NEW Package: freeRADIUS 2.x
-
This may have already been answered but how would I change the cipher list to "HIGH" under TLS? I understand I can disable weaker ciphers but will this effectively set the cipher list to high?
-
This may have already been answered but how would I change the cipher list to "HIGH" under TLS? I understand I can disable weaker ciphers but will this effectively set the cipher list to high?
Hi foxale08,
freeradius2 is a multitalent. It can handly nearly all authenticationtypes hosts sends. So if you do not disable weak encryption like MD5 and so on than the following will happen:
a client wants to authenticate using MD5 -> freeradius will do that
a client wants to authenticate using LEAP -> freeradius will do that
a client wants to authenticate with TLS or TTLS or PEAP or MSCHAPv2 or… -> freeradius will do that.so freeradius will do what freeradius is able to do. thats why you don't have to change anything and freeradius will work.
but we know that MD5 encryption isn't really strong, LEAP has some weaknesses and that's why and administrator probably don't want that users can use these authentication types to connect to the network and someone who plays "Man in the middle" can get passwords easy.So if you check "disable weak encryption" than this disables MD5, GTC and LEAP. This will happen:
a client wants to authenticate using MD5 -> freeradius will not do that because we disabled that
a client wants to authenticate using LEAP -> freeradius will not do that because we disabled that
a client wants to authenticate with TLS or TTLS or PEAP or MSCHAPv2 or… -> freeradius will do that.In theory it would be possible to disable TTLS and PEAP and MSCHAPv2 and just only allow TLS but from my point of view this makes no sense.
Take a look at the documentation:
http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package#General_EAP_configuration -
I double checked that the CP is now working with VM and host. :)
There is only one condition : use pass-through MAC in CP
If I tried the RADIUS MAC authentication (MAC as username;share secret as password), it will not work..
It's not a big trouble for me because I just wanna to add a few MACs to pass list, and I don't need to manage them with FreeRadius.
Furthermore I did some other basic testing, they all seems to be no problem.
I created the test user in FreeRadius, it's woking properly.
I created the Vouchers in CP and it will work, FreeRadius will also log it. Great.
(note: I found if I need to use Vouchers , I must disable 'Reauthenticate connected users every minute'. Otherwise the client will have to input the code every minute)I will go online this hotspot soon and give a feed here.
Great thanks for your help and the package~
Hi,
I tested this at home and you are right.
When you enable RADIUS and vouchers then CP works correct when entering the voucher the first time. Then CP does NOT send the voucher to RADIUS because this would make no sense and lead to a disconnect because the "user" - which is the voucher code - is not present. But CP sends the voucher code when "reauthenticate users every minute" - and this will lead that freeradius sends a disconnection of this "user/voucher" to CP and CP disconnects the voucher.I will open a request on redmine. We will see if the developers find time to fix that. But as a workaround we can just disable "reauthenticate users every minute" when vouchers will be used.
Thanks for your feedback :-)
-
Hi,
i have had a single freeradius server to authentificat to an ldap server on debian linux. All worked fine on the debian machine. Now i switched the single debian freeradius server to pfsense with voucher and radius support. Now i have the problem, that group support are didn´t work anymore. If i drop the Group Membership Option in LDAP settings, all works fine.
Can anyone send me a tip, how to get group membership support working?
