NEW Package: freeRADIUS 2.x

Nachtfalke · Jan 3, 2012, 4:48 PM

As long as you are doing all my work - please let me know if I could help you at least a bit :P

marcelloc · Jan 3, 2012, 5:00 PM

@Nachtfalke:

As long as you are doing all my work -

That's fun :D

Instead of pcbsd, try a pure freebsd.

please let me know if I could help you at least a bit :P

we are helping each other. I compile and you check dependencies

tritron · Jan 3, 2012, 7:20 PM

Is it posible to use existing users of activedirectory in this package ? Pfsense comes with certeficate managment and user list and works with active directory and also freeradius supports active directory.
So would be nice to remove certiificate option and user option and just use pfsense user list or other servers that are listed in user settings in pfsense. Does the current package supports active directory if i edit config by hand or the module is not compiled in ?

marcelloc · Jan 3, 2012, 7:30 PM

@tritron:

Does the current package supports active directory if i edit config by hand or the module is not compiled in ?

That's what we is trying to do. ;)

For now it's not supported as we are compiling freeradius with kerberos and etc.

After binaries are ok, Nachtfalke will continue package update.

marcelloc · Jan 3, 2012, 7:31 PM

Nachtfalke,

mysql5.5 and postgres9.1.2 are uploaded.

I'm also doind this job to i386 the link is

http://e-sac.siteseguro.ws/packages/8/All/

Nachtfalke · Jan 3, 2012, 7:59 PM

Okay, then I will reset my VMs and test. :)

Nachtfalke · Jan 3, 2012, 9:06 PM

Feedback for tested machine pfsense 2.0.1 amd64:
This installs without errors or missing dependencies:
http://e-sac.siteseguro.ws/packages/amd64/8/All/freeradius-2.1.12.tbz

I need to manually install these packages because ldap and *sql have missing files.

pkg_add -r http://e-sac.siteseguro.ws/packages/amd64/8/All/mysql-client-5.1.60.tbz
pkg_add -r http://e-sac.siteseguro.ws/packages/amd64/8/All/cyrus-sasl-2.1.25_1.tbz
pkg_add -r http://e-sac.siteseguro.ws/packages/amd64/8/All/openldap-sasl-client-2.4.26.tbz

Still the (minor) error with this package:
http://e-sac.siteseguro.ws/packages/amd64/8/All/cyrus-sasl-2.1.25_1.tbz

[2.0.1-RELEASE][admin@pfsense.localdomain]/root(13): pkg_add -r http://e-sac.siteseguro.ws/packages/8/All/cyrus-sasl-2.1.25_1.tbz
Fetching http://e-sac.siteseguro.ws/packages/8/All/cyrus-sasl-2.1.25_1.tbz... Done.
Fetching http://e-sac.siteseguro.ws/packages/8/All/db41-4.1.25_4.tbz... Done.
*** Added group `cyrus' (id 60)
*** Added user `cyrus' (id 60)
/libexec/ld-elf.so.1: Shared object "libgssapi.so.10" not found, required by "saslpasswd2"
/libexec/ld-elf.so.1: Shared object "libgssapi.so.10" not found, required by "sasldblistusers2"
WARNING: Failed to create /usr/local/etc/sasldb2

You can use sasldb2 for authentication, to add users use:

        saslpasswd2 -c username

If you want to enable SMTP AUTH with the system Sendmail, read
Sendmail.README

NOTE: This port has been compiled with a default pwcheck_method of
      auxprop.  If you want to authenticate your user by /etc/passwd,
      PAM or LDAP, install ports/security/cyrus-sasl2-saslauthd and
      set sasl_pwcheck_method to saslauthd after installing the
      Cyrus-IMAPd 2.X port.  You should also check the
      /usr/local/lib/sasl2/*.conf files for the correct
      pwcheck_method.

After installing all above I can start radiusd. This is what I tested:
plain users file authentication using "radtest" tool.
Authentication works.

I enabled ldap and configured users file to only use ldap to authenticate users:
freeradius is starting, loading the ldap modules and default configuration. I have tested with "radtest" tool and the radius tries to connect to ldap. I do not have any LDAP/AD configured so I could not finally test that. But it looks like it should work.

