intelligent wireless platform

For TLS and PEAP, the server needs root.pem and cert-srv.pem. For TLS, the Windows XP client needs root.der and cert-clt.p12. For PEAP, the Windows XP client needs root.der.

In the event that you want to use TLS authentication with multiple clients, Document 3 provides the needed script. Look for the CA.clt script in Section 6.

3. Configure Server for TLS

Only a few changes and additions are needed for TLS authentication. The clients.conf, users, and radiusd.conf files are located at:

/usr/local/radius/etc/raddb

a. clients.conf -- This file contains the basic configuration for the Access Point. Look for the following line, then uncomment it and modify it as appropriate:

#client 192.168.0.0/24 {

client 192.168.1.0/24 {
    secret = AP_Shared_Secret
    shortname = WLAN
}

b. users -- This file contains the basic user information. Look for the following line and then add the user name:

#"John Doe" Auth-Type := Local, User-Password == "hello"

#

jbibe

Note that for TLS, you should not include an Auth-Type or a password. The server is able to determine the correct Auth-Type, and a password is not needed because the client uses a client certificate for authentication.

c. radiusd.conf -- This file contains the server configuration information. Look for the following lines and then change the default_eap_type from md5 to tls:

eap {

default_eap_type = md5

Change md5 to tls.

Move down to the following line, then uncomment and modify the information as shown below. Note that I placed the server certificates, dh file and random file in a new directory, 1x, on our system. Modify the path as needed for your server:

#tls {

tls {
    private_key_password = whatever
    private_key_file = /usr/local/radius/etc/1x/cert-srv.pem
    certificate_file = /usr/local/radius/etc/1x/cert-srv.pem
    CA_file = /usr/local/radius/etc/1x/root.pem
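A quick way to confirm the edits from steps b and c were actually applied, as an added example that is not part of the original guide or of the RADIUS server: the function names lint_eap and lint_users_entry are hypothetical, the two configuration samples are constructed from the lines shown above, and the check on the sample passphrase is an added hardening check rather than a step from the guide.

```python
import re

# Constructed samples: the eap section before and after the edits described above.
BEFORE = "eap {\n    default_eap_type = md5\n    #tls {\n}\n"
AFTER = """\
eap {
    default_eap_type = tls
    tls {
        private_key_password = whatever
        private_key_file = /usr/local/radius/etc/1x/cert-srv.pem
        certificate_file = /usr/local/radius/etc/1x/cert-srv.pem
        CA_file = /usr/local/radius/etc/1x/root.pem
    }
}
"""
REQUIRED = ("private_key_file", "certificate_file", "CA_file")

def lint_eap(conf_text):
    """Return a list of problems found in a radiusd.conf eap section."""
    # Ignore commented-out lines so a still-commented "#tls {" does not count.
    active = [ln.strip() for ln in conf_text.splitlines()
              if ln.strip() and not ln.strip().startswith("#")]
    settings = dict(re.split(r"\s*=\s*", ln, maxsplit=1) for ln in active if "=" in ln)
    problems = []
    if settings.get("default_eap_type") != "tls":
        problems.append("default_eap_type is not tls")
    if not any(re.fullmatch(r"tls\s*\{", ln) for ln in active):
        problems.append("tls block is still commented out")
    problems += [f"{key} is not set" for key in REQUIRED if key not in settings]
    # Added hardening check (assumption, not from the guide): replace the sample passphrase.
    if settings.get("private_key_password") == "whatever":
        problems.append("private_key_password is still the sample value")
    return problems

def lint_users_entry(line):
    """For TLS the users entry is the bare user name: no Auth-Type, no password."""
    return [attr for attr in ("Auth-Type", "User-Password") if attr in line]

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, lint_eap(text))
    print("users:", lint_users_entry("jbibe"))
```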

airPoint™ Nexus User Configuration Guide

Page 47 of 55

 

SmartBridges sB3210 manual Configure Server for TLS