NEW Package: freeRADIUS 2.x

zlyzwy

@Nachtfalke
@Nachtfalke:

Did you solve the probem in "clients.conf" ? There was an error because of an open brace "{". This shouldn't happen if you create the clients from the GUI.

I always create the client from the GUI. I am sure I can solve it by remove all the clients from GUI and add the clients again.
This is happening when I upgrade/re-install the package.

=========================================================================
By entering the debug mode, I also find the problem. Do the following step in console will be all right.
1.```
service radiusd stop

2\.```
Radiusd -X

The debug is really useful~~

=========================================================================
I must prepare the database first. The SQL script can be found at latest Freeradius release.
(freeradius-server-2.1.12\raddb\sql\mysql)

Nachtfalke

Updates pkg v1.5.2:

• Added: "Amount of Time" and "Amount of Traffic" per user connected through captive portal and freeradius2

• Updated: FreeRADIUS 2.x package on pfSense documentation

firestrife23

I tried to upgrade package to v1.5.2 and it get stuck at "Loading package instructions…"

Nachtfalke

@firestrife23:

I tried to upgrade package to v1.5.2 and it get stuck at "Loading package instructions…"

No problems here on amd64 and i386. Updating from pkg v1.5.1 to v1.5.2.

Removing freeradius2 components...
Tabs items... done.
Menu items... done.
Services... done.
Loading package instructions...
Deinstall commands... done.
Removing package instructions...done.
Auxiliary files... done.
Package XML... done.
Configuration... done.
Beginning package installation for freeradius2...
Downloading package configuration file... done.
Saving updated package information... done.
Downloading freeradius2 and its dependencies... 
Checking for package installation... Loading package configuration... done.
Configuring package components...
Additional files... done.
Loading package instructions...
Custom commands...
Executing custom_php_install_command()...done.
Executing custom_php_resync_config_command()...done.
Custom commands...
Executing custom_php_install_command()...done.
Executing custom_php_resync_config_command()...done.
Menu items... done.
Integrated Tab items... done.
Services... done.
Writing configuration... done.

Package reinstalled.

pszafer

ok, first I want show you that PAP working for me:

first question:

radtest -t pap addressbook ppp123PPP 10.8.0.1 1 ppp123PPP
Sending Access-Request of id 172 to 10.8.0.1 port 1812
	User-Name = "addressbook"
	User-Password = "ppp123PPP"
	NAS-IP-Address = 10.8.0.1
	NAS-Port = 1
	Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 10.8.0.1 port 1812, id=172, length=20

Now on radiusd -X side:

Ready to process requests.
rad_recv: Access-Request packet from host 10.8.0.1 port 63417, id=172, length=81
	User-Name = "addressbook"
	User-Password = "ppp123PPP"
	NAS-IP-Address = 10.8.0.1
	NAS-Port = 1
	Message-Authenticator = 0x84a2dbf3faa9c1eed0e6b541fe4773bb
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "addressbook", skipping NULL due to config.
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "addressbook", skipping NULL due to config.
++[ntdomain] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[ldap] performing user authorization for addressbook
[ldap] 	expand: (sAMAccountName=%{mschap:User-Name}) -> (sAMAccountName=addressbook)
[ldap] 	expand: cn=Users,dc=p,dc=t -> cn=Users,dc=p,dc=t
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to server.p.t:389, authentication 0
  [ldap] bind as cn=addressbook,cn=Users,dc=p,dc=t/ppp123PPP to server.p.t:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in cn=Users,dc=p,dc=t, with filter (sAMAccountName=addressbook)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldap] Setting Auth-Type = LDAP
[ldap] user addressbook authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[daily] returns noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[weekly] returns noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[monthly] returns noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[forever] returns noop
rlm_checkval: Could not find item named Calling-Station-Id in request
rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
++[checkval] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = LDAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group LDAP {...}
[ldap] login attempt by "addressbook" with password "ppp123PPP"
[ldap] user DN: CN=addressbook,CN=Users,DC=p,DC=t
  [ldap] (re)connect to server.p.t:389, authentication 1
  [ldap] bind as CN=addressbook,CN=Users,DC=p,DC=t/ppp123PPP to server.p.t:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
[ldap] user addressbook authenticated succesfully
++[ldap] returns ok
Login OK: [addressbook] (from client admin port 1)
# Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 172 to 10.8.0.1 port 63417
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 172 with timestamp +5
Ready to process requests.

