18 March 2009

Howto: set up an EAP-TLS WPA network with FreeRADIUS



A WPA Enterprise network secured with EAP-TLS and FreeRADIUS


Introduction



The most important choice to make when implementing WPA Enterprise is which flavour of EAP to use. This choice is mainly limited by your client platform. The FreeRADIUS server, licensed under the GPL, can be made to support virtually every EAP method you may want. Your wireless access point is EAP-agnostic; you only have to verify that it supports WPA Enterprise, which some vendors label 802.1X. It simply passes EAP traffic between clients and the server, without requiring explicit support for any particular EAP subtype.
What your client platform supports is a function both of your client operating system and of its wireless hardware. For example, a Microsoft Windows XP system with a Centrino chipset supports EAP-TLS and PEAP, but EAP-TTLS isn't an easy option on a Microsoft OS. If, on the other hand, you run Linux with wpa_supplicant, you have a much wider range of choices available.

Here we choose EAP-TLS. EAP-TLS requires client certificates, which in turn requires you to set up a certificate authority (CA). TLS authentication provides strong security thanks to X.509 certificates, and it doesn't take that much work to create your own CA with OpenSSL.

In this howto, Windows XP clients use EAP-TLS to connect to a WPA-enabled access point. The access point, in turn, is configured to authenticate against a FreeRADIUS server running Linux (Debian Lenny).


FreeRADIUS with EAP-TLS/TTLS/PEAP support


Debian's FreeRADIUS package is built without support for EAP-TLS/TTLS/PEAP because of the licensing problems between the GPL and the OpenSSL library. We want to implement 802.1X network authentication with strong security, so we need that support. We will therefore rebuild the Debian packages (Lenny, stable at the time of writing, 10 March 2009) linked against libssl, with EAP-TLS/TTLS/PEAP compiled in.

I assume you made a minimal installation of Lenny and added a minimal GNOME environment:

$ apt-get install x-window-system-core
$ apt-get install gnome-core synaptic

Then, in order to build the missing packages, you need to install dpkg-dev and fakeroot (so that the build itself does not need root access):

$ apt-get install dpkg-dev fakeroot

Download the newest source package (orig.tar.gz), Debian diff (diff.gz) and description file (dsc) from the freeradius package page. The version I tested this procedure with is freeradius-2.0.4+dfsg.

Unpack the source and switch to the resulting directory like this:

# dpkg-source -x *.dsc
dpkg-source: extracting freeradius in freeradius-2.0.4+dfsg
dpkg-source: unpacking freeradius_2.0.4+dfsg-6.diff.gz
dpkg-source: applying ./freeradius_2.0.4+dfsg-6.diff.gz
# cd freeradius-*

There are two files that must be edited in order to successfully build the package:

1. Edit debian/rules, search for eap and change every occurrence of --without-rlm_eap-* to --with-rlm_eap-*, except for --without-rlm_eap_ikev2, --without-rlm_eap_tnc, --without-rlm_sql_oracle, --without-rlm_sql_unixodbc and --without-rlm_otp, which stay as they are.
A few lines below, in the same file, replace --without-openssl with --with-openssl.

So it should look like:

--with-rlm_eap_tls \
--with-rlm_eap_ttls \
--with-rlm_eap_peap \
--without-rlm_eap_tnc \
--without-rlm_otp \
--with-rlm_sql_postgresql_lib_dir=`pg_config --libdir`\
--with-rlm_sql_postgresql_include_dir=`pg_config --includedir` \
--with-openssl \
--without-rlm_eap_ikev2 \
--without-rlm_sql_oracle \
--without-rlm_sql_unixodbc \




Still in the same file, find the following block and comment it out entirely (it aborts the build as soon as a package links against OpenSSL):

for pkg in ${pkgs} ; do \
if dh_shlibdeps -p $$pkg -- -O 2>/dev/null | grep -q libssl; then \
echo "$$pkg links to openssl" ;\
exit 1 ;\
fi ;\
done

2. Finally, edit debian/control and append , libssl-dev to the end of the line starting with Build-Depends:.

Before running "dpkg-buildpackage -rfakeroot", I also needed to install the build dependencies:

# apt-get install libssl-dev debhelper libgdbm-dev libiodbc2-dev libkrb5-dev libldap2-dev libltdl3-dev libmysqlclient15-dev libpam0g-dev libpcap-dev libperl-dev libpq-dev libsasl2-dev libsnmp-dev python-dev

You can now build new packages with EAP/TLS/TTLS/PEAP support like this:

# dpkg-buildpackage -rfakeroot

If everything goes well, you'll find ten Debian packages in the parent directory, which you can now install. Don't forget to put the newly installed packages on hold in your package manager; otherwise, new official versions (without EAP-TLS/TTLS/PEAP support) will overwrite your custom-built packages when you upgrade.

One way to achieve the hold is with dpkg:

Put a package on hold:
echo "package hold" | dpkg --set-selections
Example:
echo "freeradius hold" | dpkg --set-selections
Remove the hold:
echo "package install" | dpkg --set-selections
Example:
echo "freeradius install" | dpkg --set-selections
Show the selection state of your packages:
dpkg --get-selections



Now I show you what happens when installing the newly created packages on a French-speaking Lenny server (hostname: hp-debian-stable.multitel.be):


hp-debian-stable:/home/hanoteau# dpkg --install freeradius-common_2.0.4+dfsg-6_all.deb
Sélection du paquet freeradius-common précédemment désélectionné.
(Lecture de la base de données... 99926 fichiers et répertoires déjà installés.)
Dépaquetage de freeradius-common (à partir de freeradius-common_2.0.4+dfsg-6_all.deb) ...
Paramétrage de freeradius-common (2.0.4+dfsg-6) ...
Ajout de l'utilisateur freerad au groupe shadow
Traitement des actions différées (« triggers ») pour « man-db »...

hp-debian-stable:/home/hanoteau# dpkg --install libfreeradius2_2.0.4+dfsg-6_i386.deb
Sélection du paquet libfreeradius2 précédemment désélectionné.
(Lecture de la base de données... 100311 fichiers et répertoires déjà installés.)
Dépaquetage de libfreeradius2 (à partir de libfreeradius2_2.0.4+dfsg-6_i386.deb) ...
Paramétrage de libfreeradius2 (2.0.4+dfsg-6) ...

hp-debian-stable:/home/hanoteau# dpkg --install freeradius_2.0.4+dfsg-6_i386.deb
(Lecture de la base de données... 100317 fichiers et répertoires déjà installés.)
Préparation du remplacement de freeradius 2.0.4+dfsg-6 (en utilisant freeradius_2.0.4+dfsg-6_i386.deb) ...
Dépaquetage de la mise à jour de freeradius ...
Paramétrage de freeradius (2.0.4+dfsg-6) ...
suppression du / final
suppression du / final
suppression du / final
Starting FreeRADIUS daemon: freeradius.

FreeRADIUS should now be running; let's go further.


Creating a Certificate Authority

Before we configure FreeRADIUS, we need to create some certificates, and before we create any certificates, we must create our CA.
A CA is a system that acts as the root of a public key infrastructure. It's the central authority that guarantees, by way of digital signatures, the authenticity of all certificates issued in your organization. It also periodically issues certificate revocation lists (CRLs): lists of certificates the CA no longer vouches for, for example certificates issued to people who have left the organization, to servers that are no longer on-line, and so on.
None of this requires your CA to act as an actual server; in fact, it's better if it doesn't. For a CA to be trustworthy, it must be protected carefully from misuse, so your CA should live on a machine that is not permanently connected, or on a virtual machine. I recommend VirtualBox OSE for freely creating virtual machines.
If you already have a CA that you've used to create certificates for web servers or other applications that use TLS, just use it for WPA too. If not, here's how to create one. First, make sure your designated CA system has OpenSSL installed; OpenSSL is a standard package on all popular Linux distributions, not to mention the BSDs. One quick way to check is the command which openssl, which returns the path to your OpenSSL binary if it's installed.

On Debian Lenny the path is /usr/bin/openssl.

Next, change your working directory to wherever your system keeps OpenSSL's configuration and certificate files; on Debian Lenny, this is /etc/ssl.
Now open the file openssl.cnf with your text editor of choice (do you know vim?). We will tweak some default settings to make certificate creation quicker later on. Feel free to adapt this to your own needs, or skip to the next step if you are in a hurry.

Changes to openssl.cnf for Optimal Certificate Creation

# First we change the CA root path in the CA_default
# section to reflect the CA we're about to create

[ CA_default ]
dir = ./jhCA # Where everything is kept (the default is ./demoCA)

# The following lines are further down in openssl.cnf:

countryName_default = Be
stateOrProvinceName_default = Hainaut
0.organizationName_default = Multitel ASBL

Next, edit the CA creation script so that its root directory matches the dir variable we just changed in openssl.cnf, rather than demoCA. I use the script CA.sh, which on Debian Lenny systems is located in /usr/share/ssl/misc. The line you need to change is CATOP, which should read CATOP=./jhCA.

If you changed your working directory to edit this file, change back to your SSL configuration directory, for example /etc/ssl. From there, run the CA.sh script with the -newca option, for example /usr/lib/ssl/misc/CA.sh -newca. You are then prompted to create a new root certificate and to type a passphrase for its private key. Choose a difficult-to-guess passphrase and write it down in a safe place; if you forget it, you'll be unable to use your CA.

If you really want to follow this howto without having to think up your own values, feel free to type the proposed passwords; doing so gives you an insecure EAP-TLS test infrastructure.

passphrase: strongpasswordbebete
challenge password: telematique

After the script is done, your SSL configuration directory should contain a new directory, jhCA in our example. At the root level of this directory is your new CA's public certificate; by default this file is named cacert.pem. You need to copy this file to your FreeRADIUS server and to each wireless client.
There's one more thing you need to do before creating certificates if you've got Windows XP wireless clients. Windows XP expects certain extended key usage attributes in server and client certificates, so you need to create a file called xpextensions that contains the lines shown below.

Contents of xpextensions

[xpclient_ext]
extendedKeyUsage=1.3.6.1.5.5.7.3.2

[xpserver_ext]
extendedKeyUsage=1.3.6.1.5.5.7.3.1

It should be in the same directory as openssl.cnf.


In EAP-TLS, a wireless client and your RADIUS server mutually authenticate: each presents its certificate to the other, and each cryptographically verifies that the other's certificate was signed by your organization's certificate authority. In some ways, this is an elegant and simple way to handle authentication: after you install the CA's public certificate on the FreeRADIUS server, you don't need to configure any other client information explicitly, such as user names, passwords and so on.
That doesn't mean EAP-TLS is less work than user-name/password schemes, however. You still need to use OpenSSL to create certificates for all your users and copy those certificates over to them, and you also need to ensure that everyone has a copy of the root CA certificate installed in the proper place.


Creating Certificates


For EAP-TLS, you need at least two certificates in addition to your CA certificate: a server certificate for your FreeRADIUS server and one client certificate for each wireless client on your network. Creating a certificate is a three-step process:

1. Generate a signing request, that is, an unsigned certificate.
2. Sign the signing request with your CA key.
3. Copy the signed certificate to the host on which it will be used.

Let's start by creating a server certificate signing request using OpenSSL's req command:

$ openssl req -new -nodes -keyout server_key.pem -out server_req.pem -days 730 -config ./openssl.cnf
(challenge password: telematique)

This command creates the files server_req.pem, which contains the actual request (an unsigned certificate), and server_key.pem, its passphrase-less private key. First, though, you are prompted for your organization's country code, state and so on, much of which can take the default values defined in openssl.cnf. Pay special attention, however, to Common Name: when prompted for this, type the fully qualified domain name of your server, for example hp-debian-stable.multitel.be.

Next, let's use our CA key to sign the request by using OpenSSL's ca command:

$ openssl ca -config ./openssl.cnf \
-policy policy_anything -out server_cert.pem \
-extensions xpserver_ext -extfile ./xpextensions \
-infiles ./server_req.pem

(CA key passphrase: strongpasswordbebete)

This command reads the file server_req.pem and, after prompting for your CA key's passphrase, saves a signed version of it to the file server_cert.pem. Notice the -extensions and -extfile options: this is why we created the file xpextensions earlier.
Open your signed certificate with the text editor of your choice and delete everything before the line -----BEGIN CERTIFICATE-----. Then concatenate it and your key into a single file, like this:

$ cp server_cert.pem server_cert.pem-backup

$ cat server_key.pem server_cert.pem > \
server_keycert.pem


Now we've got a server certificate and key that we can copy over to our FreeRADIUS server. Its private key isn't password-protected, however, so be sure to delete any extraneous copies once it is in place.

Now we need to create a client certificate signing request. The OpenSSL command to do this is similar to the one used for the server certificate:

$ openssl req -new -keyout client_key.pem \
-out client_req.pem -days 730 -config ./openssl.cnf


As you can see, we're writing our signing request and key to the files client_req.pem and client_key.pem, respectively. Unlike with the server signing request, however, we're omitting the -nodes option, so when you run this command you are prompted for a passphrase with which the private key is encrypted:
Enter PEM pass phrase: devil1

Next we sign the client certificate's signing request:

$ openssl ca -config ./openssl.cnf \
-policy policy_anything -out client_cert.pem \
-extensions xpclient_ext -extfile ./xpextensions \
-infiles ./client_req.pem

(challenge password : telematique1)

Again, this is similar to the equivalent command for our server, except that this time the -extensions option references a different entry in xpextensions. If your clients run Linux, you should delete the extraneous text at the top of the certificate, as you did with server_cert.pem; you can then either leave the certificate and key files separate or concatenate them. From there, copy your client certificate file(s) to your Linux client system.

If your certificate is to be used by a Windows XP client, you have one more step to take: convert the certificate and key to a PKCS#12-format file with this command:

$ openssl pkcs12 -export -in client_cert.pem \
-inkey client_key.pem -out client_cert.p12 -clcerts

(enter passphrase for ./jhCA/private/cakey.pem devil1)

You are prompted for client_key.pem's passphrase and then for a new passphrase for the new file; you can use the same password as before if you like. You may be tempted simply to press Enter instead, especially given that the WPA supplicant in Windows XP works only when its certificates are stored without passphrases. Moving private keys around a network unprotected is dangerous, however, so it is good practice to remove the passphrase only after the file has been copied safely to your Windows XP client.

The resulting file, in this example client_cert.p12, contains both your signed certificate and its private key. Copy it to your Windows XP client system.
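The three-step certificate procedure above, as an added shell example that is not part of the original howto: it builds the CA, the server certificate with xpserver_ext and the client certificate with xpclient_ext without prompts in a scratch directory, then applies the checks FreeRADIUS will later make (chain to cacert.pem, the EKU from xpextensions, the CN that check_cert_cn compares with the User-Name). It signs with `openssl x509 -req` instead of CA.sh / `openssl ca`; the user name alice, the scratch directory and the helper function names are assumptions of the example, while the CA name, organisation, server FQDN and passphrase come from the howto.

```shell
#!/bin/sh
# Added example (not the howto's own code): CA, server and client certificates
# issued as in the howto, then checked the way FreeRADIUS will check them.
# Signing uses 'openssl x509 -req' rather than CA.sh / 'openssl ca'.
set -eu

WORK=$(mktemp -d)                      # scratch directory (constructed here)
SRV_CN="hp-debian-stable.multitel.be"  # server FQDN from the howto
CLIENT_CN="alice"                      # hypothetical user; must equal the 802.1X User-Name
CLIENT_PASS="devil1"                   # client key passphrase from the howto

# Minimal config standing in for /etc/ssl/openssl.cnf (constructed). The DN
# section must exist even though -subj supplies every field on the command line.
write_config() {
    cat > "$1/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # xpextensions exactly as in the howto: clientAuth and serverAuth EKU OIDs
    cat > "$1/xpextensions" <<'EOF'
[xpclient_ext]
extendedKeyUsage=1.3.6.1.5.5.7.3.2

[xpserver_ext]
extendedKeyUsage=1.3.6.1.5.5.7.3.1
EOF
}

# Step 0: the CA (what CA.sh -newca does); key left unencrypted for the demo only.
make_ca() {
    openssl req -x509 -new -nodes -newkey rsa:2048 -days 3650 \
        -config "$1/openssl.cnf" -extensions v3_ca \
        -subj "/C=BE/O=Multitel ASBL/CN=jhCA" \
        -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
}

# Steps 1 and 2 for one certificate: request, then sign with the CA key using
# the named xpextensions section. Remaining arguments go to 'openssl req'
# (-nodes for an unencrypted key, or -passout pass:... for an encrypted one).
issue_cert() {
    dir=$1 name=$2 ext=$3 cn=$4; shift 4
    openssl req -new -newkey rsa:2048 -config "$dir/openssl.cnf" \
        -subj "/C=BE/O=Multitel ASBL/CN=$cn" \
        -keyout "$dir/${name}_key.pem" -out "$dir/${name}_req.pem" "$@" 2>/dev/null
    openssl x509 -req -days 730 -in "$dir/${name}_req.pem" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -extfile "$dir/xpextensions" -extensions "$ext" \
        -out "$dir/${name}_cert.pem" 2>/dev/null
}

build_pki() {
    write_config "$1"
    make_ca "$1"
    # Server: passphrase-less key, then key + cert concatenated as server_keycert.pem
    issue_cert "$1" server xpserver_ext "$SRV_CN" -nodes
    cat "$1/server_key.pem" "$1/server_cert.pem" > "$1/server_keycert.pem"
    chmod 0400 "$1/server_keycert.pem"   # the -r-------- the howto asks for
    # Client: encrypted key, then cert + key bundled as PKCS#12 for the XP import
    issue_cert "$1" client xpclient_ext "$CLIENT_CN" -passout "pass:$CLIENT_PASS"
    openssl pkcs12 -export -clcerts -in "$1/client_cert.pem" \
        -inkey "$1/client_key.pem" -passin "pass:$CLIENT_PASS" \
        -out "$1/client_cert.p12" -passout "pass:$CLIENT_PASS"
}

# What FreeRADIUS's CA_file setting amounts to: does the cert chain to cacert.pem?
chain_ok() { openssl verify -CAfile "$1/cacert.pem" "$2" >/dev/null 2>&1; }

# EKU as OpenSSL names it, e.g. "TLS Web Client Authentication" (set via xpextensions)
eku_of() {
    openssl x509 -in "$1" -noout -text | sed -n '/X509v3 Extended Key Usage/{n;s/^ *//;p;}'
}

# Subject CN, the value check_cert_cn = %{User-Name} compares with the supplicant's identity
cn_of() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# CN of the certificate inside a PKCS#12 file, read back with its passphrase
p12_cn() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts -out "$1.cert.pem" 2>/dev/null
    cn_of "$1.cert.pem"
}

build_pki "$WORK"
for f in server_cert.pem client_cert.pem; do
    chain_ok "$WORK" "$WORK/$f" || { echo "$f does not chain to cacert.pem"; exit 1; }
    echo "$f: signed by jhCA, CN=$(cn_of "$WORK/$f"), EKU=$(eku_of "$WORK/$f")"
done
echo "client_cert.p12 carries CN=$(p12_cn "$WORK/client_cert.p12" "$CLIENT_PASS")"
```

Running it prints one line per certificate; a client certificate whose CN differs from the supplicant's identity, or one signed by another CA, is exactly what the check_cert_cn and CA_file settings in eap.conf would reject.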

So we have generated server and client certificates and transferred them to their respective hosts. Now we need to configure FreeRADIUS, our access point and our wireless clients.

The tasks at hand are:

1. Install the server and CA certificates we created above onto our FreeRADIUS server.
2. Configure FreeRADIUS to use these certificates with EAP-TLS to authenticate users for our access point.
3. Configure our access point to forward authentication to our FreeRADIUS server.
4. Install the client and CA certificates we created above onto a Windows XP client and configure it to use WPA when connecting to the WLAN.


Configuring the FreeRADIUS server


We created three X.509 digital certificates: a certificate authority certificate, cacert.pem; one server certificate, server_keycert.pem; and a client certificate, client_cert.p12. The server and client files each contain both a certificate and its private key, so each must be handled carefully. The CA certificate, however, is stored separately from its key, so you can distribute cacert.pem freely.
On Debian Lenny, FreeRADIUS stores its configuration files in /etc/freeradius/. This directory contains a subdirectory, certs/, which is naturally where you need to copy your CA certificate and your server certificate/key. Make sure that cacert.pem is owned by the user root and that its permissions are set to -r--r--r--.
server_keycert.pem, on the other hand, should be owned by the user freerad and its permissions set to -r--------.


cp /etc/ssl/jhCA/cacert.pem /etc/freeradius/certs/cacert.pem
cp /etc/ssl/server_keycert.pem /etc/freeradius/certs/server_keycert.pem

The long directory listing for these two files should then look like this:

-r--r--r-- 1 root freerad 1294 2009-02-10 01:05 cacert.pem
-r-------- 1 freerad freerad 1894 2009-02-10 01:00 server_keycert.pem

You also should make sure that the file /var/log/freeradius/radius.log and the directory /var/run/freeradius/ are writable by freerad; both may simply be owned by freerad.

Before we edit the FreeRADIUS configuration files, we need to create two files that FreeRADIUS must have in order to use TLS. The first is a Diffie-Hellman parameters file, or dh file, which is used when negotiating TLS session keys. To create it, change your working directory to /etc/freeradius/certs/ and issue this command:

# openssl dhparam -check -text -5 512 -out dh

The second file is a data file containing a random bitstream, which is also used in TLS operations. From within certs/, run this command:

# dd if=/dev/urandom of=random count=2

Both of these files need to be readable by the user freerad, but they should not be writable by anybody:

# chown freerad dh random
# chmod a-w dh random


We're finally ready to configure FreeRADIUS. You may be intimidated by the long list of files in /etc/freeradius, but don't be: for WPA with EAP-TLS, we need to edit only three of them, radiusd.conf, eap.conf and clients.conf.

In radiusd.conf, all we need to do is verify the user and group accounts that the radiusd process runs as. By default these are inherited from whatever user starts the daemon; if you run radiusd from a startup script, this is root, and you definitely do not want to run radiusd as root. Therefore, set the user and group parameters in radiusd.conf, both to freerad, as shown below.

Two Parameters to verify in radiusd.conf

user = freerad
group = freerad

Naturally you can choose different non-privileged user and group accounts instead of freerad, but if you do so, you need to adjust the ownership and permissions on the certificate files we created earlier. Regardless, make sure your non-privileged user's entry in /etc/passwd sets the user's shell to a non-shell such as /bin/false or /bin/true: this account should not be usable for SSH, telnet or similar programs. For that matter, make sure both the user and group accounts exist in the first place, and create them if they don't.
Other parameters may be set in radiusd.conf, but these really are the most important ones to check.

The next file we need to edit is eap.conf; this is where the real heavy lifting occurs. The listing below shows the lines you need to edit in eap.conf.

Changes in eap.conf

eap {
    # There are several generic EAP parameters you can
    # set here, but the important one for our purposes
    # is default_eap_type:

    default_eap_type = tls

    # Next come parameters for specific EAP types. Since
    # we're going to use EAP-TLS, the tls{} section is
    # the one we care about:

    tls {
        #
        # These are used to simplify later configuration.
        #
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        private_key_password = whatever
        private_key_file = ${certdir}/server_keycert.pem

        # If the private key and certificate are located in
        # the same file, then private_key_file and
        # certificate_file must contain the same file
        # name.
        #
        # If CA_file (below) is not used, then the
        # certificate_file below MUST include not
        # only the server certificate, but ALSO all
        # of the CA certificates used to sign the
        # server certificate.
        certificate_file = ${certdir}/server_keycert.pem

        # Trusted root CA list
        #
        # ALL of the CAs in this list will be trusted
        # to issue client certificates for authentication.
        #
        # In general, you should use self-signed
        # certificates for 802.1X (EAP) authentication.
        # In that case, this CA file should contain
        # *one* CA certificate.
        #
        # This parameter is used only for EAP-TLS,
        # when you issue client certificates. If you do
        # not use client certificates, and you do not want
        # to permit EAP-TLS authentication, then delete
        # this configuration item.
        CA_file = ${cadir}/cacert.pem

        #
        # For DH cipher suites to work, you have to
        # run OpenSSL to create the DH file first:
        #
        # openssl dhparam -out certs/dh 1024
        #
        dh_file = ${certdir}/dh
        random_file = ${certdir}/random

        #
        # This can never exceed the size of a RADIUS
        # packet (4096 bytes), and is preferably half
        # that, to accommodate other attributes in the
        # RADIUS packet. On most APs the MAX packet
        # length is configured between 1500 - 1600.
        # In these cases, fragment size should be
        # 1024 or less.
        #
        fragment_size = 1024

        # include_length is a flag which is
        # by default set to yes. If set to
        # yes, the total length of the message is
        # included in EVERY packet we send.
        # If set to no, the total length of the
        # message is included ONLY in the
        # first packet of a fragment series.
        #
        include_length = yes

        # Check the Certificate Revocation List
        #
        # 1) Copy CA certificates and CRLs to the same directory.
        # 2) Execute 'c_rehash' on that directory.
        #    'c_rehash' is OpenSSL's command.
        # 3) Uncomment the two lines below.
        # 4) Restart radiusd.
        # check_crl = yes
        # CA_path = /path/to/directory/with/ca_certs/and/crls/

        #
        # If check_cert_issuer is set, the value will
        # be checked against the DN of the issuer in
        # the client certificate. If the values do not
        # match, the certificate verification will fail,
        # rejecting the user.
        #
        # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"

        #
        # If check_cert_cn is set, the value will
        # be xlat'ed and checked against the CN
        # in the client certificate. If the values
        # do not match, the certificate verification
        # will fail, rejecting the user.
        #
        # This check is done only if the previous
        # "check_cert_issuer" is not set, or if
        # the check succeeds.
        #
        check_cert_cn = %{User-Name}

        #
        # Set this option to specify the allowed
        # TLS cipher suites. The format is listed
        # in "man 1 ciphers".
        cipher_list = "DEFAULT"

        #
        # This configuration entry should be deleted
        # once the server is running in a normal
        # configuration. It is here ONLY to make
        # initial deployments easier.
        # make_cert_command = "${certdir}/bootstrap"
    }
}


We have specified a server-key passphrase with the private_key_password parameter. This should actually be empty if you created your server certificate and key with OpenSSL's -nodes option, as we did above.
Make sure that eap.conf is owned and readable only by root. This may seem paradoxical (doesn't freerad need to be able to read the configuration files?), but if you start the FreeRADIUS daemon as root, it reads its configuration files, including radiusd.conf, eap.conf and clients.conf, before demoting itself to freerad.
Finally, you need to create an entry for your access point in clients.conf. The listing below shows such an entry for a 3Com 7760 a/b/g access point (its default IP address is 169.254.2.2 when no DHCP server answers its request).

Access Point Entry in clients.conf

client 169.254.2.2/32 {
    secret = testing123
    shortname = liv1
}

The client statement specifies the access point's IP address. Its secret parameter specifies the string that your access point uses as a shared key to protect all queries it sends to your FreeRADIUS server. shortname is simply an alias for your access point, used in log entries and so on.
You can now (re)start FreeRADIUS with the rc.radiusd script, for example rc.radiusd start, or by typing freeradius -X -f.


Configuring the Access Point


The next step is the easiest part of this entire process: configure your wireless access point to use WPA and to point to your FreeRADIUS server. This requires only two pieces of information: the RADIUS secret you entered in your FreeRADIUS server's clients.conf file and the IP address of your FreeRADIUS server.
How you present those two pieces of information to your access point depends on your particular hardware and software. The access point used in this howto is a 3Com 7760, and configuring it through its web interface is a piece of cake.

If your access point and RADIUS server are separated by a firewall, you need to allow the access point to reach the RADIUS server on UDP ports 1812 and 1813. Doing so also allows the RADIUS server to send its replies back from those ports.

Configuring Windows XP Clients


Here is how to configure a Windows XP wireless client to use your WPA-enabled access point. In summary, you need to:

1. Run the command mmc from Start→Run....
2. In Microsoft Management Console, select File→Add/Remove Snap-in, add the Certificates snap-in and set it to manage certificates for My user account and, on the next screen, only for the Local computer.
3. Copy your CA certificate (cacert.pem) to your Windows system's hard drive, for example to C:\cacert.pem.
4. From within MMC, expand Console Root and Certificates - Current User and right-click on Trusted Root Certification Authorities. In the pop-up menu, select All Tasks→Import. Tell the subsequent wizard to import the file C:\cacert.pem and to store it in Trusted Root Certification Authorities.
5. Copy your client certificate/key file to your Windows system, for example to C:\client_cert.p12.
6. From within MMC→Console Root→Certificates, expand Personal and right-click on Certificates. In the pop-up menu, select All Tasks→Import. Tell the subsequent wizard to import the file C:\client_cert.p12.
7. The certificate-import wizard then prompts you for the certificate's passphrase. In the same dialog, it offers the option to enable strong private key protection. Unfortunately, enabling this breaks WPA, so be sure to leave this option unchecked. Also leave the option to mark this key as exportable unchecked: you're better off backing up the password-protected file you just imported than allowing the imported, non-protected version to be exportable.
8. In the subsequent screen, let the wizard Automatically select the certificate store.

Now your Windows XP system is ready to go; all that remains is to create a wireless network profile. This, however, varies depending on your wireless card's drivers and which Windows XP Service Pack you're running. In my limited experience with WPA Enterprise on Windows XP, SP2 is the minimum requirement if you want a reasonably functional and stable connection. I set Network Authentication to WPA, Data encryption to TKIP and EAP type to Smart Card or other Certificate. Windows automatically determined which client certificate to use; this is because we took pains to create a client certificate that carries the extended key usage Windows XP expects.
After you configure your wireless network profile, your Windows system should connect automatically to your access point and negotiate a WPA connection. If this succeeds, Network Connections should show a status of Authentication succeeded for your Wireless Network Connection entry.

80 comments:

matthieu/ergosteur said…

Thanks, I was looking for a guide to do this.

raerek said…

Thank you Jéróme.
I found your post from http://www.wains.be/index.php/2009/09/13/wpa2-freeradius-eap-tls, and using your help I set up my RADIUS on an Ubuntu Lucid server, and was able to connect to it from WinXP. My question is whether you could connect to the wireless net from an Ubuntu desktop? In the Network Manager I can tell it the location of the cacert file, but where do I tell it that I have a client cert file as well?

Anonymous said…

How do I configure a client with Windows 7?
Thanks


my web blog; gastro-entérologie

Anonyme a dit…

І simplу coulԁn't go away your site prior to suggesting that I extremely enjoyed the standard information an individual supply in your visitors? Is going to be back often in order to investigate cross-check new posts

Also visit my blog post: target coupon deals

Anonyme a dit…

Excellent site. Lots of helpful information here. I'm sending it to a few pals ans also sharing in delicious. And obviously, thanks on your sweat!

Here is my web site: Air Max

Anonyme a dit…

I could not resist commenting. Exceptionally
well written!

Also visit my web site: Louis Vuitton Outlet

Anonyme a dit…

Hello, this weekend is good designed for me, as this moment
i am reading this impressive informative paragraph here at my residence.



Here is my web site :: Abercrombie and Fitch

Anonyme a dit…

My brother recommended I might like this web site.

He was entirely right. This post actually made my day.
You can not imagine simply how much time I had spent for
this information! Thanks!

Feel free to visit my web-site ... monster ヘッドホン

Anonyme a dit…

With havin so much content do you ever run into any issues of plagorism or copyright violation?

My website has a lot of unique content I've either written myself or outsourced but it appears a lot of it is popping it up all over the internet without my agreement. Do you know any techniques to help reduce content from being ripped off? I'd definitely appreciate it.


my page; monster beats

Anonyme a dit…

Thank you for the good writeup. It in fact used
to be a enjoyment account it. Look complex to far added agreeable from you!
However, how could we keep in touch?

Take a look at my blog post :: monster beats

Anonyme a dit…

Hurrah! After all I got a blog from where I can truly take useful facts regarding my study and
knowledge.

My page; エアジョーダン

Anonyme a dit…

I'm curious to find out what blog platform you have been working with? I'm experiencing some minor
security problems with my latest site and I would like to find something more
safeguarded. Do you have any solutions?

Feel free to visit my web blog: NFL Jerseys Wholesale

Anonyme a dit…

I blog quite often and I really appreciate your information.
This article has truly peaked my interest. I am going to take
a note of your site and keep checking for new details
about once a week. I subscribed to your RSS feed too.


My webpage; monster beats

Anonyme a dit…

I'm curious to find out what blog platform you are working with? I'm having some minor security problems with my latest website and I'd like to find something more safe. Do you have any recommendations?

My page the tao of badass

Anonyme a dit…

Hello there, just became aware of your blog through Google, and found that it is truly informative.
I'm going to watch out for brussels. I'll be grateful if you continue this in future.
Lots of people will be benefited from your writing.
Cheers!

Also visit my webpage ... Wholesale Jerseys

Anonyme a dit…

I don't even know the way I stopped up here, but I thought this publish was great. I don't recognise who
you are but certainly you are going to a famous blogger
if you are not already. Cheers!

Feel free to visit my weblog - Evgeni Malkin Authentic Jersey

Anonyme a dit…

you are in reality a just right webmaster.
The site loading velocity is amazing. It seems that you're doing any unique trick. Furthermore, The contents are masterwork. you have performed a fantastic process in this matter!

Feel free to visit my website Sidney Crosby Black Jersey

Anonyme a dit…

you are really a good webmaster. The web site loading pace
is amazing. It kind of feels that you're doing any unique trick. Furthermore, The contents are masterpiece. you've performed
a magnificent process on this subject!

Visit my website ... doc.silvercart.org

Anonyme a dit…

I think this is among the most important information for me.

And i'm glad reading your article. But wanna remark on few general things, The website style is perfect, the articles is really excellent : D. Good job, cheers

my weblog :: air jordan

Anonyme a dit…

Hi there I am so glad I found your web site,
I really found you by mistake, while I was researching on
Google for something else, Anyhow I am here now and would
just like to say thank you for a incredible post and a all round enjoyable blog
(I also love the theme/design), I don't have time to read it all at the minute but I have saved it and also added your RSS feeds, so when I have time I will be back to read more, Please do keep up the fantastic work.

My web site ... christianlouboutinoutletshop2013.com

Anonyme a dit…

Hello! I know this is kinda off topic but I
was wondering if you knew where I could locate
a captcha plugin for my comment form? I'm using the same blog platform as yours and I'm having trouble
finding one? Thanks a lot!

Here is my web-site ... http://www.christianlouboutinoutletshopx.com

Anonyme a dit…

These are in fact impressive ideas in concerning blogging.
You have touched some pleasant things here.
Any way keep up wrinting.

Feel free to visit my web-site http://10e.org/

Anonyme a dit…

I couldn't refrain from commenting. Very well written!

Take a look at my web site: エアジョーダン

Anonyme a dit…

When I initially commented I clicked the "Notify me when new comments are added" checkbox and now each time
a comment is added I get four e-mails with the same comment.
Is there any way you can remove me from that service? Thanks!



Here is my weblog - monster beats

Anonyme a dit…

I drop a leave a response whenever I like a post on a
site or I have something to contribute to the conversation.

Usually it's a result of the passion communicated in the article I read. And after this article "Howto setup an EAP-TLS WPA network with freeradius". I was moved enough to post a comment :-P I actually do have a couple of questions for you if you usually do not mind. Could it be just me or does it give the impression like a few of the comments look as if they are left by brain dead visitors? :-P And, if you are writing at additional places, I'd like
to keep up with you. Could you list all of all your communal
sites like your linkedin profile, Facebook page or twitter feed?


Here is my blog post; www.airjordansale-shop.com

Anonyme a dit…

Just desire to say your article is as amazing. The clearness in your post is just excellent
and i can assume you're an expert on this subject. Fine with your permission let me to grab your feed to keep updated with forthcoming post. Thanks a million and please carry on the enjoyable work.

Also visit my web site :: NFL Jerseys Cheap

Anonyme a dit…

You could definitely see your expertise within the article you write.
The sector hopes for more passionate writers such as you who are not afraid to mention how they believe.
Always go after your heart.

Feel free to surf to my webpage - エアジョーダン

Anonyme a dit…

It's appropriate time to make some plans for the long run and it is time to be happy. I've learn this put up and if I could I
desire to recommend you some fascinating things or advice.
Perhaps you could write next articles referring to this article.

I wish to learn even more issues about it!

my web site: wholesale Jerseys cheap

Anonyme a dit…

No matter if some one searches for his vital thing,
therefore he/she wishes to be available that in detail,
therefore that thing is maintained over here.

Here is my blog - Louis Vuitton Handbags Outlet

Anonyme a dit…

Hi i am kavin, its my first occasion to commenting anywhere,
when i read this article i thought i could also make comment due
to this sensible post.

My website: Mario Lemieux Black Jersey

Anonyme a dit…

I have been exploring for a bit for any high quality articles or blog posts in
this sort of space . Exploring in Yahoo I finally stumbled
upon this web site. Reading this information So i am glad to
show that I've an incredibly good uncanny feeling I found out just what I needed. I most indubitably will make sure to don?t put out of your mind this web site and give it a look on a continuing basis.

Also visit my web blog :: Abercrombie Pas Cher

Anonyme a dit…

Hello very nice website!! Man .. Excellent .. Superb ..
I will bookmark your site and take the feeds also?
I am satisfied to seek out a lot of helpful information here within the submit, we need work out extra techniques in this regard, thanks for sharing.
. . . . .

Here is my web-site Louis Vuitton Outlet

Anonyme a dit…

Hey there! I simply would like to offer you a huge thumbs up
for your great information you have got right here on
this post. I'll be returning to your web site for more soon.

Also visit my web page :: cheap polo ralph lauren

Anonyme a dit…

I do trust all the ideas you've presented to your post. They're very convincing and
can certainly work. Still, the posts are too quick for
starters. May just you please extend them a little from next time?
Thank you for the post.

my homepage - http://www.monsterbeatssale-shop.com

Anonyme a dit…

I love your blog.. very nice colors & theme. Did you make this website
yourself or did you hire someone to do it for you?

Plz respond as I'm looking to construct my own blog and would like to know where u got this from. thank you

Here is my site :: fundmixers.com

Anonyme a dit…

Its such as you learn my thoughts! You seem to understand a lot
approximately this, such as you wrote the e-book
in it or something. I believe that you just can do with some % to power the message house
a little bit, but instead of that, that is excellent blog.

A great read. I'll certainly be back.

my website ... Jordan Femme

Anonyme a dit…

This website was... how do I say it? Relevant!
! Finally I have found something that helped me. Thank you!


Review my web page; クリスチャンルブタン

Anonyme a dit…

May I simply just say what a relief to discover a person that
actually knows what they are talking about
over the internet. You actually know how to bring an issue to light
and make it important. More people need to check this out and
understand this side of your story. I was surprised that
you are not more popular since you certainly possess
the gift.

my web page - ジョーダン スニーカー

Anonyme a dit…

People that employ a great property as well as a decent revenue aren't usually determined within the no cost web sites. If they cannot find the money for in order to enroll in an affiliate site then you should speculate why and if the following man or women is good for [url=http://coachfactoryoutlet2w.webs.com/]coach online factory[/url] you. I know that I have spoken to people who tell me they cannot afford to pay to join a website for dating and they then go on to tell me they have no job, they cannot afford a phone, they cannot afford to [url=http://coachfactoryoutlet2w.webs.com/]http://coachfactoryoutlet2w.webs.com/[/url] take someone out, they go to a charity shop to buy their clothes and so on. This is fine if this is your lifestyle to but for people who have a better lifestyle there is no need to get involved.A word of warning for females only. Women should beware of the men who want to rush them into meeting very quickly, they will get lots of such offers, usually from people who have a lot to hide or who are not fussy about who they spend time with. The chances are that the guy who is in a huge rush to meet you was saying the same thing to another woman an hour ago and a different one this morning. Either they are extremely [url=http://cheapcoachfactorybackpacks2i.webs.com/]cheap coach factory backpacks[/url] lonely and longing for some company - in which case wonder why - or they are simply not bothered about what you are like or your personality or how compatible you are, which makes the either very stupid, married, only seeking a quick fling or desperate.
You need to ensure you have got spoken in order to all of them to get a long time before you connect with and not simply online but within the cellphone as well. Be wary associated with any kind of dude exactly who says she has possibly not received an average [url=http://cheapcoachfactorybackpacks2i.webs.com/]http://cheapcoachfactorybackpacks2i.webs.com/[/url] land line phone at home or is never able to take your calls straight away evenings or weekends. Likewise be suspicious if he is usually unable to meet up then and wants to meet you for just an hour or so during the day.Profiles should be honest. They have a right to know that you are divorced but they do not have a right to immediately know why and how long for. You are competing with thousands of people on the same site [url=http://bagsoutletsonlines.com/]coach factory outlet[/url] so you have to shine out over and above the others. Do not tell lies in order to make yourself sound more successful or exciting. Pretending to be much younger or saying you own a successful business when you do not will only backfire later and watch out for the others online that do that.

Anonyme a dit…

There are a huge number of web-sites that include online dating services, lots of people are target designed to suit person requires, like courting for the around 40s, courting pertaining to lesbians, courting pertaining to very large [url=http://coachfactoryhandbagoutlet2u.webs.com/]Coach factory outlet online[/url] people, dating for nudists, which makes it easier and easier to make sure that you join the sites that suit your needs rather than wasting money and time on ones that do not. Some sites are totally free [url=http://coachfactoryhandbagoutlet2u.webs.com/]http://coachfactoryhandbagoutlet2u.webs.com/[/url] to join but then charge you if you send or receive messages, others are completely free to join and use and you can send and receive messages without ever spending any money. Word of warning - keep your feet on the ground, some of these tailor made sites are pandering to people who fantasise, such as the ones that offer women the chance to date a good looking, young, millionaire. Millionaires do join such sites but you will find [url=http://www.aicon.com/coachfactory.html]coach factory online[/url] that most of the members on such sites are the needy poor women wanting to meet them. The sites that are specifically for people wanting casual sex and for married people wanting secret liaisons are usually frequented by men and they tend to become very disappointed when they find out that most of the other members are men like themselves.
Yes you decide to do get peculiar people in like web-sites however the individuals are living plus inhale while in the real life too plus you may have realized these merely around the next corner whenever you left for your club. Peculiar [url=http://www.aicon.com/coachfactory.html]http://www.aicon.com/coachfactory.html[/url] people are not exclusive to online dating.Do not let the cost of a paid for site worry you. They are a good investment. For the price of a few drinks you could end up with a fantastic partner. A lot of the paid for sites are very good and do not cost much. Another word of warning - beware of the totally free sites. They seem like a bargain, but you often get riff raff on them and because those sites are free the people do not take it so seriously. A [url=http://coachfactorystore3w.webs.com/]coach factory online store[/url] lot of them sign up and do not even bother to go back and check their messages. People who are unemployed and unemployable and who can spend all day long sitting at their computer.

Anonyme a dit…

I got this web page from my pal who told me about this web page and now this time I am visiting this web site
and reading very informative articles at this time.

Also visit my web page :: オークリー

Anonyme a dit…

What's up colleagues, how is everything, and what you would like to say concerning this paragraph, in my view its actually remarkable for me.

Also visit my webpage; ルブタン 店舗

Anonyme a dit…

I couldn't resist commenting. Exceptionally well written!

Stop by my web-site; エアジョーダンスニーカー

Anonyme a dit…

I'm truly enjoying the design and layout of your website. It's
a very easy on the eyes which makes it much more pleasant for me to come here and visit more often.
Did you hire out a developer to create your theme? Outstanding
work!

Feel free to surf to my weblog :: http://multimedia.stisitelkom.ac.id/

Anonyme a dit…

Wonderful work! This is the kind of info that should be shared across the web.

Disgrace on the search engines for now not positioning this put up upper!

Come on over and seek advice from my site . Thank you =)

Here is my page: monster beats

Anonyme a dit…

Hi, I log on to your blog daily. Your writing style is awesome, keep
it up!

my web blog エアジョーダン

Anonyme a dit…

Hello! This is kind of off topic but I need some guidance from an established blog.
Is it tough to set up your own blog? I'm not very techincal but I can figure things out pretty quick. I'm thinking about setting up my
own but I'm not sure where to start. Do you have any ideas or suggestions? With thanks

Here is my web site; トリーバーチ

Anonyme a dit…

I've learn a few good stuff here. Definitely value bookmarking for revisiting. I surprise how so much attempt you put to make this type of magnificent informative site.

my web-site :: http://smvpd.edu.my/

Anonyme a dit…

Having read this I believed it was really enlightening.
I appreciate you finding the time and energy to put
this article together. I once again find myself spending a lot of time both reading and posting comments.

But so what, it was still worthwhile!

Here is my weblog; トリーバーチ店舗

Anonyme a dit…

We absolutely love your blog and find the majority of
your post's to be exactly what I'm looking for.
can you offer guest writers to write content to suit your needs?
I wouldn't mind composing a post or elaborating on some of the subjects you write about here. Again, awesome blog!

Here is my blog :: www.wolfandassociates.com

Anonyme a dit…

Hey There. I found your blog using msn. This is a very well written article.
I'll be sure to bookmark it and return to read more of your useful information. Thanks for the post. I will certainly return.

My web-site: エアジョーダン

Anonyme a dit…

Good web site you have here.. It's hard to find high-quality writing like yours nowadays. I honestly appreciate individuals like you! Take care!!

Here is my site - http://www.rolexwatchoutletsale.com/

Anonyme a dit…

Hello just wanted to give you a quick heads up. The text in your content seem
to be running off the screen in Chrome. I'm not sure if this is a formatting issue or something to do with internet browser compatibility but I thought I'd post to let you
know. The design and style look great though! Hope you get the problem solved
soon. Thanks

Here is my web-site: オークリーメガネ

Anonyme a dit…

Heya! I just wanted to ask if you ever have any problems with hackers?
My last blog (wordpress) was hacked and I ended up losing many
months of hard work due to no back up. Do you have any solutions to protect against hackers?



My website - www.raybansunglassesoutletsales.com

Anonyme a dit…

Hello Dear, are you genuinely visiting this website regularly, if so afterward you will without doubt get nice know-how.


Also visit my webpage エアジョーダン

Anonyme a dit…

At this time it seems like Drupal is the best blogging platform available right now.
(from what I've read) Is that what you are using on your blog?

Feel free to visit my site; prada バッグ

Anonyme a dit…

This post presents clear idea in support of the new viewers of blogging, that truly how
to do blogging.

Look into my web site: Michael Kors Bags

Jolly said…

Hi,

You have done a good job. You have explained it very clearly. I would like to know whether the above procedure is for testing self-signed certificates or for EAP-TLS with a separate CA.

Thanks,
Janardhan.