NEW Package: freeRADIUS 2.x

Nachtfalke

@shell:

Here is the output:

http://paste.pcspinnt.de/pastebin.php?show=m72943fe0

May be it's a bug. I'm using the newest freeradius2 package (Beta 1.1.8 pkg v1.0.5 platform: 2.0)

You mixed up things. there are two different freeradius packages.
freeradius and freeradius2. They are both not compatible. Which version do you use and which version do you want to use ?

This is the thread for freeradius2 package.

shell

Sorry, wrong paste. Now the right one:

RC1
2.1.12_1 pkg v1.6.6_4
platform: 2.0

Nachtfalke

Ok, no problem.

In checked your radiusd -X output and could not found a problem.

I checked the installed packages on my system with

pkg_info

and I found

gdbm-1.9.1

Make sure that you have this on your pfsense - I am not absolutly sure but I think this comes with pfsense by default.

You can try to add it with:
amd64

pkg_add -r http://files.pfsense.org/packages/amd64/8/All/gdbm-1.9.1.tbz

i386:

pkg_add -r http://files.pfsense.org/packages/8/All/gdbm-1.9.1.tbz

shell

Ui, i've an older version:

gdbm-1.8.3_3        The GNU database manager

Will install the new one. May be this works.

EDIT:

pkg_delete gdbm-1.8.3_3

pkg_delete: file '/usr/local/man/man3/gdbm.3.gz' doesn't exist
pkg_delete: file '/usr/local/include/gdbm.h' doesn't exist
pkg_delete: file '/usr/local/lib/libgdbm.a' doesn't exist
pkg_delete: file '/usr/local/lib/libgdbm.la' doesn't exist
pkg_delete: file '/usr/local/lib/libgdbm.so' doesn't exist
pkg_delete: file '/usr/local/info/gdbm.info' doesn't exist
pkg_delete: couldn't entirely delete package (perhaps the packing list is
incorrectly specified?)

EDIT2:

@#$!  >:(

Same error:

gdbm fatal: read error

Nachtfalke

Don't know why.

Can you reinstall pfsense - backup the config before you do that.

shell

No, can't do that. It's big machine with several interfaces and many active VPN connections. No further idea?

EDIT:

Ok, i think i found a bug. Did a few test and commented out some lines. Now, i can start the radiusd.

Here is what i commented out.

@radiusd.conf:

…
instantiate {

exec
       expr
       #daily
       #weekly
       #monthly
       #forever
       expiration
       logintime
       ### Dis-/Enable sql instatiate
       #sql
}
…

@sites-available/default:

…
      #  The ldap module will set Auth-Type to LDAP if it has not
       #  already been set

### ldap ###

#
       #  Enforce daily limits on time spent logged in.
      #daily
       #weekly
       #monthly
       #forever

#
       # Use the checkval module
…
accounting {
       #  
       #  Create a 'detail'ed log of the packets.
       #  Note that accounting requests which are proxied
       #  are also logged in the detail file.
       detail
       #daily
       #weekly
       #monthly
       #forever
…

Further informations will follow.

EDIT2:

Ok, looks like a big bug. Copied my old configuration and commented out this lines. Now everything works. Can anybody explain me these settings?

shell

I've written to patches for these files:

--- /usr/local/etc/raddb/sites-available/default        2012-12-12 07:50:48.000000000 +0100
+++ default     2012-12-12 07:39:34.000000000 +0100
@@ -197,10 +197,10 @@

        #
        #  Enforce daily limits on time spent logged in.[color][/color]
-       daily
-       weekly
-       monthly
-       forever
+       #daily
+       #weekly
+       #monthly
+       #forever

        #
        # Use the checkval module
@@ -400,10 +400,10 @@
        #  Note that accounting requests which are proxied
        #  are also logged in the detail file.
        detail
-       daily
-       weekly
-       monthly
-       forever
+       #daily
+       #weekly
+       #monthly
+       #forever

        ### This makes it possible to run the datacounter_acct module only on accounting-stop and interim-updates
        if ((request:Acct-Status-Type == Stop) || (request:Acct-Status-Type == Interim-Update)) {

--- /usr/local/etc/raddb/radiusd.conf   2012-12-12 07:49:27.000000000 +0100
+++ radiusd.conf        2012-12-12 07:38:03.000000000 +0100
@@ -87,10 +87,10 @@

        exec
        expr
-       daily
-       weekly
-       monthly
-       forever
+       #daily
+       #weekly
+       #monthly
+       #forever
        expiration
        logintime
        ### Dis-/Enable sql instatiate

These two patches are applied via crontab every night. I know this is just a workaround.

