NEW Package: freeRADIUS 2.x
-
Updates: pkg v1.1.1:
-
disabled virtual-server "control-socket" which is experimental and if misconfigured a security issue
-
disabled module proxy because in most environments we do not need to proxy requests to another RADIUS PROXY server
-
-
Updates: pkg v1.2.0
- Added GUI to configure eap.conf (EAP, EAP-TLS, EAP-TLS with OCSP support, EAP-TTLS, EAP-PEAP with MSCHAPv2
The GUI contains the by default "uncommented" options in the eap.conf
This authentication methods were tested and work:
-
PAP
-
CHAP
-
MSCHAP
-
EAP-MD5
Added "CDATA" for all <description>parts in .XML files.</description>
-
Updates: pkg v1.3.0
-
Added GUI to configure sql.conf
-
Just some small typo/cosmetic GUI fixes
–- edit ---
The GUI is working but I found out that the precompiled freeradius-2.1.12 package is not compiled with MySQL, PostgreSQL.
So there are modules (rlm_sql) missing. We need to build a package from source with additional build_options to support these features.
Help would be appreciated!Further I would like to have LDAP and KERBEROS support so that we can build a GUI for connecting to LDAP and/or AD.
-
-
Updates: pkg v1.3.1
- Some small fixes with empty variables after installation
Thank you marcelloc for your help!
-
Updates: pkg v1.3.2
-
Check and only enable virtual-server "coa" if there is a need from interface-type "coa"
-
Put virtual-server "default" into .inc file. We need this in future for LDAP, SQL and other modules
-
-
-
Updates: pkg v1.3.4
-
freeradius2 is working on pfsense 2.0.1 (i386 and amd64)
-
added GUI to create certificates (CA, Server, Client) for EAP-TLS
-
extended "view config" tab to view certificate files
-
-
Updates: pkg 1.3.5
-
Added some info about dis-/advantages of pfsense cert-manager compared to freeradius-cert editor. pfsense cert-manager should be the first manager to use!
-
freeradius server is starting with certs and keys (different typs) from pfsense built-in manager but this needs more testing with clients and real NAS
-
Some small typo fixes in freeradiuseapconf.xml with double entry
-
Added some checks and renamings on client cert building script (Thanks to marcelloc)
-
-
Updates: pkg v1.3.6
- Added ability to choose between the freeradius cert manager or the pfsense built-in cert manager. (Thank you very much jimp and sullrich)
-
Updates: pkg v1.3.7
-
Corrected starting parameters of variables for "Settings"
-
Enabled logging and logging to syslog is now default
-
DH and RANDOM file will be created new when changing to "pfsense cert-manager". So not everybody will use the same files delivered with the freeradius package.
-
Adding Custom-Options on TOP and BOTTOM of all other user options
-
New variables and structur of the "users"-file creation. It was neccessary to add additional custom options on TOP and BOTTOM. User entries from older freeradius2 versions are NOT compatible. You need to add them again. Sorry.
-
Username can now contain whitespaces
-
Added Copyright
-
Added new features to dis-/enable SQL (Instantiate, authorize, accounting, session, post-auth) - we still need to build freeradius2 package with additional modules.
-
-
Updates: pkg v1.3.8
-
fixed empty password after installation in default cert (eap)
-
fixed typo in description (eap)
-
small change in <custom_php_install_commands>order in freeradius.xml</custom_php_install_commands>
-
Added radiusd.conf to "view config" tab
-
fixed "include sql.conf" in (sql/radiusd)
-
Added some comments in freeradius.inc
-
-
If its not much work to implement, beside user authentication, it would be nice to also support mac authentication. (http://wiki.freeradius.org/Mac-Auth)
Nice work so far!
-
If its not much work to implement, beside user authentication, it would be nice to also support mac authentication. (http://wiki.freeradius.org/Mac-Auth)
Nice work so far!
This should work by default as far as I know for now. The CISCO SG300-28 switch for example is sending the MAC address in username and password, all small letters without whitespace.
So you take a look on the user's guide and check the format the MAC address is sent.If the PCs MAC address is for example:
00:11:AA:BC:DE:FFThan the username and password in freeradius users should be:
0011aabcdeffThe users file should look like this afterwards:
"0011aabcdeff" Cleartext-Password := "0011aabcdeff" Simultaneous-Use := 1
Please post back if you could try this and if it is working or not.
I am on vacation until 09 january 2012 and do not have the chance to test this all on a real switch and environment.