Now I'm trying to get ktutil work, but not sure if really needed it.

Nachtfalke

@pszafer:

ok, first I want show you that PAP working for me:

first question:

radtest -t pap addressbook ppp123PPP 10.8.0.1 1 ppp123PPP
Sending Access-Request of id 172 to 10.8.0.1 port 1812
	User-Name = "addressbook"
	User-Password = "ppp123PPP"
	NAS-IP-Address = 10.8.0.1
	NAS-Port = 1
	Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 10.8.0.1 port 1812, id=172, length=20

Now on radiusd -X side:

Ready to process requests.
rad_recv: Access-Request packet from host 10.8.0.1 port 63417, id=172, length=81
	User-Name = "addressbook"
	User-Password = "ppp123PPP"
	NAS-IP-Address = 10.8.0.1
	NAS-Port = 1
	Message-Authenticator = 0x84a2dbf3faa9c1eed0e6b541fe4773bb
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "addressbook", skipping NULL due to config.
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "addressbook", skipping NULL due to config.
++[ntdomain] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[ldap] performing user authorization for addressbook
[ldap] 	expand: (sAMAccountName=%{mschap:User-Name}) -> (sAMAccountName=addressbook)
[ldap] 	expand: cn=Users,dc=p,dc=t -> cn=Users,dc=p,dc=t
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to server.p.t:389, authentication 0
  [ldap] bind as cn=addressbook,cn=Users,dc=p,dc=t/ppp123PPP to server.p.t:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in cn=Users,dc=p,dc=t, with filter (sAMAccountName=addressbook)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldap] Setting Auth-Type = LDAP
[ldap] user addressbook authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[daily] returns noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[weekly] returns noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[monthly] returns noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[forever] returns noop
rlm_checkval: Could not find item named Calling-Station-Id in request
rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
++[checkval] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = LDAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group LDAP {...}
[ldap] login attempt by "addressbook" with password "ppp123PPP"
[ldap] user DN: CN=addressbook,CN=Users,DC=p,DC=t
  [ldap] (re)connect to server.p.t:389, authentication 1
  [ldap] bind as CN=addressbook,CN=Users,DC=p,DC=t/ppp123PPP to server.p.t:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
[ldap] user addressbook authenticated succesfully
++[ldap] returns ok
Login OK: [addressbook] (from client admin port 1)
# Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 172 to 10.8.0.1 port 63417
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 172 with timestamp +5
Ready to process requests.

Now I'm trying to get ktutil work, but not sure if really needed it.

Looks good as far as I can see that.
It is ok that there are some warnings and some other auth-types which fail but this is the order of the auth-type modules.
And the output shows that the user gets authenticated with auth-type ldap. :)

Not sure for what we need ktutil !?!

Perhaps you can write a little how-to how you configured that, whats your domain name, what you entered on AD and so on. It would help me and others. Did you have to edit some other files by hand ? If yes then tell me what and I will try to implement that into GUI if needed!

