Configure FreeRADIUS with eDirectory CRL for revoking certificates


FreeRADIUS is an effective and free product for setting up secure authentication to your wireless network by using the WPA2 Enterprise standard.

You can use client certificates issued by the eDirectory Certificate Authority to authenticate your devices to eDirectory instead of using usernames and passwords. A benefit is that the password doesn't need to be stored on each device. Also, when a user changes their eDirectory password they won't need to change it on each device to be able to connect.

A drawback is of course that you need a way to manage the issuance, distribution, and installation of client certificates.

This article assumes that those issues are solved and that you have a functioning installation.

Now you need to prevent users with valid certificates from connecting.

If a user quits then it's easy, you can just disable their eDirectory account, and even if they have valid certificates FreeRADIUS won't allow them to connect.

If that is not the case, you need to solve the issue of revoking client certificates when a user loses a device in some way, for example it is stolen.

Let's assume that you are issuing one client certificate per device, so a user with 3 devices will have 3 different certificates.

Getting FreeRADIUS to check a CRL can be tricky as I have learned. My searching led me to a website that described what had to be done when using OpenSSL as the CA.

Basically you need to concatenate the CA root certificate with the CRL in a single file, tell FreeRADIUS where to find the file, enable CRL checking, and restart FreeRADIUS every time the CRL changes. The website with this valuable information is this one:

Let's look at how to get this working with eDirectory.

First you need to revoke the certificate using iManager.

Navigate to NetIQ Certificate Access -> User Certificates, locate the user, and revoke the affected certificate.

If you now try to validate the certificate in iManager you will see that is still valid.

The reason is that it is not in the CRL yet, you need to issue a new CRL.

In iManager, navigate to NetIQ Certificate Server -> Configure Certificate Authority.

Click on the CRL tab and then on your CRL. In my case I have two CRL objects, one for RSA certificates and one for Elliptic Curve Cryptography certificates.

Available CRL objects

Click on the CRL object and you will see the Configuration tab. Here you can issue a new CRL at once or you can schedule a CRL issuance. In my setup I'm issuing a new CRL every hour. That means that if I revoke a certificate I won't wait more than 1 hour before it is added to the CRL and blocked by FreeRADIUS.

On the bottom of this page you will see "CRL Distribution Points", make a note of the http URL to the CRL. You will need this later when setting up the CRL check for FreeRADIUS.

In this example it is:

CRL details

OK, so now we have configured the eDirectory CA to issue a new CRL every hour and we have a URL to the CRL.

Make sure that the FreeRADIUS server can access that URL if you have any firewalls between servers.

Next, you'll want to stop FreeRADIUS:

systemctl stop radiusd.service

Make a backup of the EAP configuration file used by FreeRADIUS, the one that the symlink in /etc/raddb/mods-enabled points to.

We will make two changes to that file.

Edit the EAP configuration file.

    1. Uncomment check_crl = yes


    1. Find ca_file = xxxxxxx <-- The content will vary depending on where your eDirectory CA root certificate file is stored. In my case it was: ca_file = ${certdir}/idmdevca-ecc.pem

        1. We will change this to point to another file which will be concatenation of your eDirectory CA root certificate and the CRL.

        1. I have chosen to name the file ca_and_crl.pem as in the example on the site above.

        1. After the changes the row looks like this: ca_file = ${certdir}/ca_and_crl.pem

Save the EAP configuration file.

Next we will create a small script that will download the CRL from the CRL URL we have seen in iManager.

I have decided to name the script file /etc/raddb/certs/

It looks like this:

cd $DIR
#Delete old CRL
rm $DIR/oneec.crl
#Get new CRL
# Convert from DER to PEM
openssl crl -in $DIR/oneec.crl -inform DER -outform PEM -out $DIR/oneec.pem
#Combine eDirectory CA certificate with CRL
cat $DIR/idmdevca-ecc.pem $DIR/oneec.pem > $DIR/ca_and_crl.pem
# Restart FreeRADIUS
systemctl restart radiusd.service

You will need to adapt the script to your needs, change the URL and the file names to match your environment.

Afterwards make the script executable:

chmod x

Schedule it with crontab -e:

0 * * * * /etc/raddb/certs/ >/dev/null 2>&1

Now it's time to test the script. I recommend commenting the last line in the script:
#systemctl restart radiusd.service

The reason is that we want to run FreeRADIUS in debug mode until we get it working.

So run the script and fix any errors such as wrong filenames, etc.

Check the file ca_and_crl.pem, it should contain:

<Your eDirectory CA root certificate>
-----BEGIN X509 CRL-----
<The CRL>
-----END X509 CRL-----

In my case, I had to edit my eDirectory CA root certificate file (idmdevca-ecc.pem) and add a new line after the last line.

If it looks OK try to start FreeRADIUS in debug mode:

radiusd -X

It will show a lot of information and if there is anything wrong with your configuration it will tell you and refuse to start.

If it starts you can try WLAN authentication on your device with a certificate that is not revoked and you should be able to connect.

Now try it on another device that has a revoked certificate and the FreeRADIUS will output information that the certificate is revoked!

When you are satisfied, press Ctrl-C to end the debug mode.

Uncomment the last line in the script:
systemctl restart radiusd.service

Run the script again and redo the entire testing procedure.

This article is based on the following versions:

    • NetIQ eDirectory 9.0.3


    • FreeRADIUS 3.0.15


    • SUSE Linux Enterprise Server 12 SP3




How To-Best Practice
Comment List