NEW Package: freeRADIUS 2.x
-
Hi,
yes i calc the epoch time like descript on the web interface:
(9digits (from left client time) - 9digit (from left server time)) *10 = -30date +%s = 10digits, so why the hell not taking (10digits (from left client time) - 10digits (from left server time)) = 30 ?? (or if 39 nearer 40 than 30 !!)
It's not a problem of the timezone it's a mobile provider problem; the android is 30 sec in the past.
(Is the offset 1 equal 1 hour, i hope not.)If i set the lifetime on server side higher than on the client (DroidOTP is fixed to 10 sec lifetime) than i had guess/try 6 keys maybe on is working not a good idea.
I know to solve the problem with manual set the client time but i want to find out how it work with time offset and maybe there is a bug or a wrong hint on the webinterface
regards max
–----edit----
The Gui save the Offset in the right way:/usr/pbi/freeradius-i386/etc/users
"otpuser" Auth-Type = motp
MOTP-Init-Secret = 912ae1361854139e,
MOTP-PIN = 1234,
MOTP-Offset = -30Use Freeradius teh otpverify.sh script ? If yes then there is the faulty part
OFFSET=
echo -n "$5" | sed 's/[^0-9]/0/g'
[[/sub]
-10 is then 010….
should beOFFSET=
echo -n "$5" | sed 's/[^0-9-]/0/g'
but is a little be dirty could also be 1-0 …..
Did you read what I wrote about the part on the freeradius.inc ?
-
Yes i did.
But if i do it like you said then the offset is always minus.
In freeradius.inc
there is the same 'sed' in line 4006:OFFSET=
echo -n "\$5" | sed 's/[^0-9]/0/g'
regards max
-
Yes i did.
But if i do it like you said then the offset is always minus.
In freeradius.inc
there is the same 'sed' in line 4006:OFFSET=
echo -n "\$5" | sed 's/[^0-9]/0/g'
regards max
Hi max,
can you please replace the following two files and try again if it works now?
You now have to enter + 30 oder - 30
It is described on the GUI. -
Hi,
sorry for the long delay. Your scripts are not working. I did some investigation on EPOCHTIME and extend the freeradius.inc with some logs.
I found out that the Offset 1 is equal to 10 sec (not like descripted on the webif) because the use of 9 digit and not 10.
I changed only
OFFSET=echo -n "\$5" | sed 's/[^0-9-]/0/g'
and add 2 logging lines
Jun 14 16:11:10 root: FreeRADIUS:Server - Client EPOCHTIME: 137121900
Jun 14 16:11:10 root: FreeRADIUS:Server EPOCHTIME: 137121905 ClientOffSet:-5 oder -5regards Max
-
Hi,
(…)
I found out that the Offset 1 is equal to 10 sec (not like descripted on the webif) because the use of 9 digit and not 10.
(...)I think you are wrong:
3. Subtract both values, multiply the result with 10 and enter the value in this field.
If your result is 2 then you need to multiply with 10 (2*10=20) and then you get the seconds.
But you are right, the script is not working. adding "+" or "-" in the freeradius users file causes problems.
At the moment I do not have an idea how to solve the problem with negatgive offset.
Perhaps starting with a negative offset of -11h as default value so that the user needs to add +11h to get the actual default offset of 0.The script is based on this:
http://motp.sourceforge.net/–-- edit ----
Ok, I changed the script to start per default with an offset of -12h. If someone is in a timezone which is -12h then the GUI value will be 0.
If someone is on timezone 0h then the GUI value must be 720.You can try with the two config files.
PS: You need to re-enable m-OTP on settings first after adding the new files so that otpverify.sh will be rubuild.
-
Hmpf - again new files. Please try these ;-)
-
Hi Nachtfalke,
i think you misunderstood me; it works with my 'patch'
i have to set offset to -5 because of 50 sec time diff (not -50 like suggest in on the webIF)see motp.sourceforge.net
Enter "date +%s" on the server to display the current time in epoch notation. Write down the first 9 digits of the output.
Subtract both values. The result is the offset in 10s of seconds, i.e. an hour would be 360, two hours 720, etc.
The offset has to be configured in the "users" file of the RADIUS server for the specific user (Offset-Attribute).sorry for my english, my german is better….
I have some idea to add more security to the radius otp: motp+yourpassword (without plus-:) would be great to have (like professional token have).
regards max
-
Hi max,
I talked to the developer of the motp script. He told me that almost nobody uses offset because most devices change their timezone automatically. Further he agreed with me that the script wasn't tested with negative offset values.