So far thank you very much for taking time and testing this - testing my package and functionalities I could not test at the moment! I really appreciate your help! :)

pszafer

of course I will write about this soon, but this is not what we want to accomplish.
why?
PAP in Windows 7 is disabled by group policy and I agree with MS in that, because sending password in plain text via WiFi would be irresponsible

I need ktutil because that util is used in how to from link you gave ;)

pszafer

so trully it is not so much to do:

1. Edit /usr/local/etc/raddb/sites-enabled/default

in authorize section (I'm not sure if it wasn't like this originally):

• comment unix line #
• uncomment line ntdomain
• uncomment ldap line
• uncomment or add pap line

in authenticate section:

• add or uncomment

Auth-Type PAP {
		pap
	}

in preacct section:

• uncomment ntdomain line

post-auth section:

• comment ldap section
  ===========================
  in radiusd.conf add in the end of file:
  $INCLUDE policy.conf
  $INCLUDE sites-enabled/
  ===========================
  modules/ldap looks like this:

ldap {
	#
	#  Note that this needs to match the name in the LDAP
	#  server certificate, if you're using ldaps.
	server = "server.p.t"
	identity = "cn=freeradiususer,cn=Users,dc=p,dc=t"
	password = ppp123PPP
	basedn = "cn=Users,dc=p,dc=t"
	filter = "(sAMAccountName=%{mschap:User-Name})"
	#base_filter = "(objectclass=radiusprofile)"

I think that's it.

Now I'm trying to understand what we need to get MSCHAP working!

Nachtfalke

@pszafer:

so trully it is not so much to do:

1. Edit /usr/local/etc/raddb/sites-enabled/default

in authorize section (I'm not sure if it wasn't like this originally):

• comment unix line #
• uncomment line ntdomain
• uncomment ldap line
• uncomment or add pap line

This is the default if you install freeradius2 package. I did all these changes. Unis line is commented by default. I configured ntdomain as you need it here. LDAP line will be commented or uncommented if we enable/disable it on LDAP GUI (authorization).

@pszafer:

in authenticate section:

• add or uncomment

Auth-Type PAP {
		pap
	}

This is default. If we do not need LDAP in authentication than we can enable/disable this from LDAP GUI. PAP is there by default.

@pszafer:

in preacct section:

• uncomment ntdomain line

I did that in the past and it is default after package installation.

@pszafer:

post-auth section:

• comment ldap section

Is by default commented. We do not have any option to change that from GUI.

@pszafer:

===========================
in radiusd.conf add in the end of file:
$INCLUDE policy.conf
$INCLUDE sites-enabled/

This is by default.

@pszafer:

modules/ldap looks like this:

ldap {
	#
	#  Note that this needs to match the name in the LDAP
	#  server certificate, if you're using ldaps.
	server = "server.p.t"
	identity = "cn=freeradiususer,cn=Users,dc=p,dc=t"
	password = ppp123PPP
	basedn = "cn=Users,dc=p,dc=t"
	filter = "(sAMAccountName=%{mschap:User-Name})"
	#base_filter = "(objectclass=radiusprofile)"

I added the commented lines to the GUI. So they are now UNcommented. Not sure if the default entries are ok or not.
But I think we can change this when we need to. When you telling me this :D

@pszafer:

I think that's it.

Now I'm trying to understand what we need to get MSCHAP working!

Great! :-)

firestrife23

What's the advantage of enabling SQL server? Because I don't see it on pfSense documentation.

zlyzwy

Hi Nachtfalke,

I just tested with Captive Portal + FreeRadius + MySQL for a Hotspot site.

Basically it's now working here, I can login through CP and see the login information in MySQL.

There are still two options that I can't work it around.

1. per-user bandwidth restriction
This option is available in CP. But it's a global setting which means it will effect all clients with same setting.
I think there should have the same settings according to account? Does FreeRadius support it yet?

2. RADIUS MAC authentication
I tested this function, it doesn't work. I always get the login page even I added the MAC in FreeRadius.
With the same setting, pass-through MACs in CP does work properly. Once I add the MAC, it works immediately.

Thanks for your patient.

Nachtfalke

@firestrife23:

What's the advantage of enabling SQL server? Because I don't see it on pfSense documentation.

The advantage of a SQL database is if you have many many users. If you add many users to the freeradius users file - I would say 500+ - than your response time can be slow because the freeradius server has to go through the list from top to down until finding the user or not. So you should check the documentation about "Status server updates". There you will get information about how your RADIUS server performs and if the server can handle the requests. If you use a database the requests can be processes faster if you have many users because of the structur. This are the performance advantages.

