Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Win7 Supplicant Acting Weird (Unable to browse websites) q1 hr

    Scheduled Pinned Locked Moved Wireless
    6 Posts 2 Posters 1.1k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • F
      Finger79
      last edited by

      I'm normally a pretty good troubleshooter, but I'm not sure exactly when this issue started happening, so it's hard to narrow it down to any "changes" made to my environment.

      Supplicant:  My Windows 7 Pro x64 laptop
      Authenticator:  Asus RT-N66U running in AP mode.  Latest firmware.
      Authentication Server:  pfSense 2.3.4-p1 amd64 running freeradius3 package 0.8

      WLAN Architecture:  WPA2-Enterprise (EAP-TLS)

      Symptoms:  I've had no problems with this setup since Fall 2016, but for the past several weeks or so, every hour (ish), my laptop will lose connectivity, but it won't show any outward signs other than web pages suddenly not working.  It still shows connected to my wireless network.

      [Edited to Add:  The 1 hour mark came and went, and I didn't lose connectivity this time.  I saw a new "radiusd" entry in the pfsense System Logs showing a successful authentication attempt by my laptop, via the AP.  I guess this issue is inconsistent.]

      Workaround:  Manually disconnect from my wireless network then reconnect.  Everything immediately works again.  pfSense System logs show a fresh authentication attempt to FreeRADIUS.

      Possible causes:

      • Something changed with the latest June or July Windows Updates?

      • Something changed in the latest Asus RT-N66U firmware updates?

      • Something changed going from the freeradius2 to freeradius3 package?

      • Hardware failure?  Overheating?

      1 Reply Last reply Reply Quote 0
      • F
        Finger79
        last edited by

        Since this seems to be happening every 1 hour (it may be a different interval), that's a clue to look for something in a config somewhere…

        In the freeradius3 config, EAP tab:

        Expiration of EAP-Response / EAP-Request List:  60
        A list is maintained to correlate EAP-Response packets with EAP-Request packets. Define the expire time of the list here. (Default: 60)

        Could it possibly be this setting?  I haven't changed anything in freeradius configs ever since I got this running in 2016, so it's weird it would suddenly start giving me issues.

        1 Reply Last reply Reply Quote 0
        • F
          Finger79
          last edited by

          EAP config:

          /usr/local/etc/raddb/mods-enabled/eap

          EAP

          eap {
          default_eap_type = tls
          timer_expire    = 60  <–- This?
          ignore_unknown_eap_types = no
          cisco_accounting_username_bug = no
          max_sessions = 4096

          DISABLED WEAK EAP TYPES MD5, GTC, LEAP

          pwd {

          group = 19

          server_id = theserver@example.com

          fragment_size = 1020

          virtual_server = "inner-tunnel"

          }

          tls-config tls-common {

          private_key_password = <redacted>private_key_file = ${certdir}/server_key.pem

          certificate_file = ${certdir}/server_cert.pem
          ca_path = ${confdir}/certs
          ca_file = ${ca_path}/ca_cert.pem

          auto_chain = yes

          psk_identity = "test"

          psk_hexphrase =

          dh_file = ${certdir}/dh
          random_file = /dev/urandom
          fragment_size = 1024
          include_length = yes
          check_crl = no
          check_cert_issuer = <redacted>check_cert_cn = %{User-Name}
          cipher_list = "DEFAULT"
          cipher_server_preference = no

          disable_tlsv1_2 = no

          ecdh_curve = "prime256v1"
          cache {
          enable = no
          lifetime = 24
          max_entries = 255
          #name = "EAP module"
          #persist_dir = "/tlscache"
          }
          verify {

          skip_if_ocsp_ok = no

          tmpdir = /tmp/radiusd

          client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"

