Mar 01



Lab testing Radius Policies – Part 3

Introduction

This is part 3 of my blog series on rapid prototyping in ISE without requiring any networking equipment. This time we're going to perform EAP-TLS (X.509 certificate based) authentication. This scenario is very similar to EAP-PEAP, which we discussed in Part 2, but now, in addition to the Radius server presenting its certificate, the client also presents its certificate to the Radius server. This is called mutual certificate authentication. The trickiest part of this process is the client certificate creation, which puts many people off due to the perceived complexity. To create a client certificate for rapid prototyping testing, I believe you have three options:

1. Ask an expert to deliver one on a silver platter for you (e.g. a Microsoft PKI security admin).
2. Build your own Windows 2012 R2 lab VM and invest time understanding this – most enterprises use this.
3. Use the openssl tools and do it all via the CLI, or use xca (a GUI front end to openssl, http://xca.sourceforge.net/ ).


We will use the openssl command line to create a Root CA. Using that Root CA we shall issue a client certificate for our wpa_supplicant testing purposes. Using your Linux terminal session, create a directory called 'ca' and use it as your current directory. For the purpose of illustration I have used /home/abier/ca. I chose two relatively simple and weak pass phrases for illustration purposes and also to guide you when openssl prompts for passwords. In practice, please use stronger passwords! Please note that text shown in bold is user input.

Root CA certificate

Create a Root CA private key

<strong>openssl genrsa -aes256 -out ca.key.pem 4096</strong>

Generating RSA private key, 4096 bit long modulus

Enter pass phrase for ca.key.pem:  <strong>MyCertPr1vateKey</strong>

Verifying - Enter pass phrase for ca.key.pem: <strong>MyCertPr1vateKey</strong>

Create the Root CA self-signed certificate

<strong>openssl req -key ca.key.pem -new -x509 -days 7300 -sha256 -extensions v3_ca -out ca.cert.pem</strong>

Enter pass phrase for ca.key.pem: <strong>MyCertPr1vateKey</strong>

Country Name (2 letter code) [XX]:<strong>AU</strong>

State or Province Name (full name) []:<strong>QLD</strong>

Locality Name (eg, city) [Default City]:<strong>BNE</strong>

Organization Name (eg, company) [Default Company Ltd]:<strong>Acme</strong>

Organizational Unit Name (eg, section) []:<strong>IT</strong>

Common Name (eg, your name or your server's hostname) []:<strong>AcmeCorp</strong>

Email Address []:

You can install the above Root CA certificate in your Radius server.


Client Certificate

Create the Client private key

<strong>openssl genrsa -aes256 -out client.key.pem 2048</strong>

Generating RSA private key, 2048 bit long modulus

Enter pass phrase for client.key.pem:  <strong>MyCl1entKey</strong>

Verifying - Enter pass phrase for client.key.pem: <strong>MyCl1entKey</strong>

Create a CSR (certificate signing request)

The CSR is submitted to the issuing CA, which is our Root CA we just created above.


<strong>openssl req -key client.key.pem -new -sha256 -out client.csr.pem</strong>

Enter pass phrase for client.key.pem:  <strong>MyCl1entKey</strong>

Country Name (2 letter code) [XX]:<strong>AU</strong>

State or Province Name (full name) []:<strong>QLD</strong>

Locality Name (eg, city) [Default City]:<strong>BNE</strong>

Organization Name (eg, company) [Default Company Ltd]:<strong>Acme</strong>

Organizational Unit Name (eg, section) []:<strong>IT</strong>

Common Name (eg, your name or your server's hostname) []:<strong>abier</strong>

Email Address []:

Please enter the following 'extra' attributes to be sent with your certificate request

A challenge password []:

An optional company name []:

Prepare the CA for certificate creation duties

This requires a directory structure, because when a CA creates certificates it must also keep track of them, which means a little bit of administrative data – but this is easily done. Please note that you will need to be the root user, because these files are written to the /etc system directory. The following commands prepare the CA infrastructure (the final 'exit' leaves the root shell):


<strong>touch /etc/pki/CA/index.txt</strong>

<strong>echo '1000' > /etc/pki/CA/serial</strong>

<strong>touch /etc/pki/CA/serial.new</strong>

<strong>touch /etc/pki/CA/index.txt.new</strong>

<strong>touch /etc/pki/CA/index.txt.attr.new</strong>

<strong>exit</strong>

In your 'ca' working directory you need to create a small file called extensions.txt containing the certificate extensions you need. In the example below the Extended Key Usage (EKU) is clientAuth, which is what a Radius server expects on an EAP-TLS client certificate.


<strong>[ext]</strong>

<strong>basicConstraints=CA:FALSE</strong>

<strong>nsCertType = client</strong>

<strong>keyUsage = digitalSignature, keyEncipherment</strong>

<strong>extendedKeyUsage = clientAuth</strong>

Create the client certificate

Finally we are ready to create the client certificate. Since I am using all the defaults here, openssl wants to write to directories that need root access, so it's easier to run the command with sudo to allow it to write to the /etc/pki/CA directory.

<strong>sudo openssl ca -extfile extensions.txt  -extensions ext -days 365 -notext -md sha256 -in client.csr.pem -cert ca.cert.pem -keyfile ca.key.pem  -outdir . -out client.cert.pem</strong>

Using configuration from /etc/pki/tls/openssl.cnf

Enter pass phrase for ca.key.pem: <strong>MyCertPr1vateKey</strong>

Check that the request matches the signature

Signature ok
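The whole procedure above, as an added example that is not code from the original post: it runs non-interactively (subjects and pass phrases passed on the command line), signs the CSR with `openssl x509 -req` instead of `openssl ca` so that no /etc/pki/CA database or root access is needed, and then runs the two checks worth doing before loading the files into ISE and wpa_supplicant: that the client certificate chains to our Root CA, and that it carries the clientAuth EKU. It assumes openssl is on the PATH and that the default openssl.cnf defines the [v3_ca] section the post relies on.

```shell
# Added example (not from the original post). Assumes: openssl on PATH, a default
# openssl.cnf defining [v3_ca], and a writable temp dir. The two weak pass
# phrases from the post are reused for illustration only.
set -eu
CA_PASS="MyCertPr1vateKey"
CLIENT_PASS="MyCl1entKey"

# Builds the Root CA and the client cert in a fresh temp directory and prints its
# path. Body runs in a subshell so the cd does not leak to the caller.
build_lab_pki() (
  work=$(mktemp -d)
  cd "$work"
  # Root CA key and self-signed certificate (same parameters as the post)
  openssl genrsa -aes256 -passout pass:"$CA_PASS" -out ca.key.pem 4096 2>/dev/null
  openssl req -key ca.key.pem -passin pass:"$CA_PASS" -new -x509 -days 7300 \
    -sha256 -extensions v3_ca -out ca.cert.pem \
    -subj "/C=AU/ST=QLD/L=BNE/O=Acme/OU=IT/CN=AcmeCorp"
  # Client key and CSR
  openssl genrsa -aes256 -passout pass:"$CLIENT_PASS" -out client.key.pem 2048 2>/dev/null
  openssl req -key client.key.pem -passin pass:"$CLIENT_PASS" -new -sha256 \
    -out client.csr.pem -subj "/C=AU/ST=QLD/L=BNE/O=Acme/OU=IT/CN=abier"
  # extensions.txt exactly as in the post
  cat > extensions.txt <<'EOF'
[ext]
basicConstraints=CA:FALSE
nsCertType = client
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF
  # Sign with 'openssl x509 -req' rather than 'openssl ca': same CA key and
  # extensions, but no /etc/pki/CA index/serial database and no root needed.
  openssl x509 -req -in client.csr.pem -CA ca.cert.pem -CAkey ca.key.pem \
    -passin pass:"$CA_PASS" -CAcreateserial -days 365 -sha256 \
    -extfile extensions.txt -extensions ext -out client.cert.pem 2>/dev/null
  echo "$work"
)

# Checks: chains to our root, and carries the clientAuth EKU an EAP-TLS
# policy can match on. Non-zero exit on either failure.
verify_client_cert() {
  dir=$1
  openssl verify -CAfile "$dir/ca.cert.pem" "$dir/client.cert.pem" >/dev/null || return 1
  openssl x509 -in "$dir/client.cert.pem" -noout -text | grep -q "TLS Web Client Authentication"
}

pki_dir=$(build_lab_pki)
verify_client_cert "$pki_dir" && echo "OK: $pki_dir/client.cert.pem chains to the root and has the clientAuth EKU"
```

The resulting ca.cert.pem goes into the Radius server's trust store, and client.key.pem plus client.cert.pem into the wpa_supplicant configuration; the verify step is the same check the Radius server performs when the client presents its certificate.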
