NEW Package: freeRADIUS 2.x

shell

No, can't do that. It's big machine with several interfaces and many active VPN connections. No further idea?

EDIT:

Ok, i think i found a bug. Did a few test and commented out some lines. Now, i can start the radiusd.

Here is what i commented out.

@radiusd.conf:

…
instantiate {

exec
       expr
       #daily
       #weekly
       #monthly
       #forever
       expiration
       logintime
       ### Dis-/Enable sql instatiate
       #sql
}
…

@sites-available/default:

…
      #  The ldap module will set Auth-Type to LDAP if it has not
       #  already been set

### ldap ###

#
       #  Enforce daily limits on time spent logged in.
      #daily
       #weekly
       #monthly
       #forever

#
       # Use the checkval module
…
accounting {
       #  
       #  Create a 'detail'ed log of the packets.
       #  Note that accounting requests which are proxied
       #  are also logged in the detail file.
       detail
       #daily
       #weekly
       #monthly
       #forever
…

Further informations will follow.

EDIT2:

Ok, looks like a big bug. Copied my old configuration and commented out this lines. Now everything works. Can anybody explain me these settings?

shell

I've written to patches for these files:

--- /usr/local/etc/raddb/sites-available/default        2012-12-12 07:50:48.000000000 +0100
+++ default     2012-12-12 07:39:34.000000000 +0100
@@ -197,10 +197,10 @@

        #
        #  Enforce daily limits on time spent logged in.[color][/color]
-       daily
-       weekly
-       monthly
-       forever
+       #daily
+       #weekly
+       #monthly
+       #forever

        #
        # Use the checkval module
@@ -400,10 +400,10 @@
        #  Note that accounting requests which are proxied
        #  are also logged in the detail file.
        detail
-       daily
-       weekly
-       monthly
-       forever
+       #daily
+       #weekly
+       #monthly
+       #forever

        ### This makes it possible to run the datacounter_acct module only on accounting-stop and interim-updates
        if ((request:Acct-Status-Type == Stop) || (request:Acct-Status-Type == Interim-Update)) {

--- /usr/local/etc/raddb/radiusd.conf   2012-12-12 07:49:27.000000000 +0100
+++ radiusd.conf        2012-12-12 07:38:03.000000000 +0100
@@ -87,10 +87,10 @@

        exec
        expr
-       daily
-       weekly
-       monthly
-       forever
+       #daily
+       #weekly
+       #monthly
+       #forever
        expiration
        logintime
        ### Dis-/Enable sql instatiate

These two patches are applied via crontab every night. I know this is just a workaround.

Nachtfalke

It's not a bug. You have a missing config file on your system.
You should have a file called "counter" here:

usr/local/etc/raddb/modules/

This is for granting time based access.
The function on freeradius.inc is called:

freeradius_modulescounter_resync()

You will find it on line 2611.

And the initial configuration on line 112 and the following.

shell

Ah ok, i remember this file. But it's there:

-rw-r-----  1 root  wheel   3.6K Dec  7 13:27 /usr/local/etc/raddb/modules/counter

Here it is: http://paste.pcspinnt.de/pastebin.php?show=m64f35679

Nachtfalke

@shell:

Ah ok, i remember this file. But it's there:

-rw-r-----  1 root  wheel   3.6K Dec  7 13:27 /usr/local/etc/raddb/modules/counter

Here it is: http://paste.pcspinnt.de/pastebin.php?show=m64f35679

Ok, then the problem isn't freeradius but some missing files on your pfsense. missing packages like gdbm or something else.
That's why I said - backup the pfsense config, reinstall pfsense and restore config. this will reinstall all packages and restore all config.

If this isn't the way you want to go - then you can modify the freeradius.inc file and uncomment the lines you posted.
Uncomment them on line 349 and 1596. Then you do not need any cron script.

bdani

Hi there!

Has anyone ever tried to set MikroTik RADIUS authentication?
I want to auth my AP-s from PF freeradius2.

With freeradius is working, but I cannot set bandwith limits…  :(
With freeradius2 isn't communicating...  :(

any ideas?  :)

Thanks in advance...  :(

Nachtfalke

@bdani:

Hi there!

