NEW Package: freeRADIUS 2.x

pszafer

so trully it is not so much to do:

1. Edit /usr/local/etc/raddb/sites-enabled/default

in authorize section (I'm not sure if it wasn't like this originally):

• comment unix line #
• uncomment line ntdomain
• uncomment ldap line
• uncomment or add pap line

in authenticate section:

• add or uncomment

Auth-Type PAP {
		pap
	}

in preacct section:

• uncomment ntdomain line

post-auth section:

• comment ldap section
  ===========================
  in radiusd.conf add in the end of file:
  $INCLUDE policy.conf
  $INCLUDE sites-enabled/
  ===========================
  modules/ldap looks like this:

ldap {
	#
	#  Note that this needs to match the name in the LDAP
	#  server certificate, if you're using ldaps.
	server = "server.p.t"
	identity = "cn=freeradiususer,cn=Users,dc=p,dc=t"
	password = ppp123PPP
	basedn = "cn=Users,dc=p,dc=t"
	filter = "(sAMAccountName=%{mschap:User-Name})"
	#base_filter = "(objectclass=radiusprofile)"

I think that's it.

Now I'm trying to understand what we need to get MSCHAP working!

Nachtfalke

@pszafer:

so trully it is not so much to do:

1. Edit /usr/local/etc/raddb/sites-enabled/default

in authorize section (I'm not sure if it wasn't like this originally):

• comment unix line #
• uncomment line ntdomain
• uncomment ldap line
• uncomment or add pap line

This is the default if you install freeradius2 package. I did all these changes. Unis line is commented by default. I configured ntdomain as you need it here. LDAP line will be commented or uncommented if we enable/disable it on LDAP GUI (authorization).

@pszafer:

in authenticate section:

• add or uncomment

Auth-Type PAP {
		pap
	}

This is default. If we do not need LDAP in authentication than we can enable/disable this from LDAP GUI. PAP is there by default.

@pszafer:

in preacct section:

• uncomment ntdomain line

I did that in the past and it is default after package installation.

@pszafer:

post-auth section:

• comment ldap section

Is by default commented. We do not have any option to change that from GUI.

@pszafer:

===========================
in radiusd.conf add in the end of file:
$INCLUDE policy.conf
$INCLUDE sites-enabled/

This is by default.

@pszafer:

modules/ldap looks like this:

ldap {
	#
	#  Note that this needs to match the name in the LDAP
	#  server certificate, if you're using ldaps.
	server = "server.p.t"
	identity = "cn=freeradiususer,cn=Users,dc=p,dc=t"
	password = ppp123PPP
	basedn = "cn=Users,dc=p,dc=t"
	filter = "(sAMAccountName=%{mschap:User-Name})"
	#base_filter = "(objectclass=radiusprofile)"

I added the commented lines to the GUI. So they are now UNcommented. Not sure if the default entries are ok or not.
But I think we can change this when we need to. When you telling me this :D

@pszafer:

I think that's it.

Now I'm trying to understand what we need to get MSCHAP working!

Great! :-)

firestrife23

What's the advantage of enabling SQL server? Because I don't see it on pfSense documentation.

zlyzwy

Hi Nachtfalke,

I just tested with Captive Portal + FreeRadius + MySQL for a Hotspot site.

Basically it's now working here, I can login through CP and see the login information in MySQL.

There are still two options that I can't work it around.

1. per-user bandwidth restriction
This option is available in CP. But it's a global setting which means it will effect all clients with same setting.
I think there should have the same settings according to account? Does FreeRadius support it yet?

2. RADIUS MAC authentication
I tested this function, it doesn't work. I always get the login page even I added the MAC in FreeRadius.
With the same setting, pass-through MACs in CP does work properly. Once I add the MAC, it works immediately.

Thanks for your patient.

Nachtfalke

@firestrife23:

What's the advantage of enabling SQL server? Because I don't see it on pfSense documentation.

The advantage of a SQL database is if you have many many users. If you add many users to the freeradius users file - I would say 500+ - than your response time can be slow because the freeradius server has to go through the list from top to down until finding the user or not. So you should check the documentation about "Status server updates". There you will get information about how your RADIUS server performs and if the server can handle the requests. If you use a database the requests can be processes faster if you have many users because of the structur. This are the performance advantages.

