NEW Package: freeRADIUS 2.x

marcelloc

@Nachtfalke:

what will heimdal improve/change instead of using kerberos ?  ???

Some pages ago, to get kerberos working, we need to force heimdal(A popular BSD-licensed implementation of Kerberos 5) package install.

zlyzwy

@Nachtfalke

The issue about VM is not woking with CP. I think I had found a solution here.

In the past, VM is running a Debian and I assigned the IP in manual.

allow-hotplug eth0
iface eth0 inet static
address 192.168.1.25
netmask 255.255.255.0
gateway 192.168.1.1

Today, I tired to let Debian get the IP from PF's DHCP and then add its MAC to pass list.

auto lo eth0
iface lo inet loopback
iface eth0 inet dhcp

Then it works. Both the host and VM can access the Internet without any trouble.

I will do some further testing later and post the result here.
;)

Nachtfalke

@zlyzwy

Thanky for feedback and nice to hear that :D
But we both thought that it probably would be a problem of VMware/interfaces and not directly CP and/or freeradius2.

Nachtfalke

Updates pkg v1.5.8:

• Added: option to disable weak EAP types for authentication

• Added: some checks if it is really neccessary to create new DH and random file

• Fixed: description in EAP

zlyzwy

@Nachtfalke

I double checked that the CP is now working with VM and host. :)

There is only one condition : use pass-through MAC in CP

If I tried the RADIUS MAC authentication (MAC as username;share secret as password), it will not work..

It's not a big trouble for me because I just wanna to add a few MACs to pass list, and I don't need to manage them with FreeRadius.

Furthermore I did some other basic testing, they all seems to be no problem.
I created the test user in FreeRadius, it's woking properly.
I created the Vouchers in CP and it will work, FreeRadius will also log it. Great.
(note: I found if I need to use Vouchers , I must disable 'Reauthenticate connected users every minute'. Otherwise the client will have to input the code every minute)

I will go online this hotspot soon and give a feed here.

Great thanks for your help and the package~

valshare

Hi,

can´t update to latest package:

Checking for package installation... 
 Downloading http://e-sac.siteseguro.ws/packages/8/All/freeradius-2.1.12.tbz ...  could not download from there or http://ftp2.FreeBSD.org/pub/FreeBSD/ports/i386/packages-8.1-release/All/freeradius-2.1.12.tbz.
of freeradius-2.1.12 failed!

Regards, Valle

Nachtfalke

@valshare:

Hi,

can´t update to latest package:

Checking for package installation... 
 Downloading http://e-sac.siteseguro.ws/packages/8/All/freeradius-2.1.12.tbz ...  could not download from there or http://ftp2.FreeBSD.org/pub/FreeBSD/ports/i386/packages-8.1-release/All/freeradius-2.1.12.tbz.
of freeradius-2.1.12 failed!

Regards, Valle

I'll contact my administrator marcelloc that he should fix his server problem  :P

blasterreal

@valshare:

Hi,

can´t update to latest package:

Checking for package installation... 
 Downloading http://e-sac.siteseguro.ws/packages/8/All/freeradius-2.1.12.tbz ...  could not download from there or http://ftp2.FreeBSD.org/pub/FreeBSD/ports/i386/packages-8.1-release/All/freeradius-2.1.12.tbz.
of freeradius-2.1.12 failed!

Regards, Valle

The same problem goes for me…
I hope that improves as soon as possible

marcelloc

Sorry guys,

Just contacted my provider, they are fixing it right now.

valshare

working again. Thanx!

eri--

Why do you use your own site to host things marcelloc?

marcelloc

ermal,

Freeradius2 conflicts with current compiled version available on files.pfsense.org.

We are also testing many different package compilations until whe find a final solution to publish on files.pfsense.org.(asterisk, dansguardian, subversion,…)
Also there are some missing libs to get cyrus-sasl working to(You helped me diagnosing it on postfix thread).

But, if I can have a folder on files.pfsense.org I can publish these packages there ;D

pszafer

okay, I'm finally happier :)
I've got working freeradius + winbindd + ntlm_auth with Active Directory with MSCHAP v2

now I will remove from samba package as much as I can and then I would like to share my work with you.
I hope you will guide me if I should give you files or somehow make package etc.

foxale08

This may have already been answered but how would I change the cipher list to "HIGH" under TLS? I understand I can disable weaker ciphers but will this effectively set the cipher list to high?

Nachtfalke

@foxale08:

This may have already been answered but how would I change the cipher list to "HIGH" under TLS? I understand I can disable weaker ciphers but will this effectively set the cipher list to high?

Hi foxale08,

freeradius2 is a multitalent. It can handly nearly all authenticationtypes hosts sends. So if you do not disable weak encryption like MD5 and so on than the following will happen:

a client wants to authenticate using MD5 -> freeradius will do that
a client wants to authenticate using LEAP -> freeradius will do that
a client wants to authenticate with TLS or TTLS or PEAP or MSCHAPv2 or… -> freeradius will do that.

so freeradius will do what freeradius is able to do. thats why you don't have to change anything and freeradius will work.
but we know that MD5 encryption isn't really strong, LEAP has some weaknesses and that's why and administrator probably don't want that users can use these authentication types to connect to the network and someone who plays "Man in the middle" can get passwords easy.

So if you check "disable weak encryption" than this disables MD5, GTC and LEAP. This will happen:

a client wants to authenticate using MD5 -> freeradius will not do that because we disabled that
a client wants to authenticate using LEAP -> freeradius will not do that because we disabled that
a client wants to authenticate with TLS or TTLS or PEAP or MSCHAPv2 or… -> freeradius will do that.

In theory it would be possible to disable TTLS and PEAP and MSCHAPv2 and just only allow TLS but from my point of view this makes no sense.