I disabled ldap and enabled sql.
using "MYSQL" as datasbase and "POSTGRESSQL" is working. I still have no database to test but I did the tests from ldap and freeradius tries to connect to sql database.

We didn't compile ORACLE because this is still experimental.
Something what is a bit strange is that I could choose "MSSQL" in sql.conf but the there is the rlm_sql_mssql.sq module missing. But there is no build option in Makefile for this database support. Perhaps we could think about that in future versions but not at the moment.

Kerberos module has all dependencies but could not test it. Kerberos together with samba to use MS AD to authenticate.
That is something what isn't really clear for me at the moment and the freeradius documentation isn't, too. Is the ldap module enough to connect to an MS AD or do we really need to go the way using kerberos and samba. perhaps the second way is the way which fully sopports MS AD. As far as I know Windows Server 2003 and high have the ability to communicate with the LDAP protocol.
But there is nothing we can do now - I think.

I will go on testing i386 as I did it with amd64.

marcelloc · Jan 3, 2012, 9:12 PM

The missing Shared object are not related to cyrus packages but on files not included in pfSense. That why I created a folder with missing libs

It's easy to work around in xml instalation.

cyrus is also used in postfix for authentication in smtp.

Nachtfalke · Jan 3, 2012, 9:45 PM

@marcelloc:

The missing Shared object are not related to cyrus packages but on files not included in pfSense. That why I created a folder with missing libs

It's easy to work around in xml instalation.

cyrus is also used in postfix for authentication in smtp.

Yes, we can use "additionalfilesneeded" right ?

i386:
It is not build with PostgreSQL.
And "openldap-sasl-client-2.4.26.tbz" is missing on your server.
"Cyrus-sasl" installs fine when I add the "ldd" files before.
krb5 is ok with dependencies, mysql is too.

Puhhh, that was really hard work on this package…for you :P
But great job till now. SQL and LDAP support will make this package interesting for some people :)

gettons · Jan 3, 2012, 9:55 PM

Hi,

I have just removed the old package and installed the current one 2.1.12 pkg v1.4.2
The configuration has been kept back, but now I cannot login properly.

This is the log :

Tue Jan 3 21:52:49 2012 : Auth: Login incorrect: [$MYUSER/<via auth-type="EAP">] (from client pfsenselocal port 0 cli B4-07-F9-E5-9F-81)</via>

I have also tried to reset the username and pass but It did not work.

It was fine before upgrading though.

Thanks

Nachtfalke · Jan 3, 2012, 10:05 PM

@gettons:

Hi,

I have just removed the old package and installed the current one 2.1.12 pkg v1.4.2
The configuration has been kept back, but now I cannot login properly.

This is the log :

Tue Jan 3 21:52:49 2012 : Auth: Login incorrect: [$MYUSER/<via auth-type="EAP">] (from client pfsenselocal port 0 cli B4-07-F9-E5-9F-81)</via>

I have also tried to reset the username and pass but It did not work.

It was fine before upgrading though.

Thanks

Which pkg version did you use before ?
Do you user certificates or just username/password ?
Do you connect from a windows client ?

Can you post output of "users" file ? (View Config -> users)

gettons · Jan 3, 2012, 11:16 PM

Hi thanks for you quick reply :-)

I used the 1.4.0 I think, I did upgrade yesterday if I am not wrong. Today I found there was a new update so I have upgraded straightaway as I have never had any problems in the past to upgrade to the very next version.

I use only username and password, not any certificate at the moment, but it's something I will look into.

I am using my android mobile phone gingerbread v. 2.3.6 ( used to work yesterday ).

The config file is :

/usr/local/etc/raddb/users

"myuser" Cleartext-Password := "mypass", Simultaneous-Use := "3"

Nachtfalke · Jan 3, 2012, 11:33 PM

Is this the only output in syslog according freeradius ?