For accounting there are better possibilities to do SELECTs on the database but you have to configure the sqlcounter module that it works for you.

An other point could be that you create a web GUI for your SQL database so that people could add new users to the database but should not have access to pfsense or freeradius. This could be useful in a hotel - you setup the freeradius and the connection to the database and the rest will be done from a separate web GUI from the hotel people.

That's my opinion. Perhaps I will add this to the pfsense docs ;)

@zlyzwy
Can you write down the steps you did for creating the database, importing the tables (names of tables) and how you configured freeradius SQL ?

1.) I will add this in the next days so we have the possibility to set separate Download und upload bandwidth for users (overwriting the settings from CP which are for ALL users). I have coded this but it is on my HDD at home ;o)
Or do you meand volume of traffic like 500MB in max per week ? This is supported from freeradius and CP but with some disadvantages which I wrote down in the docs.

2.) I will try to test this at home with CP if I found some time. Sending the "Calling-Station-ID" (MAC) is working but I didn't test it with CP.

gigg

Hi Guys,

i have decided to see if I can replace another solution we using with a Pfsense Captive portal and a Psfense Radius solution. But, I follow the instructions on the Radius documentation, but the first hiccup I have is that i dont have the option to even install the package.

In pfsense 2.x go to System => Packages => Available Packages and click on the + behind freeradius2.
    After Installation go to Services => FreeRADIUS

Am I blind or is the package option just not on the 2.0.1 menu? :)

Regards,

Gigg

zlyzwy

@zlyzwy
Can you write down the steps you did for creating the database, importing the tables (names of tables) and how you configured freeradius SQL ?

Sure:)
In general, I used PhpMyAdmin to manage MySQL database, you can use any other tools as you like.
All the following .SQL files can be found in latest FreeRadius package.(http://freeradius.org/download.html)

MYSQL
1. Create the database named radius from PhpMyAdmin

CREATE DATABASE  `radius` ;

2. Import the table 'admin'. Please change  'localhost' to your Pfsense name or just changed it to '%' which means from any client can connect to MySQL. Of course you can also change the default password('radpass') here.

#
#  Create default administrator for RADIUS
#
CREATE USER 'radius'@'localhost';
SET PASSWORD FOR 'radius'@'localhost' = PASSWORD('radpass');

# The server can read any table in SQL
GRANT SELECT ON radius.* TO 'radius'@'localhost';

# The server can write to the accounting and post-auth logging table.
#
#  i.e. 
GRANT ALL on radius.radacct TO 'radius'@'localhost';
GRANT ALL on radius.radpostauth TO 'radius'@'localhost';

3. Import the table 'schema'. I don't change anything and it works fine.

###########################################################################
# $Id$                 #
#                                                                         #
#  schema.sql                       rlm_sql - FreeRADIUS SQL Module       #
#                                                                         #
#     Database schema for MySQL rlm_sql module                            #
#                                                                         #
#     To load:                                                            #
#         mysql -uroot -prootpass radius < schema.sql                     #
#                                                                         #
#                                   Mike Machado <mike@innercite.com>#
###########################################################################
#
# Table structure for table 'radacct'
#

