NEW Package: freeRADIUS 2.x
-
I have got these problems on freeradius and freeradius2.
But only after reboot of pfsense.
I pushed a fix for freeradius2. Try with package version 0.3
-
I updated freeradius2 from 0.3 ALPHA up to 1.0 BETA.
The freeradius2 package should now have all the features that freeradius has and some improvements.
New freeradius2 features:
- IPv6 for clients and listening interfaces
- select different interfaces for different tasks (auth, acct, proxy, status, detail, CoA)
- additional parameters added in settings
- enable server to run in threaded mode
-
-
hello,
I wanted to understand how to implement freeradius2 of a system that works with version 1. Uninstalled the previous version and then installed version 2 the applications that worked now no longer work. Specifically, the authentication for openvpn road warriors no longer works. A log level I do not see things very useful. Just something about "0 packets in queue".
What are the steps to authenticate freeradius2 of openvpn? I have to do something different?
Summing up I set like this:
Services -> "freeradius"
User: test pass: test
NAS: 192.168.1.1 (ip of the router), ShortName: pfSense, secret: testing
under "users" -> "server"
RADIUS: 192.168.1.1
Secret: test
description : Local Radius Server
under "openvpn"
Selected > Local Radius server
I've done something wrong?
thanks
(pfsense 2.0)
-
Hi,
I do not know how to use OpenVPN RoadWarrior with RADIUS. Is there any tutorial?
Generally I didn't change much in the background.
In the users tab I didn't change anything.
The settings tab is the same as before just some different syntax for logging and some additional parameters but they are all at default.
In the client tab I had to change the syntax of the clients.conf to new freeradius2 version but the parameters are still the same.
Where I did many changes is the "interfaces" tab.
If you have one Interface (LAN) which should do authentication and accounting then you need two entries:
Interface IP: 192.168.100.1
Port: 1812
type: auth
Interface IP: 192.168.100.1
Port: 1813
type: acct
If radius should listen on any interface then you can use a * instead of the IP.
Not sure if * is listening on 127.0.0.1
PS: Further it would/could help if you delete all freeradius entries from your config.xml
/conf/config.xml
and reboot and reconfigure freeradius2.
Your old settings from freeradius1 are NOT compatible with freeradius2
-
also installed in a fresh installed system…
same problem
used * instead of the real ip...
Still testing
-
Hi,
I read short through this:
http://doc.pfsense.org/index.php/Using_OpenVPN_With_FreeRADIUS
This needs PAM authentication as far as I understand this.
I took a look at
/usr/local/pkg/freeradius.inc
And changed line 432:
#pam
to this line:
pam
Save the file and then go to the freeRADIUS GUI -> Settings -> Save and try again.
-
Hi,
I tested the freeRADIUS2 package with this tool:
http://www.novell.com/coolsolutions/tools/14377.html
The problem is the freeRADIUS. I think there are some bigger changes in module handling in the new radiusd.conf. We need to enable/link to the modules listed in the /usr/local/etc/raddb/sites-enabled/ directory.
In the old freeRADIUS 1.x configuration the modules were configured only in radiusd.conf.
FreeRADIUS is starting and listening on requests but there seems to be no "Auth-type" selected so that the request could not be used with an authorization module.
If someone could/would fix that - don't hesitate. I will try as far as I found time. Next week I am on vacation and I think I will find some time to work on this problem and hopefully fix it.
-
@gionag
I could reproduce this error.
There was a bug in creating the "users" file. I think I fixed this so it should now authenticate fine.
Additional changes pkg v1.1.0 Beta:
- Added some code which prevents that freeradius service isn't starting if interface type is "detail"
- Swapped authorize, authenticate, … sections from radiusd.conf to the correct place (/usr/local/etc/raddb/sites-enabled/default && /usr/local/etc/raddb/sites-enabled/inner-tunnel)
-
-
Updates: pkg v1.1.1:
- disabled virtual-server "control-socket" which is experimental and if misconfigured a security issue
- disabled module proxy because in most environments we do not need to proxy requests to another RADIUS PROXY server
-
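Added example, not part of the thread or the package's code: a small Python check of FreeRADIUS 2.x `listen { }` sections that reports the auth/acct pairing described in the interfaces post above and flags a control-socket listener like the one pkg v1.1.1 disables. It assumes the GUI entries end up as `listen` sections; the sample text, socket path and function names are constructed for illustration.

```python
import re

# Constructed sample (not taken from a real system): the thread's two LAN entries,
# a wildcard auth-only entry, and a control-socket listener.
SAMPLE_CONF = """
listen {
    type = auth
    ipaddr = 192.168.100.1
    port = 1812
}
listen {
    type = acct
    ipaddr = 192.168.100.1
    port = 1813
}
listen {
    type = auth    # no matching acct entry for this address
    ipaddr = *
    port = 1812
}
listen {
    type = control
    socket = /var/run/radiusd.sock
}
"""

LISTEN_RE = re.compile(r"^[ \t]*listen[ \t]*\{(.*?)^[ \t]*\}", re.S | re.M)
PAIR_RE = re.compile(r"^[ \t]*(\w+)[ \t]*=[ \t]*([^\s#]+)", re.M)

def parse_listeners(conf_text):
    """Return one dict of key/value settings per listen { } section."""
    return [dict(PAIR_RE.findall(body)) for body in LISTEN_RE.findall(conf_text)]

def audit_listeners(listeners):
    """Report control sockets, wildcard binds and auth entries lacking acct."""
    findings, types_by_addr = [], {}
    for entry in listeners:
        kind = entry.get("type", "?")
        addr = entry.get("ipaddr") or entry.get("ipv6addr") or entry.get("socket", "?")
        types_by_addr.setdefault(addr, set()).add(kind)
        if kind == "control":
            findings.append(f"control socket enabled at {addr}")
        elif addr == "*":
            findings.append(f"{kind} listener bound to all interfaces")
    for addr, kinds in types_by_addr.items():
        if "auth" in kinds and "acct" not in kinds:
            findings.append(f"{addr}: auth entry without an acct entry")
    return findings

if __name__ == "__main__":
    for finding in audit_listeners(parse_listeners(SAMPLE_CONF)):
        print(finding)
```

An auth-only address is reported for review rather than as an error, since accounting is only needed where the NAS sends it.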
-
Updates: pkg v1.2.0
- Added GUI to configure eap.conf (EAP, EAP-TLS, EAP-TLS with OCSP support, EAP-TTLS, EAP-PEAP with MSCHAPv2)
The GUI contains the by default "uncommented" options in the eap.conf
These authentication methods were tested and work:
- PAP
- CHAP
- MSCHAP
- EAP-MD5
Added "CDATA" for all <description> parts in .XML files.
-
Updates: pkg v1.3.0
- Added GUI to configure sql.conf
- Just some small typo/cosmetic GUI fixes
--- edit ---
The GUI is working but I found out that the precompiled freeradius-2.1.12 package is not compiled with MySQL, PostgreSQL.
So there are modules (rlm_sql) missing. We need to build a package from source with additional build_options to support these features.
Help would be appreciated!
Further I would like to have LDAP and KERBEROS support so that we can build a GUI for connecting to LDAP and/or AD.
-
-
Updates: pkg v1.3.1
- Some small fixes with empty variables after installation
Thank you marcelloc for your help!
-
Updates: pkg v1.3.2
- Check and only enable virtual-server "coa" if there is a need from interface-type "coa"
- Put virtual-server "default" into .inc file. We need this in future for LDAP, SQL and other modules
-
-
-
Updates: pkg v1.3.4
- freeradius2 is working on pfsense 2.0.1 (i386 and amd64)
- added GUI to create certificates (CA, Server, Client) for EAP-TLS
- extended "view config" tab to view certificate files
-
-
Updates: pkg 1.3.5
- Added some info about dis-/advantages of pfsense cert-manager compared to freeradius-cert editor. pfsense cert-manager should be the first manager to use!
- freeradius server is starting with certs and keys (different types) from pfsense built-in manager but this needs more testing with clients and real NAS
- Some small typo fixes in freeradiuseapconf.xml with double entry
- Added some checks and renamings on client cert building script (Thanks to marcelloc)
-
-
Updates: pkg v1.3.6
- Added ability to choose between the freeradius cert manager or the pfsense built-in cert manager. (Thank you very much jimp and sullrich)
-
Updates: pkg v1.3.7
- Corrected starting parameters of variables for "Settings"
- Enabled logging and logging to syslog is now default
- DH and RANDOM file will be created new when changing to "pfsense cert-manager". So not everybody will use the same files delivered with the freeradius package.
- Adding Custom-Options on TOP and BOTTOM of all other user options
- New variables and structure of the "users"-file creation. It was necessary to add additional custom options on TOP and BOTTOM. User entries from older freeradius2 versions are NOT compatible. You need to add them again. Sorry.
- Username can now contain whitespaces
- Added Copyright
- Added new features to dis-/enable SQL (Instantiate, authorize, accounting, session, post-auth) - we still need to build freeradius2 package with additional modules.
-
-
Updates: pkg v1.3.8
- fixed empty password after installation in default cert (eap)
- fixed typo in description (eap)
- small change in <custom_php_install_commands> order in freeradius.xml
- Added radiusd.conf to "view config" tab
- fixed "include sql.conf" in (sql/radiusd)
- Added some comments in freeradius.inc
-
-
If it's not much work to implement, beside user authentication, it would be nice to also support mac authentication. (http://wiki.freeradius.org/Mac-Auth)
Nice work so far!