Nachtfalke

It's not a bug. You have a missing config file on your system.
You should have a file called "counter" here:

usr/local/etc/raddb/modules/

This is for granting time based access.
The function on freeradius.inc is called:

freeradius_modulescounter_resync()

You will find it on line 2611.

And the initial configuration on line 112 and the following.

shell

Ah ok, i remember this file. But it's there:

-rw-r-----  1 root  wheel   3.6K Dec  7 13:27 /usr/local/etc/raddb/modules/counter

Here it is: http://paste.pcspinnt.de/pastebin.php?show=m64f35679

Nachtfalke

@shell:

Ah ok, i remember this file. But it's there:

-rw-r-----  1 root  wheel   3.6K Dec  7 13:27 /usr/local/etc/raddb/modules/counter

Here it is: http://paste.pcspinnt.de/pastebin.php?show=m64f35679

Ok, then the problem isn't freeradius but some missing files on your pfsense. missing packages like gdbm or something else.
That's why I said - backup the pfsense config, reinstall pfsense and restore config. this will reinstall all packages and restore all config.

If this isn't the way you want to go - then you can modify the freeradius.inc file and uncomment the lines you posted.
Uncomment them on line 349 and 1596. Then you do not need any cron script.

bdani

Hi there!

Has anyone ever tried to set MikroTik RADIUS authentication?
I want to auth my AP-s from PF freeradius2.

With freeradius is working, but I cannot set bandwith limits…  :(
With freeradius2 isn't communicating...  :(

any ideas?  :)

Thanks in advance...  :(

Nachtfalke

@bdani:

Hi there!

Has anyone ever tried to set MikroTik RADIUS authentication?
I want to auth my AP-s from PF freeradius2.

With freeradius is working, but I cannot set bandwith limits…  :(
With freeradius2 isn't communicating...  :(

any ideas?  :)

Thanks in advance...  :(

Select an interface for authentication or set "*" for any interface.
on "client/NAS" set the IP address of the mikrotik AP and the correct password.
On Mikrotik set as RADIUS IP the IP of the listening interface and the correct/same password as on "Clients/NAS".

Enable logging on freeradius2 to see what is happening on syslog.

bdani

@Nachtfalke:

@bdani:

Hi there!

Has anyone ever tried to set MikroTik RADIUS authentication?
I want to auth my AP-s from PF freeradius2.

With freeradius is working, but I cannot set bandwith limits…  :(
With freeradius2 isn't communicating...  :(

any ideas?  :)

Thanks in advance...  :(

Select an interface for authentication or set "*" for any interface.
on "client/NAS" set the IP address of the mikrotik AP and the correct password.
On Mikrotik set as RADIUS IP the IP of the listening interface and the correct/same password as on "Clients/NAS".

Enable logging on freeradius2 to see what is happening on syslog.

hmmm…

Status: Services
radiusd FreeRADIUS Server Stopped

But I do not know why....  ???

I've checkd the log (all of /var/log) but nothing find why...

MikroTik log say:
timeot...

Now I know why :-)

Where can I see why can't start service?

Nachtfalke

@bdani:

(…)
Where can I see why can't start service?

Go to pfsense console and run freeradius in debug mode. You can do this with that command:

radiusd -X

The output will tell you what is missing/going wrong. If you have questions then please post the complete output you got.

WinstonSmith

@myke:

@Nachtfalke:

In general you should create your CA ander server cert on pfsene Cert Manager.
then select these two certificates on freeradius -> EAP and save.