Has anyone ever tried to set MikroTik RADIUS authentication?
I want to auth my AP-s from PF freeradius2.

With freeradius is working, but I cannot set bandwith limits…  :(
With freeradius2 isn't communicating...  :(

any ideas?  :)

Thanks in advance...  :(

Select an interface for authentication or set "*" for any interface.
on "client/NAS" set the IP address of the mikrotik AP and the correct password.
On Mikrotik set as RADIUS IP the IP of the listening interface and the correct/same password as on "Clients/NAS".

Enable logging on freeradius2 to see what is happening on syslog.

bdani

@Nachtfalke:

@bdani:

Hi there!

Has anyone ever tried to set MikroTik RADIUS authentication?
I want to auth my AP-s from PF freeradius2.

With freeradius is working, but I cannot set bandwith limits…  :(
With freeradius2 isn't communicating...  :(

any ideas?  :)

Thanks in advance...  :(

Select an interface for authentication or set "*" for any interface.
on "client/NAS" set the IP address of the mikrotik AP and the correct password.
On Mikrotik set as RADIUS IP the IP of the listening interface and the correct/same password as on "Clients/NAS".

Enable logging on freeradius2 to see what is happening on syslog.

hmmm…

Status: Services
radiusd FreeRADIUS Server Stopped

But I do not know why....  ???

I've checkd the log (all of /var/log) but nothing find why...

MikroTik log say:
timeot...

Now I know why :-)

Where can I see why can't start service?

Nachtfalke

@bdani:

(…)
Where can I see why can't start service?

Go to pfsense console and run freeradius in debug mode. You can do this with that command:

radiusd -X

The output will tell you what is missing/going wrong. If you have questions then please post the complete output you got.

WinstonSmith

@myke:

@Nachtfalke:

In general you should create your CA ander server cert on pfsene Cert Manager.
then select these two certificates on freeradius -> EAP and save.

Client certificates can be build on pfsense Cert Manager and export the .p12 file. This should work and the .p12 file should be without any password. can you try with an empty password ? But this is more a "pfsense" problem than a freeradius problem.

I am not sure but if I remember correct there was another thread here in the forum which is about the .p12 file and a password. Perhaps the search function can help you.

Thanks for the answer.

My Certificate Authority and certificate was created in pfsense Cert manager. I just created .pfx with openssl.
In first time i try with an empty password and second time with a password "pfsense" but exactly the same result.

I use pfsense 2.0.1 AMD release.

Myke.

Did anyone get this working? I came across this relatively fresh posting because I ran into the same problem (didn't I? Maybe someone spots a difference below)

_I created a root-CA and a CA in pfSense cert-manager and created a server-cert and client-cert for EAP-TLS only. In Services->FreeRadius->EAP->CERTIFICATES FOR TLS I choose the CA, server-cert and client-cert. I checked "Create client.p12 for export" and saved.

When I download the .p12 file from /usr/local/etc/raddb/certs/client_cert.p12 or using the cert-manager I get asked for a password when trying to install them on OSX or iOS …_

Thanks a lot!!
Sascha

Nachtfalke

By default the certificates created by freeradius are protected with an "input/ouput" password from reading the certificate. The certificates created by the firewall's built-in Cert Manager are not protected so you must leave this field empty. (Default: whatever)

In general you should leave this password field on freeradius –> EAP empty. If it is the default one it is whatever

If the password field was empty then the password on this .p12 file is not freeradius related but pfsense cert manager related.

http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package#EAP-TLS

WinstonSmith

This is exactly what I thought. That is why I am so surprised that it does not seem to work…
I left the password in EAP empty, but the .p12 ist protected.

I also tried "whatever" but it didn't work. I tried all other passwords I used in this context, but also not the correct ones.

Is it possible to create the client .p12 on the Shell (not meaning the FreeRADIUS script)? Isn't it "simply" a cert created from my CA - in a special format? I am not that deep into this topic :-/

BTW: Initially I thought every User would identify himself using a personal cert. Is this a wrong assumption or just not implemented in the FreeRADIUS packages GUI? ... Or did I only miss it there?