My settings are as follow:
On Freeradius Server:
Ldap Module:
ldap { server = "192.168.1.11" identity = "cn=admin,dc=xxxx,dc=local" password = xxxx basedn = "dc=xxxx,dc=local" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" base_filter = "(objectclass=posixAccount)" ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 tls { start_tls = no } dictionary_mapping = ${confdir}/ldap.attrmap edir_account_policy_check = no groupname_attribute = cn groupmembership_filter = (&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}})) groupmembership_attribute = Hotspot }log from ldap:
Jan 31 09:08:01 PDC slapd[17566]: conn=1184315 fd=33 ACCEPT from IP=192.168.1.80:65339 (IP=0.0.0.0:389) Jan 31 09:08:01 PDC slapd[17566]: conn=1184315 op=0 BIND dn="" method=128 Jan 31 09:08:01 PDC slapd[17566]: conn=1184315 op=0 RESULT tag=97 err=0 text= Jan 31 09:08:01 PDC slapd[17566]: conn=1184315 op=1 SRCH base="" scope=1 deref=0 filter="(uid=admin)" Jan 31 09:08:01 PDC slapd[17566]: conn=1184315 op=1 SRCH attr=hotspot Jan 31 09:08:01 PDC slapd[17566]: conn=1184315 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text= Jan 31 09:08:01 PDC slapd[17566]: conn=1184315 op=2 UNBIND Jan 31 09:08:01 PDC slapd[17566]: conn=1184315 fd=33 closedOn my ldap server the group is DN: cn=HotSpot,ou=Groups,dc=xxxx,dc=local
Thanx, Valle
-
I am not familar with LDAP and/or AD.
So if you ha a working freeradius configuration with ldap on your debian server then compare the ldap config file on debian with the ldap config file on pfsense
The files are located in ../raddb/modules/ldapFreeradius2 package offers the possibility to show you the file from GUI. Go to FreeRADIUS -> View config -> ldap
Further check if you had enabled ldap only in authorize or in authorize and authenticate.
you will find this in your ../raddb/sites-available/defaultFreeradius2 package offers the possibility to show you the file from GUI. Go to FreeRADIUS -> View config -> virtual-server-default
-
Hello,
i have a entry on my debian server in the file sites-available/default:
Auth-Type LDAP { ldap if (LDAP-Group == "hotspot") { noop } else { reject } }But i have no idea, how to do the entry on pfsense and that the entry is "correct" on my machine.
Can you help?
-
Hello,
i have a entry on my debian server in the file sites-available/default:
Auth-Type LDAP { ldap if (LDAP-Group == "hotspot") { noop } else { reject } }But i have no idea, how to do the entry on pfsense and that the entry is "correct" on my machine.
Can you help?
What you are using there is freeradius "unlang" - a script language. This is probably not possible to implement from GUI because you can use this on so many places in config files that I do not know how to handly this from GUI.
what you can do for testing:
old freeradius.inc line 1200:$varmodulesldapenableauthenticate = "Auth-Type LDAP {" . "\n\t\t\tldap" . "\n\t\t\t$varmodulesldap2enableauthenticate" . "\n\t}";new freeradius.inc line 1200:
$varmodulesldapenableauthenticate = "Auth-Type LDAP {" . "\n\t\t\tldap" . "\n\t\t\tif (LDAP-Group == " . '"hotspot") {' . "\n\t\t\t\tnoop" . "\n\t\t\t}" . "\n\t\t\telse {" . "\n\t\t\t\treject" . "\n\t\t\t}" . "\n\t\t\t$varmodulesldap2enableauthenticate" . "\n\t}";Please show your both ../raddb/modules/ldap files (uncomment passwords)
Please show your both ../raddb/users (uncomment passwords) or just post the lines which begin with "DEFAULT"Please post the parts of ../raddb/sites-available/default
authorize
authenticate -
Hi Nachtfalke,
inserted the new freeradius.inc line 1200. Restartet the freeradius but you tip didn´t work.