Like you told me in some older posts it looks like it is enough to change the "sed" command. I did this in this comment and it should now be available for everyone:
https://github.com/pfsense/pfsense-packages/commit/355ebce27aeb941f949f26f9c70d08150f37a7dbYour suggestion about "more" security:
The "youpassword" part is the PIN. A different PIN on the mobile device will generate a different OTP. So there is no difference between professional tokes and this. The only difference is that freeradius server does not offer a possibility for the user to change its PIN on his own.If you are using a mysql database as user store - instead of the users file - then you can code a php or HTML page which allows a user to change its PIN or his own.
But of course - if you have any suggestions and patches - please commit them. Every improvement is appreciated :)
-
Hi Nachtfalke,
thank you very much for add this in the package.
My suggestion was to extend the 'password' so it is not possible to know how long it is. I idea was to use the password field and if there is a password and otp configured use both.
If it is not possible don't worry
regards max
-
I know what you mean. I thought about that in the past but I didn't found a way to do so. The problem for me was that the variables/passwords are passing so many scripts and files and I didn't know how to realize that. This is probably more a problem of my poor coding skills than something else ;-)
Another "limitation" is that most mobile OTP generators just use the first 6 characters as password. FreeRADIUS allows to select you a higher range of used characters but then you must have a possibility on the client OTP generator to change this.
freeradius –> settings --> Token Password length
-
Hi nachtfalke,
i made some extension so i am able to handle the combination of mOtp+Userpassword. (without + :-)
It works with a cleartext + md5 password.If you want to give it a try…
Be careful you have to set the OTP length from 1-6 to only 6!!(Descript in Webif, Maybe the default setting have to adapt to 6 only)regards
-
file seems to be corrupted. 43kb is to small when including the complete freeradius.inc.
Please pay attention:
the "OTP length from 1-6" does not mean you can use 1 or 2 or 6 characters it means it uses the first until the 6th character.
if you type 10-12 it uses the 10th till 12th character of the hash which was build. -
Hi Nachtfalke,
there are 3 files in a zip container!Oh i see the zip is corrupt, sorry
I know that 1-6 means from 1 digit to 6 digits.
It make no sense that you can choose the start point, all mobile otp solution i know start with the first digit, only the lenght of the OTP password is changeable. It could be dangerious if you set the start point higher than the lenght of your hash.
But if it is a no go i change this behavor back.regards
max
freeradius.inc.txt
freeradius.xml.txt
freeradiussettings.xml.txt -
Hi Nachtfalke,
there are 3 files in a zip container!Oh i see the zip is corrupt, sorry
I know that 1-6 means from 1 digit to 6 digits.
It make no sense that you can choose the start point, all mobile otp solution i know start with the first digit, only the lenght of the OTP password is changeable. It could be dangerious if you set the start point higher than the lenght of your hash.
But if it is a no go i change this behavor back.regards
max
It is not a "no go" it just adds flexibility. If someone writes an own OTP generator which add the ability to chose different digits then the GUI is able to do so. And the default behaviour shows "1-6" so no need to change anything for the first time user.
I will try if I find some time on the weekend to check the files you added. :)
-
Hi Nachtfalke
I also think abought the "OTP Lifetime "
If you insert 18 (3min) than the server calculate every otp from currenttime - 180 sec to currenttime +180sec that are 36 OTP Passwords.This timeframe is fixed set in the original script (..do # 3 minutes before and after..) so it's much better in pfsense; able to set the range.
But going into the future is senseless, for both version.
Client has the same time as the server and users need time to insert the OTP so the otpverify.sh script is always in the future. (Ok for some weired situation like timedrift calc one otp in the future would be ok)
Also build in my version…but with no future :-)
regards max
-
Hi Nachtfalke,
did your try my mod ?
Are there any inputs/whishes from your side, or do you deny completly this mod.regards max
-
I did not try your modification but I do not completely agree with your modifications.
You say, that tokens build in the future are useless. I do not think so because the token generated depends on the time when the token is generated. So if the mOTP client on the client is running some seconds in the future then the server must accept this time difference. Of course the time on the server counts forward but there could be still some difference. Further it is not sure that the server and the client will always count the time equal. Some end could be faster than the other and it could came to a difference over some weeks or months. So I would not "delete" this option from the code. Further you can lower the timespan of a OTP so that the difference is 10s before and after. Thats not much and no security issue.