CREATE TABLE radacct (
  radacctid bigint(21) NOT NULL auto_increment,
  acctsessionid varchar(64) NOT NULL default '',
  acctuniqueid varchar(32) NOT NULL default '',
  username varchar(64) NOT NULL default '',
  groupname varchar(64) NOT NULL default '',
  realm varchar(64) default '',
  nasipaddress varchar(15) NOT NULL default '',
  nasportid varchar(15) default NULL,
  nasporttype varchar(32) default NULL,
  acctstarttime datetime NULL default NULL,
  acctstoptime datetime NULL default NULL,
  acctsessiontime int(12) default NULL,
  acctauthentic varchar(32) default NULL,
  connectinfo_start varchar(50) default NULL,
  connectinfo_stop varchar(50) default NULL,
  acctinputoctets bigint(20) default NULL,
  acctoutputoctets bigint(20) default NULL,
  calledstationid varchar(50) NOT NULL default '',
  callingstationid varchar(50) NOT NULL default '',
  acctterminatecause varchar(32) NOT NULL default '',
  servicetype varchar(32) default NULL,
  framedprotocol varchar(32) default NULL,
  framedipaddress varchar(15) NOT NULL default '',
  acctstartdelay int(12) default NULL,
  acctstopdelay int(12) default NULL,
  xascendsessionsvrkey varchar(10) default NULL,
  PRIMARY KEY  (radacctid),
  KEY username (username),
  KEY framedipaddress (framedipaddress),
  KEY acctsessionid (acctsessionid),
  KEY acctsessiontime (acctsessiontime),
  KEY acctuniqueid (acctuniqueid),
  KEY acctstarttime (acctstarttime),
  KEY acctstoptime (acctstoptime),
  KEY nasipaddress (nasipaddress)
) ;

#
# Table structure for table 'radcheck'
#

CREATE TABLE radcheck (
  id int(11) unsigned NOT NULL auto_increment,
  username varchar(64) NOT NULL default '',
  attribute varchar(64)  NOT NULL default '',
  op char(2) NOT NULL DEFAULT '==',
  value varchar(253) NOT NULL default '',
  PRIMARY KEY  (id),
  KEY username (username(32))
) ;

#
# Table structure for table 'radgroupcheck'
#

CREATE TABLE radgroupcheck (
  id int(11) unsigned NOT NULL auto_increment,
  groupname varchar(64) NOT NULL default '',
  attribute varchar(64)  NOT NULL default '',
  op char(2) NOT NULL DEFAULT '==',
  value varchar(253)  NOT NULL default '',
  PRIMARY KEY  (id),
  KEY groupname (groupname(32))
) ;

#
# Table structure for table 'radgroupreply'
#

CREATE TABLE radgroupreply (
  id int(11) unsigned NOT NULL auto_increment,
  groupname varchar(64) NOT NULL default '',
  attribute varchar(64)  NOT NULL default '',
  op char(2) NOT NULL DEFAULT '=',
  value varchar(253)  NOT NULL default '',
  PRIMARY KEY  (id),
  KEY groupname (groupname(32))
) ;

#
# Table structure for table 'radreply'
#

CREATE TABLE radreply (
  id int(11) unsigned NOT NULL auto_increment,
  username varchar(64) NOT NULL default '',
  attribute varchar(64) NOT NULL default '',
  op char(2) NOT NULL DEFAULT '=',
  value varchar(253) NOT NULL default '',
  PRIMARY KEY  (id),
  KEY username (username(32))
) ;

#
# Table structure for table 'radusergroup'
#

CREATE TABLE radusergroup (
  username varchar(64) NOT NULL default '',
  groupname varchar(64) NOT NULL default '',
  priority int(11) NOT NULL default '1',
  KEY username (username(32))
) ;

#
# Table structure for table 'radpostauth'
#

CREATE TABLE radpostauth (
  id int(11) NOT NULL auto_increment,
  username varchar(64) NOT NULL default '',
  pass varchar(64) NOT NULL default '',
  reply varchar(32) NOT NULL default '',
  authdate timestamp NOT NULL,
  PRIMARY KEY  (id)
) ;</mike@innercite.com> 

4. Import the rest of tables one by one.

#
# Table structure for table 'cui'
#
CREATE TABLE `cui` (
  `clientipaddress` varchar(15) NOT NULL default '',
  `callingstationid` varchar(50) NOT NULL default '',
  `username` varchar(64) NOT NULL default '',
  `cui` varchar(32) NOT NULL default '',
  `creationdate` timestamp NOT NULL default CURRENT_TIMESTAMP,
  `lastaccounting` timestamp NOT NULL default '0000-00-00 00:00:00',
  PRIMARY KEY  (`username`,`clientipaddress`,`callingstationid`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;