For accounting there are better possibilities to do SELECTs on the database but you have to configure the sqlcounter module that it works for you.

An other point could be that you create a web GUI for your SQL database so that people could add new users to the database but should not have access to pfsense or freeradius. This could be useful in a hotel - you setup the freeradius and the connection to the database and the rest will be done from a separate web GUI from the hotel people.

That's my opinion. Perhaps I will add this to the pfsense docs ;)

@zlyzwy
Can you write down the steps you did for creating the database, importing the tables (names of tables) and how you configured freeradius SQL ?

1.) I will add this in the next days so we have the possibility to set separate Download und upload bandwidth for users (overwriting the settings from CP which are for ALL users). I have coded this but it is on my HDD at home ;o)
Or do you meand volume of traffic like 500MB in max per week ? This is supported from freeradius and CP but with some disadvantages which I wrote down in the docs.

2.) I will try to test this at home with CP if I found some time. Sending the "Calling-Station-ID" (MAC) is working but I didn't test it with CP.

gigg

Hi Guys,

i have decided to see if I can replace another solution we using with a Pfsense Captive portal and a Psfense Radius solution. But, I follow the instructions on the Radius documentation, but the first hiccup I have is that i dont have the option to even install the package.

In pfsense 2.x go to System => Packages => Available Packages and click on the + behind freeradius2.
    After Installation go to Services => FreeRADIUS

Am I blind or is the package option just not on the 2.0.1 menu? :)

Regards,

Gigg

zlyzwy

@zlyzwy
Can you write down the steps you did for creating the database, importing the tables (names of tables) and how you configured freeradius SQL ?

Sure:)
In general, I used PhpMyAdmin to manage MySQL database, you can use any other tools as you like.
All the following .SQL files can be found in latest FreeRadius package.(http://freeradius.org/download.html)

MYSQL
1. Create the database named radius from PhpMyAdmin

CREATE DATABASE  `radius` ;

2. Import the table 'admin'. Please change  'localhost' to your Pfsense name or just changed it to '%' which means from any client can connect to MySQL. Of course you can also change the default password('radpass') here.

#
#  Create default administrator for RADIUS
#
CREATE USER 'radius'@'localhost';
SET PASSWORD FOR 'radius'@'localhost' = PASSWORD('radpass');

# The server can read any table in SQL
GRANT SELECT ON radius.* TO 'radius'@'localhost';

# The server can write to the accounting and post-auth logging table.
#
#  i.e. 
GRANT ALL on radius.radacct TO 'radius'@'localhost';
GRANT ALL on radius.radpostauth TO 'radius'@'localhost';

3. Import the table 'schema'. I don't change anything and it works fine.

###########################################################################
# $Id$                 #
#                                                                         #
#  schema.sql                       rlm_sql - FreeRADIUS SQL Module       #
#                                                                         #
#     Database schema for MySQL rlm_sql module                            #
#                                                                         #
#     To load:                                                            #
#         mysql -uroot -prootpass radius < schema.sql                     #
#                                                                         #
#                                   Mike Machado <mike@innercite.com>#
###########################################################################
#
# Table structure for table 'radacct'
#