Client certificates can be build on pfsense Cert Manager and export the .p12 file. This should work and the .p12 file should be without any password. can you try with an empty password ? But this is more a "pfsense" problem than a freeradius problem.

I am not sure but if I remember correct there was another thread here in the forum which is about the .p12 file and a password. Perhaps the search function can help you.

Thanks for the answer.

My Certificate Authority and certificate was created in pfsense Cert manager. I just created .pfx with openssl.
In first time i try with an empty password and second time with a password "pfsense" but exactly the same result.

I use pfsense 2.0.1 AMD release.

Myke.

Did anyone get this working? I came across this relatively fresh posting because I ran into the same problem (didn't I? Maybe someone spots a difference below)

_I created a root-CA and a CA in pfSense cert-manager and created a server-cert and client-cert for EAP-TLS only. In Services->FreeRadius->EAP->CERTIFICATES FOR TLS I choose the CA, server-cert and client-cert. I checked "Create client.p12 for export" and saved.

When I download the .p12 file from /usr/local/etc/raddb/certs/client_cert.p12 or using the cert-manager I get asked for a password when trying to install them on OSX or iOS …_

Thanks a lot!!
Sascha

Nachtfalke

By default the certificates created by freeradius are protected with an "input/ouput" password from reading the certificate. The certificates created by the firewall's built-in Cert Manager are not protected so you must leave this field empty. (Default: whatever)

In general you should leave this password field on freeradius –> EAP empty. If it is the default one it is whatever

If the password field was empty then the password on this .p12 file is not freeradius related but pfsense cert manager related.

http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package#EAP-TLS

WinstonSmith

This is exactly what I thought. That is why I am so surprised that it does not seem to work…
I left the password in EAP empty, but the .p12 ist protected.

I also tried "whatever" but it didn't work. I tried all other passwords I used in this context, but also not the correct ones.

Is it possible to create the client .p12 on the Shell (not meaning the FreeRADIUS script)? Isn't it "simply" a cert created from my CA - in a special format? I am not that deep into this topic :-/

BTW: Initially I thought every User would identify himself using a personal cert. Is this a wrong assumption or just not implemented in the FreeRADIUS packages GUI? ... Or did I only miss it there?

Kind regards,
Sascha

WinstonSmith

Okay.
I've tried several hours and could not get a usable .p12 from the GUI. By usable I mean, a .p12 with a password that I know. I tried "whatever" and every other password I used (just 5 in total).

Then I tried a different approach, which is not what I initially wanted, but I can live with it. I downloaded the CA.crt (not the key!) and the .crt, .key of the client-certificate from pfSense's cert-manager (the one I tried to export as .p12 before). In bash I converted them into the .p12 format:

$ openssl pkcs12 -export -out client_cert_user1.p12 -inkey client_cert_user1.key -in client_cert_user1.crt -certfile myCA.crt

It asked for a password and created the .p12-cert. I could import it in OSX and iOS and authentication using the .p12-cert worked.

Now I found out, that I can login (at least from my iPhone) if I enter the username that the client-cert has as CN (I checked "Check Client Certificate CN" in the EAP settings). But the user does not have to exist …. I have an empty user-table in FreeRADIUS (file is really empty, too) and login works, as long as I enter the same username that the certificate's CN is... strange thing. The GUI says about "Check Client Certificate CN":

If this is enabled then the common name of the client certificate must match the username you set in FreeRADIUS => Users. (Default: unchecked)

I thought that the client-cert would be useless, if the user is not existing in FreeRADIUS. Am I missing something? Or misunderstanding? Or is the username irrelevant if I have the client-cert installed?

Maybe I'll find out soon, maybe not :-) I'll keep trying!

Kind regards,
Sascha

Nachtfalke

@WinstonSmith:

Okay.
I've tried several hours and could not get a usable .p12 from the GUI. By usable I mean, a .p12 with a password that I know. I tried "whatever" and every other password I used (just 5 in total).