#
# Table structure for table 'radippool'
#
CREATE TABLE radippool ( 
  id                    int(11) unsigned NOT NULL auto_increment,
  pool_name             varchar(30) NOT NULL,
  framedipaddress       varchar(15) NOT NULL default '',
  nasipaddress          varchar(15) NOT NULL default '',
  calledstationid       VARCHAR(30) NOT NULL,
  callingstationid      VARCHAR(30) NOT NULL,
  expiry_time           DATETIME NULL default NULL,
  username              varchar(64) NOT NULL default '',
  pool_key              varchar(30) NOT NULL,
  PRIMARY KEY (id),
  KEY radippool_poolname_expire (pool_name, expiry_time),
  KEY framedipaddress (framedipaddress),
  KEY radippool_nasip_poolkey_ipaddress (nasipaddress, pool_key, framedipaddress)
) ENGINE=InnoDB;

#
# Table structure for table 'nas'
#
CREATE TABLE nas (
  id int(10) NOT NULL auto_increment,
  nasname varchar(128) NOT NULL,
  shortname varchar(32),
  type varchar(30) DEFAULT 'other',
  ports int(5),
  secret varchar(60) DEFAULT 'secret' NOT NULL,
  server varchar(64),
  community varchar(50),
  description varchar(200) DEFAULT 'RADIUS Client',
  PRIMARY KEY (id),
  KEY nasname (nasname)
);

#
# WiMAX Table structure for table 'wimax',
# which replaces the "radpostauth" table.
#

CREATE TABLE wimax (
  id int(11) NOT NULL auto_increment,
  username varchar(64) NOT NULL default '',
  authdate timestamp NOT NULL,
  spi varchar(16) NOT NULL default '',
  mipkey varchar(400) NOT NULL default '',
  lifetime int(12) default NULL,
  PRIMARY KEY  (id),
  KEY username (username),
  KEY spi (spi)
) ;

FreeRadius
After that, go back to your FreeRadius web interface, In SQL tab, enable the SQL support and change the following items.
Enable SQL Support  –> Check
Enable SQL Authorization  --> Enable
Enable SQL Accounting  --> Enable
Enable SQL Session  --> Enable
Enable SQL Post-Auth  --> Enable
Server IP Address --> A.B.C.D
Database Password  --> PASSWORD

TEST
To test Freeradius work or not, follow the step in Freeradius doc (http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package)
Once you receiving the following msg

rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=1, length=20

Check the 'radpostauth' table, if you find the record like this:

15	test	test	Access-Accept	2012-01-17 20:21:04

All right, your FreeRadius is now connecting to MySQL.
:)

Nachtfalke

@gigg:

Hi Guys,

i have decided to see if I can replace another solution we using with a Pfsense Captive portal and a Psfense Radius solution. But, I follow the instructions on the Radius documentation, but the first hiccup I have is that i dont have the option to even install the package.

In pfsense 2.x go to System => Packages => Available Packages and click on the + behind freeradius2.
    After Installation go to Services => FreeRADIUS

Am I blind or is the package option just not on the 2.0.1 menu? :)

Regards,

Gigg

Hi Gigg,

freeradius2 package is available for i386 and amd64, pfsense 2.0 and 2.0.1. I could just try on server with a HDD. I used the .iso images and installed pfsense.
Not sure if this package is available (by default) for nanobsd and other system.

@zlyzwy
Great to hear and to read this :D
I would like to implement this how-to (copy and paste) to my pfsense documentation - makeing a copyright to your name and linking to this post. Is that ok ? It is a very detailed how-to and I think it is exactly what we need :)

Further I tested with Plain-MAC-Auth an CP. At first: It is working as it should and you have different possibilities:

1.) If you want to use Plain-MAC-Auth from pfSense GUI then you should do the following:

• Go to CP and enable "Enable RADIUS MAC authentication"
• Enter any shared secret you like in the field below. This is NOT the shared secret which is used for the communication between NAS(CP) and freeRADIUS.
• the "MAC address format" you do not need to change. The "correct" setting would be "11-22-33-44-55-66" but this is not important because freeradius converts all MAC addresses formats to this format.
• enter the mac address in freeradius "MACs" in this format: 11-22-33-aa-bb-33

Thats all. Browse the web and you will be connected. System Log and Portal Auth show this:
Systemlog:

radiusd[33247]: Login OK: [00-04-23-5c-9d-19/blaaa] (from client pfsense port 2 cli 00-04-23-5c-9d-19)

Portal Auth:

logportalauth[14855]: MACHINE LOGIN: 00-04-23-5c-9d-19, 00:04:23:5c:9d:19, 192.168.0.88

2.) If you do NOT want to use Plain-MAC-Auth from pfsense GUI you can disable that.

