Netgate Discussion Forum
    Freeradius: the simple noob questions :-)

    pfSense Packages
    13 Posts 2 Posters 6.1k Views

      Mr. Jingles

      Hmmm, it appears the password cannot contain any strange characters (I used PEAP now for testing). This will not have the HTC One SV Android 4.2 connect:

      h\~p];6xh'?}.L#1:\O<

      (It was a hell to type that in on the small smartphone key board  ;D ;D ;D).

      However, this will:

      test1234

      6 and a half billion people know that they are stupid, aggressive, lower life forms.

        Nachtfalke

        In general the communication between the switch and the RADIUS sends a username and a password. Unfortunately some switches just send the MAC address because they cannot handle username/passwords but only MAC addresses.

        Then RADIUS must know that the switch only sends a MAC address and not username/password.
        Then you enable this option "Plain MAC" and store all MAC addresses in the "MACs" tab of freeradius.

        Unfortunately the freeradius2 package cannot be configured to disable PEAP but allow EAP-TLS. This must be done within the freeradius.inc file, in the part where the function writes the server-default/default file. There you need to comment out the lines you do not want.

        So if you have a user in freeradius (user: test  password: pass) and you do not disable PAP, then it would be possible for someone to authenticate successfully with these credentials even if your intention is to only allow EAP-TLS.

        So if you use EAP-TLS then you should not configure any users on freeradius.
        If you configure users then use PEAP.

        To export certificates - you can try using the command shell.
        And you can try the "Certificates" tab on freeradius2 - which should not be the goal but perhaps could be a solution.
        But first try to make a Windows 7 or Windows XP machine work with EAP-TLS before going on with Android or iOS, to make sure your basic configuration works.

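The check the post above points at, written out as an added example (it is not code from the thread or from the pfSense package): a small shell audit of a FreeRADIUS 2.x eap.conf and sites-available/default that lists which EAP types are still enabled and whether the bare `pap` line in the authorize section is active. The path /usr/local/etc/raddb, the file names and the two sample configurations are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example (not code from the thread or the pfSense package). It checks a
# FreeRADIUS 2.x eap.conf and sites-available/default for the trap the post
# describes: PEAP and PAP still enabled when only EAP-TLS is wanted. The two
# configurations below are constructed for the demo; on pfSense the real files
# live under /usr/local/etc/raddb (assumed path).

# List the EAP sub-types whose "name {" block is active (not commented out).
enabled_eap_types() {
    sed 's/#.*//' "$1" | awk '
        /^[ \t]*eap[ \t]*[{]/ { in_eap = 1 }
        in_eap {
            # a block opener one level inside eap { } is an EAP type: tls, peap, ...
            if (depth == 1 && $0 ~ /^[ \t]*[a-z0-9_]+[ \t]*[{]/) {
                name = $0; gsub(/[ \t{]/, "", name); print name
            }
            depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
            if (depth == 0) in_eap = 0
        }'
}

# Print 1 if the bare "pap" line in authorize { } of the default virtual server
# is active, else 0. While it is on, a stored user/password gets in with plain
# PAP no matter which EAP types are configured.
pap_in_authorize() {
    sed 's/#.*//' "$1" | awk '
        /^[ \t]*authorize[ \t]*[{]/ { in_auth = 1 }
        in_auth {
            if (depth == 1 && $0 ~ /^[ \t]*pap[ \t]*$/) found = 1
            depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
            if (depth == 0) in_auth = 0
        }
        END { print found + 0 }'
}

# 0 when the pair enforces EAP-TLS only: tls is the sole EAP type and pap is off.
eap_tls_only() {
    [ "$(enabled_eap_types "$1" | tr '\n' ' ')" = "tls " ] &&
    [ "$(pap_in_authorize "$2")" = 0 ]
}

dir=$(mktemp -d); trap 'rm -rf "$dir"' EXIT

# Constructed: what the package leaves when users exist. PEAP and PAP are on.
cat > "$dir/eap.conf.weak" <<'EOF'
eap {
    default_eap_type = peap
    tls {
        private_key_file = ${certdir}/server.key
        certificate_file = ${certdir}/server.crt
        CA_file = ${cadir}/ca.crt
    }
    peap {
        default_eap_type = mschapv2
    }
    mschapv2 {
    }
}
EOF
cat > "$dir/default.weak" <<'EOF'
authorize {
    preprocess
    eap {
        ok = return
    }
    files
    pap
}
authenticate {
    Auth-Type PAP {
        pap
    }
    eap
}
EOF

# Hardened variants: the unwanted blocks commented out, as the post suggests,
# and the default EAP type switched to tls.
sed -e 's/^\(    default_eap_type = \)peap/\1tls/' \
    -e '/^    peap {/,/^    }/s/^/#/' -e '/^    mschapv2 {/,/^    }/s/^/#/' \
    "$dir/eap.conf.weak" > "$dir/eap.conf.hard"
sed 's/^    pap$/#&/' "$dir/default.weak" > "$dir/default.hard"

report() {
    printf '%-9s EAP types: %-19s pap in authorize: %s -> ' "$1" \
        "$(enabled_eap_types "$2" | tr '\n' ' ')" "$(pap_in_authorize "$3")"
    if eap_tls_only "$2" "$3"; then echo "EAP-TLS only"
    else echo "username/password still accepted"; fi
}
report weak     "$dir/eap.conf.weak" "$dir/default.weak"
report hardened "$dir/eap.conf.hard" "$dir/default.hard"
```

Since the package writes these files (the post names freeradius.inc as the place to comment the lines), run the audit against the files it generates after a save, not against a hand-edited copy that the next save overwrites. The end-to-end check is the scenario the post describes: with a stored user `test`/`pass` and the hardened configuration, a plain `radtest test pass <pfsense-ip> 0 <shared-secret>` from a host with the FreeRADIUS client tools must come back Access-Reject.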
          Mr. Jingles

          @Nachtfalke:

          Thanks again very much, Nachtfalke  ;D

          **And: I got it to work (yippie, took me almost eight hours of searching and trying  :-[).**

          So, for future generations, here is what worked:
          1. The problem indeed was the export of non-passworded *.p12 files for Android.
          2. Windows 7 had no problem connecting (see the above linked posts from networklessons).
          3. Jimp wrote somewhere that in Android you simply had to put in a single space in the password field, but this did not work.
          4. But, what works is: import the *.p12 and the CA that pfSense created into the Firefox certificate manager (Tools/Options/Advanced/Certificates; import them into Authorities and Your Certificates), and then export Your Certificate again, giving it a simple password.
          5. Et voila, this certificate I could import into Android 4.2, and use for EAP-TLS. I checked that it actually uses it by deleting the user/password I used previously, and: yes it works  :P ;D :-X

          (Me happy now  ;D).

          By the way, Nachtfalke, the fact that you say that you can use user/password on the one hand, and certificates on the other hand, at the same time, offers something useful for me; I can use EAP-TLS for myself, and can give guests PEAP, especially since freeRadius then can also send them to an isolated VLAN. The best of both worlds.

          I love my pfSense  :P

          Thanks again for your help, Nachtfalke  ;D


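The openssl equivalent of steps 1 to 5 above, as an added example rather than the poster's own procedure: re-export the passwordless .p12 with a password from the command line, using the PBE parameters that 2013-era Android and Windows accept. It builds its own throwaway CA and client certificate as a stand-in for the pfSense export; the file names, the friendly name `demo-laptop` and the password are assumptions for the demo, and the openssl CLI (present on pfSense) is assumed to be installed.

```shell
#!/bin/sh
# Added example (not code from the thread). The same fix as the Firefox route
# in the post, done with the openssl command line instead: take the
# passwordless .p12 and re-export it with a password. Needs the openssl CLI
# (present on pfSense; assumed available here). The throwaway CA and client
# certificate below stand in for the ones pfSense generated.

work=$(mktemp -d); trap 'rm -rf "$work"' EXIT

# Stand-in for the pfSense export: client key + certificate and the CA
# certificate bundled into a PKCS#12 with an EMPTY password, which is what
# the post found Android 4.2 refuses to import.
make_nopass_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=Demo-CA \
        -keyout "$work/ca.key" -out "$work/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj /CN=demo-laptop \
        -keyout "$work/client.key" -out "$work/client.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$work/client.csr" -CA "$work/ca.crt" \
        -CAkey "$work/ca.key" -CAcreateserial -out "$work/client.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$work/client.key" -in "$work/client.crt" \
        -certfile "$work/ca.crt" -name demo-laptop -passout pass: -out "$1"
}

# Unpack the passwordless bundle to PEM, then repack it with a password. The
# SHA1/3DES PBE and SHA1 MAC are what old Android and Windows understand;
# OpenSSL 3 would otherwise default to AES/PBKDF2, which they may not read.
reexport_p12_with_password() {
    in=$1; out=$2; pw=$3; tmp=$work/bundle.pem
    openssl pkcs12 -in "$in" -passin pass: -nodes -out "$tmp" 2>/dev/null &&
    openssl pkcs12 -export -in "$tmp" -name demo-laptop \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -passout "pass:$pw" -out "$out"
    rc=$?
    rm -f "$tmp"    # the unencrypted PEM must not stay on disk
    return $rc
}

# 0 if the bundle opens with the given password, non-zero otherwise.
p12_opens_with() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -noout 2>/dev/null
}

# Sanity check before copying to the phone: opens with the new password only.
verify_reexport() {
    p12_opens_with "$1" "$2" && ! p12_opens_with "$1" ""
}

make_nopass_p12 "$work/client.p12"
reexport_p12_with_password "$work/client.p12" "$work/client-android.p12" 'import-me-once'
verify_reexport "$work/client-android.p12" 'import-me-once' &&
    echo "client-android.p12 ready: import it on the phone together with ca.crt"
```

With a real export, skip make_nopass_p12 and point reexport_p12_with_password at the file pfSense produced. The verify step is worth keeping: it confirms the bundle opens with the new password and no longer with an empty one before the file goes anywhere near the phone.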
            Mr. Jingles

            Although I do have it working now (yes, still very extremely happy, I can sleep safely now  ;D), on celebrating the victory I came up with two more questions:

            • Since I'm working with certificates now in EAP-TLS, this does mean that whoever gets his hands on my smartphone / laptop gets access to my LAN. Of course, suppose you know about it, you can easily revoke the certificate, but suppose you don't know you lost your phone: you're wet (stupid Dutch expression  ;D). To mitigate, you'd perhaps want a combination of certificates and a password (I do recall my client probably uses something like this; when I am working at their site I get a small PIN generator which generates a number I need to enter in my connection in order to get access to their network). Is this, certificates and password at the same time, also a possibility in freeRadius?

            • I noticed that if you use users/PEAP, you can send somebody to a separate VLAN. But if you use EAP-TLS, you cannot assign a VLAN. But it makes sense to want it then also. For example: the logistics department is not allowed on the accounting VLAN, and for security you will want them to use certificates. How should one do something like this, then?

            Or am I asking stupid questions now?

            (Probably  ;D).

            Thank you & bye,


              Mr. Jingles

              @Hollander:

              Well, my fellow Hollander, yes. Sort of stupid question.

              You might look at Mobile One Time Passwords. I even found a link for you: http://www.theninjageek.co.za/the-pfsense-walkthrough-part-8-freeradius-and-one-time-passwords/

              ( ;D)


                Mr. Jingles

                @Hollander:

                That might be so, my dear fellow Dutch Hollander, but I will have to counter you: if they have your mobile, they also have access to the mobile app in that article you are linking to.

                Ping? Pong.

                ( ;D)


                  Mr. Jingles

                  But without the joking: Nachtfalke, could I ask, in that Ninjageek-thread I posted, you will see that:

                  • In CLIENTS he is entering the IP of the Pfsense box itself (not of a switch or WAP);

                  • Under System/User Manager/Servers he is setting up a User Server.

                  Why is he doing this? I didn't need to do that(?)


                    Nachtfalke

                    Hi,

                    for mobile one time password take a look here:
                    https://doc.pfsense.org/index.php/FreeRADIUS_2.x_package#Enable_Mobile-One-Time-Password_.28OTP.29_support

                    It's all implemented into the pfsense freeradius2 package.
                    The mobile TAN generator is on the mobile phone, like the certificates, that is correct, but you need a PIN for the OTP generator to generate the correct password for you. The PIN is hopefully not on the smartphone ;-)

                    Further, I don't know how to use EAP-TLS with VLAN assignment. Probably you need to add something to server-default/server or somewhere else which adds a Reply-Item if the EAP-TLS check is successful. Probably not possible using the GUI.

                    The pfsense doc says:

                    mOTP will probably not work with EAP, CHAP, MSCHAP. If it does - tell me how :-)
                    

                    Having a quick look at the tutorial you posted shows me that the author is adding pfsense itself as a NAS/client. This is important for sections like OpenVPN. OpenVPN itself cannot be a NAS/client in a pfsense environment directly, so you use a BACKEND for OpenVPN, which is pfsense itself and acts like a NAS/client. This must be configured on System --> Users --> Servers. Then pfsense itself is a NAS/client and can be selected in OpenVPN.

                    So every service/hardware which cannot be directly connected to freeradius can perhaps be connected to the "BACKEND" created under System --> Users --> Servers, and this will send requests to RADIUS.

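The point made above about the PIN, as an added example that is not from the thread or from the pfSense package: the published Mobile-OTP algorithm written out in shell, with the generator (phone side) and a verifier with a time window (server side). The secret, PIN and timestamp are constructed values; the window size is a parameter chosen for the demo.

```shell
#!/bin/sh
# Added example (not code from the thread or the pfSense package): the
# published Mobile-OTP (mOTP) token algorithm, to make concrete why the phone
# alone is not enough. token = first 6 hex digits of
# MD5( floor(epoch/10) . secret . PIN ): the secret is on the phone, the PIN
# is not. The secret, PIN and timestamp below are constructed for the demo.

# MD5 hex digest of stdin (GNU md5sum or BSD md5).
md5hex() {
    if command -v md5sum >/dev/null 2>&1; then md5sum | cut -c1-32
    else md5 -q; fi
}

# Token for the 10-second slot containing epoch $3. $1 secret, $2 PIN.
motp_token() {
    slot=$(( $3 / 10 ))
    printf '%s%s%s' "$slot" "$1" "$2" | md5hex | cut -c1-6
}

# Server side: accept token $3 if it matches any slot within +/- $5 slots of
# now ($4) for the user's stored secret ($1) and PIN ($2). 0 on match, 1 if
# not. A real verifier additionally records accepted tokens, so one cannot be
# replayed inside the window.
motp_verify() {
    i=-$5
    while [ "$i" -le "$5" ]; do
        [ "$(motp_token "$1" "$2" "$(( $4 + i * 10 ))")" = "$3" ] && return 0
        i=$(( i + 1 ))
    done
    return 1
}

SECRET=9f86d081884c7d65   # 16 hex chars created on the phone at init (constructed)
PIN=1234                  # known to the user only (constructed)
NOW=1384300000            # constructed timestamp, November 2013
TOKEN=$(motp_token "$SECRET" "$PIN" "$NOW")
echo "token for this 10 s slot: $TOKEN"

if motp_verify "$SECRET" "$PIN" "$TOKEN" "$NOW" 18; then echo "correct PIN: accepted"; fi
# Stolen phone, secret extracted, PIN guessed wrong: rejected.
if ! motp_verify "$SECRET" "$PIN" "$(motp_token "$SECRET" 0000 "$NOW")" "$NOW" 18; then
    echo "wrong PIN: rejected"
fi
```

The thing to notice is that the stored secret plus a stolen phone still do not produce a valid token without the PIN, which is typed at each use and not kept on the device; that is the second factor the question asked for. The verifier needs the submitted token in the clear to compare it, which lines up with the doc note quoted in the post about EAP, CHAP and MSCHAP.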
                      Mr. Jingles

                      I totally overlooked that you had replied, Nachtfalke, my sincere apologies: sorry  :-[ :'(

                      And thank you for the explanation, I will digest it thoroughly  ;D

                      Currently I am looking at another problem: **synchronizing certificates between two machines.**

                      I have my main pfSense (NR1) and a backup/fall back pfSense, the Dell R200 (NR2). It is off line, so if NR1 goes down I will have to manually switch cables, power on the Dell, etc. This is currently more convenient for me than CARP.

                      On NR1 I have Radius with WPA-enterprise (the certificate thing). My laptops and smartphones have the certificates installed that NR1 generated. My problem is: I can't seem to find out how to import these certificates that are generated by NR1 into NR2.

                      Of course I would want that: if NR1 goes down I don't want my laptop to have to reinstall a different certificate, generated by NR2, in order to be able to connect. That is cumbersome. The goal of the fall back is simply switch cables, and we're up and running again.

                      I can't seem to find a setting in the GUI to import the CA from NR1 into NR2. Isn't this possible? Or should I copy them via SCP to a certain directory or something?

                      Thank you in advance for any help  ;D

                      Bye,


                        Nachtfalke

                        Hi,

                        I think you can export and import certificates and the CA from SYSTEM –> Cert Manager.
                        Exporting Cert and Key and importing on the other pfsense machine.

                        Or just make a backup of the running pfsense config and import this backup into the other pfsense. Perhaps you have the possibility to just import certificates and not all the other config.

                        Unfortunately I cannot help you any further since I do not have any access to a pfsense machine anymore. My new company does not use pfsense .... :(

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.