Use 802.1x Security with AT-WA7400 APs, AT-8624PoE Switches, and Linux’s freeRADIUS and Xsupplicant

3. Install OpenSSL unless it is already installed

You can use the OpenSSL RPM that is available on Mandrake CDROMs, or you can download
it from www.openssl.org and compile it for your platform. Install it in whichever manner you
prefer.

4. Generate a self-signed public certificate unless you already have a valid one

This step describes how to generate a self-signed certificate and copy it into the RADIUS
directory.
The following commands should generate everything you need to get a valid certificate. You
will be prompted to answer a series of questions whose answers are put in the certificate.
Enter the following commands:
# mkdir morecerts
# cd morecerts
# mkdir private
# mkdir backup
# openssl req -config /usr/lib/ssl/openssl.cnf -new -x509 -keyout private/cakey.pem -out cacert.pem -days 3650
# openssl x509 -in cacert.pem -out cacert.crt
# cp cacert.pem /usr/local/etc/raddb/certs/
# cp cacert.crt /usr/local/etc/raddb/certs/
# cp private/cakey.pem /usr/local/etc/raddb/certs/

5. Copy the public certificate to the client

Copy the RADIUS server’s public certificate to the client so that the client’s Xsupplicant will
be able to recognise it. This example uses secure copy, which only works if your client and
server currently have IP connectivity. Otherwise you need to copy the cacert.crt file by some
other means (such as sneakernet).
# scp cacert.crt root@<client_ip>:/usr/local/etc/1x/certs/cacert.crt
If you are using a Windows PC as the supplicant, you can also import the cacert.crt file into
the list of certificates. For more information on configuring a Windows supplicant, please
consult the How To Note “How To Use 802.1x EAP-TLS or PEAP-MS-CHAP v2 with
Microsoft Windows Server 2003 to Make a Secure Network”.
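
The following shell functions are an added example, not part of the original How To Note. They check the files produced by the certificate and copy steps: that cacert.crt is self-signed, not close to expiry, carries no private key, and matches cacert.pem by SHA-256 fingerprint, and that cakey.pem is readable only by its owner. The function names are hypothetical, the file names follow the commands on this page, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example; function names are hypothetical, file names follow the page.

# SHA-256 fingerprint of a PEM certificate (empty output if unreadable).
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Two files hold the same certificate (use after an scp or sneakernet copy).
same_cert() {
    fp=$(cert_fp "$1")
    [ -n "$fp" ] && [ "$fp" = "$(cert_fp "$2")" ]
}

# The certificate verifies against itself, i.e. it is self-signed.
is_self_signed() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# The certificate stays valid for at least $2 more days.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# The file destined for the client must exist and hold no key material.
no_private_key() {
    [ -r "$1" ] && ! grep -q 'PRIVATE KEY' "$1"
}

# The CA key must be accessible by its owner only (GNU stat assumed).
key_perms_ok() {
    case "$(stat -c %a "$1" 2>/dev/null)" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Run every check on a directory laid out like morecerts/ on this page.
check_ca_files() {
    rc=0
    is_self_signed "$1/cacert.crt" || { echo "cacert.crt is not self-signed" >&2; rc=1; }
    valid_for_days "$1/cacert.crt" 30 || { echo "cacert.crt expires within 30 days" >&2; rc=1; }
    no_private_key "$1/cacert.crt" || { echo "cacert.crt contains a private key" >&2; rc=1; }
    same_cert "$1/cacert.pem" "$1/cacert.crt" || { echo "cacert.pem and cacert.crt differ" >&2; rc=1; }
    key_perms_ok "$1/private/cakey.pem" || { echo "cakey.pem is not mode 600/400" >&2; rc=1; }
    return "$rc"
}
```

Source the file and run `check_ca_files morecerts` on the server before copying anything; after the copy, run `cert_fp` on the server's cacert.crt and on the client's /usr/local/etc/1x/certs/cacert.crt and compare the two values. `key_perms_ok` can also be pointed at the copy of cakey.pem in /usr/local/etc/raddb/certs/.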