• Go to pfsense GUI "Users" and add a user with username "00-04-23-5c-9d-19" - that is the MAC-address and as password choose the password from the CP (schared secret). In my case it was "blaaa".
  CP is converting the MAC to the username field and adds the "shared secret" as the password field.

I will try to explain it a little bit more in detail and post it in my documentation - but now I will go out to dinner - it's my brothers birthday today :)

Nachtfalke

Updates pkg v1.5.3;

• Added: Limit Bandwidth (WISPr-Bandwidth-Max-Down/WISPr-Bandwidth-Max-Up)

• Modified: Rearranged options GUI for "users" a little bit

• Fixed: Simultenous-Use isn't a "requiered" field anymore. If set to 1 and in CP "reauthenticate every minute" was checked it leads to a "multiconnect"/discoonect. Further if CP gets restarted and user wasn't disconnected before there is as well a "multiconnect"

• Fixed: CP does not know ChilliSpot attribute so I choose "Acct-x-octets" in "reply-name"

• Added: There are now the same CHECK-ITEMS and REPLY-ITEMS available for Plain-MAC-Auth as for 802.1X auth (users/macs)

• Updated: pfsense documentation (Plain-MAC-Auth and Plain-MAC-Auth as 802.1X request with Captive Portal) and (Limit Bandwidth)

zlyzwy

@zlyzwy
Great to hear and to read this
I would like to implement this how-to (copy and paste) to my pfsense documentation - makeing a copyright to your name and linking to this post. Is that ok ? It is a very detailed how-to and I think it is exactly what we need

No problem at all. I am glad it's helpful..:)

1.) If you want to use Plain-MAC-Auth from pfSense GUI then you should do the following:

• Go to CP and enable "Enable RADIUS MAC authentication"
• Enter any shared secret you like in the field below. This is NOT the shared secret which is used for the communication between NAS(CP) and freeRADIUS.
• the "MAC address format" you do not need to change. The "correct" setting would be "11-22-33-44-55-66" but this is not important because freeradius converts all MAC addresses formats to this format.
• enter the mac address in freeradius "MACs" in this format: 11-22-33-aa-bb-33

Thanks for your explanation.
I've got a bit confused about 'shared secret', as your explained there should have two 'shared secret'. The first one is for communication with client and CP. But what's the purpose for second one? Can I fill the same value as the first one? In fact I was thinking they should be same.
The MAC format I used is '00:11:22:33:44:55', but you mentioned it's not important then it should not be the problem.

Anyway, I will give a try again with your procedures.

BTW: I can't see the v1.5.3 update pkg in 'installed packages'.

Update:
Now I can see the v1.5.3 pkg and it's great…

@Nachtfalke

I just tested with latest pkg,here comes some new questions>>
1. Plain-MAC-Auth
I followed your procedures, it doesn't work proerly. The error log is

Jan 18 19:59:40	radiusd[36524]: Login incorrect: [00-02-a5-4e-df-67] (from client CP port 210 cli 00-02-a5-4e-df-67)

I enable the PLAIN MAC AUTHORIZATION (FreeRadius–>Setting Tab), and it does solve the problem.

Jan 18 20:46:45	radiusd[63046]: Login OK: [00-02-a5-4e-df-67] (from client CP port 45 cli 00-02-a5-4e-df-67)

I don't know why but it's working anyway:)

2. Virtual machine in VMware MAC Auth
I have a small server running VMware workstation. The host computer is a windows 2003 server. It's running well until I enable the CP, I add the server's MAC to pass list and the server works as it should be,but not for the virtual server inside VM. I tired to put the VM's MAC to pass list. it's not working. I am receiving the following error from system log:

Jan 18 20:46:45	radiusd[63046]: Login OK: [00-02-a5-4e-df-67] (from client CP port 45 cli 00-02-a5-4e-df-67)
Jan 18 20:46:45	radiusd[63046]: Login OK: [00-02-a5-4e-df-67] (from client CP port 45 cli 00-02-a5-4e-df-67)
Jan 18 20:46:45	radiusd[63046]: rlm_radutmp: Login entry for NAS CP port 45 wrong order
Jan 18 20:46:45	radiusd[63046]: rlm_radutmp: Login entry for NAS CP port 45 wrong order

00-02-a5-4e-df-67 –> Host Computer
There is one strange thing, usually if my virtual server ask the outgoing traffic, there should have the log with MAC. So I can add that MAC to pass list. But I didn't see any log with that MAC.
I also tried to set "Number of simultaneous connections" to 10, no luck...

BTW: there are two virtual servers running in VMwork, one is Debian and another is PFsense itself. I am not sure if it's the reason for this issue. I think this picture will show you my network better than words.
(http://www.gliffy.com/pubdoc/2737259/L.png)

3. Maximum Download Bandwidth/Maximum Upload Bandwidth
I have a 20m/s ADSL at home. I tested with 800 bit/s and 800000bit/s. There should have a obvious difference. However they give the similar result here(around 20m/s).

I am afraid I may put too many requests here.
Many thanks for your help!

Nachtfalke

@zlyzwy

The shared secret you enter on CaptivePortal in section "Primary RADIUS server" is the password which is for communication between CP as NAS and the freeRADIUS server. This shared secret you have to enter and match the shared secret you enter in FreeRADIUS -> NAS/Clients

The shared secret you have to enter on chapter "RADIUS MAC authentication" is the user password. This is a little bit unclear on Captive Portal. This shared secret you have to enter in FreeRADIUS -> Users

pkg v.1.5.3 should be available now. When I am updating this post I pushed the changes on github but then we need to wait until some of the core teams is merging it. In general this takes not much time :-)

zlyzwy

@Nachtfalke:

The shared secret you have to enter on chapter "RADIUS MAC authentication" is the user password. This is a little bit unclear on Captive Portal. This shared secret you have to enter in FreeRADIUS -> Users

@Nachtfalke

I am sorry I can't understand this part. If it's really as you said, then all the users must use one password since there is only one shared secret in CP? Or we can only create one user?

Nachtfalke

@zlyzwy:

@Nachtfalke:

The shared secret you have to enter on chapter "RADIUS MAC authentication" is the user password. This is a little bit unclear on Captive Portal. This shared secret you have to enter in FreeRADIUS -> Users

@Nachtfalke

I am sorry I can't understand this part. If it's really as you said, then all the users must use one password since there is only one shared secret in CP? Or we can only create one user?

That's correct. All Users have the same password (shared secret).

But that's no problem. Think about that: The host should be authorized by its MAC address. Now we can only send the Calling-Station-ID to freeRADIUS server and then freeRADIUS must be able to handle ONLY Calling-Station-ID and authorize or block the user. But before I enabled Plain-MAC-Auth ability on freeRADIUS the RADIUS server only accepted 802.1X (username + password).
That's the reason why we are able to configure captive portal to send the MAC address as username and a password - that's our shared secret.

So username(mac address) is different but password(shared secret) is always the same.

If you have questions, just ask. Perhaps I am just not able to explain it in a way to make it clear :D

gigg

Hi Guyd,

Can you tell me what version of pfsense you using. Mine does not have a packages option under systems and I cant load the radius option.

Thx

marcelloc

@gigg:

Hi Guyd,

Can you tell me what version of pfsense you using. Mine does not have a packages option under systems and I cant load the radius option.

Thx

pfsense 2.0.1 full install x64
pfsense 2.0.1 full install i386

Metu69salemi

Shared secret is used between radius server and device, which is using radius server. it's another layer of security. This has nothing todo with user passwords

Nachtfalke

Updates pkg v1.5.4:

• Added: Checks if a function or a part of it needs to be run (when disabled from GUI). This should speed up the starting process of freeradius after reboot.

• Fixed: Accidentally deleted certs in ../raddb/certs/ folder after reboot when using pfSense Cert-Manager - this break freeRADIUS start until clicking save in EAP again.