CREATE TABLE radacct (
  radacctid bigint(21) NOT NULL auto_increment,
  acctsessionid varchar(64) NOT NULL default '',
  acctuniqueid varchar(32) NOT NULL default '',
  username varchar(64) NOT NULL default '',
  groupname varchar(64) NOT NULL default '',
  realm varchar(64) default '',
  nasipaddress varchar(15) NOT NULL default '',
  nasportid varchar(15) default NULL,
  nasporttype varchar(32) default NULL,
  acctstarttime datetime NULL default NULL,
  acctstoptime datetime NULL default NULL,
  acctsessiontime int(12) default NULL,
  acctauthentic varchar(32) default NULL,
  connectinfo_start varchar(50) default NULL,
  connectinfo_stop varchar(50) default NULL,
  acctinputoctets bigint(20) default NULL,
  acctoutputoctets bigint(20) default NULL,
  calledstationid varchar(50) NOT NULL default '',
  callingstationid varchar(50) NOT NULL default '',
  acctterminatecause varchar(32) NOT NULL default '',
  servicetype varchar(32) default NULL,
  framedprotocol varchar(32) default NULL,
  framedipaddress varchar(15) NOT NULL default '',
  acctstartdelay int(12) default NULL,
  acctstopdelay int(12) default NULL,
  xascendsessionsvrkey varchar(10) default NULL,
  PRIMARY KEY  (radacctid),
  KEY username (username),
  KEY framedipaddress (framedipaddress),
  KEY acctsessionid (acctsessionid),
  KEY acctsessiontime (acctsessiontime),
  KEY acctuniqueid (acctuniqueid),
  KEY acctstarttime (acctstarttime),
  KEY acctstoptime (acctstoptime),
  KEY nasipaddress (nasipaddress)
) ;

#
# Table structure for table 'radcheck'
#

CREATE TABLE radcheck (
  id int(11) unsigned NOT NULL auto_increment,
  username varchar(64) NOT NULL default '',
  attribute varchar(64)  NOT NULL default '',
  op char(2) NOT NULL DEFAULT '==',
  value varchar(253) NOT NULL default '',
  PRIMARY KEY  (id),
  KEY username (username(32))
) ;

#
# Table structure for table 'radgroupcheck'
#

CREATE TABLE radgroupcheck (
  id int(11) unsigned NOT NULL auto_increment,
  groupname varchar(64) NOT NULL default '',
  attribute varchar(64)  NOT NULL default '',
  op char(2) NOT NULL DEFAULT '==',
  value varchar(253)  NOT NULL default '',
  PRIMARY KEY  (id),
  KEY groupname (groupname(32))
) ;

#
# Table structure for table 'radgroupreply'
#

CREATE TABLE radgroupreply (
  id int(11) unsigned NOT NULL auto_increment,
  groupname varchar(64) NOT NULL default '',
  attribute varchar(64)  NOT NULL default '',
  op char(2) NOT NULL DEFAULT '=',
  value varchar(253)  NOT NULL default '',
  PRIMARY KEY  (id),
  KEY groupname (groupname(32))
) ;

#
# Table structure for table 'radreply'
#

CREATE TABLE radreply (
  id int(11) unsigned NOT NULL auto_increment,
  username varchar(64) NOT NULL default '',
  attribute varchar(64) NOT NULL default '',
  op char(2) NOT NULL DEFAULT '=',
  value varchar(253) NOT NULL default '',
  PRIMARY KEY  (id),
  KEY username (username(32))
) ;

#
# Table structure for table 'radusergroup'
#

CREATE TABLE radusergroup (
  username varchar(64) NOT NULL default '',
  groupname varchar(64) NOT NULL default '',
  priority int(11) NOT NULL default '1',
  KEY username (username(32))
) ;

#
# Table structure for table 'radpostauth'
#

CREATE TABLE radpostauth (
  id int(11) NOT NULL auto_increment,
  username varchar(64) NOT NULL default '',
  pass varchar(64) NOT NULL default '',
  reply varchar(32) NOT NULL default '',
  authdate timestamp NOT NULL,
  PRIMARY KEY  (id)
) ;</mike@innercite.com> 

4. Import the rest of tables one by one.

#
# Table structure for table 'cui'
#
CREATE TABLE `cui` (
  `clientipaddress` varchar(15) NOT NULL default '',
  `callingstationid` varchar(50) NOT NULL default '',
  `username` varchar(64) NOT NULL default '',
  `cui` varchar(32) NOT NULL default '',
  `creationdate` timestamp NOT NULL default CURRENT_TIMESTAMP,
  `lastaccounting` timestamp NOT NULL default '0000-00-00 00:00:00',
  PRIMARY KEY  (`username`,`clientipaddress`,`callingstationid`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;

