FreeRADIUS with Android and Unifi access point - problem to get going

pftdm007

So I now have several wifi devices and several peoples using my Wifi network so I thought giving FreeRADIUS a shot.

Installed the package on 2.3.2-RELEASE then proceeded to configure my stuff.

FreeRADIUS on pfsense

1.  Creating a user under "Users" tab (username, password, and encryption as cleartext) Everything else left as is.

2.  Created a client entry under "Clients" tab.  Entered the IP address of my Unifi AP, then selected IPv4 as Client IP version, then its shortname (same actually as under DHCP server) and entered a shared client key.  Protocol left as UDP, Client type set as "other" and everything else left as is.

3.  Created an interface under "Interfaces" tab.  Entered the IP of the same interface where the Unifi AP is connected (for me its OPT1, so I entered 192.168.1.1) then entered port 1812, interface type as "Auth".

4.  I restarted the service "radiusd" and proceeded to configure the Unifi AP.

AP Config

For the AP, I went to the settings page, then "Wireless networks" and changed the security from WPA personal to WPA enterprise, then entered the same IP address as in step 3 above, then entered the same shared client key as entered in step 2 above.

Android phone

Now finally on the android phone, I went to Wifi setings, clicked "Modify network" then configured as this:

EAP method: PEAP
Phase 2 auth: MSCHAPV2
CA cert: -unspecified-
Identity: entered same username as step 1 above
Password: entered same password as step 1 above

Everything else left as is.

When I try to connect, the phone says "Connecting…" for about 45 seconds, then says "Authentication problem".  On pfsense, FreeRADIUS is configured to output to the system logs but I dont see anything except:

Sep 18 18:38:30 	radiusd 	88172 	Ready to process requests.
Sep 18 18:38:30 	radiusd 	87773 	Loaded virtual server <default>Sep 18 18:38:30 	radiusd 	990 	Exiting normally.
Sep 18 18:38:30 	radiusd 	990 	Signalled to terminate
Sep 18 18:38:17 	radiusd 	990 	Ready to process requests.
Sep 18 18:38:17 	radiusd 	747 	Loaded virtual server <default></default></default> 

The seems to be no actual logs on the AP other than a useless "Events" tab which only mentions reboots of the AP and such, no actual logging per-se…

Anybody has got this working and would care to help?

Thanks!

Finger79

I know this post is a few weeks old, but thought I'd bite.

@lpallard:

FreeRADIUS on pfsense

1.  Creating a user under "Users" tab (username, password, and encryption as cleartext) Everything else left as is.

2.  Created a client entry under "Clients" tab.  Entered the IP address of my Unifi AP, then selected IPv4 as Client IP version, then its shortname (same actually as under DHCP server) and entered a shared client key.  Protocol left as UDP, Client type set as "other" and everything else left as is.

3.  Created an interface under "Interfaces" tab.  Entered the IP of the same interface where the Unifi AP is connected (for me its OPT1, so I entered 192.168.1.1) then entered port 1812, interface type as "Auth".

4.  I restarted the service "radiusd" and proceeded to configure the Unifi AP.

Did you configure the "EAP" tab in FreeRADIUS on PfSense?  It defaults to MD5 and should be set to PEAP in your case.  It also would help with hardening to check the first checkbox "Disable weak EAP types MD5, GTC and LEAP."

Also, on your Android Phone setup, you left the CA cert blank.  Maybe export the public CA certificate from pfSense's Certificate Manager and import it in your phone so that Android explicitly trusts your self-signed certificate.  If it's left blank, it's possible it's giving up because of a lack of trust.

LucaTo

Under "status"–>"services"  the FreeRADIUS Server status is running..?
If not.. it's a known problem due to fact that the freeradius service it's started/stopped many time during bootup (as you can see on the log) and sometimes it finally stops..
(see here: https://forum.pfsense.org/index.php?topic=119569.0)

pftdm007

Thanks guys for following up!