=== edit ===

• Fixed: call some functions after installation to initialize configuration files.

@Metu69salemi:

Shared secret is used between radius server and device, which is using radius server. it's another layer of security. This has nothing todo with user passwords

What you say is absolutly correct - in general.
Captive Portal is using the name "shared secret" on two places. In Primary RADIUS server it is used in the correct context.
In RADIUS MAC authentication it is not the correct context I would say. This is explained one line below:

If this option is enabled, the captive portal will try to authenticate users by sending their MAC address as the username and the password entered below to the RADIUS server.

Metu69salemi

@Nachtfalke:

Updates pkg v1.5.4:

• Added: Checks if a function or a part of it needs to be run (when disabled from GUI). This should speed up the starting process of freeradius after reboot.

• Fixed: Accidentally deleted certs in ../raddb/certs/ folder after reboot when using pfSense Cert-Manager - this break freeRADIUS start until clicking save in EAP again.

@Metu69salemi:

Shared secret is used between radius server and device, which is using radius server. it's another layer of security. This has nothing todo with user passwords

What you say is absolutly correct - in general.
Captive Portal is using the name "shared secret" on two places. In Primary RADIUS server it is used in the correct context.
In RADIUS MAC authentication it is not the correct context I would say. This is explained one line below:

If this option is enabled, the captive portal will try to authenticate users by sending their MAC address as the username and the password entered below to the RADIUS server.

Ok thank you for info

zlyzwy

Hi guys,

Thanks for all your patents and detail explanation…
To be honest, I am still not 100% understand this part, but I will need some test on it.

Can you take a look at the following questions?

@zlyzwy:

Update:
Now I can see the v1.5.3 pkg and it's great…

@Nachtfalke

I just tested with latest pkg,here comes some new questions>>
1. Plain-MAC-Auth
I followed your procedures, it doesn't work proerly. The error log is

Jan 18 19:59:40	radiusd[36524]: Login incorrect: [00-02-a5-4e-df-67] (from client CP port 210 cli 00-02-a5-4e-df-67)

I enable the PLAIN MAC AUTHORIZATION (FreeRadius–>Setting Tab), and it does solve the problem.

Jan 18 20:46:45	radiusd[63046]: Login OK: [00-02-a5-4e-df-67] (from client CP port 45 cli 00-02-a5-4e-df-67)

I don't know why but it's working anyway:)

2. Virtual machine in VMware MAC Auth
I have a small server running VMware workstation. The host computer is a windows 2003 server. It's running well until I enable the CP, I add the server's MAC to pass list and the server works as it should be,but not for the virtual server inside VM. I tired to put the VM's MAC to pass list. it's not working. I am receiving the following error from system log:

Jan 18 20:46:45	radiusd[63046]: Login OK: [00-02-a5-4e-df-67] (from client CP port 45 cli 00-02-a5-4e-df-67)
Jan 18 20:46:45	radiusd[63046]: Login OK: [00-02-a5-4e-df-67] (from client CP port 45 cli 00-02-a5-4e-df-67)
Jan 18 20:46:45	radiusd[63046]: rlm_radutmp: Login entry for NAS CP port 45 wrong order
Jan 18 20:46:45	radiusd[63046]: rlm_radutmp: Login entry for NAS CP port 45 wrong order

00-02-a5-4e-df-67 –> Host Computer
There is one strange thing, usually if my virtual server ask the outgoing traffic, there should have the log with MAC. So I can add that MAC to pass list. But I didn't see any log with that MAC.
I also tried to set "Number of simultaneous connections" to 10, no luck...

BTW: there are two virtual servers running in VMwork, one is Debian and another is PFsense itself. I am not sure if it's the reason for this issue. I think this picture will show you my network better than words.
(http://www.gliffy.com/pubdoc/2737259/L.png)

3. Maximum Download Bandwidth/Maximum Upload Bandwidth
I have a 20m/s ADSL at home. I tested with 800 bit/s and 800000bit/s. There should have a obvious difference. However they give the similar result here(around 20m/s).