Kind regards,
Sascha

WinstonSmith

Okay.
I've tried several hours and could not get a usable .p12 from the GUI. By usable I mean, a .p12 with a password that I know. I tried "whatever" and every other password I used (just 5 in total).

Then I tried a different approach, which is not what I initially wanted, but I can live with it. I downloaded the CA.crt (not the key!) and the .crt, .key of the client-certificate from pfSense's cert-manager (the one I tried to export as .p12 before). In bash I converted them into the .p12 format:

$ openssl pkcs12 -export -out client_cert_user1.p12 -inkey client_cert_user1.key -in client_cert_user1.crt -certfile myCA.crt

It asked for a password and created the .p12-cert. I could import it in OSX and iOS and authentication using the .p12-cert worked.

Now I found out, that I can login (at least from my iPhone) if I enter the username that the client-cert has as CN (I checked "Check Client Certificate CN" in the EAP settings). But the user does not have to exist …. I have an empty user-table in FreeRADIUS (file is really empty, too) and login works, as long as I enter the same username that the certificate's CN is... strange thing. The GUI says about "Check Client Certificate CN":

If this is enabled then the common name of the client certificate must match the username you set in FreeRADIUS => Users. (Default: unchecked)

I thought that the client-cert would be useless, if the user is not existing in FreeRADIUS. Am I missing something? Or misunderstanding? Or is the username irrelevant if I have the client-cert installed?

Maybe I'll find out soon, maybe not :-) I'll keep trying!

Kind regards,
Sascha

Nachtfalke

@WinstonSmith:

Okay.
I've tried several hours and could not get a usable .p12 from the GUI. By usable I mean, a .p12 with a password that I know. I tried "whatever" and every other password I used (just 5 in total).

Then I tried a different approach, which is not what I initially wanted, but I can live with it. I downloaded the CA.crt (not the key!) and the .crt, .key of the client-certificate from pfSense's cert-manager (the one I tried to export as .p12 before). In bash I converted them into the .p12 format:

$ openssl pkcs12 -export -out client_cert_user1.p12 -inkey client_cert_user1.key -in client_cert_user1.crt -certfile myCA.crt

It asked for a password and created the .p12-cert. I could import it in OSX and iOS and authentication using the .p12-cert worked.

I found the conde which generates the .p12 file:
https://github.com/bsdperimeter/pfsense/blob/master/usr/local/www/system_certmanager.php

if ($act == "p12") {
if (!$a_cert[$id]) {
pfSenseHeader("system_certmanager.php");
exit;
}

$exp_name = urlencode("{$a_cert[$id]['descr']}.p12");

$res_crt = openssl_x509_read(base64_decode($a_cert[$id]['crt']));
$res_key = openssl_pkey_get_private(array(0 => base64_decode($a_cert[$id]['prv']) , 1 => ""));

$exp_data = "";
openssl_pkcs12_export($res_crt, $exp_data, $res_key, null);
$exp_size = strlen($exp_data);

header("Content-Type: application/octet-stream");
header("Content-Disposition: attachment; filename={$exp_name}");
header("Content-Length: $exp_size");
echo $exp_data;
exit;
}

And this php command should create the file:

openssl_pkcs12_export($res_crt, $exp_data, $res_key, null);

A look at the manual shpws this:
http://php.net/manual/de/function.openssl-pkcs12-export.php

I do not see anything what could be wrong. Perhaps replace "null" with something else or try this as password.

@WinstonSmith:

Now I found out, that I can login (at least from my iPhone) if I enter the username that the client-cert has as CN (I checked "Check Client Certificate CN" in the EAP settings). But the user does not have to exist …. I have an empty user-table in FreeRADIUS (file is really empty, too) and login works, as long as I enter the same username that the certificate's CN is... strange thing. The GUI says about "Check Client Certificate CN":

If this is enabled then the common name of the client certificate must match the username you set in FreeRADIUS => Users. (Default: unchecked)

I thought that the client-cert would be useless, if the user is not existing in FreeRADIUS. Am I missing something? Or misunderstanding? Or is the username irrelevant if I have the client-cert installed?

