Feed on

If you’ve ever tried setting up FreeRADIUS and WPA2-Enterprise, and wondered how the example certs wind up with the X509v3 extended key “TLS Web Server Authentication” on it, the trick here is a config file specifying a numerical OID for the key instead of a text description. (Apparently Windows expects to see these TLS extended keys when connecting to a wireless network with EAP/TLS).

This puzzled me for a while, I’ve never seen this key and couldn’t figure out how they were getting it on their certs. It’s obvious now, but I spent way longer than I care to admit carefully combing over the example *.cnf files that came with the package, my system’s openssl.cnf, another system’s pristine openssl.cnf for any missing extendedKeyUsage or nsCertType directives, and the OpenSSL manual page for x509 looking for any missed defaults. It wasn’t until I carefully followed the Makefile in the example that they were pulling in an extension file via -extfile xpextensions and using an section with -extensions xpserver_ext that were specifying the options as OIDs. I had overlooked this file in earlier spelunking. Mystery solved.


P.S. this dude wrote an incredibly detailed instruction guide on a home lab setup using a Raspberry Pi as a UniFi wireless controller, private CA, FreeRADIUS, and WPA2-Enterprise.  It’s got more screenshots and explanations than most of the internet deserves.  https://dot11zen.blogspot.com/2018/04/wpa2-entreprise-using-unifi-access.html

P.P.S. FreeRADIUS has been incredibly annoying to write an attribute-API-driven Chef cookbook for.

users file? Easy, we’ll just iterate over a loop and dump out the values — not so fast, the last entry on a user can’t have a trailing comma, oh and we use tabs in some spots.

Config file? We’ll define convenience variables in it, using them all over the place and then use them to create more convenience variables in other config files we include. (I get it, for human maintainers this makes it easy) Without writing templates for each and every config file to get rid of them all, it took a while to locate the major ones to maintain compatibility.

Ubuntu? We’ll use completely different paths to store our RADDB, daemon names, TLS certs, system users and groups than CentOS, because we’re Ubuntu. And amazingly CentOS 7.x has FreeRADIUS v3, whereas Ubuntu 16.x has v2, which uses slightly different syntax.

The majority of the work is done now so hopefully I can post the cookbook on Github soon.

Leave a Reply