This is on my "todo" list - to check all features I added just from How-To's in real ;-)–-- edit ----
This is from the CISCO users guide:The authentication methods can be:
• 802.1x—The switch supports the authentication mechanism as described in
the standard to authenticate and authorize 802.1x supplicants.• MAC-based—The switch can be configured to use this mode to
authenticate and authorized devices that do not support 802.1x. The switch
emulates the supplicant role on behalf of the non 802.1x capable devices,
and uses the MAC address of the devices as the username and password
when communicating with the RADIUS servers. MAC addresses for
username and password must be entered in lower case and with no
delimiting characters (for example: aaccbb55ccff). To use MAC-based
authentication at a port: -
Updates: pkg v1.3.9
-
small changes in if/else syntax (freeradius.inc)
-
deleted uneccessary <custom_php_resync_config_command>entries (freeradiuscerts.xml)</custom_php_resync_config_command>
-
fixed some typos in description and titel (eap, view config)
-
cosmetic fix: changed order of columns (users)
-
added XMLRPC Sync for syncing "users" and "NAS / clients" with other hosts. No other parts of freeradius2 config will be synced. The XMLRPC code I use isn't optimized for syncing so much parts like I use them in my package. Syncing more parts will increase the reload time after any change because there are so much dependencies and reloads neccessary.
Special thanks goes to: marcelloc :D
Thank you for allowing me to use the pfblocker-xmlrpc code :) -
-
Updates: pkg v1.4.0
-
improved first start of freeradius service after package installation
-
fixed double restart of freeradius service (sql)
-
added some additional output in syslog when creating certs with freeRADIUS Cert-Manager (certs)
-
added some additional output in syslog when changing TO pfSense Cert-Manager (eap)
-
added some comments in freeradius.inc for better understanding
-
-
Updates: pkg v1.4.1
-
enabled: module "attr_filter" in "pre-proxy" and "post-proxy" section
-
enabled: module "counter" (daily, weekly, monthly, forever) in "authorize" and "accounting" section
-
enabled: module "checkval" in "authorize" section
-
enabled: "with_ntdomain_hack = yes" in module "realm", module "mschap" and virtual-server "default"
-
enabled: use of more than one realm at one time in module "realm"
-
fixed: "users" file. we need to handel "check-items" different from "reply-items" (users)
-
added: support for Microsoft Statement-of-Health (SoH), which is a form of network access protection present in Windows XP SP3, Vista and 7. Enabled virtual-server "soh". (eap)
-
-
Updates: pkg v1.4.2
-
Added/Modified: Additional custom options for CHECK-ITEMs and REPLY-ITEMs (users)
-
fixed: typos in descriptions (users,settings,clients)
There is now a wiki about freeradius2 in the pfSense docs. You are welcome to contribute!
http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package -
-
I saw some features not compiled for it like:
-
ActiveDirectory
-
LDAP
-
SQL
Do you need help on trying to compile it and find a <build_options>for pkg_config ?</build_options>
-
-
I saw some features not compiled for it like:
-
ActiveDirectory
-
LDAP
-
SQL
Do you need help on trying to compile it and find a <build_options>for pkg_config ?</build_options>
Hi,
yes there are features which are not compiled yet. I posted on dev-mailinglist last year with the build options I need.
Take a look here:
http://lists.pfsense.org/pipermail/dev/2011-December/000100.htmlWITH_KERBEROS=yes (I need this for ActiveDirectory I think + samba) WITH_LDAP=yes WITH_MYSQL=yes WITH PGSQL=yes WITH_EXPERIMENTAL=yes WITH_PERL=yes (on by default) WITH_PYTHON=yes (on by default) WITHOUT_USER=yes (I do not want to chroot and so this feature makes no sense)
I talked with mdima and he pointed me to the ports and the available build options I posted on dev-list.
If you could help it would be great, of course :-)
-
-
there is a field in pkg_info for compile options:
. . . <build_port_path>/usr/ports/mail/postfix</build_port_path> <build_options>WITH_PCRE=true WITH_SPF=true WITH_SASL2=true WITH_TLS=true</build_options>
The best way before editing pkg_config is:
-
build a virtual machine with freebsd 8.1
-
update freebsd to get current version using freebsd-update
-
fetch ports with portsnap fetch && portsnap extract
-
build freeradius with selected options
-
make freeradius and dependecies packages
-
install this package on pfsense(lab)
-
If nothing is break after that, include <build_options>to pkg_config</build_options>
Not that simple but not that hard. ;)
I'll compile freeradius with these options and feedback.
-