Take a look at the documentation:
http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package#General_EAP_configuration

Nachtfalke

@zlyzwy:

@Nachtfalke

I double checked that the CP is now working with VM and host. :)

There is only one condition : use pass-through MAC in CP

If I tried the RADIUS MAC authentication (MAC as username;share secret as password), it will not work..

It's not a big trouble for me because I just wanna to add a few MACs to pass list, and I don't need to manage them with FreeRadius.

Furthermore I did some other basic testing, they all seems to be no problem.
I created the test user in FreeRadius, it's woking properly.
I created the Vouchers in CP and it will work, FreeRadius will also log it. Great.
(note: I found if I need to use Vouchers , I must disable 'Reauthenticate connected users every minute'. Otherwise the client will have to input the code every minute)

I will go online this hotspot soon and give a feed here.

Great thanks for your help and the package~

Hi,

I tested this at home and you are right.
When you enable RADIUS and vouchers then CP works correct when entering the voucher the first time. Then CP does NOT send the voucher to RADIUS because this would make no sense and lead to a disconnect because the "user" - which is the voucher code - is not present. But CP sends the voucher code when "reauthenticate users every minute" - and this will lead that freeradius sends a disconnection of this "user/voucher" to CP and CP disconnects the voucher.

I will open a request on redmine. We will see if the developers find time to fix that. But as a workaround we can just disable "reauthenticate users every minute" when vouchers will be used.

Thanks for your feedback :-)

valshare

Hi,

i have had a single freeradius server to authentificat to an ldap server on debian linux. All worked fine on the debian machine. Now i switched the single debian freeradius server to pfsense with voucher and radius support. Now i have the problem, that group support are didn´t work anymore. If i drop the Group Membership Option in LDAP settings, all works fine.

Can anyone send me a tip, how to get group membership support working?

My settings are as follow:

On Freeradius Server:

Ldap Module:

ldap {
        server = "192.168.1.11"
        identity = "cn=admin,dc=xxxx,dc=local"
        password = xxxx
        basedn = "dc=xxxx,dc=local"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        base_filter = "(objectclass=posixAccount)"
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        tls {
                start_tls = no
        }
        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no

         groupname_attribute = cn
         groupmembership_filter = (&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))
         groupmembership_attribute = Hotspot
}

log from ldap:

Jan 31 09:08:01 PDC slapd[17566]: conn=1184315 fd=33 ACCEPT from IP=192.168.1.80:65339 (IP=0.0.0.0:389)
Jan 31 09:08:01 PDC slapd[17566]: conn=1184315 op=0 BIND dn="" method=128
Jan 31 09:08:01 PDC slapd[17566]: conn=1184315 op=0 RESULT tag=97 err=0 text=
Jan 31 09:08:01 PDC slapd[17566]: conn=1184315 op=1 SRCH base="" scope=1 deref=0 filter="(uid=admin)"
Jan 31 09:08:01 PDC slapd[17566]: conn=1184315 op=1 SRCH attr=hotspot
Jan 31 09:08:01 PDC slapd[17566]: conn=1184315 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
Jan 31 09:08:01 PDC slapd[17566]: conn=1184315 op=2 UNBIND
Jan 31 09:08:01 PDC slapd[17566]: conn=1184315 fd=33 closed

On my ldap server the group is DN: cn=HotSpot,ou=Groups,dc=xxxx,dc=local

Thanx, Valle

Nachtfalke

@valshare:

I am not familar with LDAP and/or AD.

So if you ha a working freeradius configuration with ldap on your debian server then compare the ldap config file on debian with the ldap config file on pfsense
The files are located in ../raddb/modules/ldap

Freeradius2 package offers the possibility to show you the file from GUI. Go to FreeRADIUS -> View config -> ldap

Further check if you had enabled ldap only in authorize or in authorize and authenticate.
you will find this in your ../raddb/sites-available/default

Freeradius2 package offers the possibility to show you the file from GUI. Go to FreeRADIUS -> View config -> virtual-server-default

valshare

Hello,

i have a entry on my debian server in the file sites-available/default:

       Auth-Type LDAP {
                ldap
                if (LDAP-Group == "hotspot") {
                        noop
                }
                else {
                        reject
                }
        }

But i have no idea, how to do the entry on pfsense and that the entry is "correct" on my machine.

Can you help?

Nachtfalke

@valshare:

Hello,

i have a entry on my debian server in the file sites-available/default:

       Auth-Type LDAP {
                ldap
                if (LDAP-Group == "hotspot") {
                        noop
                }
                else {
                        reject
                }
        }

But i have no idea, how to do the entry on pfsense and that the entry is "correct" on my machine.

Can you help?

What you are using there is freeradius "unlang" - a script language. This is probably not possible to implement from GUI because you can use this on so many places in config files that I do not know how to handly this from GUI.

what you can do for testing:
old freeradius.inc line 1200:

$varmodulesldapenableauthenticate = "Auth-Type LDAP {" . "\n\t\t\tldap" . "\n\t\t\t$varmodulesldap2enableauthenticate" . "\n\t}";

new freeradius.inc line 1200:

$varmodulesldapenableauthenticate = "Auth-Type LDAP {" . "\n\t\t\tldap" . "\n\t\t\tif (LDAP-Group == " . '"hotspot") {' . "\n\t\t\t\tnoop" . "\n\t\t\t}" . "\n\t\t\telse {" . "\n\t\t\t\treject" . "\n\t\t\t}" . "\n\t\t\t$varmodulesldap2enableauthenticate" . "\n\t}";

Please show your both ../raddb/modules/ldap files (uncomment passwords)
Please show your both ../raddb/users (uncomment passwords) or just post the lines which begin with "DEFAULT"

Please post the parts of ../raddb/sites-available/default
authorize
authenticate