To answer a few questions, yes, Freeradius is running (checked via webUI and CLI).  Also the EAP tab in Freeradius was already configured as follows:

Checkbox "Disable weak EAP types" was already checked.
Default PEAP type was set to PEAP
Expiration of EAP-Response / EAP-Request List : 60
Ignore Unknown EAP Types : No
Choose Cert Manager : Checkbox is checked for "Use pfSense Certificate Management"
Private Key Password : empty
SSL CA Certificate : pfSense internal CA
SSL revocationlist : none
SSL Server Certificate:  webConfigurator default (ending with a86)  <= This actually corresponds to one of the two (2) certs available in pfsense cert manager.  The other one seems to be assigned to the WebUI (In use: webconfigurator)

All other fields are left from defaults

Then I went to pfSense's cert manager > Certs, and exported the same cert that was in use in Freradius (ending with a86).  I imported the cert on my android phone, and assigned Wifi to the cert as its intended use (Android asks if it is for Apps or for Wifi, I selected Wifi).

Then finally on the phone I selected "Modify network" and selected my newly imported cert in the CA certificate dropdown list.

In the end, I tried connecting to the wifi network, same thing:  Android says "Connecting…" then after about 2 minutes, says "Authentication problem".

What bugs me is that no matter what I do, "/var/log/radius.log" doesnt show anything happening except service restarts, kinda like if the attempts from the android phone were not getting passed the Ubiquiti AP.....

Thu Oct 13 15:25:34 2016 : Info: Signalled to terminate
Thu Oct 13 15:25:34 2016 : Info: Exiting normally.
Thu Oct 13 15:25:43 2016 : Info: Loaded virtual server <default>Thu Oct 13 15:25:43 2016 : Info: Ready to process requests.
Thu Oct 13 15:27:21 2016 : Info: Signalled to terminate
Thu Oct 13 15:27:21 2016 : Info: Exiting normally.
Thu Oct 13 15:27:21 2016 : Info: Loaded virtual server <default>Thu Oct 13 15:27:21 2016 : Info: Ready to process requests.
Thu Oct 13 15:27:22 2016 : Info: Signalled to terminate
Thu Oct 13 15:27:22 2016 : Info: Exiting normally.
Thu Oct 13 15:27:22 2016 : Info: Loaded virtual server <default>Thu Oct 13 15:27:22 2016 : Info: Ready to process requests.</default></default></default>

Finger79

It's possible the firewall's blocking RADIUS traffic from your Access Point.  My AP is connected to the LAN interface, so I made a new rule:

Protocol:  IPv4 UDP
Source:  [IP Address of Access Point]
Source Port:  *
Destination:  LAN Address
Destination Port:  RADIUS (1812)
Description:  Allow WLAN RADIUS

At first, I turned on logging so I can verify that it was working.  Then I turned off logging.

Edited to Add:  I recommend making a new certificate for RADIUS use only instead of using the webConfigurator default.  I named mine "pfSense RADIUS."  The actual cert I imported to my Android phone was the root CA certificate (not the RADIUS cert).  I personally max out the settings (4096-bit RSA, SHA-512) and haven't had any issues.

In other words:

EAP tab > SSL Server Certificate:  pfSense RADIUS

What goes on the phone (and laptops, etc.):  pfSense CA root certificate

pftdm007

OK Here's what's happening:

I created a FW rule to allow traffic from wifi AP to LAN on port 1812.  That definitely was missing!  Good catch ;)  At least now I see something in the system logs…

After that I followed your instructions, that is, created a new cert under "System > Cert. manager > Certificates" (named pfsense-RADIUS) then exported the root CA (under System > Cert. manager > CAs) to my Android phone.

Then I modified the wifi connection on the phone and assigned the newly imported root CA to it.  Then I modified RADIUS's config and selected the certificate "pfSense-RADIUS"  (under EAP tab > SSL Server Certificate).