#
# Table structure for table 'radippool'
#
CREATE TABLE radippool ( 
  id                    int(11) unsigned NOT NULL auto_increment,
  pool_name             varchar(30) NOT NULL,
  framedipaddress       varchar(15) NOT NULL default '',
  nasipaddress          varchar(15) NOT NULL default '',
  calledstationid       VARCHAR(30) NOT NULL,
  callingstationid      VARCHAR(30) NOT NULL,
  expiry_time           DATETIME NULL default NULL,
  username              varchar(64) NOT NULL default '',
  pool_key              varchar(30) NOT NULL,
  PRIMARY KEY (id),
  KEY radippool_poolname_expire (pool_name, expiry_time),
  KEY framedipaddress (framedipaddress),
  KEY radippool_nasip_poolkey_ipaddress (nasipaddress, pool_key, framedipaddress)
) ENGINE=InnoDB;

#
# Table structure for table 'nas'
#
CREATE TABLE nas (
  id int(10) NOT NULL auto_increment,
  nasname varchar(128) NOT NULL,
  shortname varchar(32),
  type varchar(30) DEFAULT 'other',
  ports int(5),
  secret varchar(60) DEFAULT 'secret' NOT NULL,
  server varchar(64),
  community varchar(50),
  description varchar(200) DEFAULT 'RADIUS Client',
  PRIMARY KEY (id),
  KEY nasname (nasname)
);

#
# WiMAX Table structure for table 'wimax',
# which replaces the "radpostauth" table.
#

CREATE TABLE wimax (
  id int(11) NOT NULL auto_increment,
  username varchar(64) NOT NULL default '',
  authdate timestamp NOT NULL,
  spi varchar(16) NOT NULL default '',
  mipkey varchar(400) NOT NULL default '',
  lifetime int(12) default NULL,
  PRIMARY KEY  (id),
  KEY username (username),
  KEY spi (spi)
) ;

FreeRadius
After that, go back to your FreeRadius web interface, In SQL tab, enable the SQL support and change the following items.
Enable SQL Support  –> Check
Enable SQL Authorization  --> Enable
Enable SQL Accounting  --> Enable
Enable SQL Session  --> Enable
Enable SQL Post-Auth  --> Enable
Server IP Address --> A.B.C.D
Database Password  --> PASSWORD

TEST
To test Freeradius work or not, follow the step in Freeradius doc (http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package)
Once you receiving the following msg

rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=1, length=20

Check the 'radpostauth' table, if you find the record like this:

15	test	test	Access-Accept	2012-01-17 20:21:04

All right, your FreeRadius is now connecting to MySQL.
:)

Nachtfalke

@gigg:

Hi Guys,

i have decided to see if I can replace another solution we using with a Pfsense Captive portal and a Psfense Radius solution. But, I follow the instructions on the Radius documentation, but the first hiccup I have is that i dont have the option to even install the package.

In pfsense 2.x go to System => Packages => Available Packages and click on the + behind freeradius2.
    After Installation go to Services => FreeRADIUS

Am I blind or is the package option just not on the 2.0.1 menu? :)

Regards,

Gigg

Hi Gigg,

freeradius2 package is available for i386 and amd64, pfsense 2.0 and 2.0.1. I could just try on server with a HDD. I used the .iso images and installed pfsense.
Not sure if this package is available (by default) for nanobsd and other system.

