@johnpoz said in freeRadius / Unifi AP / EAP-TTLS ?:

@furom said in freeRadius / Unifi AP / EAP-TTLS ?:

Samsung A8

I was looking at those for my train tablet, but ended up with the p11, slightly bigger screen and slightly more battery.

Yeah, the bigger screen would have been nice, but price jumped quite a bit for just those points of an inch, and when ordering I still wasn't sure I would make it work. Now I have two... But will keep the old one around for a while. It has some update I apparently haven't installed yet. Didn't have time today to verify if it actually is a legit one or not, but would really expect it to be. Just weird I haven't seen it before.

Documenting this all now, but the main issue all along was the 2100's switch...

@steveits Makes sense - will do. Thanks!

@dobby_ Perhaps my tunables is part of issues....

3a9eebce-21b7-4482-9dcf-cef2b7499b16-image.png

@shahidakhter
Does this also happen if you bypass HAproxy?
Simply add a NAT port forwarding rule on WAN to the backend server for testing.

@juanzelli
Hey juanzelli - thanks for sharing this post. Somehow i missed it the first time reading through the forum. I just tried that also,
System->Update->Update Settings and just clicking Save without making any other changes.
now it shows packages and when i select 13 from the console,
9c1ba1da-8cf4-45be-968c-6c378b51e8d0-image.png
Funny thing is i have rebooted this a few times since the initial upgrade, for other issues i am having. I was just about to do a factory reset, and thought, well, let me try that.... Thank you again!

@anthonys I found the wierd problrm if you click the update version there the plus and one says snapshot.

If it click on snapshot on update it will disable packages as there no two version in the update number as I am on Eufi plus version.

@diyhouse ah thank you for getting back to me. I wasn't able to get it working, but did find this,
udpbroadcastrelay for pfsense . It looks like it was released for 2.6 , but now is only available on 2.7 so I was thinking of giving that a shot when it comes around .
https://redmine.pfsense.org/issues/10818

Currently AVAHI does everything I want except allow me to play from VLC to my Chromecast across vlan or from something like jwplayer's cast function . For some reason it also doesn't work to use VLC render on Chromecast even on the same vlan.

Literally everything else works, cast tab, cast screen, YouTube case from a phone , mirror cast phone screen etc. Spotify works, printer works etc.

What I don't do is Sonos.

Well crap! I edited every cert I found with a X3 reference and it keeps coming back. It now only exists in the backup directory where I saved the unedited certs.

The strange thing is that not only is it still appearing in the FreeRadius chain, but also in the haproxy shared-frontend.pem.

What am I missing?

Maybe it's in the config.xml?

I made a copy of my config from /conf/config.xml at /root/backup

xmllint --xpath "//*/crt" /root/backup/config.xml > cert.base64 split -p "\n" ./cert.base64

Here is where I lost the will to script stuff out. All the certs are base64 encoded and there's no base64 tool installed and I was struggling with using openssl so I went back to basics.

cat xaa | perl -MMIME::Base64=decode_base64 -e 'print decode_base64 join"",<>' > xaa.b64 cat xab | perl -MMIME::Base64=decode_base64 -e 'print decode_base64 join"",<>' > xab.b64 cat xac ...

Now to see if any contain the dreaded and undying X3 cert

openssl crl2pkcs7 -nocrl -certfile /root/backup/xaa.b64 | openssl pkcs7 -print_certs -noout | grep -i x3 openssl crl2pkcs7 -nocrl -certfile /root/backup/xab.b64 | openssl pkcs7 -print_certs -noout | grep -i x3 openssl crl2pkcs7 -nocrl -certfile /root/backup/xac.b64...