Changing the range where and when the digits start and how much digits needed is no good choice in my opinion. Of course all mOTP clients on the http://motp.sourceforge.net/ website only use the first 6 digits but the pfsense GUI is able to make it more flexible and dynamically for other mOTP solutions. So why delete an option which nobody hurts but offers more possibilities.
I did not dig deep into your code - because I am not good at coding - but this should be something which needs to be implemented into your code when using a fixed part of password and the OTP or a hint in the description that it only works when using digits 1-6.So what I would like to have in the code is the "fixed" and the "OTP" part in a password. Even if it makes not so much sense, because the "fixed" part is still there - with the 4 digi PIN - which needs to be entered on the mOTP client to start generating OTPs. I know that when using the RSA securID tokes you often use a fixed part in the password but this is because you cannot enter a PIN on the token itself to start generating OTP - it always generates passwords.
And on the coding page - For me the new variable name you added in the code for the fixed part of the password is not "optimal" - I think. But this is absolutly cosmetic and probably absolutly unimportant for the mOTP solution in general.
So even if I am the developer and maintainer of the freeradius2 package I am happy that other people add their ideas. So you modification is absolutly welcome but I think that there are some things which should be added and other which should not be lost to make the package as compatible and flexible as possible.
So I think if we could find an arrangement for your code you could add it here:
https://github.com/pfsenseand then someone or I could merge it.
Thank you for your feedback and your contribution! I really appreciate it! :)
-
Hello everyone,
I got pfsense setup with Captive portal, Freeradius 2, and mysql since a couple of months. This is based on Khan tutorial How to Captive portal with self registration. I tried today to implement a time limit rule, to limit the connection time to 1 hour per day. I added in the radcheck table the line3 jean@bon.fr Max-Daily-Session := 3600
which goes with the previously implemented password check
2 jean@bon.fr Password == tototo
.
For those who are not familier with the self registration, the user is asked to create an account, with a username/email adress and a password. This is recorder in the reg_user database. This database is linked to freeradius2. Therefore I also added the following tablescui
nas
radacct
radcheck
radgroupcheck
radgroupreply
radippool
radpostauth
radreply
radusergroup
reg_users
wimaxThe pfsense captive portal is set to work with freeradius 2, and with start/stop accounting.
However, accounting does not work. The radacct table stays empty. I tried to add a manual entry with the user name I'm working on, but values stay NULL.
I lauched freeradius manually with the radiusd -X command. When I tried to access to the Internet, then I am redirected and asked to useh my login and password with the captive portal login page. I can log in and it works perfectly, but there is no sign of accounting.
My user is jean@bon.fr and password is tototo, from 192.168.1.52.rad_recv: Access-Request packet from host 127.0.0.1 port 5172, id=132, length=134
NAS-IP-Address = 192.168.1.1
NAS-Identifier = "pfsense.localdomain"
User-Name = "jean@bon.fr"
User-Password = "tototo"
Service-Type = Login-User
NAS-Port-Type = Ethernet
NAS-Port = 4
Framed-IP-Address = 192.168.1.52
Called-Station-Id = "192.168.1.1"
Calling-Station-Id = "08:00:27:b4:23:6f"Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {…}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm "bon.fr" for User-Name = "jean@bon.fr"
[suffix] No such realm "bon.fr"
++[suffix] returns noop
[ntdomain] No '' in User-Name = "jean@bon.fr", skipping NULL due to config.
++[ntdomain] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++- entering policy redundant {…}
[sql] expand: %{User-Name} -> jean@bon.fr
[sql] sql_set_user escaped user –> 'jean@bon.fr'
rlm_sql (sql): Reserving sql socket id: 2
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'jean@bon.fr' ORDER BY id
WARNING: Found User-Password == "…".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'jean@bon.fr' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'jean@bon.fr' ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Free' ORDER BY id
[sql] User found in group Free
[sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'Free' ORDER BY id
rlm_sql (sql): Released sql socket id: 2
+++[sql] returns ok
++- policy redundant returns ok
rlm_counter: Entering module authorize code
rlm_counter: Searching the database for key 'jean@bon.fr'
rlm_counter: Could not find the requested key in the database.
