NEW Package: freeRADIUS 2.x

Nachtfalke

Hello,

i have a entry on my debian server in the file sites-available/default:
       Auth-Type LDAP {
                ldap
                if (LDAP-Group == "hotspot") {
                        noop
                }
                else {
                        reject
                }
        }
But i have no idea, how to do the entry on pfsense and that the entry is "correct" on my machine.

Can you help?

What you are using there is freeradius "unlang" - a script language. This is probably not possible to implement from GUI because you can use this on so many places in config files that I do not know how to handly this from GUI.

what you can do for testing:
old freeradius.inc line 1200:

$varmodulesldapenableauthenticate = "Auth-Type LDAP {" . "\n\t\t\tldap" . "\n\t\t\t$varmodulesldap2enableauthenticate" . "\n\t}";

new freeradius.inc line 1200:

$varmodulesldapenableauthenticate = "Auth-Type LDAP {" . "\n\t\t\tldap" . "\n\t\t\tif (LDAP-Group == " . '"hotspot") {' . "\n\t\t\t\tnoop" . "\n\t\t\t}" . "\n\t\t\telse {" . "\n\t\t\t\treject" . "\n\t\t\t}" . "\n\t\t\t$varmodulesldap2enableauthenticate" . "\n\t}";

Please show your both ../raddb/modules/ldap files (uncomment passwords)
Please show your both ../raddb/users (uncomment passwords) or just post the lines which begin with "DEFAULT"

Please post the parts of ../raddb/sites-available/default
authorize
authenticate

valshare

Hi Nachtfalke,

inserted the new freeradius.inc line 1200. Restartet the freeradius but you tip didn´t work.

Here are the requested files:

Debian moduel/ldap


ldap {
        server = "192.168.1.11"
        identity = "cn=admin,dc=xxxxxx,dc=local"
        password = xxxxx
        basedn = "dc=xxxxxx,dc=local"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        base_filter = "(objectclass=posixAccount)" # nur posixAccount Nutzer (keine Windows-Machinen)
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no

         groupname_attribute = cn
         groupmembership_filter = (&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))
         groupmembership_attribute = Hotspot

}

pfsense moduel/ldap


ldap {
	server = "192.168.1.11"
	identity = "cn=admin,dc=xxxxxx,dc=local"
	password = xxxxxx
	basedn = "dc=xxxxxx,dc=local"
	filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	base_filter = "(objectclass=posixAccount)"
	ldap_connections_number = 5
	timeout = 4
	timelimit = 3
	net_timeout = 1
	dictionary_mapping = ${confdir}/ldap.attrmap
	edir_account_policy_check = no

	groupname_attribute = cn
	groupmembership_filter = "(&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))"
	groupmembership_attribute = HotSpot

	compare_check_items = yes
	do_xlat = yes
	access_attr_used_for_allow = yes
	chase_referrals = yes
	rebind = yes
	keepalive {
		idle = 60
		probes = 3
		interval = 3
	}
}

debian users


DEFAULT Group == "hotspot", Simultaneous-Use := 4
          Fall-Through = 1
DEFAULT Simultaneous-Use := 1
          Fall-Through = 1

DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "CSLIP"
        Framed-Protocol = SLIP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "SLIP"
        Framed-Protocol = SLIP

pfsense users

no entry with "DEFAULT" on pfsense. Think, this is the problem?

./raddb/sites-available/defaults

Debian freeradius


authorize {
        preprocess
        chap
        mschap
        digest
        suffix
        eap {
                ok = return
        }
        ldap
        expiration
        logintime
        pap
}
authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        digest
        unix
        Auth-Type LDAP {
                ldap
                if (LDAP-Group == "hotspot") {
                        noop
                }
                else {

                        reject

                }
        }
        eap
}

pfsense freeradius


authorize {
	preprocess
	chap
	mschap
	digest
	suffix
	ntdomain
	eap {
		ok = return
	}
	files
	redundant {
		ldap
	}

	daily
	weekly
	monthly
	forever
	maxdailyupload
	maxdailydownload
	maxweeklyupload
	maxweeklydownload
	maxmonthlyupload
	maxmonthlydownload
	maxupload
	maxdownload
	checkval
	expiration
	logintime
	pap
	Autz-Type Status-Server {

	}
}

authenticate {
	Auth-Type PAP {
		pap
	}

	Auth-Type CHAP {
		chap
	}

	Auth-Type MS-CHAP {
		mschap
	}

	digest
	unix
	Auth-Type LDAP {
			ldap
	}

	eap
}

Nachtfalke

Hi,

you are right. The users file contain the "DEFAULT" entry which matches all users and sets Group LDAP.
Please copy your existing debian users file to pfsense ../raddb/users file. Then restart the server and try again.

We can enter this later from GUI but I need to make some changes when I am at home to allow that. That shouldn't be too hard.
Did you cut some enties in users file ? or are these entries the only ones ?