@zlyzwy
Great to hear and to read this :D
I would like to implement this how-to (copy and paste) to my pfsense documentation - makeing a copyright to your name and linking to this post. Is that ok ? It is a very detailed how-to and I think it is exactly what we need :)

Further I tested with Plain-MAC-Auth an CP. At first: It is working as it should and you have different possibilities:

1.) If you want to use Plain-MAC-Auth from pfSense GUI then you should do the following:

• Go to CP and enable "Enable RADIUS MAC authentication"
• Enter any shared secret you like in the field below. This is NOT the shared secret which is used for the communication between NAS(CP) and freeRADIUS.
• the "MAC address format" you do not need to change. The "correct" setting would be "11-22-33-44-55-66" but this is not important because freeradius converts all MAC addresses formats to this format.
• enter the mac address in freeradius "MACs" in this format: 11-22-33-aa-bb-33

Thats all. Browse the web and you will be connected. System Log and Portal Auth show this:
Systemlog:

radiusd[33247]: Login OK: [00-04-23-5c-9d-19/blaaa] (from client pfsense port 2 cli 00-04-23-5c-9d-19)

Portal Auth:

logportalauth[14855]: MACHINE LOGIN: 00-04-23-5c-9d-19, 00:04:23:5c:9d:19, 192.168.0.88

2.) If you do NOT want to use Plain-MAC-Auth from pfsense GUI you can disable that.

• Go to pfsense GUI "Users" and add a user with username "00-04-23-5c-9d-19" - that is the MAC-address and as password choose the password from the CP (schared secret). In my case it was "blaaa".
  CP is converting the MAC to the username field and adds the "shared secret" as the password field.

I will try to explain it a little bit more in detail and post it in my documentation - but now I will go out to dinner - it's my brothers birthday today :)

Nachtfalke

Updates pkg v1.5.3;

• Added: Limit Bandwidth (WISPr-Bandwidth-Max-Down/WISPr-Bandwidth-Max-Up)

• Modified: Rearranged options GUI for "users" a little bit

• Fixed: Simultenous-Use isn't a "requiered" field anymore. If set to 1 and in CP "reauthenticate every minute" was checked it leads to a "multiconnect"/discoonect. Further if CP gets restarted and user wasn't disconnected before there is as well a "multiconnect"

• Fixed: CP does not know ChilliSpot attribute so I choose "Acct-x-octets" in "reply-name"

• Added: There are now the same CHECK-ITEMS and REPLY-ITEMS available for Plain-MAC-Auth as for 802.1X auth (users/macs)

• Updated: pfsense documentation (Plain-MAC-Auth and Plain-MAC-Auth as 802.1X request with Captive Portal) and (Limit Bandwidth)

zlyzwy

@zlyzwy
Great to hear and to read this
I would like to implement this how-to (copy and paste) to my pfsense documentation - makeing a copyright to your name and linking to this post. Is that ok ? It is a very detailed how-to and I think it is exactly what we need

No problem at all. I am glad it's helpful..:)

1.) If you want to use Plain-MAC-Auth from pfSense GUI then you should do the following:

• Go to CP and enable "Enable RADIUS MAC authentication"
• Enter any shared secret you like in the field below. This is NOT the shared secret which is used for the communication between NAS(CP) and freeRADIUS.
• the "MAC address format" you do not need to change. The "correct" setting would be "11-22-33-44-55-66" but this is not important because freeradius converts all MAC addresses formats to this format.
• enter the mac address in freeradius "MACs" in this format: 11-22-33-aa-bb-33

Thanks for your explanation.
I've got a bit confused about 'shared secret', as your explained there should have two 'shared secret'. The first one is for communication with client and CP. But what's the purpose for second one? Can I fill the same value as the first one? In fact I was thinking they should be same.
The MAC format I used is '00:11:22:33:44:55', but you mentioned it's not important then it should not be the problem.

Anyway, I will give a try again with your procedures.

BTW: I can't see the v1.5.3 update pkg in 'installed packages'.

Update:
Now I can see the v1.5.3 pkg and it's great…

@Nachtfalke

I just tested with latest pkg,here comes some new questions>>
1. Plain-MAC-Auth
I followed your procedures, it doesn't work proerly. The error log is

Jan 18 19:59:40	radiusd[36524]: Login incorrect: [00-02-a5-4e-df-67] (from client CP port 210 cli 00-02-a5-4e-df-67)

I enable the PLAIN MAC AUTHORIZATION (FreeRadius–>Setting Tab), and it does solve the problem.