rlm_counter: Check item = 3600, Count = 0
rlm_counter: res is greater than zero
rlm_counter: (Check item - counter) is greater than zero
rlm_counter: Authorized user jean@bon.fr, check_item=3600, counter=0
rlm_counter: Sent Reply-Item for user jean@bon.fr, Type=Session-Timeout, value=3600
++[daily] returns ok
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[weekly] returns noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[monthly] returns noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[forever] returns noop
rlm_checkval: Item Name: Calling-Station-Id, Value: 08:00:27:b4:23:6f
rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
++[checkval] returns notfound
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group PAP {…}
[pap] login attempt with password "tototo"
[pap] Using clear text password "tototo"
[pap] User authenticated successfully
++[pap] returns ok
expand: ->
Login OK: [jean@bon.fr/tototo] (from client local port 4 cli 08:00:27:b4:23:6f)Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
+- entering group post-auth {…}
++- entering policy redundant {...}
[sql] expand: %{User-Name} -> jean@bon.fr
[sql] sql_set_user escaped user –> 'jean@bon.fr'
[sql] expand: %{User-Password} -> tototo
[sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'jean@bon.fr', 'tototo', 'Access-Accept', '2013-08-17 20:42:34')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'jean@bon.fr', 'tototo', 'Access-Accept', '2013-08-17 20:42:34')
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql (sql): Released sql socket id: 1
+++[sql] returns ok
++- policy redundant returns ok
++[exec] returns noop
Sending Access-Accept of id 132 to 127.0.0.1 port 5172
Session-Timeout = 3600
Finished request 13.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 13 ID 132 with timestamp +3849
Ready to process requests.Here is what is displayed when I lauch radiusd (see e.txt).
Could you please tell me what seems abnormal in the logs. I can't see why the user is not found, nor created, in the radacct, even when I add the line manually.
Regards, -
Did you enable accounting on MySQL tab to get accounting information into mysql database?
If not it will probably be put into:
/var/log/radacct/
Further it would be more helpfull to take a look on the accounting packets and not on the authentication packets when running radiusd -X
And did you configure an accounting listening port on freeradius?
PS: radiusd -X tells you to use "Cleartext-Password"
-
And did you configure an accounting listening port on freeradius?
I forgot that point… Now the radacct table is populated. When I radtest with the user I also get
Session-Timeout = 3513
Which seems to be a good point.
Thanks !PS: radiusd -X tells you to use "Cleartext-Password"
;) I will work on that
-
Nachtfalke and other forum friends….I apologize if you have already covered it as I have not read through this entire thread and do not have search capabilities on this forum.
The scenario on what I want to do is simple, I would like to add an extra parameter to a FreeRADIUS User Check-Item to reject them if the SSID passed in the Access-Request is not in the Check-Item regex. The info is passed in Called-Station-Id parameter (in my case MySSID):
rad_recv: Access-Request packet from host 192.168.50.3 port 4757, id=215, length=303 User-Name = "myusername" NAS-Port = 0 Called-Station-Id = "0A-XX-XX-F3-XX-3B:MySSID" Calling-Station-Id = "38-XX-3C-XX-76-XX" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x023500901900170301002002efe6be8da848c0c84b7ee5c3638829081db2d23b4b6bc871f86521d046d4fe170301006094ff4a2cb4096b122fc68b0761a6ef5838ff979394afe05f94b15e3c5004573db259b80a1b647a6410997b6a88fdb03267472454a63fa6acaa784d56baac483d355f99c82b9ca5b4e756b00d623d9e3c7624c20ee50559dd68b7cc914d1b522d State = 0x95b4f59e1ac1503b59281ecd56cb7c13 Message-Authenticator = 0x265371b9a316aeed1dd3a7e317f108e4
Please advise how this can be done. The reason I need to do it this way is that my Ubiquity UniFi AP drops the VLAN on the floor that FreeRADIUS passes back and therefore allows the user to successfully authenticate on any SSID (therefore on any VLAN). At least if FreeRADIUS can send a Reject then the user can only come in the SSID I set them up for and therefore they fall into the correct VLAN this SSID is setup to use in the AP.
Thank you in advance for your help.
-
Well, if it helps I'm trying to do something similar (NOT USING WINDOWS however) using either just the User file or the MySQL tables –> https://kb.meraki.com/knowledge_base/radius-scoping-authentication-with-called-station-id-and-windows-groups
-
Not sure if this works with the GUI only. You should check the operators if they would help you:
http://wiki.freeradius.org/config/OperatorsIf this does not work with the check-item calling-station-id then you probably need to use "unlang" commands on the ../raddb/sites-available/default
-
Thank you for the information. I will give it a further try as I went down there before to some extent and still reached a road block.
