2. Obtaining Certificates
OpenSSL must be installed to use either EAP-TLS, EAP-TTLS, or PEAP!
When using EAP-TLS, both the Authentication Server and all the Supplicants (clients) need certificates [RFC2459]. Using EAP-TTLS or PEAP, only the Authentication Server requires certificates; Supplicant certificates are optional.
You get certificates from the local certificate authority (CA). If there is no local CA available, OpenSSL may be used to generate self-signed certificates.
Included with the FreeRADIUS source are some helper scripts to generate self-signed certificates. The scripts are located under the scripts/ folder included with the FreeRADIUS source:
CA.all is a shell script that generates certificates based on some questions it asks. CA.certs generates certificates non-interactively based on pre-defined information at the start of the script.
The scripts use a Perl script called CA.pl, included with OpenSSL. The path to this Perl script in CA.all and CA.certs may need to be changed to make it work.
More information on how to generate your own certificates can be found in the SSL certificates HOWTO.
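To show what generating certificates with OpenSSL involves when no local CA is available, the following added example (not the FreeRADIUS CA.all or CA.certs scripts, and not code from this HOWTO) builds a throwaway CA, issues one server and one client certificate for EAP-TLS, and checks each against the CA for its intended purpose. The subject names, the 365-day lifetime, the file names and the function names are assumptions chosen for a lab setup; the keys are written unencrypted, which suits a test bench only.

```shell
#!/bin/sh
# Added example: throwaway CA plus EAP-TLS server/client certificates.
# All subject names, lifetimes and file names are constructed values.
set -eu

make_ca() {                       # $1 = working directory
    mkdir -p "$1"
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = Example Lab
CN = Example Lab Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    chmod 600 "$1/ca.key"         # the CA key signs everything: keep it private
}

issue_cert() {                    # $1 = dir, $2 = file stem, $3 = CN, $4 = EKU
    printf '[leaf]\nbasicConstraints = CA:FALSE\nextendedKeyUsage = %s\n' "$4" \
        > "$1/$2.ext"
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
        -subj "/O=Example Lab/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -sha256 -days 365 \
        -extfile "$1/$2.ext" -extensions leaf -out "$1/$2.pem" 2>/dev/null
    chmod 600 "$1/$2.key"
}

check_cert() {                    # $1 = dir, $2 = file stem, $3 = sslserver|sslclient
    openssl verify -CAfile "$1/ca.pem" -purpose "$3" "$1/$2.pem" >/dev/null 2>&1
}

demo() {                          # builds the lab PKI and prints its directory
    d=$(mktemp -d)
    make_ca "$d"
    issue_cert "$d" server "radius.example.test" serverAuth
    issue_cert "$d" client "supplicant01" clientAuth
    echo "$d"
}
```

Calling `demo` leaves ca.pem, server.pem/server.key and client.pem/client.key in a fresh temporary directory. `check_cert` returns non-zero when a certificate is presented for a purpose its extended key usage does not cover, so a client certificate cannot stand in for the Authentication Server's.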