Jan 18 20:46:45	radiusd[63046]: Login OK: [00-02-a5-4e-df-67] (from client CP port 45 cli 00-02-a5-4e-df-67)

I don't know why but it's working anyway:)

2. Virtual machine in VMware MAC Auth
I have a small server running VMware workstation. The host computer is a windows 2003 server. It's running well until I enable the CP, I add the server's MAC to pass list and the server works as it should be,but not for the virtual server inside VM. I tired to put the VM's MAC to pass list. it's not working. I am receiving the following error from system log:

Jan 18 20:46:45	radiusd[63046]: Login OK: [00-02-a5-4e-df-67] (from client CP port 45 cli 00-02-a5-4e-df-67)
Jan 18 20:46:45	radiusd[63046]: Login OK: [00-02-a5-4e-df-67] (from client CP port 45 cli 00-02-a5-4e-df-67)
Jan 18 20:46:45	radiusd[63046]: rlm_radutmp: Login entry for NAS CP port 45 wrong order
Jan 18 20:46:45	radiusd[63046]: rlm_radutmp: Login entry for NAS CP port 45 wrong order

00-02-a5-4e-df-67 –> Host Computer
There is one strange thing, usually if my virtual server ask the outgoing traffic, there should have the log with MAC. So I can add that MAC to pass list. But I didn't see any log with that MAC.
I also tried to set "Number of simultaneous connections" to 10, no luck...

BTW: there are two virtual servers running in VMwork, one is Debian and another is PFsense itself. I am not sure if it's the reason for this issue. I think this picture will show you my network better than words.
(http://www.gliffy.com/pubdoc/2737259/L.png)

3. Maximum Download Bandwidth/Maximum Upload Bandwidth
I have a 20m/s ADSL at home. I tested with 800 bit/s and 800000bit/s. There should have a obvious difference. However they give the similar result here(around 20m/s).

I am afraid I may put too many requests here.
Many thanks for your help!

Nachtfalke

@zlyzwy

The shared secret you enter on CaptivePortal in section "Primary RADIUS server" is the password which is for communication between CP as NAS and the freeRADIUS server. This shared secret you have to enter and match the shared secret you enter in FreeRADIUS -> NAS/Clients

The shared secret you have to enter on chapter "RADIUS MAC authentication" is the user password. This is a little bit unclear on Captive Portal. This shared secret you have to enter in FreeRADIUS -> Users

pkg v.1.5.3 should be available now. When I am updating this post I pushed the changes on github but then we need to wait until some of the core teams is merging it. In general this takes not much time :-)

zlyzwy

@Nachtfalke:

The shared secret you have to enter on chapter "RADIUS MAC authentication" is the user password. This is a little bit unclear on Captive Portal. This shared secret you have to enter in FreeRADIUS -> Users

@Nachtfalke

I am sorry I can't understand this part. If it's really as you said, then all the users must use one password since there is only one shared secret in CP? Or we can only create one user?

Nachtfalke

@zlyzwy:

@Nachtfalke:

The shared secret you have to enter on chapter "RADIUS MAC authentication" is the user password. This is a little bit unclear on Captive Portal. This shared secret you have to enter in FreeRADIUS -> Users

@Nachtfalke

I am sorry I can't understand this part. If it's really as you said, then all the users must use one password since there is only one shared secret in CP? Or we can only create one user?

That's correct. All Users have the same password (shared secret).

But that's no problem. Think about that: The host should be authorized by its MAC address. Now we can only send the Calling-Station-ID to freeRADIUS server and then freeRADIUS must be able to handle ONLY Calling-Station-ID and authorize or block the user. But before I enabled Plain-MAC-Auth ability on freeRADIUS the RADIUS server only accepted 802.1X (username + password).
That's the reason why we are able to configure captive portal to send the MAC address as username and a password - that's our shared secret.

So username(mac address) is different but password(shared secret) is always the same.

If you have questions, just ask. Perhaps I am just not able to explain it in a way to make it clear :D