And I do not really understand what the "unlang" block in authentication means or what this should realize.
Did you code this block or did you just copy it from another tutorial ?

And perhaps you can explain a little bit more in detail what you want to realize with this group, if all users should be authenticated by RADIUS+LDAP or some from users file and so on.
I am still leaning the complexity of freeradius and perhaps we will find a solution together :) LEan something new every day :D

Nachtfalke

Hi again,

to create the USERS file like you posted above you can do the following - I suppose that there are no other entries in the users file:

FreeRADIUS => Users => Add a user (+)
Set any username and set any password (because this are requiered fields) and the scroll down to "Additional RADIUS Attributes on the TOP of this entry" and paste the following code. Take attention: If you miss whitespaces or something the syntax will be incorrect and radiusd will not start.

DEFAULT Group == "hotspot", Simultaneous-Use := 4| Fall-Through = 1|DEFAULT Simultaneous-Use := 1| Fall-Through = 1|DEFAULT Framed-Protocol == PPP| Framed-Protocol = PPP,| Framed-Compression = Van-Jacobson-TCP-IP|DEFAULT Hint == "CSLIP"| Framed-Protocol = SLIP,| Framed-Compression = Van-Jacobson-TCP-IP|DEFAULT Hint == "SLIP"| Framed-Protocol = SLIP

That's it for users file.

please take attention: in users file "hotspot" is all small letters, your old ldap config has a capital letter at first, your new has two capital letters. don't know if this is case sensitive or not.

The following is not present in your old config so you should probably set this in the GUI to "no". But test with both/mixed.

Compare Check Items
Do XLAT
Access Attribute Used For Allow

the last thing is:
please replace the line 1200 in freeradius.inc like I posted before - the click "save" on FreeRADIUS => LDAP again to write the changes to the ldap file.

Now we should have your config like it was on your old debian server - hopefully it will work. :-)

Then we only have to find a way around your "unlang" part and solve this with users file - if possible.

valshare

Hi Nachtfalke,

thanx for your support. Can check it tommorow. Now i am at home an can´t check it.

Gruß, Valle ;-)

Nachtfalke

Update pkg v1.5.9:

Added: The fields "username/password" or "mac address" are no requiered fields anymore. This allows us to make an entry in users/mac file with custom options like "DEFAULT Group == ldap" without username/password. Further this allows us to make en complete empty entry in GUI as a placeholer. Nothing will be put into users/mac file so we are able to put there something else later. Users/mac file has the disadvantage that it will be processed from top to down and a re-arrangement of the entries with drag&drop isn't able from GUI.

@valshare
You should update to latest version - this changes were made just for you ;-)
But now you must not change line 1200 but line 1212 in freeradius.inc :P

valshare

Hi Nachtfalke,

will test it firstly tomorrow and send back feedback as soon as possible.

Thanx!

Valle

Nachtfalke

@valshare:

Hi Nachtfalke,

will test it firstly tomorrow and send back feedback as soon as possible.

Thanx!

Valle

I know, I know. Don't stress :D :D

valshare

Hi Nachtfalke,

i have testet the new package but withouth success.

First i found out that the users settings are not needed.

But there is anything missing in the settings on pfsense but i don´t know whats missing.

Regards, Valle

valshare

now it works!!!

i have copied my site-avaible/default to the pfsense server and restartet freeradius.

the problem is, that the entry


        Auth-Type LDAP {
                ldap
                if (LDAP-Group == "hotspot") {
                        noop
                }
                else {

                        reject

                }
        }

is missing in the default file. If have made the change in freeradius.inc on line 1212 and pushed on "save" in the ldap settings and restartet the server.

Nachtfalke

@valshare:

(…)
is missing in the default file. If have made the change in freeradius.inc on line 1212 and pushed on "save" in the ldap settings and restartet the server.

So after you made the changes on line 1212 the above entry is there, correct ?

And without the changes on this line 1212 you cannot authenticate a user ?

Can you post the complete output of radiusd -X when authenticationg with and without the freeradius.inc changes ?
delete passwords. Perhaps we can find another way to work around this entry just from GUI.

valshare

@Nachtfalke:

@valshare:

(…)
is missing in the default file. If have made the change in freeradius.inc on line 1212 and pushed on "save" in the ldap settings and restartet the server.

So after you made the changes on line 1212 the above entry is there, correct ?

no, there are no changes in the default file.

Nachtfalke

Use the attached file (freeradius.inc), copy it to /usr/local/pkg and then got to
FreeRADIUS => LDAP => Save

Check before in FreeRADIUS => View config => virtual-server-default

PS: Did it work with the "DEFAULT" entries from webGUI in FreeRADIUS => Users ?