Cann you stop freeradius service in GUI, SSH to your machine and start radiusd in debug mode.
Just type in:

radiusd -X

This is a capital X

Then the last lines of the output should be
"Ready to process requests"

Then try to connect with your client/phone and post the output of freeradius when the client tries to connect.

gettons · Jan 3, 2012, 11:55 PM

nope, that is the output of catting users.
But what I noticed something weird:

1)I can connect if I choose TLS instead of PEAP.
2)then if I disconnect and use PEAP again it does work ( guess it does not do any further check as if successfully logged in minutes ago

But If I reboot the pfsense box and try to connect using PEAP first it won't work.

This is from my laptop, which is a ubuntu oneiric 32bit using ralink chipset.

$ cat /var/log/radius.log
Tue Jan 3 23:50:19 2012 : Info: Loaded virtual server <default>Tue Jan 3 23:50:19 2012 : Info: Loaded virtual server soh-server
Tue Jan 3 23:50:19 2012 : Info: Ready to process requests.
Tue Jan 3 23:50:20 2012 : Info: Signalled to terminate
Tue Jan 3 23:50:20 2012 : Info: Exiting normally.
Tue Jan 3 23:50:28 2012 : Info: Loaded virtual server <default>Tue Jan 3 23:50:28 2012 : Info: Loaded virtual server soh-server
Tue Jan 3 23:50:28 2012 : Info: Ready to process requests.
Tue Jan 3 23:51:02 2012 : Auth: Invalid user: [gettons/<no user-password="" attribute="">] (from client wifi-ap port 0 via TLS tunnel)
Tue Jan 3 23:51:02 2012 : Auth: Login incorrect: [gettons/<via auth-type="EAP">] (from client wifi-ap port 0 cli E0-CA-94-36-3E-68)
Tue Jan 3 23:51:09 2012 : Auth: Invalid user: [gettons/<no user-password="" attribute="">] (from client wifi-ap port 0 via TLS tunnel)
Tue Jan 3 23:51:09 2012 : Auth: Login incorrect: [gettons/<via auth-type="EAP">] (from client wifi-ap port 0 cli E0-CA-94-36-3E-68)
Tue Jan 3 23:51:14 2012 : Auth: Invalid user: [gettons/<no user-password="" attribute="">] (from client wifi-ap port 0 via TLS tunnel)
Tue Jan 3 23:51:14 2012 : Auth: Login incorrect: [gettons/<via auth-type="EAP">] (from client wifi-ap port 0 cli E0-CA-94-36-3E-68)
Tue Jan 3 23:51:18 2012 : Auth: Invalid user: [gettons/<no user-password="" attribute="">] (from client wifi-ap port 0 via TLS tunnel)
Tue Jan 3 23:51:18 2012 : Auth: Login incorrect: [gettons/<via auth-type="EAP">] (from client wifi-ap port 0 cli E0-CA-94-36-3E-68)
Tue Jan 3 23:51:22 2012 : Auth: Invalid user: [gettons/<no user-password="" attribute="">] (from client wifi-ap port 0 via TLS tunnel)
Tue Jan 3 23:51:22 2012 : Auth: Login incorrect: [gettons/<via auth-type="EAP">] (from client wifi-ap port 0 cli E0-CA-94-36-3E-68)
Tue Jan 3 23:51:43 2012 : Auth: Login OK: [gettons/<via auth-type="mschap">] (from client wifi-ap port 0 via TLS tunnel)
Tue Jan 3 23:51:43 2012 : Auth: Login OK: [gettons/<via auth-type="EAP">] (from client wifi-ap port 0 cli E0-CA-94-36-3E-68)</via></via></via></no></via></no></via></no></via></no></via></no></default></default>

marcelloc · Jan 4, 2012, 12:00 AM

Nachtfalke,

I've just uploaded freeradius2 and openldap-sasl.

Nachtfalke · Jan 4, 2012, 12:23 AM

@gettons
Not sure if this is an problem of freeradius or a configuration "problem" of your AP or freeradius-EAP setup.
The package offers the default settings which are in the eap.conf file. I am unsure what you have to change as I need to read the docs and wikis on freeradius first.

You could try with "copy reply to tunnel".