          }
          ocsp {
          enable = no
          override_cert_url = no
          url = "http://127.0.0.1/ocsp/"

          use_nonce = yes

          timeout = 0

          softfail = no

          }
          }
          tls {
          tls = tls-common

          virtual_server = check-eap-tls

          }
          ttls {
          tls = tls-common
          default_eap_type = tls
          copy_request_to_tunnel = no
          include_length = yes

          require_client_cert = yes

          virtual_server = "inner-tunnel-ttls"
          #use_tunneled_reply is deprecated, new method happens in virtual-server
          } ### end ttls
          peap {
          tls = tls-common
          default_eap_type = mschapv2
          copy_request_to_tunnel = no

          proxy_tunneled_request_as_eap = yes

          require_client_cert = yes

          MS SoH Server is disabled

          virtual_server = "inner-tunnel-peap"
          #use_tunneled_reply is deprecated, new method happens in virtual-server
          }
          mschapv2 {

          send_error = no

          identity = "FreeRADIUS"

          }

          fast {

          tls = tls-common

          pac_lifetime = 604800

          authority_identity = "1234"

          pac_opaque_key = "0123456789abcdef0123456789ABCDEF"

          virtual_server = inner-tunnel

          }

          }</redacted></redacted>

          1 Reply Last reply Reply Quote 0
          • F
            Finger79
            last edited by

            Bump.  Some help would be greatly appreciated.

            It just happened again, and here are the results of more testing:

            PING

            • Can ping internal and external IPs
            • Can NOT ping by hostname or FQDN

            NSLOOKUP

            • Can lookup internal and external hosts

            Non-authoritative answer:
            Name:    forum.pfsense.org
            Addresses:  2610:160:11:1000::18
                      208.123.73.18

            TRACERT

            • Can tracert internal and external IPs.
            • Cannot tracert when using hostnames

            tracert forum.pfsense.org
            Unable to resolve target system name forum.pfsense.org.

            WEB BROWSING

            • Can NOT browse using FQDN
            • CAN browse using IP.
              Example:  Can navigate to https://208.123.73.18 but not https://forum.pfsense.org

            Verified:

            • DHCP lease has not expired.
            • Power saving on WLAN adapter is not enabled.
            • Bitdefender and Malwarebytes Full System Scans show clean.
            1 Reply Last reply Reply Quote 0
            • F
              Finger79
              last edited by

              I noticed in System Logs that php-fpm is signalling to restart other packages, including radiusd.

              I'll try to observe if this is correlated to the symptoms I'm experiencing.

              Aug 2 18:32:51 php-fpm 28550 /rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection - 10.65.10.6 -> 10.21.10.10 - Restarting packages.
              Aug 2 18:32:51 check_reload_status Starting packages
              Aug 2 18:32:52 php-fpm 28550 /rc.start_packages: Restarting/Starting all packages.
              Aug 2 18:32:52 php-fpm 28550 lcdproc: Sync: Begin package sync
              Aug 2 18:32:52 php-fpm 28550 lcdproc: Sync: End package sync
              Aug 2 18:32:52 php-fpm 28550 [pfBlockerNG] Starting cron process.
              Aug 2 18:32:56 radiusd 76053 Signalled to terminate

              Does anyone know what php-fpm is and why it's sending signals to restart other packages?

              1 Reply Last reply Reply Quote 0
              • GertjanG
                Gertjan
                last edited by

                @Finger79:

                I noticed in System Logs that php-fpm is signalling to restart other packages, including radiusd.

                Simple to answer this one : pfSEnse is using a GUI for setuo.
                This means it uses a web server and some "extension" that executes scripts that make the GUI web pages. As you might guess, this PHP (half of the Interweb web sites uses PHP).
                "php-fpm" is you the name of the mode how PHP is executed and communicates web the web server (nginx).

                Somehow, pfSEnse IS actually all these PHP scripts (well, not entirely, but mostly). So, yes, it is PHP that restarts packages is some system wide settings are changed, interface drop and repop and other conditions.
                Should it restart "radiusd', that is the real question : it depends what happened. A new WAN IP is such a condition. It's probably non needed to restart radiusd when the WAN IP restarts ….
                Of course, the time radiusb restarts, all communication (authentication) is out of business. If this happens very often, well, the issue would pop up more often.

                Btw : I'm not using radius myself, but your question proves me that it wouldn't be a bad idea NOT to run radius on the firewall - if possible (needs another local (LAN) server device).

                No "help me" PM's please. Use the forum, the community will thank you.
                Edit : and where are the logs ??

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.