Thanks

freeradius.inc.txt

valshare

Hi,

i have copied your file in the right place and set the rights to 755.
Go to Services => LDAP => pushed the save button

View the config => virtual-server-default

but it changed nothing :(

checked it with the console:


[2.0.1-RELEASE][root@pfsense.xxx.local]/usr/local/pkg(220): cat freeradius.inc | grep hot
        $varmodulesldapenableauthenticate = "Auth-Type LDAP {" . "\n\t\t\tldap" . "\n\t\t\tif (LDAP-Group == " . '"hotspot") {' . "\n\t\t\t\tnoop" . "\n\t\t\t}" . "\n\t\t\telse {" . "\n\t\t\t\treject" . "\n\t\t\t}" . "\n\t\t\t$varmodulesldap2enableauthenticate" . "\n\t}";
[2.0.1-RELEASE][root@pfsense.xxx.local]/usr/local/pkg(221): cat /usr/local/etc/raddb/sites-available/default | grep hot
[2.0.1-RELEASE][root@pfsense.xxx.local]/usr/local/pkg(222):

sorry, but what can i do wrong?

Nachtfalke

@valshare:

Hi,

i have copied your file in the right place and set the rights to 755.
Go to Services => LDAP => pushed the save button

View the config => virtual-server-default

but it changed nothing :(

checked it with the console:
[2.0.1-RELEASE][root@pfsense.xxx.local]/usr/local/pkg(220): cat freeradius.inc | grep hot
        $varmodulesldapenableauthenticate = "Auth-Type LDAP {" . "\n\t\t\tldap" . "\n\t\t\tif (LDAP-Group == " . '"hotspot") {' . "\n\t\t\t\tnoop" . "\n\t\t\t}" . "\n\t\t\telse {" . "\n\t\t\t\treject" . "\n\t\t\t}" . "\n\t\t\t$varmodulesldap2enableauthenticate" . "\n\t}";
[2.0.1-RELEASE][root@pfsense.xxx.local]/usr/local/pkg(221): cat /usr/local/etc/raddb/sites-available/default | grep hot
[2.0.1-RELEASE][root@pfsense.xxx.local]/usr/local/pkg(222):
sorry, but what can i do wrong?

did you rename it from freeradius.inc.txt to freeradius.inc ?
For me it is working.

Auth-Type LDAP {
			ldap
			if (LDAP-Group == "hotspot") {
				noop
			}
			else {
				reject
			}
			#ldap2
	}

valshare

yes, i have rename the freeradius.inc.txt file to freeradius.inc as you can see in the code.
grep found the change you have made. I will try it again later.

strange ??? But big thnx for your support.

etudiant_22

Bonjour,

je fais pars de mon problème dans ce forum en espérant que quelqu'un puisse m'aider.

J'ai donc installé et configuré pfsense et plus précisément le portail captif pour que lorsque que des clients wifi de mon réseau veulent se conecter, il leur faut insérer leur login et mot de passe.

Avec les compte sur la base local tout marche bien.

Maintenant je voudrai mettre en place freeradius (le package de pfsense), et c'est la que je bloque.

Je créer un utilisateur dans la base local de radius pour tester.
J'active l'authentification radius dans le service portail captif et la quand j
Je lance mon navigateur web
je rentre le login et mot de passe et la j'ai ce message :

No valid RADIUS responses received

Merci d'avance

marcelloc

etudiant_22,

I know you love your mother language but please translate your question to english or post it on french forum.

Cordialement,

Marcello Coutinho

Nachtfalke

@etudiant_22:

Bonjour,

je fais pars de mon problème dans ce forum en espérant que quelqu'un puisse m'aider.

J'ai donc installé et configuré pfsense et plus précisément le portail captif pour que lorsque que des clients wifi de mon réseau veulent se conecter, il leur faut insérer leur login et mot de passe.

Avec les compte sur la base local tout marche bien.

Maintenant je voudrai mettre en place freeradius (le package de pfsense), et c'est la que je bloque.

Je créer un utilisateur dans la base local de radius pour tester.

J'active l'authentification radius dans le service portail captif et la quand j

Je lance mon navigateur web

je rentre le login et mot de passe et la j'ai ce message :

No valid RADIUS responses received

Merci d'avance

That's google translated - cool ;o)

"salut
jetez un oeil à la documentation du paquet
http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package"

Nachtfalke

Updates pkg v1.6.0:

Added: Ability to set individual redirection URL after login per user/mac

Known bugs:

When using "stop/start accounting on CP then "Amount of Time" isn't working correctly.
http://redmine.pfsense.org/issues/2164
When using CP + RADIUS + Vouchers and "reauthenticate every minute" is enabled then CP sends the voucher as username to RADIUS. This causes RADIUS to disconnect the "user/voucher" because of an unknown/wrong "username".
http://redmine.pfsense.org/issues/2155
When stop/start accounting on CP is enabled than the syslog shows many "wrong order" or "Login found bot no logout detected". This seems to not affect the usage of RADIUS but it is not 100% correct.
http://redmine.pfsense.org/issues/2143