You further did not post the output of what "radiusd -X" is showing. radius.log and system.log do not offer all "errors".

@marcelloc,
I will test the i386 package as far as I get some time. It is late now in middle europe :P
You will get my feedback tomorrow morning.

sandern · Jan 4, 2012, 10:53 AM

@Nachtfalke:

This should work by default as far as I know for now. The CISCO SG300-28 switch for example is sending the MAC address in username and password, all small letters without whitespace.
So you take a look on the user's guide and check the format the MAC address is sent.

If the PCs MAC address is for example:
00:11:AA:BC:DE:FF

Than the username and password in freeradius users should be:
0011aabcdeff

Please post back if you could try this and if it is working or not.
I am on vacation until 09 january 2012 and do not have the chance to test this all on a real switch and environment.
This is on my "todo" list - to check all features I added just from How-To's in real ;-)

I'm afraid I can't test this as our switches don't support 802.1x mac authentication, only port based. (With the Calling-Station-ID attribute) but by looking to the Mac-Auth info on the freeradius website it looks very easy to implement both a user auth and if that should fail, try the Calling-Station-ID for mac-auth.

In that way also switches that won't support 802.1x mac auth could be supported.

I'll test this out tomorrow if I can modify your config file a bit to make this work.

Nachtfalke · Jan 4, 2012, 11:03 AM

@sander
Yes, of course, you are welcome! :-)
freeRADIUS offers so much options and I really do not know all of them or used them. So it is really great if someone could help and test things :-)

@marcelloc
I tested the package you compiled on i386
It is working as well as the amd64 but a little bit better ;o)

freeradius-2.1.12.tbz is now installing the dependencies "postgresql" and "mysql-client" on its own.
I then copied the missing files from your "ldd" folder to /usr/local/lib/ and installed the "openldap-client" which automatically installed the "cyrus-sasl" dependency.

The tests I did above with amd64 (mysql, postgresql, ldap) had the same (positiv) result as on i386. :D

Ok, now I will try to find out how to use a wireless-AP with WPA/WPA2-Enterprise and PEAP and EAP-MSCHAPv2 on a Windows XP client and why it isn't working as expected by gettons.

Nachtfalke · Jan 4, 2012, 1:52 PM

Updates pkg v1.4.3

changed: service name and description (Services)
fixed: EAP-PEAP - there were problems when starting "soh" server. (eap)
Added: ability to change if MS Statement of Health should be enabled in EAP-PEAP or not. (eap)

@gettons
I tried with an Windows XP Client and an D-Link DIR-300 with DD-WRT firmware. Enabled WPA2 Enterprise on AP, added the AP-IP as NAS/Client on freeRADIUS server with same "shared secret".
Added a user "test" with password "test".

I had to import the "ca.der" from freeradius on the Windows XP Client and import it there and choose it in the network connections. This is how it is described here (german how-to) with many pictures:
http://www.administrator.de/index.php?content=142241

For my Windows XP Client the authentication is working with PEAP and MSCHAPv2.
The first time I connect I have to enter my user credentials (a windows window pops up where I enter username and password) - then I got connected. I got output in syslog if it works or not.

When I connect the second time then I do NOT need to enter username and password again.

Hope this will solve your problem. Feedback appreciated :-)

Nachtfalke · Jan 4, 2012, 2:15 PM

@gettons

I did some more tests and there are two possibilities.
If you disable "Check Server certificates" (see attachment) than you can connect just with the username. Then you do not need to import anything fromm freeradius server on the client.

The other possibility is that you ENABLE "Check Server Certificates" (see other attachment) and then you will be promted to accept the CA or not. If you accept then this cert will be added to your cert store. In Windows XP you can check this from here:

Start -> run -> certmgr.msc
There you find - I think it is the second from top (in german: "Stammzertifizierungsstelle"). There you should find the CA you accepted.

![PEAP check cert.JPG](/public/imported_attachments/1/PEAP check cert.JPG)
![PEAP check cert.JPG_thumb](/public/imported_attachments/1/PEAP check cert.JPG_thumb)