Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    NEW Package: freeRADIUS 2.x

    Scheduled Pinned Locked Moved pfSense Packages
    628 Posts 80 Posters 753.9k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • F
      filip_pag
      last edited by

      I've done all you saied ant got this with radtest:

      $ radtest test test 172.16.0.1:1812 0 ldskfjldskdfjslkf4
      Sending Access-Request of id 16 to 172.16.0.1 port 1812
      User-Name = "test"
      User-Password = "test"
      NAS-IP-Address = 172.16.0.1
      NAS-Port = 0
      Message-Authenticator = 0x00000000000000000000000000000000
      rad_recv: Access-Accept packet from host 172.16.0.1 port 1812, id=16, length=44
      WISPr-Bandwidth-Max-Up = 81920
      WISPr-Bandwidth-Max-Down = 819200

      is that OK?

      1 Reply Last reply Reply Quote 0
      • N
        Nachtfalke
        last edited by

        @filip_pag:

        I've done all you saied ant got this with radtest:

        $ radtest test test 172.16.0.1:1812 0 ldskfjldskdfjslkf4
        Sending Access-Request of id 16 to 172.16.0.1 port 1812
        User-Name = "test"
        User-Password = "test"
        NAS-IP-Address = 172.16.0.1
        NAS-Port = 0
        Message-Authenticator = 0x00000000000000000000000000000000
        rad_recv: Access-Accept packet from host 172.16.0.1 port 1812, id=16, length=44
        WISPr-Bandwidth-Max-Up = 81920
        WISPr-Bandwidth-Max-Down = 819200

        is that OK?

        Yes it is.

        1 Reply Last reply Reply Quote 0
        • N
          Nachtfalke
          last edited by

          Updates pkg v1.5.7:

          • Added: checks for CA, certs when using EAP-TLS

          • Added: ability to export certs in .p12 format which can be used on windows systems when using EAP-TLS

          • Fixed: a bug when NAS shortname contains whitespace(s)

          • I will update FreeRADIUS 2.x package documentation: How-to for EAP-TLS (LAN), EAP-PEAP (LAN), match common name, match issuer

          1 Reply Last reply Reply Quote 0
          • marcellocM
            marcelloc
            last edited by

            Hi Nachtfalke,

            I've received a patch from freeradius maintainer to compile it with heimdal instead of krb5.

            I'll test compiling it but as usual I need help on testing.

            :)

            Treinamentos de Elite: http://sys-squad.com

            Help a community developer! ;D

            1 Reply Last reply Reply Quote 0
            • N
              Nachtfalke
              last edited by

              @marcelloc:

              Hi Nachtfalke,

              I've received a patch from freeradius mainteinet to compile it with heimdal instead of krb5.

              I'll test compiling it but as usual I need help on testing.

              :)

              Of course I'll do that :)

              But help me - I forgot it - what will heimdal improve/change instead of using kerberos ?  ???

              1 Reply Last reply Reply Quote 0
              • marcellocM
                marcelloc
                last edited by

                @Nachtfalke:

                what will heimdal improve/change instead of using kerberos ?  ???

                Some pages ago, to get kerberos working, we need to force heimdal(A popular BSD-licensed implementation of Kerberos 5) package install.

                Treinamentos de Elite: http://sys-squad.com

                Help a community developer! ;D

                1 Reply Last reply Reply Quote 0
                • Z
                  zlyzwy
                  last edited by

                  @Nachtfalke

                  The issue about VM is not woking with CP. I think I had found a solution here.

                  In the past, VM is running a Debian and I assigned the IP in manual.

                  allow-hotplug eth0
                  iface eth0 inet static
                  address 192.168.1.25
                  netmask 255.255.255.0
                  gateway 192.168.1.1
                  
                  

                  Today, I tired to let Debian get the IP from PF's DHCP and then add its MAC to pass list.

                  auto lo eth0
                  iface lo inet loopback
                  iface eth0 inet dhcp
                  

                  Then it works. Both the host and VM can access the Internet without any trouble.

                  I will do some further testing later and post the result here.
                  ;)

                  1 Reply Last reply Reply Quote 0
                  • N
                    Nachtfalke
                    last edited by

                    @zlyzwy

                    Thanky for feedback and nice to hear that :D
                    But we both thought that it probably would be a problem of VMware/interfaces and not directly CP and/or freeradius2.

                    1 Reply Last reply Reply Quote 0
                    • N
                      Nachtfalke
                      last edited by

                      Updates pkg v1.5.8:

                      • Added: option to disable weak EAP types for authentication

                      • Added: some checks if it is really neccessary to create new DH and random file

                      • Fixed: description in EAP

                      1 Reply Last reply Reply Quote 0
                      • Z
                        zlyzwy
                        last edited by

                        @Nachtfalke

                        I double checked that the CP is now working with VM and host. :)

                        There is only one condition : use pass-through MAC in CP

                        If I tried the RADIUS MAC authentication (MAC as username;share secret as password), it will not work..

                        It's not a big trouble for me because I just wanna to add a few MACs to pass list, and I don't need to manage them with FreeRadius.

                        Furthermore I did some other basic testing, they all seems to be no problem.
                        I created the test user in FreeRadius, it's woking properly.
                        I created the Vouchers in CP and it will work, FreeRadius will also log it. Great.
                        (note: I found if I need to use Vouchers , I must disable 'Reauthenticate connected users every minute'. Otherwise the client will have to input the code every minute)

                        I will go online this hotspot soon and give a feed here.