One of the issues that I got was when making changes to ../raddb/sites-available/default, it gets wiped out if a then use the GUI. Is there a way to prevent this?
-
Thank you for the information. I will give it a further try as I went down there before to some extent and still reached a road block.
One of the issues that I got was when making changes to ../raddb/sites-available/default, it gets wiped out if a then use the GUI. Is there a way to prevent this?
Hi,
yes this is a known behaviour. The GUI is limited in some way. To make sure that your changes in this file will not beoverwritten after a reboot or some GUI changes you need to make your changes on:
/usr/local/pkg/freeradius.inc
The part you need to modify is between line 1295 and 2140. Probably start at line 1460.
Unfortunately this will be also overwritten if updating the package. On some other forum post I read an idea where someone is creating a .diff between the original freeradius.inc and th new one you created. Then importing the .diff with the help of the "System patches" package. This would make changes easier imported.
-
OK, I added this code after preprocess in the authorize section of /usr/local/pkg/freeradius.inc (line 1548) but it does not seem to notice it is there. I would assume the syntax may not be correct and get an error at least.
preprocess rewrite.called_station_id if ($varusersvlanid != '%{Called-Station-SSID}') { update control { Auth-Type := Reject } }
BTW - The following were added to the respective files below to get the Called-Station-SSID to capture the SSID passed from the AP in Access-Request - Called-Station-Id = "0E-XX-XX-XX-24-3B:MySSID" and appears to expand correctly and capture the SSID.
raddb/dictionary
# The SSID the supplicant/user device connected to ATTRIBUTE Called-Station-SSID 3010 string
raddb/policy.conf
# Add "rewrite.called_station_id" in the "authorize" and "preacct" # sections. rewrite.called_station_id { if((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) { update request { Called-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" } # SSID component? if ("%{8}") { update request { Called-Station-Id := "%{Called-Station-Id}:%{8}" Called-Station-SSID :="%{8}" <<------ added this } } updated } else { noop } }
-
Well, I decided with the number of hoops I was jumping through and still not get it to work, I went with a SaaS provider Radius instead. Anyway, just wanted to leave what I have partially working. I got rid of the users flat file and enable a MySQL DB instead. I then included this after preprocess:
if("%{sql:SELECT count(*) FROM `radusergroup` WHERE username = '%{User-Name}' AND groupname = '%{Called-Station-SSID}'}" < 1){ update control { Auth-Type := Reject } }
This works with radtest as I am able to change the ssid and the accept/reject works as expected. However, on an actual Android device I only get rejects with nothing really informative as to why.
Thanks for the help.
-
you need to run freeradius in debug mode to get all output of errors and warnings.
Did you try tu run freeradius with this command:radiusd -X
Please make sure you killed the running radiusd process before starting again in debug mode.
-
yes, did radiusd -X and radiusd -XX
-
Hi,
I have installed this package with MySQL on the same server and is working ok. I need to run a php script to reconnect users if the server restarts, if I execute it manually it work, but I want to run it on sratup after Radius and Mysql have start, where in /usr/local/pkg/freeradius.inc would a call to the function go?Thanks for your help
-
Unfortunately there are many places and situation when freeradius needs to restart the service so that changes will take effect. So in general freeradius restarts everywhere where this line can be found:
restart_service('radiusd')
On line 1292 the ySQL configuration of freeradius will be loaded and freeradius restarted.
Perhaps doing a cron job which runs periodically and executes your script can do the job? Not sure what you script does and if it hurts if it runs every minute or so.
-
Thanks for the info Nachtfalke. Basically what I need to do is not to stop the accounting of users connected via the captive portal so that when a reboot occurs users do not have to reauthenticate. I have disabled the accounting stop and when rebooted freeradius just continues to count for some seconds, but the problem is that the firewall rules were not created and therefore the user goes back to blocked by the oprtal. I don't know if my best bet is no rewrite the captiveportal db from mysql and then restart accounting for those users or some other way.
Now if I call my function on line 1292 I get error:
radiusd[20265]: rlm_sql_mysql: Couldn't connect socket to MySQL server rednet@localhost:radius radiusd[20265]: rlm_sql_mysql: Mysql error 'Can't connect to local MySQL server through socket '/tmp/mysql.sock' (2)'
Thanks for your help.
-
Hi all,
I read the entire topic, because i wanna use Freeradius to authenticate against AD.
