not work. This is
because the TLS code requires threading to work properly. Instead of doing::
$ radiusd -X
you will need to do::
$ radiusd -fxx -l stdout
That's the price to pay for using RadSec. This limitation may be
lifted in a future version of the server.
PAP and User-Password
~~~~~~~~~~~~~~~~~~~~~

From version 3.0 onwards the server no longer supports authenticating
against a cleartext password in the 'User-Password' attribute. Any
occurrences of this (for instance, in the users file) should now be changed
to 'Cleartext-Password' instead.
e.g. change entries like this::
bob User-Password == "hello"
to ones like this::
bob Cleartext-Password := "hello"
If this is not done, authentication will likely fail. The server will
also print a helpful message in debugging mode.
If it really is impossible to do this, the following unlang inserted above
the call to the pap module may be used to copy User-Password to the correct
attribute::

    if (!control:Cleartext-Password && control:User-Password) {
        update control {
            Cleartext-Password := "%{control:User-Password}"
        }
    }

However, this should only be seen as a temporary, not permanent, fix.
It is better to fix your databases to use the correct configuration.
Unlang
~~~~~~
The unlang policy language is compatible with v2, but has a number of
new features. See ``man unlang`` for complete documentation.
ERRORS
Many more errors are caught when the server is starting up. Syntax
errors in ``unlang`` are caught, and a helpful error message is
printed. The error message points to the exact place where the error
occurred::
./raddb/sites-enabled/default[230]: Parse error in condition
ERROR: if (User-Name ! "bob") {
ERROR: ^ Invalid operator
``update`` sections are more generic. Instead of doing ``update
reply``, you can do the following::

    update {
        reply:Class := 0x0000
        control:Cleartext-Password := "hello"
    }

This change means that you need fewer ``update`` sections.
COMPARISONS
Attribute comparisons can be done via the ``&`` operator. When you
needed to compare two attributes, the old comparison style was::
if (User-Name == "%{control:Tmp-String-0}") {
This syntax is inefficient, as the ``Tmp-String-0`` attribute would be
printed to an intermediate string, causing unnecessary work. You can
now instead compare the two attributes directly::
if (&User-Name == &control:Tmp-String-0) {
See ``man unlang`` for more details.
CASTS
Casts are now permitted. This allows you to force type-specific
comparisons::
if (<ipaddr>"%{sql: SELECT...}" == 127.0.0.1) {
This forces the string returned by the SELECT to be treated as an IP
address, and compare to ``127.0.0.1``. Previously, the comparison
would have been done as a simple string comparison.
NETWORKS
IP networks are now supported::
if (127.0.0.1/32 == 127.0.0.1) {
Will be ``true``. The various comparison operators can be used to
check IP network membership::
if (127/8 > 127.0.0.1) {
Returns ``true``, because ``127.0.0.1`` is within the ``127/8``
network. However, the following comparison will return ``false``::
if (127/8 > 192.168.0.1) {
because ``192.168.0.1`` is outside of the ``127/8`` network.
OPTIMIZATION
As ``unlang`` is now pre-compiled, many compile-time optimizations are
done. This means that the debug output may not be exactly the same as
what is in the configuration files::

    if (0 && (User-Name == "bob")) {

The result will always be ``false``, as the ``if 0`` prevents the
following ``&& ...`` from being evaluated.
Not only that, but the entire contents of that section will be ignored
entirely::

    if (0) {
        this_module_does_not_exist
        and_this_one_does_not_exist_either
    }

In v2, that configuration would result in a parse error, as there is
no module called ``this_module_does_not_exist``. In v3, that text is
ignored. This ability allows you to have dynamic configurations where
certain parts are used (or not) depending on compile-time configuration.
Similarly, conditions which always evaluate to ``true`` will be
optimized away::

    if (1) {
        files
    }

That configuration will never show the ``if (1)`` output in debugging mode.
Dialup_admin
------------

The dialup_admin directory has been removed. No one stepped forward
to maintain it, and the code had not been changed in many years.
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=FR, ST=Radius, L=Somewhere, O=Example Inc./emailAddress=admin@example.org, CN=Example Certificate Authority
Validity
Not Before: Mar 13 16:26:21 2019 GMT
Not After : May 12 16:26:21 2019 GMT
Subject: C=FR, ST=Radius, O=Example Inc., CN=Example Server Certificate/emailAddress=admin@example.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:a2:ab:1b:5f:5c:e7:40:c9:99:b2:46:6b:4e:1a:
ea:be:66:01:ba:d5:26:a9:da:e7:3b:b7:bd:d2:17:
a0:a8:c9:ca:38:91:7f:b8:e3:60:6d:c7:0b:c5:61:
0a:3b:f3:c4:86:40:d8:16:0b:ca:9e:38:ce:01:69:
27:41:00:d4:ed:f2:ea:52:8a:74:7b:d3:81:fb:ec:
18:e2:d3:98:54:45:c2:23:45:be:ed:ed:23:35:71:
a2:7e:26:ee:03:f3:f8:21:f9:2d:71:41:eb:a8:12:
10:94:63:48:66:fc:5d:22:7b:60:e0:8a:98:e2:20:
45:4b:1b:78:29:a5:72:a3:9d:41:d3:c0:55:9d:8a:
7a:fe:55:1b:1d:d1:ad:59:a7:cd:7b:ac:68:5b:07:
ca:ea:bf:de:6a:8b:46:ee:df:7e:98:4b:7c:a6:e7:
77:fb:34:55:d6:70:8c:2e:27:bf:0d:55:b9:33:9e:
bd:3e:77:ac:70:c9:24:51:49:e0:c9:b8:f3:56:7c:
03:54:48:9e:1e:74:a6:f7:78:7d:ef:1a:0f:f8:42:
13:db:4a:48:0a:72:b1:f1:ee:b2:bb:9c:20:25:b7:
80:dc:62:a1:20:10:17:da:63:e7:cc:fc:13:00:f5:
3f:38:be:57:43:a5:b9:0b:6e:c8:96:40:53:cc:2b:
e3:17
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 CRL Distribution Points:
Full Name:
URI:http://www.example.com/example_ca.crl
Signature Algorithm: sha256WithRSAEncryption
3f:5e:f0:c3:9f:f4:5f:16:e8:6b:a4:cc:4e:34:a8:23:35:c2:
07:af:ef:90:f9:d9:a9:67:a3:ce:9b:16:4e:41:65:b7:d0:9e:
12:52:7d:e7:d1:32:13:e1:36:93:69:cc:d4:03:00:ec:7f:34:
a0:63:c5:8f:74:7c:3e:82:ca:e2:41:af:1e:f9:71:ca:7e:82:
0b:16:30:e4:74:9e:a0:53:05:25:b1:8e:5e:14:82:d9:97:f7:
23:57:80:eb:82:38:f4:be:6b:f4:4d:22:01:a0:53:64:7b:a7:
6d:67:dd:2e:bf:1f:16:40:3a:70:2c:da:1e:a2:ff:b3:32:6d:
d9:6e:1c:4c:7a:94:12:cd:a8:2d:fe:65:63:84:41:8d:b1:03:
4d:5a:8e:7b:be:d1:4b:fc:5d:1e:78:cb:8d:37:45:29:de:34:
39:fc:a7:38:66:21:a9:71:73:da:04:de:55:60:7a:5f:11:5e:
4e:c3:8c:ac:0a:63:40:ab:85:e2:22:4a:7e:44:55:18:1d:fd:
58:d4:70:b9:d6:96:d2:dd:28:02:f2:fb:51:4e:4e:96:0b:91:
96:4e:7f:7a:1d:cc:8a:d0:1c:64:db:e5:c8:e6:ad:a7:39:a2:
c2:65:30:36:ae:95:75:16:13:e3:0a:11:c8:8d:79:9e:c3:9a:
21:eb:65:84
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=FR, ST=Radius, L=Somewhere, O=Example Inc./emailAddress=admin@example.org, CN=Example Certificate Authority
Validity
Not Before: Mar 13 16:26:21 2019 GMT
Not After : May 12 16:26:21 2019 GMT
Subject: C=FR, ST=Radius, O=Example Inc., CN=user@example.org/emailAddress=user@example.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d6:e0:59:0b:d4:4e:8b:99:e0:cc:2d:a0:a8:89:
50:c7:eb:44:b8:6f:60:c8:b5:82:a9:09:fc:e0:77:
93:8f:96:c1:d0:b3:80:43:2f:a0:46:ac:e8:60:81:
5e:69:e4:95:f3:0c:64:95:a9:97:99:65:87:b9:5e:
80:df:d6:99:f9:7c:ce:ff:d5:db:24:7b:b3:48:74:
d5:21:f6:72:13:50:d7:e7:68:a6:a4:de:0e:be:9f:
98:5e:2e:9c:af:ab:86:ad:51:15:3a:a7:39:0c:9a:
65:14:c1:30:fb:c1:1b:1f:45:39:d5:88:bc:be:c2:
bc:8b:2a:95:57:d9:6f:46:63:3e:a7:d1:51:e8:5e:
2a:cc:b5:df:c8:28:26:4d:78:82:72:43:b7:84:f1:
c2:9c:f1:b8:8b:ba:01:89:62:45:29:2c:46:4d:0c:
6f:fc:c8:0a:93:70:08:ee:ac:89:07:af:94:1a:a0:
2b:9d:b3:c8:eb:3c:d0:65:3d:17:29:e3:3c:db:98:
d3:be:30:a7:5e:38:5c:4e:c3:92:ea:23:54:9e:d6:
3d:91:93:85:83:0a:42:3f:1d:77:8b:24:57:29:00:
ae:7a:ba:1e:8c:16:5e:9f:e9:70:8f:03:3d:24:16:
41:1f:91:b1:bd:9d:de:2e:bf:b3:f6:4b:bd:db:23:
4e:c9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 CRL Distribution Points:
Full Name:
URI:http://www.example.com/example_ca.crl
Signature Algorithm: sha256WithRSAEncryption
66:f1:57:42:b8:31:ad:98:57:e6:56:de:f1:aa:2e:f2:59:00:
03:33:54:32:24:d9:39:a1:2c:41:03:83:47:e2:2d:0e:90:b1:
9d:dd:ce:6f:fa:03:89:08:a6:4f:dc:8e:a0:22:75:cb:4d:f8:
2b:82:17:ba:ea:5a:cf:d5:62:91:cc:7a:25:fa:98:f0:5c:ec:
63:28:d3:30:1c:83:bf:2d:38:e1:d4:d2:df:13:59:a3:40:ad:
b2:b2:7d:57:0d:85:2a:74:0b:29:e6:0d:19:c3:e3:f8:bf:87:
5d:38:92:3c:ff:d9:1c:5a:ca:f6:7e:8d:35:ed:a6:ee:9a:2a:
14:48:7f:14:b5:34:2a:f6:88:5d:d1:87:bf:8d:f3:26:f0:39:
f7:8e:6b:7c:92:47:96:c4:ae:e5:77:26:33:79:6a:c4:18:f7:
b8:58:3e:b4:5d:a0:3f:61:7a:b2:27:f9:e5:c1:fc:65:42:0c:
6b:17:c9:73:cb:d3:87:eb:92:7b:c2:03:e9:bc:8d:bb:f6:9b:
4e:e7:4c:6a:1f:47:f4:65:c9:2e:4e:d7:40:32:78:54:9c:99:
26:65:19:dc:98:87:b7:fd:33:17:2a:99:65:28:7b:40:3c:a3:
a3:a6:b5:d5:3f:ea:89:f3:e0:cc:fa:b4:3b:2d:58:cd:0c:20:
04:9b:f8:37
-----BEGIN CERTIFICATE-----
MIIDzzCCAregAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBkzELMAkGA1UEBhMCRlIx
DzANBgNVBAgMBlJhZGl1czESMBAGA1UEBwwJU29tZXdoZXJlMRUwEwYDVQQKDAxF
eGFtcGxlIEluYy4xIDAeBgkqhkiG9w0BCQEWEWFkbWluQGV4YW1wbGUub3JnMSYw
JAYDVQQDDB1FeGFtcGxlIENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xOTAzMTMx
NjI2MjFaFw0xOTA1MTIxNjI2MjFaMHExCzAJBgNVBAYTAkZSMQ8wDQYDVQQIDAZS
YWRpdXMxFTATBgNVBAoMDEV4YW1wbGUgSW5jLjEZMBcGA1UEAwwQdXNlckBleGFt
cGxlLm9yZzEfMB0GCSqGSIb3DQEJARYQdXNlckBleGFtcGxlLm9yZzCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBANbgWQvUTouZ4MwtoKiJUMfrRLhvYMi1
gqkJ/OB3k4+WwdCzgEMvoEas6GCBXmnklfMMZJWpl5llh7legN/Wmfl8zv/V2yR7
s0h01SH2chNQ1+dopqTeDr6fmF4unK+rhq1RFTqnOQyaZRTBMPvBGx9FOdWIvL7C
vIsqlVfZb0ZjPqfRUeheKsy138goJk14gnJDt4TxwpzxuIu6AYliRSksRk0Mb/zI
CpNwCO6siQevlBqgK52zyOs80GU9FynjPNuY074wp144XE7DkuojVJ7WPZGThYMK
Qj8dd4skVykArnq6HowWXp/pcI8DPSQWQR+Rsb2d3i6/s/ZLvdsjTskCAwEAAaNP
ME0wEwYDVR0lBAwwCgYIKwYBBQUHAwIwNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDov
L3d3dy5leGFtcGxlLmNvbS9leGFtcGxlX2NhLmNybDANBgkqhkiG9w0BAQsFAAOC
AQEAZvFXQrgxrZhX5lbe8aou8lkAAzNUMiTZOaEsQQODR+ItDpCxnd3Ob/oDiQim
T9yOoCJ1y034K4IXuupaz9Vikcx6JfqY8FzsYyjTMByDvy044dTS3xNZo0CtsrJ9
Vw2FKnQLKeYNGcPj+L+HXTiSPP/ZHFrK9n6NNe2m7poqFEh/FLU0KvaIXdGHv43z
JvA5945rfJJHlsSu5XcmM3lqxBj3uFg+tF2gP2F6sif55cH8ZUIMaxfJc8vTh+uS
e8ID6byNu/abTudMah9H9GXJLk7XQDJ4VJyZJmUZ3JiHt/0zFyqZZSh7QDyjo6a1
1T/qifPgzPq0Oy1YzQwgBJv4Nw==
-----END CERTIFICATE-----
######################################################################
#
#	Make file to be installed in /etc/raddb/certs to enable
#	the easy creation of certificates.
#
#	See the README file in this directory for more information.
#
#	$Id: ef243c9b3719af58690bf48bcbb532eaa96099dd $
#
######################################################################

DH_KEY_SIZE	= 2048
OPENSSL		= openssl

#
#  Set the passwords
#
-include passwords.mk

######################################################################
#
#  Make the necessary files, but not client certificates.
#
######################################################################
.PHONY: all
all: index.txt serial dh server ca client

.PHONY: client
client: client.pem

.PHONY: ca
ca: ca.der

.PHONY: server
server: server.pem server.vrfy

.PHONY: verify
verify: server.vrfy client.vrfy

# Passwords are read out of the *.cnf files so the Makefile never
# carries a secret itself.
passwords.mk: server.cnf ca.cnf client.cnf
	@echo "PASSWORD_SERVER	= '$(shell grep output_password server.cnf | sed 's/.*=//;s/^ *//')'" > $@
	@echo "PASSWORD_CA	= '$(shell grep output_password ca.cnf | sed 's/.*=//;s/^ *//')'" >> $@
	@echo "PASSWORD_CLIENT	= '$(shell grep output_password client.cnf | sed 's/.*=//;s/^ *//')'" >> $@
	@echo "USER_NAME	= '$(shell grep emailAddress client.cnf | grep '@' | sed 's/.*=//;s/^ *//')'" >> $@
	@echo "CA_DEFAULT_DAYS = '$(shell grep default_days ca.cnf | sed 's/.*=//;s/^ *//')'" >> $@

######################################################################
#
#  Diffie-Hellman parameters
#
######################################################################
dh:
	$(OPENSSL) dhparam -out dh -2 $(DH_KEY_SIZE)

######################################################################
#
#  Create a new self-signed CA certificate
#
######################################################################
ca.key ca.pem: ca.cnf
	@[ -f index.txt ] || $(MAKE) index.txt
	@[ -f serial ] || $(MAKE) serial
	$(OPENSSL) req -new -x509 -keyout ca.key -out ca.pem \
		-days $(CA_DEFAULT_DAYS) -config ./ca.cnf
	chmod g+r ca.key

ca.der: ca.pem
	$(OPENSSL) x509 -inform PEM -outform DER -in ca.pem -out ca.der

######################################################################
#
#  Create a new server certificate, signed by the above CA.
#
######################################################################
server.csr server.key: server.cnf
	$(OPENSSL) req -new -out server.csr -keyout server.key -config ./server.cnf
	chmod g+r server.key

server.crt: server.csr ca.key ca.pem
	$(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key $(PASSWORD_CA) -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf

server.p12: server.crt
	$(OPENSSL) pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)
	chmod g+r server.p12

server.pem: server.p12
	$(OPENSSL) pkcs12 -in server.p12 -out server.pem -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)
	chmod g+r server.pem

.PHONY: server.vrfy
server.vrfy: ca.pem
	@$(OPENSSL) verify -CAfile ca.pem server.pem

######################################################################
#
#  Create a new client certificate, signed by the above CA (the
#  client.crt rule uses ca.key, not the server key).
#
######################################################################
client.csr client.key: client.cnf
	$(OPENSSL) req -new -out client.csr -keyout client.key -config ./client.cnf
	chmod g+r client.key

client.crt: client.csr ca.pem ca.key
	$(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf

client.p12: client.crt
	$(OPENSSL) pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
	chmod g+r client.p12

client.pem: client.p12
	$(OPENSSL) pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
	chmod g+r client.pem
	cp client.pem $(USER_NAME).pem

.PHONY: client.vrfy
client.vrfy: ca.pem client.pem
	c_rehash .
	$(OPENSSL) verify -CApath . client.pem

######################################################################
#
#  Miscellaneous rules.
#
######################################################################
index.txt:
	@touch index.txt

serial:
	@echo '01' > serial

print:
	$(OPENSSL) x509 -text -in server.crt

printca:
	$(OPENSSL) x509 -text -in ca.pem

clean:
	@rm -f *~ *old client.csr client.key client.crt client.p12 client.pem

#
#	Make a target that people won't run too often.
#
destroycerts:
	rm -f *~ dh *.csr *.crt *.p12 *.der *.pem *.key index.txt* \
		serial* *\.0 *\.1
This directory contains scripts to create the server certificates.
To make a set of default (i.e. test) certificates, simply type:
$ ./bootstrap
The "openssl" command will be run against the sample configuration
files included here, and will make a self-signed certificate authority
(i.e. root CA), and a server certificate. This "root CA" should be
installed on any client machine needing to do EAP-TLS, PEAP, or
EAP-TTLS.
The Microsoft "XP Extensions" will be automatically included in the
server certificate. Without those extensions Windows clients will
refuse to authenticate to FreeRADIUS.
The root CA and the "XP Extensions" file also contain a crlDistributionPoints
attribute. The latest release of Windows Phone needs this to be present
for the handset to validate the RADIUS server certificate. The RADIUS
server certificate must carry the URI; the CA need not, although it is
best practice for a CA to publish a revocation URI. Note that whilst
the Windows Mobile client cannot actually use the CRL when doing 802.1X,
it is recommended that the URI be a working URL that serves a CRL file,
as other operating systems, current or future, may act on that URI.
In general, you should use self-signed certificates for 802.1x (EAP)
authentication. When you list root CAs from other organisations in
the "ca_file", you permit them to masquerade as you, to authenticate
your users, and to issue client certificates for EAP-TLS.
If FreeRADIUS was configured to use OpenSSL, then simply starting
the server as root in debugging mode should also create test
certificates, i.e.:
$ radiusd -X
That will cause the EAP-TLS module to run the "bootstrap" script in
this directory. The script will be executed only once, the first time
the server has been installed on a particular machine. This bootstrap
script SHOULD be run on installation of any pre-built binary package
for your OS. In any case, the script will ensure that it is not run
twice, and that it does not over-write any existing certificates.
If you already have CA and server certificates, rename (or delete)
this directory, and create a new "certs" directory containing your
certificates. Note that the "make install" command will NOT
over-write your existing "raddb/certs" directory, which means that the
"bootstrap" command will not be run.
NEW INSTALLATIONS OF FREERADIUS
We suggest that new installations use the test certificates for
initial tests, and then create real certificates to use for normal
user authentication. See the instructions below for how to create the
various certificates. The old test certificates can be deleted by
running the following command:
$ rm -f *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt*
Then, follow the instructions below for creating real certificates.
Once the final certificates have been created, you can delete the
"bootstrap" command from this directory, and delete the
"make_cert_command" configuration from the "tls" sub-section of
eap.conf.
If you do not want to enable EAP-TLS, PEAP, or EAP-TTLS, then delete
the relevant sub-sections from the "eap.conf" file.
MAKING A ROOT CERTIFICATE
$ vi ca.cnf
Edit the "input_password" and "output_password" fields to be the
password for the CA certificate.
Edit the [certificate_authority] section to have the correct values
for your country, state, etc.
$ make ca.pem
This step creates the CA certificate.  It is valid for the number of
days set by "default_days" in ca.cnf (60 in the sample file), which is
fine for test certificates but far too short for a CA you intend to
deploy: when the CA expires, every client that trusts it stops
authenticating.
$ make ca.der
This step creates the DER format of the self-signed certificate,
which can be imported into Windows.
MAKING A SERVER CERTIFICATE
$ vi server.cnf
Edit the "input_password" and "output_password" fields to be the
password for the server certificate.
Edit the [server] section to have the correct values for your
country, state, etc. Be sure that the commonName field here is
different from the commonName for the CA certificate.
$ make server.pem
This step creates the server certificate.
If you have an existing certificate authority, and wish to create a
certificate signing request for the server certificate, edit
server.cnf as above, and type the following command.
$ make server.csr
You will have to ensure that the certificate contains the XP
extensions needed by Microsoft clients.
MAKING A CLIENT CERTIFICATE
Client certificates are used by EAP-TLS, and optionally by EAP-TTLS
and PEAP.  The following steps outline how to create a client
certificate that is signed by the CA certificate created above (the
Makefile and the bootstrap script sign with ca.key, not with the
server key).  You will have to have the CA password in the
"input_password" and "output_password" fields of the ca.cnf file.
$ vi client.cnf
Edit the "input_password" and "output_password" fields to be the
password for the client certificate. You will have to give these
passwords to the end user who will be using the certificates.
Edit the [client] section to have the correct values for your
country, state, etc. Be sure that the commonName field here is
the User-Name that will be used for logins!
$ make client.pem
The user's certificate will be in "emailAddress.pem",
i.e. "user@example.org.pem" for the sample client.cnf.
To create another client certificate, just repeat the steps for
making a client certificate, being sure to enter a different login
name for "commonName", and a different password.
PERFORMANCE
EAP performance for EAP-TLS, TTLS, and PEAP is dominated by SSL
calculations. That is, a normal system can handle PAP
authentication at a rate of 10k packets/s. However, SSL involves
RSA calculations, which are very expensive. To benchmark your system,
do:
$ openssl speed rsa
or
$ openssl speed rsa2048
to test 2048 bit keys.
The "sign" figure is the number of RSA private-key operations per
second, which is roughly the number of EAP-TLS (or TTLS, or PEAP)
authentications/s the system can do.  A 1GHz system of the era these
notes were written will likely do 30 calculations/s, a 2GHz system 50
or more; a current server core does thousands.
COMPATIBILITY
The certificates created using this method are known to be compatible
with ALL operating systems. Some common issues are:
- Windows requires certain OIDs in the certificates. If it doesn't
see them, it will stop doing EAP. The most visible effect is
that the client starts EAP, gets a few Access-Challenge packets,
and then a little while later re-starts EAP. If this happens, see
the FAQ, and the comments in raddb/eap.conf for how to fix it.
- Windows requires the root certificates to be on the client PC.
If it doesn't have them, you will see the same issue as above.
- Windows XP post SP2 has a bug where it has problems with
certificate chains. i.e. if the server certificate is an
intermediate one, and not a root one, then authentication will
silently fail, as above.
- Some versions of Windows CE cannot handle 4K RSA certificates.
They will (again) silently fail, as above.
- In none of these cases will Windows give the end user any
reasonable error message describing what went wrong. This leads
people to blame the RADIUS server. That blame is misplaced.
- Certificate chains of more than 64K bytes are known to not work.
This is a problem in FreeRADIUS. However, most clients cannot
handle 64K certificate chains. Most Access Points will shut down
the EAP session after about 50 round trips, while 64K certificate
chains will take about 60 round trips. So don't use large
certificate chains.  They will only work after everyone upgrades
everything in the network.
- All other operating systems are known to work with EAP and
FreeRADIUS. This includes Linux, *BSD, Mac OS X, Solaris,
Symbian, along with all known embedded systems, phones, WiFi
devices, etc.
- Someone needs to ask Microsoft to please stop making life hard for
their customers.
SECURITY CONSIDERATIONS
Older versions of these configuration files used MD5 for the
certificate signature digest, to maintain compatibility with network
equipment that supported only that algorithm.

MD5 has known weaknesses (see http://www.kb.cert.org/vuls/id/836068
for details), and SHA1 has since been deprecated for signatures as
well; current TLS stacks reject MD5-signed certificates and are
phasing out SHA1.  The "ca.cnf", "server.cnf", and "client.cnf" files
shipped here therefore set 'default_md' to 'sha256'.  Do not change it
back to 'md5' or 'sha1' to accommodate old equipment, and check the
'default_md' entry in each file if you are reusing configuration from
an earlier release.
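The three MAKING A ... CERTIFICATE procedures above, the COMPATIBILITY notes and the "ca_file" warning are easier to reason about with something that can be run. The script below is an added example, not part of the FreeRADIUS "certs" directory or its Makefile: it builds a throwaway CA, server and client certificate of the same shape as the ones the bootstrap produces, then checks what the README only describes (chain verification, the serverAuth/clientAuth extended key usages that Windows requires, the signature digest, distinct CA and server commonNames, chain size under 64K) and shows what a root CA from another organisation in "ca_file" buys that organisation. It assumes an "openssl" binary on PATH; the extension sections stand in for the "xpextensions" file, which this page does not reproduce, and every DN, SAN and file name is invented for the demonstration.

```shell
#!/bin/sh
# Added example (not FreeRADIUS code): build test certs like the bootstrap
# does, then run the checks the README describes. Requires "openssl".
# All names below (DNs, SAN, temp dir) are assumptions for the demo.
set -e
WORK=${WORK:-$(mktemp -d)}
cd "$WORK"

# Stand-in for the "xpextensions" file (not shown on the page).  The
# "XP extension" Windows wants on the server cert is the standard
# serverAuth EKU (1.3.6.1.5.5.7.3.1); clients get clientAuth (..7.3.2).
cat > ext.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:true,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:false
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:radius.example.org
authorityKeyIdentifier = keyid
[ client_ext ]
basicConstraints = CA:false
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
authorityKeyIdentifier = keyid
EOF

# mkca NAME CN: self-signed CA -> NAME.key, NAME.pem (RSA-2048, SHA-256,
# 60 days to mirror default_days in ca.cnf; a real CA needs far longer)
mkca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 60 \
    -subj "/C=FR/O=Example Inc./CN=$2" -config ext.cnf -extensions v3_ca \
    -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# issue CA NAME CN SECTION: CSR + cert signed by CA.key -> NAME.key, NAME.crt
issue() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config ext.cnf \
    -subj "/C=FR/O=Example Inc./CN=$3" -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" -CAcreateserial \
    -days 60 -sha256 -extfile ext.cnf -extensions "$4" -out "$2.crt" 2>/dev/null
}

# chain_ok CAFILE CERT: does CERT verify against CAFILE?
chain_ok()    { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
# has_eku CERT TEXT: TEXT is e.g. "TLS Web Server Authentication"
has_eku()     { openssl x509 -in "$1" -noout -text | sed -n '/Extended Key Usage/{n;p;}' | grep -q "$2"; }
# sig_alg CERT: signature algorithm name, e.g. sha256WithRSAEncryption
sig_alg()     { openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1; }
# weak_digest CERT: true when signed with md5 or sha1 (SECURITY CONSIDERATIONS)
weak_digest() { case "$(sig_alg "$1")" in md5*|sha1*) return 0 ;; *) return 1 ;; esac; }
# cn CERT: the subject commonName
cn()          { openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//; s/[,/].*//'; }
# chain_bytes CA CERT: bytes the server sends; >64K is known not to work
chain_bytes() { echo $(( $(cat "$1" "$2" | wc -c) )); }

mkca  ca    "Example Certificate Authority"
issue ca    server "Example Server Certificate" server_ext
issue ca    client "user@example.org"           client_ext
# A CA run by someone else: it can mint a cert carrying *your* user's name.
mkca  other "Some Other Organisation CA"
issue other rogue  "user@example.org"           client_ext
cat ca.pem other.pem > ca_file_with_foreign_ca.pem

# all_checks: 0 when the server and client certs look right for EAP-TLS/PEAP/TTLS
all_checks() {
  chain_ok ca.pem server.crt && chain_ok ca.pem client.crt &&
  has_eku server.crt "TLS Web Server Authentication" &&
  has_eku client.crt "TLS Web Client Authentication" &&
  ! weak_digest server.crt && ! weak_digest ca.pem &&
  [ "$(cn ca.pem)" != "$(cn server.crt)" ] &&
  [ "$(chain_bytes ca.pem server.crt)" -lt 65536 ]
}

if all_checks; then echo "server/client certificates pass all checks"; fi
if chain_ok ca.pem rogue.crt; then echo "BUG: rogue cert accepted by our CA alone"; fi
if chain_ok ca_file_with_foreign_ca.pem rogue.crt; then
  echo "foreign CA in ca_file: rogue '$(cn rogue.crt)' certificate now verifies"
fi
```

The check functions take file names, so they can be pointed at a real raddb/certs directory (for example `has_eku server.crt "TLS Web Server Authentication"` or `weak_digest ca.pem`) after the bootstrap has run. The last three lines are the point of the "ca_file" paragraph: the rogue certificate carries the same User-Name as the legitimate client and fails against your own CA, but verifies the moment a second organisation's root is appended to the trust file.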
#!/bin/sh
#
#  This is a wrapper script to create default certificates when the
#  server first starts in debugging mode.  Once the certificates have been
#  created, this file should be deleted.
#
#  Ideally, this program should be run as part of the installation of any
#  binary package.  The installation should also ensure that the permissions
#  and owners are correct for the files generated by this script.
#
#  $Id: 0f719aafd4c9abcdefbf547dedb6e7312c535104 $
#
umask 027
cd `dirname $0`

make -h > /dev/null 2>&1

#
#  If we have a working "make", then use it.  Otherwise, run the commands
#  manually.
#
if [ "$?" = "0" ]; then
  make all
  exit $?
fi

#
#  The following commands were created by running "make -n", and edited
#  to remove the trailing backslash, and to add "exit 1" after the commands.
#
#  Don't edit the following text.  Instead, edit the Makefile, and
#  re-generate these commands.
#
if [ ! -f dh ]; then
  openssl dhparam -out dh 2048 || exit 1
  if [ -e /dev/urandom ] ; then
    ln -sf /dev/urandom random
  else
    date > ./random;
  fi
fi

if [ ! -f server.key ]; then
  openssl req -new -out server.csr -keyout server.key -config ./server.cnf || exit 1
fi

if [ ! -f ca.key ]; then
  openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf || exit 1
fi

if [ ! -f index.txt ]; then
  touch index.txt
fi

if [ ! -f serial ]; then
  echo '01' > serial
fi

if [ ! -f server.crt ]; then
  openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf || exit 1
fi

if [ ! -f server.p12 ]; then
  openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1
fi

if [ ! -f server.pem ]; then
  openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1
  openssl verify -CAfile ca.pem server.pem || exit 1
fi

if [ ! -f ca.der ]; then
  openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der || exit 1
fi
#
#  The client steps were missing the "|| exit 1" the comment above
#  promises, so a failed CSR or signing went unnoticed; they now abort too.
#
if [ ! -f client.key ]; then
  openssl req -new -out client.csr -keyout client.key -config ./client.cnf || exit 1
fi

if [ ! -f client.crt ]; then
  openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf || exit 1
fi
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./
certs = $dir
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir
certificate = $dir/ca.pem
serial = $dir/serial
crl = $dir/crl.pem
private_key = $dir/ca.key
RANDFILE = $dir/.rand
name_opt = ca_default
cert_opt = ca_default
default_days = 60
default_crl_days = 30
default_md = sha256
preserve = no
policy = policy_match
crlDistributionPoints = URI:http://www.example.org/example_ca.crl
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
prompt = no
distinguished_name = certificate_authority
default_bits = 2048
input_password = whatever
output_password = whatever
x509_extensions = v3_ca
[certificate_authority]
countryName = FR
stateOrProvinceName = Radius
localityName = Somewhere
organizationName = Example Inc.
emailAddress = admin@example.org
commonName = "Example Certificate Authority"
[v3_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = critical,CA:true
crlDistributionPoints = URI:http://www.example.org/example_ca.crl
-----BEGIN ENCRYPTED PRIVATE KEY-----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-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./
certs = $dir
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir
certificate = $dir/ca.pem
serial = $dir/serial
crl = $dir/crl.pem
private_key = $dir/ca.key
RANDFILE = $dir/.rand
name_opt = ca_default
cert_opt = ca_default
default_days = 60
default_crl_days = 30
default_md = sha256
preserve = no
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
prompt = no
distinguished_name = client
default_bits = 2048
input_password = whatever
output_password = whatever
[client]
countryName = FR
stateOrProvinceName = Radius
localityName = Somewhere
organizationName = Example Inc.
emailAddress = user@example.org
commonName = user@example.org
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=FR, ST=Radius, L=Somewhere, O=Example Inc./emailAddress=admin@example.org, CN=Example Certificate Authority
        Validity
            Not Before: Mar 13 16:26:21 2019 GMT
            Not After : May 12 16:26:21 2019 GMT
        Subject: C=FR, ST=Radius, O=Example Inc., CN=user@example.org/emailAddress=user@example.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d6:e0:59:0b:d4:4e:8b:99:e0:cc:2d:a0:a8:89:
                    50:c7:eb:44:b8:6f:60:c8:b5:82:a9:09:fc:e0:77:
                    93:8f:96:c1:d0:b3:80:43:2f:a0:46:ac:e8:60:81:
                    5e:69:e4:95:f3:0c:64:95:a9:97:99:65:87:b9:5e:
                    80:df:d6:99:f9:7c:ce:ff:d5:db:24:7b:b3:48:74:
                    d5:21:f6:72:13:50:d7:e7:68:a6:a4:de:0e:be:9f:
                    98:5e:2e:9c:af:ab:86:ad:51:15:3a:a7:39:0c:9a:
                    65:14:c1:30:fb:c1:1b:1f:45:39:d5:88:bc:be:c2:
                    bc:8b:2a:95:57:d9:6f:46:63:3e:a7:d1:51:e8:5e:
                    2a:cc:b5:df:c8:28:26:4d:78:82:72:43:b7:84:f1:
                    c2:9c:f1:b8:8b:ba:01:89:62:45:29:2c:46:4d:0c:
                    6f:fc:c8:0a:93:70:08:ee:ac:89:07:af:94:1a:a0:
                    2b:9d:b3:c8:eb:3c:d0:65:3d:17:29:e3:3c:db:98:
                    d3:be:30:a7:5e:38:5c:4e:c3:92:ea:23:54:9e:d6:
                    3d:91:93:85:83:0a:42:3f:1d:77:8b:24:57:29:00:
                    ae:7a:ba:1e:8c:16:5e:9f:e9:70:8f:03:3d:24:16:
                    41:1f:91:b1:bd:9d:de:2e:bf:b3:f6:4b:bd:db:23:
                    4e:c9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://www.example.com/example_ca.crl
    Signature Algorithm: sha256WithRSAEncryption
         66:f1:57:42:b8:31:ad:98:57:e6:56:de:f1:aa:2e:f2:59:00:
         03:33:54:32:24:d9:39:a1:2c:41:03:83:47:e2:2d:0e:90:b1:
         9d:dd:ce:6f:fa:03:89:08:a6:4f:dc:8e:a0:22:75:cb:4d:f8:
         2b:82:17:ba:ea:5a:cf:d5:62:91:cc:7a:25:fa:98:f0:5c:ec:
         63:28:d3:30:1c:83:bf:2d:38:e1:d4:d2:df:13:59:a3:40:ad:
         b2:b2:7d:57:0d:85:2a:74:0b:29:e6:0d:19:c3:e3:f8:bf:87:
         5d:38:92:3c:ff:d9:1c:5a:ca:f6:7e:8d:35:ed:a6:ee:9a:2a:
         14:48:7f:14:b5:34:2a:f6:88:5d:d1:87:bf:8d:f3:26:f0:39:
         f7:8e:6b:7c:92:47:96:c4:ae:e5:77:26:33:79:6a:c4:18:f7:
         b8:58:3e:b4:5d:a0:3f:61:7a:b2:27:f9:e5:c1:fc:65:42:0c:
         6b:17:c9:73:cb:d3:87:eb:92:7b:c2:03:e9:bc:8d:bb:f6:9b:
         4e:e7:4c:6a:1f:47:f4:65:c9:2e:4e:d7:40:32:78:54:9c:99:
         26:65:19:dc:98:87:b7:fd:33:17:2a:99:65:28:7b:40:3c:a3:
         a3:a6:b5:d5:3f:ea:89:f3:e0:cc:fa:b4:3b:2d:58:cd:0c:20:
         04:9b:f8:37
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE REQUEST-----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=
-----END CERTIFICATE REQUEST-----
-----BEGIN ENCRYPTED PRIVATE KEY-----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-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
localKeyID: 6B B4 DA 45 B0 75 41 A1 DC 84 DD 8C 24 A5 F9 07 9C 4A 65 74
subject=/C=FR/ST=Radius/O=Example Inc./CN=user@example.org/emailAddress=user@example.org
issuer=/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin@example.org/CN=Example Certificate Authority
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Bag Attributes
localKeyID: 6B B4 DA 45 B0 75 41 A1 DC 84 DD 8C 24 A5 F9 07 9C 4A 65 74
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----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-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEAgSpzjYN+YrcmG0ifKF2lYaEPoIWnWGLDMAVLU42DjNWVhBs1frwR
zuNIUO2JfNoyfe8gj6grA9ls/UQ02KRHHW3mreqDUrfnjq3YCtUzsR0B9q5fFOMZ
FyFk2HlHj/+llXZ3NKPZnr4bJvEIwobzDRcs96C0nlONwLK2BRxDgkquB6s/awuc
5s534jHP9gkyjCVM8xKJ1rpEL7neus8rzufMv9wtMcO+uC25lghglKgWXk3lQfHl
EVQ7fl/9MAbYUEXOIdH6NvYx9k5Y4T2cZzCynR1jTbIEnzMLgfFllgoUgcVufmI1
LgFrBOQPDPaVf+E4+WNWmV3bHMYTPE4diwIBAg==
-----END DH PARAMETERS-----
V	190512162621Z		01	unknown	/C=FR/ST=Radius/O=Example Inc./CN=Example Server Certificate/emailAddress=admin@example.org
V	190512162621Z		02	unknown	/C=FR/ST=Radius/O=Example Inc./CN=user@example.org/emailAddress=user@example.org
unique_subject = yes
unique_subject = yes