@Zizi:

Hi,
today I've set up freeradius3 for WPA-EAP, an it is working, but only with "clear text passwords".
If I change it to "MD5 Password", I get error "mschap: FAILED: No NT/LM-Password. Cannot perform authentication"

Is there any way to use non clear text password storage with working WPA-EAP?

Same here.

@Mateh:

Indeed.

pfSense 2.4.3 running Service_Watchdogs 1.8.4.

Settings from Notifications:

E-Mail server: smtp.mailgun.org
SMTP Port of e-Mail server: 465
Secure SMTP Connection: [tick]
From e-mail address: my@email.com
Notification E-mail address: my@email.com
Notification E-Mail auth username: my@login.email
Notification E-Mail auth password: mypass
Notification E-Mail auth mechanism: PLAIN

Looks fine to me.
I have exactly the same thing, with one difference : I'm not using some mail supplier, but my own mail server on a delicate server on the Internet (so I have full control on both sides).

You are using the right port (465 - which uses TLS from start) and you are identifying yourself correctly.
If this goes wrong ones in a while, answers should by found by the one running "smtp.mailgun.com".

Your last image : as per https://doc.pfsense.org/index.php/Using_Captive_Portal_with_FreeRADIUS - Section : Amount of Traffic the option "re-authenticate users every minute" should be set so the user gets disconnected.
Otherwise your limit of "1200" (Mbytes) will not work …

What I did to check / debug all this :
I read this : https://doc.pfsense.org/index.php/Testing_FreeRADIUS
This : https://doc.pfsense.org/index.php/Additional_Logging_for_FreeRADIUS (written for 2.x but useful).

Also : when your setup is ok, goto    Status => Services
STOP the radius daemon.

Acces the console. Take option 8 - SSH access.
Type```
radiusd -h

Read … Find the option -X Use it ! Start radfius by hand using **radiusd -X** (or **radiusd -X -xx**) Now you have all the info - there should be no red lines. Keep this console window open. Now login with a user on the captive portal. The entire login info will be laid out, and it's easy to find what went wrong. Questions about what being shown , Normal. Radius is not some small program, it's huge, took me days of just reading this one https://fr.wikipedia.org/wiki/FreeRADIUS and many others. With manuals, Radius (FreeRadius) is useless. > I added a cronjobe << 0 0 * * * root / bin / rm / var / log / radacct / datacounter / day / used-bytes - * >> This won't work  :) For example, "day" doesn't exist. See image for my cron entries, I used the the cron package of course.  

Duplicate of https://forum.pfsense.org/index.php?topic=145991.msg796861#msg796861 and it's an upstream issue:
https://redmine.pfsense.org/issues/8425#change-36362

Forget pfSense and use FreeNAS instead. It too is built on FreeBSD. However FreeNAS needs RAM–8 GB minimum.

this works, but revocation will not work. so if you revoke a cert, the authentication will still pass.  If you want to be able to revoke certs, and have free radius honor that, then follow what worked for me:

I have found the workaround solutions posted in the forums, for free radius and a functioning CRL, do not quite work.

The workarounds listed:
https://sites.google.com/site/techbobbins/home/articles/freeradius-and-crls

semi work.  The problem is, the manual changes are wiped away easily.  i.e. a change in the radius config (i.e. a user attribute), will cause the radius.conf and the cert files to be overwritten.  A little background on my system:

-Free radius v3
-pfsense v2.42 p1

Now, i think i may have found a workaround, that is "sticky".  It follows the same method as listed in this thread (https://sites.google.com/site/techbobbins/home/articles/freeradius-and-crls), but instead of appending the CA/CRL in the same file via the CAT command, append the CRL via the pfsense GUI to the CA cert body.  This way, every time you reload freeradius, it reads form the PFSENSE Cert files, and now everything works.

Also, i found if you configure sub CA's, free radius has issues with that.  So, a work around for that, is to:

-create your root CA
-create sub CA
-create crl for sub ca
-then, "import" a CA.  the cert body will be the root->sub->crl
-create free radius server cert
-in free radius, use the "import" CA, and the free radius server cert

..i found if you dont do this, free radius will error with error 19, self signed in the chain.  Understand the reason to use sub certs is for security, as i understand root CA's are designed to create sub CA's, not user or server certs.  This way, if sub CA is copromised, you dont have to recreate cert chain, just that particular sub ca.

I dont claim to be a PKI expert, but the above worked for me.

–-note, for revocation to work, you will have to re-paste the CRL info back into the "import" cert, and restart radius.  note, that restarting radius via the GUI, i.e services click the restart gear, does not work.  I found i needed to make a change to free radius, i.e change a setting in the eap config, save it, then set it back, svae it.  this seems to trigger a true radius restart.

hope this helps

@robert.herrmann:

I am a noob using pfSense and freebsd, so please be gentle.

pfSense is using FreeBSD is it's base OS.
But differences exists : one of them is the package handling.

@robert.herrmann:

I have a pfSense installation running version 2.4.1.  This system does not have access to the internet.  :(

Wait …
Your posting on a public forum, right ?
Bring your system along the next time - update - upgrade - done.

@robert.herrmann:

I would like to install freeradius but am struggling.  I have managed to download the .pbi (freeradius-2.2.5_3-i386.pbi) and get it copied into pfSense machine into the /tmp directory.  But I cannot seem to find a way to install this.

This situation was mentioned some time ago. I guess it was completely abandoned.
I guess you have to connect  it at least ones ….

edit : wait !
I guess it possible - it probably a manual job, not or very badly documented. Get out of the noob phase and you'll be fine.
I asked the world for advise ( pfsense install package without internet connection ) - it came back with https://forum.pfsense.org/index.php?topic=130966.0

Thank you! I will take a look

Hi there,

I just registered to comment that I got OTP to work with PAP protocol only.

Set it up in System > User Manager > Authentication Servers > your FreeRADIUS auth server > Server Settings > Protocol: PAP. Note that MS-CHAPv2 is the default option.

I hope this helps someone!

Seems to work protocol any.

I'd do the schedule like my second attachment, where 172.16.3.100 is the iDevice IP or an alias that contains multiple IP addresses.

Untitled.jpg
Untitled.jpg_thumb
Untitled.jpg_thumb
Untitled.jpg

@biggsy:

I agree with pete35.  I used to run the postfix package on the firewall but there are some good reasons not to do that.

What are the good reasons out of interest ?

BA