In the topic there are suggestions to make it possible via the gui.My question is. Is it now possible to authencate against AD without the tweaking?
Or do i have to use the tutorial from MatSim (Nachtfalke, marcelloc)Thanx in advance.
-
Hi all,
I read the entire topic, because i wanna use Freeradius to authenticate against AD.
In the topic there are suggestions to make it possible via the gui.My question is. Is it now possible to authencate against AD without the tweaking?
Or do i have to use the tutorial from MatSim (Nachtfalke, marcelloc)Thanx in advance.
Unfortunately my last info is that it does not work without any tweaks and only with GUI.
I do not know which topic/tutorial you mean but probably it is the correct one ;-) -
Unfortunately my last info is that it does not work without any tweaks and only with GUI.
I do not know which topic/tutorial you mean but probably it is the correct one ;-)NachtFalke,
Thanx for your reply. I meant the post of MatSim in this topic.
I hope still that in the near feature someone can make the solution.
I can be probely help with testing:)
At this moment I will try MatSim his tutorial.@MatSim:
I have shortened and rewritten what I took out of the FreeRADIUS beginners guide and put that in a Google doc to check if I am on the wrong way. This is a very much WiP and also a temporary place:
https://docs.google.com/document/d/1i536CfITm478tAddzoxSLrjl9KcEqGGA-F_LG9Iwy6A/edit
With ntlm_auth it's possible to add a AD group requirement haven't tried that yet.I'd also agree with marcelloc that it's not the best idea to pull in Samba automatically by freeradius since it's only needed when ntlm_auth comes into the game.
P.S: Nifty idea I came across - any plans to support virtual servers on pfSense with freeradius instead of default sites-enabled/default?
-
Hi Nachtfalke,
would it be possible for you to compile a radius version with eDIr Support? Just add the WITH_eDIR Option when compiling.
Thanks
Rainer
-
Hi Nachtfalke,
would it be possible for you to compile a radius version with eDIr Support? Just add the WITH_eDIR Option when compiling.
Thanks
Rainer
Hallo Rainer,
unfortunately I was never familar with these compile option syntax on pfsense github. There were always other people who added these parameters (for me) :P. So if you are more familar with that then just add your option to these two files on github:
https://github.com/pfsense/pfsense-packages/blob/master/pkg_config.8.xml
https://github.com/pfsense/pfsense-packages/blob/master/pkg_config.8.xml.amd64Then contact a moderator - as far as I know jimp could be the right person - to compile a new freeradius package.
PS: I cannot do any tests on this package anymore nor can I add further features because I left my old company and the new one is not really open for open source products so probably no pfsense for me anymore the next time :-\
So if anybody else likes to maintain this package please feel free to do so!
Good luck!
-
freeradius 3 is available.
hopefully someone will continue this package. -
Dear Package Developers & Experts,
please consider, if the settings unter "EAP" and then "CERTIFICATES FOR TLS" do work as intended in the freeradius2, 2.1.12_1/2.2.4 pkg v. 1.6.7_3 package. My aim is to use EAP-TLS.
The settings suggest that one can choose between the FreeRADIUS Cert-Manager (not recommended) and Firewall Cert-Manager (recommended). To use the recommended variant, one has to check the box in "Choose Cert-Manager". As indicated, the Firewall Cert-Manager generates certificates with no private key passwords. Correspondingly, the instructions on "Private Key Password" are "… The certificates created by the firewall's built-in Cert Manager are not protected so you must leave this field empty.". However, the eap.conf file - as far as I can tell - always contains either the password that one does actively enter into the field or the default password (private_key_password = whatever). I think that a configuration with an empty password cannot be generated. With a private_key_password set to anything or "whatever" or at least not nothing at all, the configuration does not seem to work with keyless certificates of the Firewall Cert-Manager. What happens if it does not work is described in more detail under https://forum.pfsense.org/index.php?topic=78684.msg429199#msg429199.
Regards,
Michael Schefczyk
-
Hi,
try to modify the line 899 from this:
$vareapconfprivatekeypassword = ($eapconf['vareapconfprivatekeypassword']?$eapconf['vareapconfprivatekeypassword']:'whatever');
to this:
$vareapconfprivatekeypassword = ($eapconf['vareapconfprivatekeypassword']?$eapconf['vareapconfprivatekeypassword']:'');
Then try again with an empty field on the freeradius EAP GUI.
If it works - consider making a change on github.