Then I tried a different approach, which is not what I initially wanted, but I can live with it. I downloaded the CA.crt (not the key!) and the .crt, .key of the client-certificate from pfSense's cert-manager (the one I tried to export as .p12 before). In bash I converted them into the .p12 format:

$ openssl pkcs12 -export -out client_cert_user1.p12 -inkey client_cert_user1.key -in client_cert_user1.crt -certfile myCA.crt

It asked for a password and created the .p12-cert. I could import it in OSX and iOS and authentication using the .p12-cert worked.

I found the conde which generates the .p12 file:
https://github.com/bsdperimeter/pfsense/blob/master/usr/local/www/system_certmanager.php

if ($act == "p12") {
if (!$a_cert[$id]) {
pfSenseHeader("system_certmanager.php");
exit;
}

$exp_name = urlencode("{$a_cert[$id]['descr']}.p12");

$res_crt = openssl_x509_read(base64_decode($a_cert[$id]['crt']));
$res_key = openssl_pkey_get_private(array(0 => base64_decode($a_cert[$id]['prv']) , 1 => ""));

$exp_data = "";
openssl_pkcs12_export($res_crt, $exp_data, $res_key, null);
$exp_size = strlen($exp_data);

header("Content-Type: application/octet-stream");
header("Content-Disposition: attachment; filename={$exp_name}");
header("Content-Length: $exp_size");
echo $exp_data;
exit;
}

And this php command should create the file:

openssl_pkcs12_export($res_crt, $exp_data, $res_key, null);

A look at the manual shpws this:
http://php.net/manual/de/function.openssl-pkcs12-export.php

I do not see anything what could be wrong. Perhaps replace "null" with something else or try this as password.

@WinstonSmith:

Now I found out, that I can login (at least from my iPhone) if I enter the username that the client-cert has as CN (I checked "Check Client Certificate CN" in the EAP settings). But the user does not have to exist …. I have an empty user-table in FreeRADIUS (file is really empty, too) and login works, as long as I enter the same username that the certificate's CN is... strange thing. The GUI says about "Check Client Certificate CN":

If this is enabled then the common name of the client certificate must match the username you set in FreeRADIUS => Users. (Default: unchecked)

I thought that the client-cert would be useless, if the user is not existing in FreeRADIUS. Am I missing something? Or misunderstanding? Or is the username irrelevant if I have the client-cert installed?

Maybe I'll find out soon, maybe not :-) I'll keep trying!

Kind regards,
Sascha

I found this on the net:

No, the only thing that check_cert_cn does is make sure that the CN in
the certificate matches the User-Name attribute in the RADIUS request.
It's basically just a sanity/security check on the request itself.  It
does not go looking on other autz sources for you.  It is up to you to
decide elsewhere (users file, SQL DB, LDAP) whether or not to allow that
user to authenticate.  If you do nothing, the user will be allowed to
authenticate by default.  If, for some reason, you decide you don't want
a user to be allowed to authenticate, you must specifically reject him.

And here is the original eap.conf:
http://wiki.freeradius.org/Eap.conf/eaedb27b545ae8177cac6744ab09437c72594c1c

Further try with Disable weak EAP types and Default EAP Type = TLS

skoenman

Guys i Hope you guys can help me .. im having a very funny thing happening. I have pfsense with freeradius 2 running. my mysql server is on same network and i can connect through the pfsense shell to the mysql server.
TThing is when i create a user it doesnt create it in the database (mysqlserver ) but just on the local one. I have tried looking on the logs and all i can see that doesnt look right is this .

radiusd[62149]: rlm_sql (sql): Connected new DB handle, #0
Jan 14 20:40:22 radiusd[62149]: rlm_sql_mysql: Starting connect to MySQL server for #0
Jan 14 20:40:22 radiusd[62149]: rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
Jan 14 20:40:22 radiusd[62149]: rlm_sql (sql): Attempting to connect to radius@172.22.2.12:3306/radius
Jan 14 20:40:22 radiusd[62149]: rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
Jan 14 20:40:22 radiusd[62149]: Core dumps are enabled.
Jan 14 20:40:20 php: /pkg_edit.php: The command '/usr/local/etc/rc.d/radiusd.sh stop' returned exit code '1', the output was 'radiusd not running?'

does anybody have a idea please. Im running version 2.0.2 of software.