-
I'm running a WPA2-Enterprise protected wifi network at home, supported by freeradius under pfSense. I've been using EAP-TLS with certificates for my own devices, but use PEAP-MSCHAPv2 with usernames/passwords for guests. The problem I run into is how to validate the radius server certificate on guest devices without asking people to install a trusted root.
It turns out Let's Encrypt certificates can be used with freeradius. You just need to set the SSL CA Certificate field to the Let's Encrypt CA, and then set the SSL Server Certificate to the Let's Encrypt-signed certificate. That seems to work great for the PEAP-MSCHAPv2 clients.
But, the problem is, that seems to break my EAP-TLS clients, who are using certificates issued off an internal CA. Those worked fine when freeradius was also using a certificate off that internal CA, but not when I switched the SSL CA Certificate field.
I did some searching, and apparently this is a limitation in freeradius2. freeradius3 allows you to configure different CAs and certificates for PEAP and EAP-TLS, according to this blog post.
Is there anything I can do to workaround this limitation? The freeradius package seems stuck on version 2.2.9, which is now EOLed. Are there any plans to move to freeradius3? Or is radius support instead likely to get dropped entirely?
radiusd logs:
Mar 9 22:51:17 radiusd 83204 Login incorrect (unable to get local issuer certificate): [USERNAME] (from client guestrouter port 61 cli XXXXXXXXX)
Mar 9 22:51:17 radiusd 83204 SSL: SSL_read failed in a system call (-1), TLS session fails.
Mar 9 22:51:17 radiusd 83204 rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Mar 9 22:51:17 radiusd 83204 TLS_accept: error in error
Mar 9 22:51:17 radiusd 83204 TLS Alert write:fatal:unknown CA
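For reference, this is what the freeradius3 arrangement mentioned above looks like in mods-available/eap: two tls-config blocks, one referenced by peap and one by tls. This is an added example and not from the post or the pfSense package; all file paths are placeholders. The point to note is that ca_file is also the trust anchor the server uses to verify client certificates, which is exactly the check that fails with "unable to get local issuer certificate" when the EAP-TLS clients carry internal-CA certificates but ca_file points at the Let's Encrypt chain.

```conf
# Added example (not from the thread): FreeRADIUS 3 mods-available/eap with
# separate TLS configurations for guest PEAP and internal EAP-TLS.
# All file paths below are placeholders.
eap {
    default_eap_type = tls

    # Public chain for guest PEAP clients: they already trust the
    # Let's Encrypt root, so no root needs to be installed on their devices.
    tls-config tls-guest {
        private_key_file = /path/to/letsencrypt/privkey.pem      # placeholder
        certificate_file = /path/to/letsencrypt/fullchain.pem    # placeholder
        ca_file          = /path/to/letsencrypt/chain.pem        # placeholder
        dh_file          = /path/to/dh                           # placeholder
        cipher_list      = "HIGH"
    }

    # Internal PKI for EAP-TLS. ca_file here is what presented client
    # certificates are verified against, so it must be the internal CA,
    # not the Let's Encrypt chain.
    tls-config tls-internal {
        private_key_file = /path/to/internal/radius.key          # placeholder
        certificate_file = /path/to/internal/radius.pem          # placeholder
        ca_file          = /path/to/internal/internal-ca.pem     # placeholder
        dh_file          = /path/to/dh                           # placeholder
        cipher_list      = "HIGH"
    }

    # EAP-TLS: server cert and client-cert verification from the internal CA.
    tls {
        tls = tls-internal
    }

    # PEAP-MSCHAPv2 for guests: Let's Encrypt server cert, inner tunnel for passwords.
    peap {
        tls = tls-guest
        default_eap_type = mschapv2
        virtual_server = "inner-tunnel"
    }

    mschapv2 {
    }
}
```

With freeradius2 there is a single tls section and therefore a single ca_file, which is why the two EAP types cannot be given different trust anchors in one instance.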
-
I haven't looked into this but I would assume you'd be able to specify different CA-options if you were to run multiple (or virtual) freeradius instances. I'm doing this to provide different user lists to different VLAN-tagged SSIDs.
It's rather easy to setup but has to be done manually. I did a quick and dirty write up a couple of days ago:
https://forum.pfsense.org/index.php?topic=126862.0
-
I haven't looked into this but I would assume you'd be able to specify different CA-options if you were to run multiple (or virtual) freeradius instances. I'm doing this to provide different user lists to different VLAN-tagged SSIDs.
It's rather easy to setup but has to be done manually. I did a quick and dirty write up a couple of days ago:
https://forum.pfsense.org/index.php?topic=126862.0
Have you tried restarting pfSense yet? I don't think hand-edits to the config files stick after a reboot. Do they?
-
No, this certainly won't stick.
-
The changes I have made to my setup actually do stick after reboot. Tested and confirmed twice. Probably because I haven't edited the "radiusd.conf"? Can't say much about the CA-stuff you're trying to achieve though.
-
Is it possible to install freeradius3 manually? Even if StarkJohan's method works, I'd still need to set up different wifi networks to take advantage of it. freeradius3 allows you to use different CA certificates on a single instance.
-
The changes I have made to my setup actually do stick after reboot. Tested and confirmed twice.
This will "stick" exactly until you've clicked "Save" somewhere in the FreeRADIUS package GUI.
-
doktornotor is of course correct, saving in the GUI overwrites the configs, which is important to remember if doing manual edits.
The question in this case was if it "sticks" after reboot, which it actually does. In my case the GUI settings of the freeradius package have been "set it and forget it" so I'm still happy.
doktornotor, would you think that there would be any realistic way to include the option of adding virtual servers using the GUI in the freeradius package in the future?
-
doktornotor, would you think that there would be any realistic way to include the option of adding virtual servers using the GUI in the freeradius package in the future?
Hmmm, the PHP code alone is ~4400 lines – not counting 800+ lines of input validation (not yet merged)… ::)
-
So maybe not this week? ;D
-
Yeah, bingo. Frankly, before anything gets potentially added, crap like the built-in certificate manager needs to be flushed down the drain.
-
What are the prospects for a freeradius3 package? freeradius2 is already not getting fixes, only critical security patches, so at some point folks will need to decide whether to create a new package or drop it entirely.