                        Great thanks for your help and the package~

                        1 Reply Last reply Reply Quote 0
                        • V
                          valshare
                          last edited by

                          Hi,

                          can´t update to latest package:

                          
                          Checking for package installation... 
                           Downloading http://e-sac.siteseguro.ws/packages/8/All/freeradius-2.1.12.tbz ...  could not download from there or http://ftp2.FreeBSD.org/pub/FreeBSD/ports/i386/packages-8.1-release/All/freeradius-2.1.12.tbz.
                          of freeradius-2.1.12 failed!
                          
                          

                          Regards, Valle

                          1 Reply Last reply Reply Quote 0
                          • N
                            Nachtfalke
                            last edited by

                            @valshare:

                            Hi,

                            can´t update to latest package:

                            
                            Checking for package installation... 
                             Downloading http://e-sac.siteseguro.ws/packages/8/All/freeradius-2.1.12.tbz ...  could not download from there or http://ftp2.FreeBSD.org/pub/FreeBSD/ports/i386/packages-8.1-release/All/freeradius-2.1.12.tbz.
                            of freeradius-2.1.12 failed!
                            
                            

                            Regards, Valle

                            I'll contact my administrator marcelloc that he should fix his server problem  :P

                            1 Reply Last reply Reply Quote 0
                            • B
                              blasterreal
                              last edited by

                              @valshare:

                              Hi,

                              can´t update to latest package:

                              
                              Checking for package installation... 
                               Downloading http://e-sac.siteseguro.ws/packages/8/All/freeradius-2.1.12.tbz ...  could not download from there or http://ftp2.FreeBSD.org/pub/FreeBSD/ports/i386/packages-8.1-release/All/freeradius-2.1.12.tbz.
                              of freeradius-2.1.12 failed!
                              
                              

                              Regards, Valle

                              The same problem goes for me…
                              I hope that improves as soon as possible

                              1 Reply Last reply Reply Quote 0
                              • marcellocM
                                marcelloc
                                last edited by

                                Sorry guys,

                                Just contacted my provider, they are fixing it right now.

                                Treinamentos de Elite: http://sys-squad.com

                                Help a community developer! ;D

                                1 Reply Last reply Reply Quote 0
                                • V
                                  valshare
                                  last edited by

                                  working again. Thanx!

                                  1 Reply Last reply Reply Quote 0
                                  • E
                                    eri--
                                    last edited by

                                    Why do you use your own site to host things marcelloc?

                                    1 Reply Last reply Reply Quote 0
                                    • marcellocM
                                      marcelloc
                                      last edited by

                                      ermal,

                                      Freeradius2 conflicts with current compiled version available on files.pfsense.org.

                                      We are also testing many different package compilations until whe find a final solution to publish on files.pfsense.org.(asterisk, dansguardian, subversion,…)
                                      Also there are some missing libs to get cyrus-sasl working to(You helped me diagnosing it on postfix thread).

                                      But, if I can have a folder on files.pfsense.org I can publish these packages there ;D

                                      Treinamentos de Elite: http://sys-squad.com

                                      Help a community developer! ;D

                                      1 Reply Last reply Reply Quote 0
                                      • P
                                        pszafer
                                        last edited by

                                        okay, I'm finally happier :)
                                        I've got working freeradius + winbindd + ntlm_auth with Active Directory with MSCHAP v2

                                        now I will remove from samba package as much as I can and then I would like to share my work with you.
                                        I hope you will guide me if I should give you files or somehow make package etc.

                                        1 Reply Last reply Reply Quote 0
                                        • F
                                          foxale08
                                          last edited by

                                          This may have already been answered but how would I change the cipher list to "HIGH" under TLS? I understand I can disable weaker ciphers but will this effectively set the cipher list to high?

                                          1 Reply Last reply Reply Quote 0
                                          • N
                                            Nachtfalke
                                            last edited by

                                            @foxale08:

                                            This may have already been answered but how would I change the cipher list to "HIGH" under TLS? I understand I can disable weaker ciphers but will this effectively set the cipher list to high?

                                            Hi foxale08,

                                            freeradius2 is a multitalent. It can handly nearly all authenticationtypes hosts sends. So if you do not disable weak encryption like MD5 and so on than the following will happen:

                                            a client wants to authenticate using MD5 -> freeradius will do that
                                            a client wants to authenticate using LEAP -> freeradius will do that
                                            a client wants to authenticate with TLS or TTLS or PEAP or MSCHAPv2 or… -> freeradius will do that.

                                            so freeradius will do what freeradius is able to do. thats why you don't have to change anything and freeradius will work.
                                            but we know that MD5 encryption isn't really strong, LEAP has some weaknesses and that's why and administrator probably don't want that users can use these authentication types to connect to the network and someone who plays "Man in the middle" can get passwords easy.

                                            So if you check "disable weak encryption" than this disables MD5, GTC and LEAP. This will happen:

                                            a client wants to authenticate using MD5 -> freeradius will not do that because we disabled that
                                            a client wants to authenticate using LEAP -> freeradius will not do that because we disabled that
                                            a client wants to authenticate with TLS or TTLS or PEAP or MSCHAPv2 or… -> freeradius will do that.

                                            In theory it would be possible to disable TTLS and PEAP and MSCHAPv2 and just only allow TLS but from my point of view this makes no sense.

                                            Take a look at the documentation:
                                            http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package#General_EAP_configuration

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.