Finally I tried connecting to the Wifi network, but the phone still says "Authentication problem" and pfsense logs show:

Oct 16 18:54:11 	radiusd 	22391 	Login incorrect (TLS Alert read:fatal:unsupported certificate): [wifiuser] (from client unifi-ap-ac-lite port 0 cli XX-XX-XX-XX-XX-XX)
Oct 16 18:54:11 	radiusd 	22391 	SSL: SSL_read failed inside of TLS (-1), TLS session fails.
Oct 16 18:54:11 	radiusd 	22391 	rlm_eap: SSL error error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate
Oct 16 18:54:11 	radiusd 	22391 	TLS_accept: failed in SSLv3 read client certificate A
Oct 16 18:54:11 	radiusd 	22391 	TLS Alert read:fatal:unsupported certificate
Oct 16 18:53:31 	radiusd 	22391 	Login incorrect (TLS Alert read:fatal:unsupported certificate): [wifiuser] (from client unifi-ap-ac-lite port 0 cli XX-XX-XX-XX-XX-XX)
Oct 16 18:53:31 	radiusd 	22391 	SSL: SSL_read failed inside of TLS (-1), TLS session fails.
Oct 16 18:53:31 	radiusd 	22391 	rlm_eap: SSL error error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate
Oct 16 18:53:31 	radiusd 	22391 	TLS_accept: failed in SSLv3 read client certificate A
Oct 16 18:53:31 	radiusd 	22391 	TLS Alert read:fatal:unsupported certificate
Oct 16 18:53:09 	radiusd 	22391 	Login incorrect (TLS Alert read:fatal:unsupported certificate): [wifiuser] (from client unifi-ap-ac-lite port 0 cli XX-XX-XX-XX-XX-XX)
Oct 16 18:53:09 	radiusd 	22391 	SSL: SSL_read failed inside of TLS (-1), TLS session fails.
Oct 16 18:53:09 	radiusd 	22391 	rlm_eap: SSL error error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate
Oct 16 18:53:09 	radiusd 	22391 	TLS_accept: failed in SSLv3 read client certificate A
Oct 16 18:53:09 	radiusd 	22391 	TLS Alert read:fatal:unsupported certificate
Oct 16 18:51:34 	radiusd 	22391 	Login incorrect (TLS Alert read:fatal:unsupported certificate): [wifiuser] (from client unifi-ap-ac-lite port 0 cli XX-XX-XX-XX-XX-XX)
Oct 16 18:51:34 	radiusd 	22391 	SSL: SSL_read failed inside of TLS (-1), TLS session fails.
Oct 16 18:51:34 	radiusd 	22391 	rlm_eap: SSL error error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate
Oct 16 18:51:34 	radiusd 	22391 	TLS_accept: failed in SSLv3 read client certificate A
Oct 16 18:51:34 	radiusd 	22391 	TLS Alert read:fatal:unsupported certificate
Oct 16 18:50:52 	radiusd 	22391 	Login incorrect (TLS Alert read:fatal:unsupported certificate): [wifiuser] (from client unifi-ap-ac-lite port 0 cli XX-XX-XX-XX-XX-XX)
Oct 16 18:50:52 	radiusd 	22391 	SSL: SSL_read failed inside of TLS (-1), TLS session fails.
Oct 16 18:50:52 	radiusd 	22391 	rlm_eap: SSL error error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate
Oct 16 18:50:52 	radiusd 	22391 	TLS_accept: failed in SSLv3 read client certificate A
Oct 16 18:50:52 	radiusd 	22391 	TLS Alert read:fatal:unsupported certificate
Oct 16 18:50:29 	radiusd 	22391 	Login incorrect (TLS Alert read:fatal:unsupported certificate): [wifiuser] (from client unifi-ap-ac-lite port 0 cli XX-XX-XX-XX-XX-XX)
Oct 16 18:50:29 	radiusd 	22391 	SSL: SSL_read failed inside of TLS (-1), TLS session fails.
Oct 16 18:50:29 	radiusd 	22391 	rlm_eap: SSL error error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate
Oct 16 18:50:29 	radiusd 	22391 	TLS_accept: failed in SSLv3 read client certificate A
Oct 16 18:50:29 	radiusd 	22391 	TLS Alert read:fatal:unsupported certificate
Oct 16 18:50:16 	radiusd 	22391 	Ready to process requests.
Oct 16 18:50:16 	radiusd 	22010 	Loaded virtual server <default></default> 

Thats weird no?