2 of these files actually contain the damn X3 cert.

xaj.b64 contains it, so I just searched the config.xml for the contents of the xaj file and found it here:

<ca> <refid>61563c252dbc8</refid> <descr><![CDATA[Acmecert: O=Internet Security Research Group, CN=ISRG Root X1, C=US]]></descr> <crt>LS0tLS1CRUdJ...S0tLS0=</crt> <serial>0</serial> </ca>

There was also another match I traced back to:

<ca> <refid>61578b1bd6592</refid> <descr><![CDATA[Acmecert: O=(STAGING) Internet Security Research Group, CN=(STAGING) Pretend Pear X1, C=US]]></descr> <crt>LS0tL...tLQ==</crt> <serial>0</serial> </ca>

I grabbed the serial number of the certs with X3 using this tool and then manually went through my cert manager looking for anything that matches. I found them in my cert manager and deleted them and nothing has changed. FreeRadius and HAProxy arestill somehow finding the X3 cert. I even extracted all the certs again from the updated config.xml, now with fewer certs and yet it's still appearing.

@yeahmagnets said in Restored /usr/local/etc/raddb/users file, users don't show up:

how is it possible?

You - us - need more details.

The 'system works :

[23.01-RELEASE][admin@pfSense.near.by]/usr/local/pkg: radtest x x 192.168.2.1 0 radius Sent Access-Request Id 84 from 0.0.0.0:37887 to 192.168.2.1:1812 length 71 User-Name = "x" User-Password = "a" NAS-IP-Address = 192.168.1.1 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "a" Received Access-Accept Id 84 from 192.168.2.1:1812 to 192.168.2.1:37887 length 57 Acct-Interim-Interval = 600 WISPr-Redirection-URL = "https://www.google.com/" [23.01-RELEASE][admin@pfSense.near.by]/usr/local/pkg: radtest x b 192.168.2.1 0 radius Sent Access-Request Id 32 from 0.0.0.0:43449 to 192.168.2.1:1812 length 71 User-Name = "x" User-Password = "b" NAS-IP-Address = 192.168.1.1 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "b" Received Access-Reject Id 32 from 192.168.2.1:1812 to 192.168.2.1:43449 length 20 (0) -: Expected Access-Accept got Access-Reject

Use x has password 'a' - and not password 'b'

Stop Freeradius in the GUI.
Open another console SSH access, and run

radiusd -X

Now you have details.

In the first console SSH do you test again.

Check the logs.
I'm pretty sure that it is a config issue.
It's already 'hard' to get radius answering "Access-Accept" ;)

@yeahmagnets said in Restored /usr/local/etc/raddb/users file, users don't show up:

we managed to save

You only need to take care of one little file : the config.xml as everything is in there.

Go here Diagnostics > Backup & Restore > Backup & Restore for a manual save.
I'm also using a PC (server) that auto logs in, and retrieves that file.
I'm also using Services > Auto Configuration Backup > Settings for the off-site backup.

@jonathanlee said in System Patches package version 2.2.x:

@steveits but for new OS updates do we remove before PfSense updates?

No, you do not need to do anything in this package before upgrading. Just leave it as-is.

In the majority of cases, what you are updating to will contain all of the patches available to previous versions. If you had custom patches that are not a part of pfSense software you might need to reapply those after upgrading, but otherwise you don't need to touch anything in the package before or after upgrading.

Steve,
Thanks for your help. I did not have any option to choose. During the initial install it performed an update automatically. I don't recall seeing any options for versions.

I just double checked my version here is what I have running:
22.05.1-releease (arm64)
built tues dec 6, 15:43.34 UTC 2022
FreeBSD 12.3-stable

I do now see a update available for 23.01. This was not showing yesterday.

Thanks in advanced Joe

I just followed these instructions:

https://benheater.com/integrating-pfsense-with-wazuh/

and I have the agent installed on pfSense 2.60 CE, with events registering in my Wazuh dashboard. So it works!

I installed directly from freeBSD ports. Conflict with openLDAP.

oh i forgot to tell that the packages are available before but when want to use it, it cant be use.

@krumx Hello,

This doesn't help much at the moment however, they do have an open ticket for this issue. Just not sure when it will be fixed but at least we can track it here and update as soon as possible:

https://redmine.pfsense.org/issues/13985