Here are the requested files:
Debian moduel/ldap
ldap { server = "192.168.1.11" identity = "cn=admin,dc=xxxxxx,dc=local" password = xxxxx basedn = "dc=xxxxxx,dc=local" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" base_filter = "(objectclass=posixAccount)" # nur posixAccount Nutzer (keine Windows-Machinen) ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 dictionary_mapping = ${confdir}/ldap.attrmap edir_account_policy_check = no groupname_attribute = cn groupmembership_filter = (&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}})) groupmembership_attribute = Hotspot }pfsense moduel/ldap
ldap { server = "192.168.1.11" identity = "cn=admin,dc=xxxxxx,dc=local" password = xxxxxx basedn = "dc=xxxxxx,dc=local" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" base_filter = "(objectclass=posixAccount)" ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 dictionary_mapping = ${confdir}/ldap.attrmap edir_account_policy_check = no groupname_attribute = cn groupmembership_filter = "(&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))" groupmembership_attribute = HotSpot compare_check_items = yes do_xlat = yes access_attr_used_for_allow = yes chase_referrals = yes rebind = yes keepalive { idle = 60 probes = 3 interval = 3 } }debian users
DEFAULT Group == "hotspot", Simultaneous-Use := 4 Fall-Through = 1 DEFAULT Simultaneous-Use := 1 Fall-Through = 1 DEFAULT Framed-Protocol == PPP Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP DEFAULT Hint == "CSLIP" Framed-Protocol = SLIP, Framed-Compression = Van-Jacobson-TCP-IP DEFAULT Hint == "SLIP" Framed-Protocol = SLIPpfsense users
no entry with "DEFAULT" on pfsense. Think, this is the problem?
./raddb/sites-available/defaults
Debian freeradius
authorize { preprocess chap mschap digest suffix eap { ok = return } ldap expiration logintime pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } digest unix Auth-Type LDAP { ldap if (LDAP-Group == "hotspot") { noop } else { reject } } eap }pfsense freeradius
authorize { preprocess chap mschap digest suffix ntdomain eap { ok = return } files redundant { ldap } daily weekly monthly forever maxdailyupload maxdailydownload maxweeklyupload maxweeklydownload maxmonthlyupload maxmonthlydownload maxupload maxdownload checkval expiration logintime pap Autz-Type Status-Server { } } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } digest unix Auth-Type LDAP { ldap } eap } -
Hi,
you are right. The users file contain the "DEFAULT" entry which matches all users and sets Group LDAP.
Please copy your existing debian users file to pfsense ../raddb/users file. Then restart the server and try again.We can enter this later from GUI but I need to make some changes when I am at home to allow that. That shouldn't be too hard.
Did you cut some enties in users file ? or are these entries the only ones ?And I do not really understand what the "unlang" block in authentication means or what this should realize.
Did you code this block or did you just copy it from another tutorial ?And perhaps you can explain a little bit more in detail what you want to realize with this group, if all users should be authenticated by RADIUS+LDAP or some from users file and so on.
I am still leaning the complexity of freeradius and perhaps we will find a solution together :) LEan something new every day :D -
Hi again,
to create the USERS file like you posted above you can do the following - I suppose that there are no other entries in the users file:
-
FreeRADIUS => Users => Add a user (+)
-
Set any username and set any password (because this are requiered fields) and the scroll down to "Additional RADIUS Attributes on the TOP of this entry" and paste the following code. Take attention: If you miss whitespaces or something the syntax will be incorrect and radiusd will not start.
DEFAULT Group == "hotspot", Simultaneous-Use := 4| Fall-Through = 1|DEFAULT Simultaneous-Use := 1| Fall-Through = 1|DEFAULT Framed-Protocol == PPP| Framed-Protocol = PPP,| Framed-Compression = Van-Jacobson-TCP-IP|DEFAULT Hint == "CSLIP"| Framed-Protocol = SLIP,| Framed-Compression = Van-Jacobson-TCP-IP|DEFAULT Hint == "SLIP"| Framed-Protocol = SLIPThat's it for users file.
please take attention: in users file "hotspot" is all small letters, your old ldap config has a capital letter at first, your new has two capital letters. don't know if this is case sensitive or not.
The following is not present in your old config so you should probably set this in the GUI to "no". But test with both/mixed.