Maybe I'll find out soon, maybe not :-) I'll keep trying!

Kind regards,
Sascha

I found this on the net:

No, the only thing that check_cert_cn does is make sure that the CN in
the certificate matches the User-Name attribute in the RADIUS request.
It's basically just a sanity/security check on the request itself.  It
does not go looking on other autz sources for you.  It is up to you to
decide elsewhere (users file, SQL DB, LDAP) whether or not to allow that
user to authenticate.  If you do nothing, the user will be allowed to
authenticate by default.  If, for some reason, you decide you don't want
a user to be allowed to authenticate, you must specifically reject him.

And here is the original eap.conf:
http://wiki.freeradius.org/Eap.conf/eaedb27b545ae8177cac6744ab09437c72594c1c

Further try with Disable weak EAP types and Default EAP Type = TLS

skoenman

Guys i Hope you guys can help me .. im having a very funny thing happening. I have pfsense with freeradius 2 running. my mysql server is on same network and i can connect through the pfsense shell to the mysql server.
TThing is when i create a user it doesnt create it in the database (mysqlserver ) but just on the local one. I have tried looking on the logs and all i can see that doesnt look right is this .

radiusd[62149]: rlm_sql (sql): Connected new DB handle, #0
Jan 14 20:40:22 radiusd[62149]: rlm_sql_mysql: Starting connect to MySQL server for #0
Jan 14 20:40:22 radiusd[62149]: rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
Jan 14 20:40:22 radiusd[62149]: rlm_sql (sql): Attempting to connect to radius@172.22.2.12:3306/radius
Jan 14 20:40:22 radiusd[62149]: rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
Jan 14 20:40:22 radiusd[62149]: Core dumps are enabled.
Jan 14 20:40:20 php: /pkg_edit.php: The command '/usr/local/etc/rc.d/radiusd.sh stop' returned exit code '1', the output was 'radiusd not running?'

does anybody have a idea please. Im running version 2.0.2 of software.

Nachtfalke

If you add a user on freeradius –> USERS tab this will add a user on local "users" file. Not less and not more.
If you want to use a mysqld server - then you must add users on your mysql database. This cannot be done from freeradius GUI.
The only thing you can do on freeradius is to configure the connection to an external mysql database.

So the log is telling you what is happening:

Attempting to connect to radius@172.22.2.12:3306/radius

freeradius tries to connect to your mysql server on IP172.22.2.12 on port 3306 - bot probably something went wrong.
Wrong database user and password and/or wrong database.

This could help you:
http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package#MySQL

skoenman

So what you trying to tell me is that the users are local??? what would happen if i have a user called koos trying to connect ….lets say he is in the mysql database but not in the local one????
will the user still be able to auth???

Nachtfalke

Example:
You add a user in freeradius –> "Users" tab with username "testuser" and password "testpw".
Then your CaptivePortal authenticates against RADIUS then you are able to authenticate on CP with username "testuser" and "testpw"
This account info is stored on pfsense in /usr/local/etc/raddb/users

If you want to store your users on a mysql database then you must add "testuser" and "testpw" on the mysql database in the correct table.
If CP now sends RADIUS an authentication request, then freeradius must know where there account information is stored.
So you have to tell freeradius to talk to a mysql server. To read data on a mysql database you need privileges - a username/password on mysql who is allowed to read/write on mysql.
This username/password is idependent from the credentials you enter on CP. The username/password for mysql must be entered on freeradius --> SQL.

Did this answer your question ?

skoenman

I thought the username and password info was saved on the mysql server and not on the local db…does anybody know of a way to sync local db with mysql db??? Thing is i need to be able to add koos with rate limit of 2000 and cap of 1000 to sql database ..and i need pfsense to manage it...if that makes any sense??

so if i have it correct at the moment if the user isnt in the local db then it goes and has a look on sql database???

Fesoj

As the night owl said, you need to add the user data to the mysql database. If you want to use a GUI for that you have to supply your own one. The entries in the user list are written to the mysql database, which could be done, but you would loose some freedom on how you define the tables. My setups usually have a few extra columns.