I am afraid I may put too many requests here.
Many thanks for your help!

Thanks in advance!

Nachtfalke

@zlyzwy:

(…)
@Nachtfalke

I just tested with latest pkg,here comes some new questions>>
1. Plain-MAC-Auth
I followed your procedures, it doesn't work proerly. The error log is

Jan 18 19:59:40	radiusd[36524]: Login incorrect: [00-02-a5-4e-df-67] (from client CP port 210 cli 00-02-a5-4e-df-67)

I enable the PLAIN MAC AUTHORIZATION (FreeRadius–>Setting Tab), and it does solve the problem.

Jan 18 20:46:45	radiusd[63046]: Login OK: [00-02-a5-4e-df-67] (from client CP port 45 cli 00-02-a5-4e-df-67)

I don't know why but it's working anyway:)

First I am sorry. I didn't see that you updated your post ;-)
First it is good that Plain-MAC-Auth is working :)
Second:
Disable Plain-MAC-Auth and put this in "FreeRADIUS -> Users tab"
Username:  00-02-a5-4e-df-67
Password:    (The shared secret from Captive Portal below the point "Enable MAC authorization)
Delete the entry in "FreeRADIUS -> MACs" with this MAC address: 00-02-a5-4e-df-67

Then it should work.

@zlyzwy:

2. Virtual machine in VMware MAC Auth
I have a small server running VMware workstation. The host computer is a windows 2003 server. It's running well until I enable the CP, I add the server's MAC to pass list and the server works as it should be,but not for the virtual server inside VM. I tired to put the VM's MAC to pass list. it's not working. I am receiving the following error from system log:

Jan 18 20:46:45	radiusd[63046]: Login OK: [00-02-a5-4e-df-67] (from client CP port 45 cli 00-02-a5-4e-df-67)
Jan 18 20:46:45	radiusd[63046]: Login OK: [00-02-a5-4e-df-67] (from client CP port 45 cli 00-02-a5-4e-df-67)
Jan 18 20:46:45	radiusd[63046]: rlm_radutmp: Login entry for NAS CP port 45 wrong order
Jan 18 20:46:45	radiusd[63046]: rlm_radutmp: Login entry for NAS CP port 45 wrong order

00-02-a5-4e-df-67 –> Host Computer
There is one strange thing, usually if my virtual server ask the outgoing traffic, there should have the log with MAC. So I can add that MAC to pass list. But I didn't see any log with that MAC.
I also tried to set "Number of simultaneous connections" to 10, no luck...

BTW: there are two virtual servers running in VMwork, one is Debian and another is PFsense itself. I am not sure if it's the reason for this issue. I think this picture will show you my network better than words.
(http://www.gliffy.com/pubdoc/2737259/L.png)

Uuuhh..hmm..I am out of ideas why this is happening. But to make it clear "rlm_radutmp" is containing all clients which are authorized. This is the file which checks for "Simultaneous-Use". You increased the "Simultaneous-Use" - that is what I had told you, too. Check again that there is not a double entry in "MACs" and "Users" with this MAC address: 00-02-a5-4e-df-67.

@zlyzwy:

3. Maximum Download Bandwidth/Maximum Upload Bandwidth
I have a 20m/s ADSL at home. I tested with 800 bit/s and 800000bit/s. There should have a obvious difference. However they give the similar result here(around 20m/s).

I read about this behaviour on some forum posts. It has something to do with that CP is only changing bandwidth for users which authenticate new. It doesn't change this for existing connections.
When I tested this at home I found out that you have to enable "Bandwidth Limits" on CP first. You can enter a value but if you set a setting on FreeRADIUS then the value of the CP will be overwritten (that's what we want). And then I am not sure if there is the same bug in this function as with "amount of traffic". The traffic which goes through CP is for example 1MB but accounting will tell RADIUS that there are 6MB. Not sure if this affects Bandwidth Limits in any way, too.
So I am sorry but I could not tell you where the problem for Bandwidth Limits is. Need to test this more and find out which checkboxes on CP I need to enable and which services needs to be restartet.

@zlyzwy:

I am afraid I may put too many requests here.
Many thanks for your help!

Thats no problem - for me :-)