-
Compare Check Items
-
Do XLAT
-
Access Attribute Used For Allow
the last thing is:
please replace the line 1200 in freeradius.inc like I posted before - the click "save" on FreeRADIUS => LDAP again to write the changes to the ldap file.Now we should have your config like it was on your old debian server - hopefully it will work. :-)
Then we only have to find a way around your "unlang" part and solve this with users file - if possible.
-
-
Hi Nachtfalke,
thanx for your support. Can check it tommorow. Now i am at home an can´t check it.
Gruß, Valle ;-)
-
Update pkg v1.5.9:
- Added: The fields "username/password" or "mac address" are no requiered fields anymore. This allows us to make an entry in users/mac file with custom options like "DEFAULT Group == ldap" without username/password. Further this allows us to make en complete empty entry in GUI as a placeholer. Nothing will be put into users/mac file so we are able to put there something else later. Users/mac file has the disadvantage that it will be processed from top to down and a re-arrangement of the entries with drag&drop isn't able from GUI.
@valshare
You should update to latest version - this changes were made just for you ;-)
But now you must not change line 1200 but line 1212 in freeradius.inc :P -
Hi Nachtfalke,
will test it firstly tomorrow and send back feedback as soon as possible.
Thanx!
Valle
-
Hi Nachtfalke,
will test it firstly tomorrow and send back feedback as soon as possible.
Thanx!
Valle
I know, I know. Don't stress :D :D
-
Hi Nachtfalke,
i have testet the new package but withouth success.
First i found out that the users settings are not needed.
But there is anything missing in the settings on pfsense but i don´t know whats missing.
Regards, Valle
-
now it works!!!
i have copied my site-avaible/default to the pfsense server and restartet freeradius.
the problem is, that the entry
Auth-Type LDAP { ldap if (LDAP-Group == "hotspot") { noop } else { reject } }is missing in the default file. If have made the change in freeradius.inc on line 1212 and pushed on "save" in the ldap settings and restartet the server.
-
(…)
is missing in the default file. If have made the change in freeradius.inc on line 1212 and pushed on "save" in the ldap settings and restartet the server.So after you made the changes on line 1212 the above entry is there, correct ?
And without the changes on this line 1212 you cannot authenticate a user ?
Can you post the complete output of radiusd -X when authenticationg with and without the freeradius.inc changes ?
delete passwords. Perhaps we can find another way to work around this entry just from GUI. -
(…)
is missing in the default file. If have made the change in freeradius.inc on line 1212 and pushed on "save" in the ldap settings and restartet the server.So after you made the changes on line 1212 the above entry is there, correct ?
no, there are no changes in the default file.
-
Use the attached file (freeradius.inc), copy it to /usr/local/pkg and then got to
FreeRADIUS => LDAP => SaveCheck before in FreeRADIUS => View config => virtual-server-default
PS: Did it work with the "DEFAULT" entries from webGUI in FreeRADIUS => Users ?
Thanks
-
Hi,
i have copied your file in the right place and set the rights to 755.
Go to Services => LDAP => pushed the save buttonView the config => virtual-server-default
but it changed nothing :(
checked it with the console:
[2.0.1-RELEASE][root@pfsense.xxx.local]/usr/local/pkg(220): cat freeradius.inc | grep hot $varmodulesldapenableauthenticate = "Auth-Type LDAP {" . "\n\t\t\tldap" . "\n\t\t\tif (LDAP-Group == " . '"hotspot") {' . "\n\t\t\t\tnoop" . "\n\t\t\t}" . "\n\t\t\telse {" . "\n\t\t\t\treject" . "\n\t\t\t}" . "\n\t\t\t$varmodulesldap2enableauthenticate" . "\n\t}"; [2.0.1-RELEASE][root@pfsense.xxx.local]/usr/local/pkg(221): cat /usr/local/etc/raddb/sites-available/default | grep hot [2.0.1-RELEASE][root@pfsense.xxx.local]/usr/local/pkg(222):sorry, but what can i do wrong?