Freeradius: the simple noob questions :-)
-
Hi,
there are often threads and posts talking about freeradius clients/NAS. That's why the package calls one option Client/NAS, because some people call it client and some call it NAS. And some understand "client" as NAS and some understand it as a computer or as "wife" ;-)
So the RADIUS concept in general looks like this:
RADIUS (freeradius on pfsense) -- Client/NAS (WAP, Switch, ...) ---- Users/MACs (Laptops, Smartphones, "wife", "me")
The process of authentication works like this:
A notebook connects to a switch (NAS/Client) via ethernet. The switch blocks the connection to the network and asks - depending on its configuration - for username/password or certificate or MAC address. The user of the notebook needs to enter this. Then the switch (NAS/Client) sends these credentials to its known RADIUS server. This communication is encrypted with the shared secret. The RADIUS server checks its database and sends an "Access-Accept" or "Access-Reject" back to the switch (NAS/Client).
Depending on the result the switch (NAS/Client) allows or rejects access to the notebook.
Whether the communication between NAS/Client and the notebook is secure depends on the mechanisms you are using.
Switches which do RADIUS authentication sometimes have a setting to set one port to "Always authenticated" or "Force authentication", which means that you do not have to authenticate on this port. You should configure the switch ports this way and connect the WAPs to these ports. Then enable RADIUS authentication on the WAPs.
If this is not possible then only enable authentication on the WAPs and not on the switch. If you enable it on the switch only and not on the WAP then it depends on the switch how many different authentications can be made on one single port. It is not always possible to allow some authentications on one port and disallow others on the same port.
Further I assume that unwanted computers will connect through WAP and probably not through wire within your house ;)
PS: I would suggest using PEAP, which is easiest to configure and is really secure and only minimally less secure than server + client certificate, because with certificates you have to copy them to all clients, and if you have guests it is much easier to just add a new user to RADIUS than to create and transfer a client certificate to the user's device.
I am sure you read this but just want to mention it here again:
https://doc.pfsense.org/index.php/FreeRADIUS_2.x_package
-
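The Access-Request / Access-Accept exchange Nachtfalke describes above, as an added example in Python (not code from the thread or from the FreeRADIUS project), with constructed values: it builds the packet a NAS would send, shows what the shared secret is used for on the wire (hiding the User-Password attribute and authenticating the server's reply, per RFC 2865), and lets the server side recover the password and the NAS side reject a reply made without the secret. The Calling-Station-Id attribute is included as an assumption about where a NAS carries the client MAC.

```python
import hashlib
import hmac
import struct

# Constructed example values, not taken from the thread.
SECRET = b"testing123"                      # shared secret known to NAS and server
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, CALLING_STATION_ID = 1, 2, 31

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous ciphertext block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth             # chain starts at the Request Authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden, secret, request_auth):
    """Server side: same keystream, chained on the received ciphertext blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attribute(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def parse_attributes(packet):
    attrs, pos = {}, 20                       # attributes follow the 20-byte header
    while pos < len(packet):
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return attrs

def access_request(ident, username, password, mac, secret, request_auth):
    # What the NAS sends: code, id, length, a fresh random 16-byte authenticator
    # (a real NAS would draw it from os.urandom), then the attributes.
    attrs = (attribute(USER_NAME, username)
             + attribute(USER_PASSWORD, hide_password(password, secret, request_auth))
             + attribute(CALLING_STATION_ID, mac))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def verify_response(response, request_auth, secret):
    """NAS side: a reply forged or altered without the secret fails this check."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = response_authenticator(code, ident, response[20:length], request_auth, secret)
    return hmac.compare_digest(expected, response[4:20])
```

Note that only User-Password is hidden this way; User-Name and the other attributes travel in the clear, which is why EAP methods such as PEAP or EAP-TLS carry the real credentials inside their own TLS tunnel.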
Thank you very much for responding, Nachtfalke ;D
Thanks to your explanation and some post I found I finally understand a little better what I am doing.
These are the two other posts, by the way for all future 'victims' that don't have a clue :-):
http://networklessons.com/wireless/peap-and-eap-tls-on-server-2008-and-cisco-wlc/
http://networklessons.com/wireless/eap-tls-certificates-for-wireless-on-android/
My current status is: it worked, and then it didn't :-X
What worked
I started with a simple setup; I set up my Ubiquiti WAP to check with freeRadius. Created a simple user (phone1) with a password. That worked. Of course, next I wanted to use certificates. I do understand your recommendation about using PEAP, but I'd like to do it fancy so I have something to brag about in our next monthly accounting meeting ( ;D).
What didn't work
Certificates :-[
There are two problems that probably are related. Something goes wrong when I am exporting certificates, because Android 4.2 (I have a HTC One SV smartphone) doesn't like the *.p12-stuff. So the CA import works, but the client certificate import doesn't; it keeps on asking for a password, although I didn't enter any password anywhere.
This has happened to others also, given this thread:
http://forum.pfsense.org/index.php?topic=52573.0
Unfortunately, I don't quite understand the suggestion of jimp to use the 'inline configuration export' in OpenVPN. I don't have OpenVPN (couldn't get it to work), and when I look in the client export utility I don't see it having my certificates from the certificate manager either, so I don't know how I would use this workaround to get it to work.
There are, by the way, other threads dealing with this problem also, and they've gone way back:
https://code.google.com/p/android/issues/detail?id=7752
https://code.google.com/p/android/issues/detail?id=48602
So, then I tried to use the first two buttons, 'export cert' and 'export key'. In Android, it happily pretends to import the *.cert, however, when I try to connect to my wifi, in the connection details I enter TLS and MSCHAPv2 (as it is in freeRadius), I can select the CA-cert, but it doesn't allow me to select the client-cert. Hence my 'it happily pretends to import', because obviously it didn't.
I also tried to 'go via Windows 7', i.e. import certificates into W7 first, and then export them. But that doesn't work, and given the second link in the networklessons.com post above, where the author describes setting up Android, I have another screen when exporting from Windows; when he exports he can select 'export private key also' (which is greyed out for me), and his 'export file format' is button 4 (which also is greyed out for me), whereas my 'export file format' can be one of the first three buttons (which are greyed out in his screen). So no luck here either, and I have no clue why.
I also tried regenerating the certificates, making sure they were 2048/SHA256, as I read somewhere 4096 could be a problem.
So I think I am stuck. freeRadius with user + password works, but something goes wrong when using certs. I have googled for hours again, but I haven't found a solution yet :'(
Would you happen to know of a solution?
Also, I am not quite sure what it is I did that made freeRadius change from using passwords to using certificates; how does freeRadius determine what it should use? For example also: EAP-TLS or PEAP-?
EDIT (for the 15th time ;D): could I ask another question?
Enable Plain MAC Auth
If I read the wiki correctly, this is not a secondary security check, right? So it is not that freeRadius first checks the MAC of a user (and perhaps also the client) before continuing the other authentication checks, right? It is 'or/or' not 'and/and'?) Because some of the text in the wiki makes me believe it is, whereas other parts then make me believe it is not(?)
Thank you once again for your help; I am in your debt very much ;D
-
Hmmm, it appears the password cannot contain any strange characters (I used PEAP now for testing). This will not let the HTC One SV Android 4.2 connect:
h\~p];6xh'?}.L#1:\O<
(It was a hell to type that in on the small smartphone key board ;D ;D ;D).
However, this will:
test1234
-
In general the communication between the switch and the RADIUS sends a username and a password. Unfortunately some switches just send the MAC address because they cannot handle username/passwords but only MAC addresses.
Then RADIUS must know that the switch only sends a MAC address and not username/password.
Then you enable this option "Plain MAC" and store all MAC addresses in the "MACs" tab of freeradius.
Unfortunately the freeradius2 package cannot be configured to disable PEAP but allow EAP-TLS. This must be done within the freeradius.inc file, in the part where the function writes the server-default/default file. There you need to comment out the lines you do not want.
So if you have a user in freeradius (user: test password: pass) and you do not disable PAP then it would be possible for someone to authenticate successfully with these credentials even if your intention is to only allow EAP-TLS.
So if you use EAP-TLS then you should not configure any users on freeradius.
If you configure users then use PEAP.
To export certificates - you can try using the command shell.
And you can try the "Certificates" tab on freeradius2 - which should not be the goal but perhaps could be a solution.
But first try to make a Windows 7 or Windows XP machine work with EAP-TLS before going on with Android or iOS, to make sure your basic configuration works.
-
Thanks again very much, Nachtfalke ;D
And: I got it to work (yippie, took me almost eight hours of searching and trying :-[).
So, for future generations, here is what worked:
1. The problem indeed was the export of non-passworded *.p12 files for Android.
2. Windows 7 had no problem connecting (see the above linked posts from networklessons).
3. Jimp wrote somewhere that in Android you simply had to put in a single space in the password field, but this did not work.
4. But, what works is: import the *.p12 and the CA that pfSense created into the Firefox certificate manager (Tools/options/advanced/certificates; import them into Authorities and Your Certificates), and then export Your Certificate again, giving it a simple password.
5. Et voila, this certificate I could import into Android 4.2, and use for EAP-TLS. I checked that it actually uses it by deleting the user/password I used previously, and: yes it works :P ;D :-X
(Me happy now ;D).
By the way, Nachtfalke, the fact that you say that you can use user/password on the one hand, and certificates on the other hand, at the same time, offers something useful for me; I can use EAP-TLS for myself, and can give guests PEAP, especially since freeRadius then can also send them to an isolated VLAN. The best of both worlds.
I love my pfSense :P
Thanks again for your help, Nachtfalke ;D
-
Although I do have it working now (yes, still very extremely happy, I can sleep safely now ;D), on celebrating the victory I came up with two more questions:
-
Since I'm working with certificates now in EAP-TLS, this does mean that whoever gets his hands on my smartphone / laptop gets access to my LAN. Of course, suppose you'd know about that, you may easily revoke the certificate, but suppose you don't know you lost your phone, you're wet (stupid Dutch expression ;D). To mitigate, you'd perhaps want a combination of certificates and a password (I do recall my client probably uses something like this; when I am working at their site I get a small PIN-generator which generates a number I need to enter in my connection in order to get access to their network). Is this, certificates and password at the same time, also a possibility in freeRadius?
-
I noticed that if you use users/PEAP, you can send somebody to a separate VLAN. But if you use EAP-TLS, you cannot assign a VLAN. But it makes sense to want it then also. For example: the logistics department is not allowed on the accounting VLAN, and for security you will want them to use certificates. How should one do something like this, then?
Or am I asking stupid questions now?
(Probably ;D).
Thank you & bye,
-
-
@Hollander:
- Since I'm working with certificates now in EAP-TLS, this does mean that whoever gets his hands on my smartphone / laptop gets access to my LAN. Of course, suppose you'd know about that, you may easily revoke the certificate, but suppose you don't know you lost your phone, you're wet (stupid Dutch expression ;D). To mitigate, you'd perhaps want a combination of certificates and a password (I do recall my client probably uses something like this; when I am working at their site I get a small PIN-generator which generates a number I need to enter in my connection in order to get access to their network). Is this, certificates and password at the same time, also a possibility in freeRadius?
Or am I asking stupid questions now?
(Probably ;D).
Thank you & bye,
Well, my fellow Hollander, yes. Sort of stupid question.
You might look at Mobile One Time Passwords. I even found a link for you: http://www.theninjageek.co.za/the-pfsense-walkthrough-part-8-freeradius-and-one-time-passwords/
( ;D)
-
That might be so, my dear fellow Dutch Hollander, but I will have to counter you: if they have your mobile, they also have access to the mobile app in that article you are linking to.
Ping? Pong.
( ;D)
-
But without the joking: Nachtfalke, could I ask, in that Ninjageek-thread I posted, you will see that:
-
In CLIENTS he is entering the IP of the Pfsense box itself (not of a switch or WAP);
-
Under System/User Manager/Servers he is setting up a User Server.
Why is he doing this? I didn't need to do that(?)
-
-
Hi,
for mobile one time password take a look here:
https://doc.pfsense.org/index.php/FreeRADIUS_2.x_package#Enable_Mobile-One-Time-Password_.28OTP.29_support
It's all implemented into the pfsense freeradius2 package.
The mobile TAN generator is on the mobile phone like the certificates, that is correct, but you need a PIN for the OTP generator to generate the correct password for you. The PIN is hopefully not on the smartphone ;-)
Further I don't know how to use EAP-TLS with VLAN assignment. Probably you need to add something to server-default/server or somewhere else which adds a Reply-Item if the EAP-TLS check is successful. Probably not possible using the GUI.
The pfsense doc says:
mOTP will probably not work with EAP, CHAP, MSCHAP. If it does - tell me how :-)
Having a quick look at the tutorial you posted shows me that the author is adding pfsense itself as a NAS/client. This is important for sections like OpenVPN. OpenVPN itself cannot be a NAS/Client in the pfsense environment directly, so you use a BACKEND for OpenVPN which is pfsense itself and acts like a NAS/client. This must be configured on System --> Users --> Servers. Then pfsense itself is a NAS/Client and can be selected in OpenVPN.
So every service/hardware which cannot be directly connected to freeradius can perhaps be connected to the "BACKEND" created under System --> Users --> Server, and this will send requests to RADIUS.
-
I totally overlooked that you had replied, Nachtfalke, my sincere apologies: sorry :-[ :'(
And thank you for the explanation, I will digest it thoroughly ;D
Currently I am looking at another problem: **synchronizing certificates between two machines**.
I have my main pfSense (NR1) and a backup/fall back pfSense, the Dell R200 (NR2). It is off line, so if NR1 goes down I will have to manually switch cables, power on the Dell, etc. This is currently more convenient for me than CARP.
On NR1 I have Radius with WPA-enterprise (the certificate thing). My laptops and smartphones have the certificates installed that NR1 generated. My problem is: I can't seem to find out how to import these certificates that are generated by NR1 into NR2.
Of course I would want that: if NR1 goes down I don't want my laptop to have to reinstall a different certificate, generated by NR2, in order to be able to connect. That is cumbersome. The goal of the fall back is simply switch cables, and we're up and running again.
I can't seem to find a setting in the GUI to import the CA from NR1 into NR2. Isn't this possible? Or should I copy them via SCP to a certain directory or something?
Thank you in advance for any help ;D
Bye,
-
Hi,
I think you can export and import certificates and the CA from SYSTEM --> Cert Manager.
Export Cert and Key and import them on the other pfsense machine.
Or just make a backup of the running pfsense config and import this backup into the other pfsense. Perhaps you have the possibility to just import certificates and not all the other config.
Unfortunately I cannot help you any further since I do not have any access to a pfsense machine anymore. My new company does not use pfsense .... :(