FreeRADIUS 3.x package is here! Feedback, please


  • Rebel Alliance Developer Netgate

    I have a FreeBSD 3.x GUI package converted and running.

    It was a giant pain to reformat everything in a way that made FreeRADIUS 3.x happy and I am almost certain there are parts I overlooked or didn't see, and potentially directives that changed that I didn't convert 100% the way they should be. Numerous names changed or were relocated, the modules subsystem changed radically, a few things were removed/deprecated, etc. I also made some code style fixes while I was at it. Based on initial feedback I have fixed a number of issues and it now passes all of the common authentication test scenarios I had noted.

    The package is available now for 2.4, and will be on 2.3.x snapshots in the next few hours or overnight.

    The configuration in the GUI is identical to FreeRADIUS 2.x; they install files to the same place, so do not attempt to install both packages. If you remove FreeRADIUS 2.x and install FreeRADIUS 3.x the configuration will carry over.

    Git repo files for FreeRADIUS are here to follow along with the development:
    https://github.com/pfsense/FreeBSD-ports/tree/devel/net/pfSense-pkg-freeradius3

    EDIT:

    Version 0.2: LDAP backend fixes (basic test passed but more advanced testing is appreciated)
    Version 0.3: SQL database fixes (basic test passed but more advanced testing is appreciated)
    Version 0.3.1: Fix for some missing mods-enabled directory entries
    Version 0.3.2: Fixes to ensure the raddb/ dir is clean/fresh and proper at install time
    Version 0.3.3: Fix parsing of datalimit users
    Version 0.3.4: Fixed "View Config" entries to use current file locations. Some files will be missing/empty if the referenced modules are not configured.
    Version 0.4: Fixed mOTP, PEAP, and MAC auth
    Version 0.4.1: Fix a typo that could break file auth when disabling plain MAC auth
    Version 0.5: Automatically generate certificates for EAP if the user hasn't configured anything, rather than failing harshly and creating a notice
    Version 0.5.1: Fix formatting of extra user options
    Version 0.6: Added Google Authenticator OTP code based on https://github.com/pfsense/FreeBSD-ports/pull/357 (but adjusted for 3.x)
    Version 0.6_1 through 0.6_4 were not significant changes to the package from a user perspective; they were attempts to fix some build issues with GA.
    Version 0.6_5: No change, bumped version to trigger a rebuild for 2.3.4

    Due to the way pkg updates are deployed on snapshot branches, the new version will not appear until a new snapshot is triggered, which could be several hours.

    More discussion in the 2.4 snapshots board: https://forum.pfsense.org/index.php?topic=131932.0

    EDIT: As of 0.5.1 the package appears to be reasonably stable and working for a wide variety of situations, and is suitable for wider testing. Feedback is welcome!

    EDIT: Version 0.6_4 is now available on 2.3.x snapshots; tests OK so far. 2.3.4 will follow in the next few days at most.

    EDIT: Version 0.6_5 is now available on 2.3.4!


  • Rebel Alliance Developer Netgate

    The FreeRADIUS 3 package is available for TESTING on 2.4. Feedback is welcome!


  • Rebel Alliance Global Moderator

    I will play with this this weekend for sure. I use EAP-TLS auth for all my wifi devices… So I'll be able to test that scenario for you ;)


  • Rebel Alliance Developer Netgate

    @johnpoz:

    I will play with this this weekend for sure. I use EAP-TLS auth for all my wifi devices… So I'll be able to test that scenario for you ;)

    Great, thanks!


  • Rebel Alliance Developer Netgate

    As of 0.5.1 the package appears to be reasonably stable and working for a wide variety of situations, and is suitable for wider testing. Feedback is welcome!

    Be sure to remove the FreeRADIUS 2.x before attempting to install FreeRADIUS 3.x.


  • Rebel Alliance Developer Netgate

    As of version 0.6_5, the package is available on 2.3.4, 2.3.x snapshots, and 2.4 snapshots!

    Please remember to uninstall freeradius2 before attempting to install freeradius3.



  • FreeRADIUS 3 (0.6.6)
    I just did some tests (EAP-TLS for wifi users)
    works great!  :)

    I have a question about OTP (Google Authenticator) configuration: how do I generate the QR code (or text)? And is the PIN code a mandatory field also when using Google Authenticator?
    Configuring OTP using an app like DroidOTP is very easy (the user decides on a PIN and the mobile app generates a random init string), but how do I configure Google Authenticator?
    I didn't find exhaustive info about it here on the forum (but if I'm wrong please let me know)


  • Rebel Alliance Developer Netgate

    @LucaTo:

    I have a question about OTP (Google Authenticator) configuration: how do I generate the QR code (or text)? And is the PIN code a mandatory field also when using Google Authenticator?
    Configuring OTP using an app like DroidOTP is very easy (the user decides on a PIN and the mobile app generates a random init string), but how do I configure Google Authenticator?
    I didn't find exhaustive info about it here on the forum (but if I'm wrong please let me know)

    That code was submitted very recently, so it probably still has some issues. I don't think the PIN is mandatory, I've not seen a PIN be required for GA before.

    The script says it was from http://www.brool.com/post/using-google-authenticator-for-your-website/ but the code on that site is a bit different.

    The original PR for the GA code is https://github.com/pfsense/FreeBSD-ports/pull/357 – I merged it in manually so that's why it shows closed.



  • Thanks for your reply.

    Now seems more clear to me:
    I need to:

    1. Manually generate a 16-digit base32 "secret key" string (the base32 alphabet is A-Z and 2-7), like this for example: H2EFO7LD566Q22PB
    2. On G.A. mobile app add a new user account (username and the 16digit secret key just created)
    3. On pfsense create a new user in freeradius using the same username and the 16digit in "Init-Secret" field.

    Note: the "PIN" field in "FreeRADIUS: Users/Edit/Users" seems to be mandatory; I can't leave it empty, error "The 'PIN' field may not be empty when 'Enable One-Time-Password for this user' is checked."



  • Appears that the password field for the LDAP account to use when connecting is not properly escaping or sanitizing input;

    
    radiusd -C -X 
    ...
    /usr/local/etc/raddb/mods-enabled/ldap[5]: Parse error after <redacted>: unexpected token "}"
    

  • Rebel Alliance Developer Netgate

    @gerby123:

    Appears that the password field for the LDAP account to use when connecting is not properly escaping or sanitizing input;

    
    radiusd -C -X 
    ...
    /usr/local/etc/raddb/mods-enabled/ldap[5]: Parse error after <redacted>: unexpected token "}"
    

    Did that work in FreeRADIUS 2.x or was it also broken there? At the moment I'm only concentrating on regressions in behavior. I'll get around to fixing other issues once the dust settles.



    Continuing to see issues with STARTTLS

    
    (1) ldap: EXPAND (|(userPrincipalName=%{%{Stripped-User-Name}:-%{User-Name}}@corp.contoso.com)(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}))
    (1) ldap:    --> (|(userPrincipalName=test@corp.contoso.com)(sAMAccountName=test))
    (1) ldap: Performing search in "dc=corp,dc=contoso,dc=com" with filter "(|(userPrincipalName=test@corp.contoso.com)(sAMAccountName=test))", scope "sub"
    (1) ldap: Waiting for search result...
    rlm_ldap (ldap): Rebinding to URL ldap://corp.contoso.com/CN=Configuration,DC=corp,DC=contoso,DC=com
    rlm_ldap (ldap): Waiting for bind result...
    rlm_ldap (ldap): Bind with cn=radius,cn=users,dc=corp,dc=contoso,dc=com to ldap://hypnotoad.corp.contoso.com:389 failed: Strong(er) authentication required
    rlm_ldap (ldap): Server said: BindSimple: Transport encryption required..
    
    


  • @jimp:

    @gerby123:

    Appears that the password field for the LDAP account to use when connecting is not properly escaping or sanitizing input;

    
    radiusd -C -X 
    ...
    /usr/local/etc/raddb/mods-enabled/ldap[5]: Parse error after <redacted>: unexpected token "}"
    

    Did that work in FreeRADIUS 2.x or was it also broken there? At the moment I'm only concentrating on regressions in behavior. I'll get around to fixing other issues once the dust settles.

    This was working on 2.x; I've created a new user on the LDAP server for the time being with a simpler password to continue testing.


  • Rebel Alliance Developer Netgate

    @gerby123:

    Continuing to see issues with STARTTLS

    Did you check the new box to use STARTTLS near the bottom? It was assumed before, but it shouldn't have been. Now TLS on its own == TLS on a TLS port (LDAPS), and TLS+STARTTLS does STARTTLS on a traditional LDAP port like you want. Previously it was impossible to configure plain TLS.

    @gerby123:

    @gerby123:

    
    /usr/local/etc/raddb/mods-enabled/ldap[5]: Parse error after <redacted>: unexpected token "}"
    

    This was working on 2.x; I've created a new user on the LDAP server for the time being with a simpler password to continue testing.

    Can you check how that password was formatted in the actual configuration file(s) on 2.x vs 3.x? It may be too late now. It's difficult for me to test every permutation of all these settings.



  • @jimp:

    @gerby123:

    Continuing to see issues with STARTTLS

    Did you check the new box to use STARTTLS near the bottom? It was assumed before, but it shouldn't have been. Now TLS on its own == TLS on a TLS port (LDAPS), and TLS+STARTTLS does STARTTLS on a traditional LDAP port like you want. Previously it was impossible to configure plain TLS.

    @gerby123:

    @gerby123:

    
    /usr/local/etc/raddb/mods-enabled/ldap[5]: Parse error after <redacted>: unexpected token "}"
    

    This was working on 2.x; I've created a new user on the LDAP server for the time being with a simpler password to continue testing.

    Can you check how that password was formatted in the actual configuration file(s) on 2.x vs 3.x? It may be too late now. It's difficult for me to test every permutation of all these settings.

    I don't have the 2.x config anymore; I can try and reinstall and check later.  Below is a slightly redacted sample of my ldap config, please note that the password was not quoted before I redacted.

    Packet captures do show that a TLS session is established to the LDAP server on 389 with clear text communication interleaved.

    
    ldap {
    	server = "hypnotoad.corp.contoso.com"
    	port = "389"
    	identity = "cn=radius,cn=users,dc=corp,dc=contoso,dc=com"
    	password = <redacted>
    	base_dn = "dc=corp,dc=contoso,dc=com"
    
    	user {
    		base_dn = "${..base_dn}"
    		filter = "(|(userPrincipalName=%{%{Stripped-User-Name}:-%{User-Name}}@corp.contoso.com)(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}))"
    		### access_attr = "dialupAccess" ###
    	}
    	group {
    		base_dn = "${..base_dn}"
    		filter = '(objectClass=posixGroup)'
    		### name_attribute = cn ###
    		### membership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))" ###
    		### membership_attribute = radiusGroupName ###
    		### compare_check_items = yes ###
    		### do_xlat = yes ###
    		### access_attr_used_for_allow = yes ###
    	}
    	profile {
    		filter = "(objectclass=radiusprofile)"
    		### default_profile = "cn=radprofile,ou=dialup,o=My Company Ltd,c=US" ###
    		### profile_attribute = "radiusProfileDn" ###
    	}
    
    	tls {
    		start_tls = yes
    		ca_file = /usr/local/etc/raddb/certs/ca_ldap1_cert.pem
    		ca_path = /usr/local/etc/raddb/certs/
    		certificate_file = /usr/local/etc/raddb/certs/radius_ldap1_cert.crt
    		private_key_file = /usr/local/etc/raddb/certs/radius_ldap1_cert.key
    		random_file = /dev/urandom
    		require_cert = "never"
    	}
    

  • Rebel Alliance Developer Netgate

    Hmm, the password formatting is identical between versions. Their parser must have changed.

    Can you try this patch?

    diff --git a/usr/local/pkg/freeradius.inc b/usr/local/pkg/freeradius.inc
    index 87753d6..418b28a 100644
    --- a/usr/local/pkg/freeradius.inc
    +++ b/usr/local/pkg/freeradius.inc
    @@ -2725,7 +2725,7 @@ function freeradius_modulesldap_resync($restart_svc = true) {
     	$varmodulesldapserver = ($arrmodulesldap['varmodulesldapserver'] ?: 'ldap.example.com');
     	$varmodulesldapserverport = ($arrmodulesldap['varmodulesldapserverport'] ?: '389');
     	$varmodulesldapidentity = ($arrmodulesldap['varmodulesldapidentity'] ?: 'cn=admin,o=My Company Ltd,c=US');
    -	$varmodulesldappassword = ($arrmodulesldap['varmodulesldappassword'] ?: 'mypass');
    +	$varmodulesldappassword = (escapeshellarg($arrmodulesldap['varmodulesldappassword']) ?: 'mypass');
     	$varmodulesldapbasedn = ($arrmodulesldap['varmodulesldapbasedn'] ?: 'o=My Company Ltd,c=US');
     	$varmodulesldapfilter = ($arrmodulesldap['varmodulesldapfilter'] ?: '(uid=%{%{Stripped-User-Name}:-%{User-Name}})');
     	$varmodulesldapbasefilter = ($arrmodulesldap['varmodulesldapbasefilter'] ?: '(objectclass=radiusprofile)');
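    Review bot: escapeshellarg() is shell quoting, but this value is written into the FreeRADIUS module configuration (mods-enabled/ldap), not passed to a shell, so the quoting rules do not match: the value is wrapped in single quotes and an embedded ' becomes '\'' , which the FreeRADIUS config parser does not read the way a shell does. The replaced expression `(escapeshellarg($arrmodulesldap['varmodulesldappassword']) ?: 'mypass')` also has a dead fallback: for an empty value escapeshellarg() returns the two-character string '', which is truthy in PHP, so 'mypass' can never be chosen. Suggest keeping the `?:` on the raw value and then quoting the result in FreeRADIUS's own string syntax (quote character and backslash escaped), which also addresses the reported failure where an unquoted password containing } ended the ldap { } section early.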
    @@ -2738,7 +2738,7 @@ function freeradius_modulesldap_resync($restart_svc = true) {
     	$varmodulesldap2server = ($arrmodulesldap['varmodulesldap2server'] ?: 'ldap.example.com');
     	$varmodulesldap2serverport = ($arrmodulesldap['varmodulesldap2serverport'] ?: '389');
     	$varmodulesldap2identity = ($arrmodulesldap['varmodulesldap2identity'] ?: 'cn=admin,o=My Company Ltd,c=US');
    -	$varmodulesldap2password = ($arrmodulesldap['varmodulesldap2password'] ?: 'mypass');
    +	$varmodulesldap2password = (escapeshellarg($arrmodulesldap['varmodulesldap2password']) ?: 'mypass');
     	$varmodulesldap2basedn = ($arrmodulesldap['varmodulesldap2basedn'] ?: 'o=My Company Ltd,c=US');
     	$varmodulesldap2filter = ($arrmodulesldap['varmodulesldap2filter'] ?: '(uid=%{%{Stripped-User-Name}:-%{User-Name}})');
     	$varmodulesldap2basefilter = ($arrmodulesldap['varmodulesldap2basefilter'] ?: '(objectclass=radiusprofile)');
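    Review bot: the same two problems apply to the ldap2 password in this hunk: escapeshellarg() is shell quoting rather than FreeRADIUS config quoting, and `escapeshellarg('') ?: 'mypass'` never falls back because the empty value becomes the truthy string ''. Whatever quoting helper is chosen for varmodulesldappassword should be applied to varmodulesldap2password too, ideally through one shared function so the two paths cannot drift.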
    
    

    As for STARTTLS I can't really comment on that behavior. I'd expect the initial exchange to be plain until STARTTLS kicked in and then it should be encrypted, but it looks like we're setting all the correct options, it may also be something in FreeRADIUS 3.x that changed.

    I don't have a viable test setup for LDAP-backed connections, I'd have to try to rig one up and test more.



  • I'll give that a shot and report back as soon as I can; pulled to another issue at the moment.



  • That patch does appear to have resolved the issue with the password contents according to radiusd -C -X; not sure whether it's transmitting correctly to the LDAP server yet.



    Disabling STARTTLS and moving to 636 has resolved further issues. I am still having LDAP integration issues and may need to modify some config files by hand.


  • Galactic Empire

    Set up a WPA2-EAP SSID for testing, works fine.

    Thought I'd have a play with accounting.

    One thing that would be nice would be changing the port when you change the interface type, i.e. when changing from Auth to Accounting the port stays on 1812 rather than changing to 1813.

    Not sure if this was the same with V2.


  • Rebel Alliance Developer Netgate

    @gerby123:

    That patch does appear to have resolved the issue with the password contents according to radiusd -C -X; not sure whether it's transmitting correctly to the LDAP server yet.

    I just pushed an update that contains the patch (and that's the only change), so next time you update that your password should keep working.



  • Hi guys,

    great job. Thanks for developing. I've tested the Google Authenticator OTP while using OpenVPN with FreeRADIUS. First I was a little bit confused, because I expected an automatically generated init secret code and didn't know what I had to type in. After reading this topic I found out that I have to create a base32 code. Now it runs, glad to say. It would be nice if the secret code were generated automatically and an icon were placed behind the input bar, so that another one could be generated by clicking on it.

    Second, it would be fantastic if it were possible to log in with FreeRADIUS and OTP in the webGUI.

    Many thanks and great job.

    Chris



  • Just switched over from FreeRADIUS 2 to 3 - upgrade went smooth and everything appears to be working just fine.  Thanks for all your hard work on this.



    Unfortunately upgrading to Version 3 breaks authentication entirely for me.
    I uninstalled Version 2 and installed version 3.
    I'm using local users i.e. no sql or ldap.

    For users authenticating with a username/password (Cleartext) I get the following error:
    (98) Login incorrect (mschap: FAILED: No NT/LM-Password. Cannot perform authentication): [USERNAME] (from client NAS port 15 cli XX-XX-XX-XX-XX-X via TLS tunnel)

    For devices that do not support 802.1X and which get authenticated with their MAC address as username and password, I get the following error:
    (103) Login incorrect (Failed retrieving values required to evaluate condition): [MAC_ADDRESS] (from client NAS port 23 cli XX:XX:XX:XX:XX:XX)

    Until I figure this out I have reverted to Version 2.


  • Rebel Alliance Developer Netgate

    @peer46:

    For users authenticating with a username/password (Cleartext) I get the following error:
    (98) Login incorrect (mschap: FAILED: No NT/LM-Password. Cannot perform authentication): [USERNAME] (from client NAS port 15 cli XX-XX-XX-XX-XX-X via TLS tunnel)

    For devices that do not support 802.1X and which get authenticated with their MAC address as username and password, I get the following error:
    (103) Login incorrect (Failed retrieving values required to evaluate condition): [MAC_ADDRESS] (from client NAS port 23 cli XX:XX:XX:XX:XX:XX)

    What sort of device is handing off authentication requests to haproxy? Switch? AP? If so, how is it setup? What options do you have set there?

    What do you have setup on the EAP tab? It's apparently not happy with something there. Though my setup works fine with EAP-MSCHAPv2 on FreeRADIUS 3.

    And if you could describe any other settings you have put in place anywhere in FreeRADIUS, that would be helpful as well.



  • The first error is a wireless client where authentication is handled by a WAP. The second is a wired device and authentication is done by a switch.

    In Freeradius Version 2 log output looks like this:
    Wireless client with username/password:

    
    Login OK: [wirelessDevice] (from client wap-1 port 0 cli 4A-77-8F-C3-AB-91)
    Login OK: [wirelessDevice] (from client wap-1 port 0 cli 4A-77-8F-C3-AB-91 via TLS tunnel) 
    
    

    Wired client with mac address as username/password:

    
    Login OK: [771CD36F33C4] (from client switch-1 port 23 cli 77:1c:d3:6f:33:c4)
    
    

    Below I've attached my FreeRADIUS config. I've changed names, passwords and MAC addresses. One thing to note here is that the check-items don't work out of the box with the vertical bar "|", because pfSense out of the box uses the vertical bar as a line separator. So for that to work I have to adapt freeradius.inc after every update.

    
     <freeradiusinterfaces><config><varinterfaceip>*</varinterfaceip>
    		<varinterfaceport>1812</varinterfaceport>
    		<varinterfacetype>auth</varinterfacetype>
    		<varinterfaceipversion>ipaddr</varinterfaceipversion></config> 
    	 <config><varinterfaceip>*</varinterfaceip>
    		<varinterfaceport>1813</varinterfaceport>
    		<varinterfacetype>acct</varinterfacetype>
    		<varinterfaceipversion>ipaddr</varinterfaceipversion></config></freeradiusinterfaces> 
     <freeradiusclients><config><varclientip>10.0.20.2</varclientip>
    		<varclientipversion>ipaddr</varclientipversion>
    		<varclientshortname>switch-1</varclientshortname>
    		<varclientsharedsecret>xyz</varclientsharedsecret>
    		<varclientproto>udp</varclientproto>
    		<varclientnastype>other</varclientnastype>
    		<varrequiremessageauthenticator>no</varrequiremessageauthenticator>
    		<varclientmaxconnections>16</varclientmaxconnections>
    		<varclientlogininput></varclientlogininput>
    		<varclientpasswordinput></varclientpasswordinput></config> 
    	 <config><varclientip>10.0.20.3</varclientip>
    		<varclientipversion>ipaddr</varclientipversion>
    		<varclientshortname>switch-2</varclientshortname>
    		<varclientsharedsecret>xyz</varclientsharedsecret>
    		<varclientproto>udp</varclientproto>
    		<varclientnastype>other</varclientnastype>
    		<varrequiremessageauthenticator>no</varrequiremessageauthenticator>
    		<varclientmaxconnections>16</varclientmaxconnections>
    		<varclientlogininput></varclientlogininput>
    		<varclientpasswordinput></varclientpasswordinput></config> 
    	 <config><varclientip>10.0.20.4</varclientip>
    		<varclientipversion>ipaddr</varclientipversion>
    		<varclientshortname>wap-2</varclientshortname>
    		<varclientsharedsecret>xyz</varclientsharedsecret>
    		<varclientproto>udp</varclientproto>
    		<varclientnastype>other</varclientnastype>
    		<varrequiremessageauthenticator>no</varrequiremessageauthenticator>
    		<varclientmaxconnections>16</varclientmaxconnections>
    		<varclientlogininput></varclientlogininput>
    		<varclientpasswordinput></varclientpasswordinput></config> 
    	 <config><varclientip>10.0.20.5</varclientip>
    		<varclientipversion>ipaddr</varclientipversion>
    		<varclientshortname>wap-1</varclientshortname>
    		<varclientsharedsecret>xyz</varclientsharedsecret>
    		<varclientproto>udp</varclientproto>
    		<varclientnastype>other</varclientnastype>
    		<varrequiremessageauthenticator>no</varrequiremessageauthenticator>
    		<varclientmaxconnections>16</varclientmaxconnections>
    		<varclientlogininput></varclientlogininput>
    		<varclientpasswordinput></varclientpasswordinput></config></freeradiusclients> 
     <freeradiuseapconf><config><vareapconfdisableweakeaptypes></vareapconfdisableweakeaptypes>
    		<vareapconfdefaulteaptype>md5</vareapconfdefaulteaptype>
    		<vareapconftimerexpire>60</vareapconftimerexpire>
    		<vareapconfignoreunknowneaptypes>no</vareapconfignoreunknowneaptypes>
    		<vareapconfciscoaccountingusernamebug>no</vareapconfciscoaccountingusernamebug>
    		<vareapconfmaxsessions>4096</vareapconfmaxsessions>
    		<ssl_ca_cert>XXXXXXXXXXXX</ssl_ca_cert>
    		<ssl_ca_crl>XXXXXXXXXXX</ssl_ca_crl>
    		<ssl_server_cert>XXXXXXXXXXX</ssl_server_cert>
    		<vareapconfincludelength>yes</vareapconfincludelength>
    		<vareapconffragmentsize>1024</vareapconffragmentsize>
    		<vareapconfenablecheckcertissuer></vareapconfenablecheckcertissuer>
    		<vareapconfcountry></vareapconfcountry>
    		<vareapconfstate></vareapconfstate>
    		<vareapconfcity></vareapconfcity>
    		<vareapconforganization></vareapconforganization>
    		<vareapconfemail></vareapconfemail>
    		<vareapconfcommonname></vareapconfcommonname>
    		<vareapconfenablecheckcertcn></vareapconfenablecheckcertcn>
    		<vareapconfcacheenablecache>no</vareapconfcacheenablecache>
    		<vareapconfcachelifetime>24</vareapconfcachelifetime>
    		<vareapconfcachemaxentries>255</vareapconfcachemaxentries>
    		<vareapconfocspenable>no</vareapconfocspenable>
    		<vareapconfocspoverridecerturl>no</vareapconfocspoverridecerturl>
    		<vareapconfocspurl>http://127.0.0.1/ocsp/</vareapconfocspurl>
    		<vareapconfttlsdefaulteaptype>md5</vareapconfttlsdefaulteaptype>
    		<vareapconfttlscopyrequesttotunnel>yes</vareapconfttlscopyrequesttotunnel>
    		<vareapconfttlsusetunneledreply>yes</vareapconfttlsusetunneledreply>
    		<vareapconfttlsincludelength>yes</vareapconfttlsincludelength>
    		<vareapconfpeapdefaulteaptype>mschapv2</vareapconfpeapdefaulteaptype>
    		<vareapconfpeapcopyrequesttotunnel>yes</vareapconfpeapcopyrequesttotunnel>
    		<vareapconfpeapusetunneledreply>yes</vareapconfpeapusetunneledreply>
    		<vareapconfpeapsohenable>Disable</vareapconfpeapsohenable></config></freeradiuseapconf> 
     <freeradius><config><sortable></sortable>
    		<varusersusername>wirelessDevice</varusersusername>
    		<varuserspassword>xyz</varuserspassword>
    		<varuserspasswordencryption>Cleartext-Password</varuserspasswordencryption>
    		<varusersmotpenable></varusersmotpenable>
    		<varusersmotpinitsecret></varusersmotpinitsecret>
    		<varusersmotppin></varusersmotppin>
    		<varusersmotpoffset></varusersmotpoffset>
    		<varuserswisprredirectionurl></varuserswisprredirectionurl>
    		<varuserssimultaneousconnect></varuserssimultaneousconnect>
    
    		<varusersframedipaddress></varusersframedipaddress>
    		<varusersframedipnetmask></varusersframedipnetmask>
    		<varusersframedroute></varusersframedroute>
    		<varusersvlanid>10</varusersvlanid>
    		<varusersexpiration></varusersexpiration>
    		<varuserssessiontimeout>14400</varuserssessiontimeout>
    		<varuserslogintime></varuserslogintime>
    		<varusersamountoftime></varusersamountoftime>
    		<varuserspointoftime>Daily</varuserspointoftime>
    		<varusersmaxtotaloctets></varusersmaxtotaloctets>
    		<varusersmaxtotaloctetstimerange>daily</varusersmaxtotaloctetstimerange>
    		<varusersmaxbandwidthdown></varusersmaxbandwidthdown>
    		<varusersmaxbandwidthup></varusersmaxbandwidthup>
    		<varusersacctinteriminterval></varusersacctinteriminterval>
    		<varuserstopadditionaloptions></varuserstopadditionaloptions>
    		<varuserscheckitemsadditionaloptions>NAS-IP-Address =~ "10.0.20.4|10.0.20.5", Calling-Station-ID == "4A-77-8F-C3-AB-91", Called-Station-ID =~ ".*(:Foobar)$"</varuserscheckitemsadditionaloptions>
    		<varusersreplyitemsadditionaloptions>Termination-Action = 1</varusersreplyitemsadditionaloptions></config> 
    	 <config><sortable></sortable>
    		<varusersusername>771CD36F33C4</varusersusername>
    		<varuserspassword>771CD36F33C4</varuserspassword>
    		<varuserspasswordencryption>Cleartext-Password</varuserspasswordencryption>
    		<varusersmotpenable></varusersmotpenable>
    		<varusersmotpinitsecret></varusersmotpinitsecret>
    		<varusersmotppin></varusersmotppin>
    		<varusersmotpoffset></varusersmotpoffset>
    		<varuserswisprredirectionurl></varuserswisprredirectionurl>
    		<varuserssimultaneousconnect></varuserssimultaneousconnect>
    
    		<varusersframedipaddress></varusersframedipaddress>
    		<varusersframedipnetmask></varusersframedipnetmask>
    		<varusersframedroute></varusersframedroute>
    		<varusersvlanid>20</varusersvlanid>
    		<varusersexpiration></varusersexpiration>
    		<varuserssessiontimeout>14400</varuserssessiontimeout>
    		<varuserslogintime></varuserslogintime>
    		<varusersamountoftime></varusersamountoftime>
    		<varuserspointoftime>Daily</varuserspointoftime>
    		<varusersmaxtotaloctets></varusersmaxtotaloctets>
    		<varusersmaxtotaloctetstimerange>daily</varusersmaxtotaloctetstimerange>
    		<varusersmaxbandwidthdown></varusersmaxbandwidthdown>
    		<varusersmaxbandwidthup></varusersmaxbandwidthup>
    		<varusersacctinteriminterval></varusersacctinteriminterval>
    		<varuserstopadditionaloptions></varuserstopadditionaloptions>
    		<varuserscheckitemsadditionaloptions>NAS-IP-Address =~ "10.0.20.2|10.0.20.3", Calling-Station-ID =~ "77-1C-D3-6F-33-C4|77:1c:d3:6f:33:c4"</varuserscheckitemsadditionaloptions>
    		<varusersreplyitemsadditionaloptions>Termination-Action = 1</varusersreplyitemsadditionaloptions></config></freeradius> 
     <freeradiussettings><config><varsettingsmaxrequests>1024</varsettingsmaxrequests>
    		<varsettingsmaxrequesttime>30</varsettingsmaxrequesttime>
    		<varsettingscleanupdelay>5</varsettingscleanupdelay>
    		<varsettingsallowcoredumps>no</varsettingsallowcoredumps>
    		<varsettingsregularexpressions>yes</varsettingsregularexpressions>
    		<varsettingsextendedexpressions>yes</varsettingsextendedexpressions>
    		<varsettingslogdir>syslog</varsettingslogdir>
    		<varsettingsauth>yes</varsettingsauth>
    		<varsettingsauthbadpass>no</varsettingsauthbadpass>
    		<varsettingsauthbadpassmessage></varsettingsauthbadpassmessage>
    		<varsettingsauthgoodpass>no</varsettingsauthgoodpass>
    		<varsettingsauthgoodpassmessage></varsettingsauthgoodpassmessage>
    		<varsettingsstrippednames>no</varsettingsstrippednames>
    		<varsettingshostnamelookups>no</varsettingshostnamelookups>
    		<varsettingsmaxattributes>200</varsettingsmaxattributes>
    		<varsettingsrejectdelay>1</varsettingsrejectdelay>
    		<varsettingsstartservers>5</varsettingsstartservers>
    		<varsettingsmaxservers>32</varsettingsmaxservers>
    		<varsettingsminspareservers>3</varsettingsminspareservers>
    		<varsettingsmaxspareservers>10</varsettingsmaxspareservers>
    		<varsettingsmaxqueuesize>65536</varsettingsmaxqueuesize>
    		<varsettingsmaxrequestsperserver>0</varsettingsmaxrequestsperserver>
    		<varsettingsmotpenable></varsettingsmotpenable>
    		<varsettingsmotptimespan></varsettingsmotptimespan>
    		<varsettingsmotppasswordattempts></varsettingsmotppasswordattempts>
    		<varsettingsmotpchecksumtype>md5</varsettingsmotpchecksumtype>
    		<varsettingsmotptokenlength></varsettingsmotptokenlength>
    		<varsettingsenablemacauth></varsettingsenablemacauth>
    		<varsettingsenableacctunique></varsettingsenableacctunique></config></freeradiussettings> 
    
    


  • Hello!

    Just started using the new Freeradius package - with the OTP possibilities on a freshly installed pfsense server.
    I just cannot figure out how this part works.

    • user name: mandatory
    • password should be blank (at user page).
    • authentication method: Google Authenticator
    • init secret: 16 character long base32 encoded string. (used the same string as above)
    • pin: 4 digit numeric pin

    I enter the same secret to the google authenticator app on an android phone - this generates a time based OTP.
    Sending Auth Request from NTRadPing utility with correct user name and OTP from the Google Authenticator app - REJECT.
    Tried all 3 hash algorithms - same.

    What is the meaning of the mandatory PIN? Google Authenticator does not use a PIN during the password generation process (just the secret).
    How should I submit the radius auth request?

    radiusd -X:
    Ready to process requests
    (0) Received Access-Request Id 19 from 10.101.168.3:51815 to 10.148.64.76:1812 length 61
    (0)  User-Name = "pdudas"
    (0)  User-Password = "132988"
    (0)  Calling-Station-Id = "10.148.67.254"
    (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
    (0)  authorize {
    (0)    [preprocess] = ok
    (0)    [chap] = noop
    (0)    [mschap] = noop
    (0)    [digest] = noop
    (0) suffix: Checking for suffix after "@"
    (0) suffix: No '@' in User-Name = "pdudas", skipping NULL due to config.
    (0)    [suffix] = noop
    (0) ntdomain: Checking for prefix before ""
    (0) ntdomain: No '' in User-Name = "pdudas", skipping NULL due to config.
    (0)    [ntdomain] = noop
    (0) eap: No EAP-Message, not doing EAP
    (0)    [eap] = noop
    (0) files: users: Matched entry pdudas at line 2
    (0)    [files] = ok
    rlm_counter: Entering module authorize code
    rlm_counter: Could not find Check item value pair
    (0)    [daily] = noop
    rlm_counter: Entering module authorize code
    rlm_counter: Could not find Check item value pair
    (0)    [weekly] = noop
    rlm_counter: Entering module authorize code
    rlm_counter: Could not find Check item value pair
    (0)    [monthly] = noop
    rlm_counter: Entering module authorize code
    rlm_counter: Could not find Check item value pair
    (0)    [forever] = noop
    (0)    if (&request:Calling-Station-Id == &control:Calling-Station-Id) {
    (0)    ERROR: Failed retrieving values required to evaluate condition
    (0)    [expiration] = noop
    (0)    [logintime] = noop
    (0) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
    (0) pap: WARNING: Authentication will fail unless a "known good" password is available
    (0)    [pap] = noop
    (0)  } # authorize = ok
    (0) Found Auth-Type = GOOGLEAUTH
    (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
    (0)  Auth-Type GOOGLEAUTH {
    (0) googleauth: Executing: /usr/local/etc/raddb/scripts/googleauth.py %{request:User-Name} %{reply:MOTP-Init-Secret} %{reply:MOTP-PIN} %{request:User-Password}:
    (0) googleauth: EXPAND %{request:User-Name}
    (0) googleauth:    --> pdudas
    (0) googleauth: EXPAND %{reply:MOTP-Init-Secret}
    (0) googleauth:    --> H2EFO7LD566Q22PB
    (0) googleauth: EXPAND %{reply:MOTP-PIN}
    (0) googleauth:    --> 3843
    (0) googleauth: EXPAND %{request:User-Password}
    (0) googleauth:    --> 132988
    (0) googleauth: ERROR: Program returned code (1) and output ''
    (0)    [googleauth] = reject
    (0)  } # Auth-Type GOOGLEAUTH = reject
    (0) Failed to authenticate the user
    (0) Using Post-Auth-Type Reject
    (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
    (0)  Post-Auth-Type REJECT {
    (0) attr_filter.access_reject: EXPAND %{User-Name}
    (0) attr_filter.access_reject:    --> pdudas
    (0) attr_filter.access_reject: Matched entry DEFAULT at line 11
    (0)    [attr_filter.access_reject] = updated
    (0)    [eap] = noop
    (0)    policy remove_reply_message_if_eap {
    (0)      if (&reply:EAP-Message && &reply:Reply-Message) {
    (0)      if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
    (0)      else {
    (0)        [noop] = noop
    (0)      } # else = noop
    (0)    } # policy remove_reply_message_if_eap = noop
    (0)  } # Post-Auth-Type REJECT = updated
    (0) Login incorrect (Failed retrieving values required to evaluate condition): [pdudas] (from client DC1 port 0 cli 10.148.67.254)
    (0) Delaying response for 1.000000 seconds
    Waking up in 0.2 seconds.
    Waking up in 0.6 seconds.
    (0) Sending delayed response
    (0) Sent Access-Reject Id 19 from 10.148.64.76:1812 to 10.101.168.3:51815 length 20
    Waking up in 3.9 seconds.
    (0) Cleaning up request packet ID 19 with timestamp +10
    Ready to process requests

    Could you please help what is wrong here?

    (PS - I have successfully implemented a multiOTP installation with AD authentication and then OTP as challenge, so FreeRADIUS and Python are not new to me. Just this part has no info on how to use it properly.)

    Thank you!



  • Managed to figure out:

    In the radius authentication packet (sent to the server as test) the following attributes needed:

    User-Name: this is the user name configured at Freeradius Users.
    User-Password: PIN+OTP code.  So in case the PIN was 1234 and 'Google Authenticator' app generated 564782, then 1234564782

    In the Freeradius Settings I used SHA256 as Hash Algorithm at the "Mobile-One-Time-Password Configuration".

    So the key: password is the PIN+OTP.
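    The password format worked out above (User-Password = PIN immediately followed by the six-digit code from the app) can be checked with plain RFC 4226/RFC 6238 arithmetic. The block below is an added example written for this thread; it is not the package's googleauth.py script that appears in the radiusd -X output, and it assumes the Google Authenticator defaults: a base32 secret, a 30-second time step, six digits and HMAC-SHA1 (the `algo` parameter is a stand-in for the GUI's Hash Algorithm setting; how the package maps that setting is an assumption, not something this thread confirms). The sample key is the published RFC 4226 test-vector secret, not a secret from this thread.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test-vector key (ASCII "12345678901234567890" in base32).
# Used here only as a known-answer sample; it is not a secret from this thread.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
SAMPLE_PIN = "1234"  # constructed sample PIN


def decode_base32_secret(secret_b32: str) -> bytes:
    """Decode a Google Authenticator style base32 secret, tolerating lower case,
    spaces and missing '=' padding (a 16-character secret has no padding)."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret_b32: str, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic
    truncation to a 31-bit integer, reduced to the requested number of digits."""
    key = decode_base32_secret(secret_b32)
    digest = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: float, step: int = 30,
         digits: int = 6, algo: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret_b32, int(at_time) // step, digits, algo)


def verify_pin_otp(password: str, stored_pin: str, secret_b32: str, now=None,
                   window: int = 1, step: int = 30, digits: int = 6,
                   algo: str = "sha1") -> bool:
    """Check a RADIUS User-Password of the form PIN+OTP.

    The PIN is compared in constant time; the OTP is accepted if it matches the
    current time step or any step within +/- `window` (clock drift tolerance).
    """
    if now is None:
        now = time.time()
    if len(password) != len(stored_pin) + digits:
        return False
    pin, otp = password[:len(stored_pin)], password[len(stored_pin):]
    pin_ok = hmac.compare_digest(pin.encode(), stored_pin.encode())
    if not otp.isdigit():
        return False
    counter = int(now) // step
    otp_ok = False
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate < 0:
            continue
        # Evaluate every candidate rather than returning early, so timing does
        # not reveal which step (if any) matched.
        if hmac.compare_digest(otp.encode(), hotp(secret_b32, candidate, digits, algo).encode()):
            otp_ok = True
    return pin_ok and otp_ok


if __name__ == "__main__":
    code = totp(SAMPLE_SECRET, time.time())
    print("current code:", code)
    print("accept:", verify_pin_otp(SAMPLE_PIN + code, SAMPLE_PIN, SAMPLE_SECRET))
```

    A real verifier should additionally remember the last accepted counter per user and refuse anything at or below it, so that a code which was already used cannot be replayed within the tolerance window.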



  • Is it possible to run multiple instances of FreeRADIUS?
    I want to run 2 RADIUS servers at once.


  • Rebel Alliance Developer Netgate

    @Panja:

    Is it possible to run multiple instances of FreeRADIUS?
    I want to run 2 RADIUS servers at once.

    No, but what would be the use case for that? Why do you believe that you need two instances?



  • This is because I want to have a FreeRadius server for each SSID I have.
    I cannot get the user separation working. So having multiple FreeRadius servers can "fix" that.
    Of course this setup is not ideal and requires more administration etc but better something than nothing. ;)



  • I tried out the FreeRADIUS3 package today. The curious part was that I uninstalled v2 from the GUI, and installed v3, expecting to set up the RADIUS service and enter all the MACs.  All the settings and MAC addresses had been retained…. maybe this is an issue? Or there is another uninstall step?

    Basically, MacAuth was no joy, as that is the only thing I tested before rolling back to a previous snapshot. RADIUS sends back a REJECT. v2 works like a champ.

    Wireless users only with Proxim APs. RADIUS Mac Authentication enabled.


  • Rebel Alliance Developer Netgate

    @NetworkGuy:

    I tried out the FreeRADIUS3 package today. The curious part was that I uninstalled v2 from the GUI, and installed v3, expecting to set up the RADIUS service and enter all the MACs.  All the settings and MAC addresses had been retained…. maybe this is an issue? Or there is another uninstall step?

    That's by design, the GUI parts are nearly identical so the settings all carried over to make the transition easier.

    @NetworkGuy:

    Basically, MacAuth was no joy, as that is the only thing I tested before rolling back to a previous snapshot. RADIUS sends back a REJECT. v2 works like a champ.

    Wireless users only with Proxim APs. RADIUS Mac Authentication enabled.

    Curious, it works when I try it here. In the FreeRADIUS settings are your MAC addresses in upper or lower case? How are they transmitted from the APs? Perhaps something in the FreeRADIUS backend changed and it's expecting or using a different case now than before.



  • Very good. Glad I didn't miss a step.

    FreeRADIUS settings are lower-case, i.e. ab-cd-ef-01-02-03.

    pfSense Packet capture: AP>pfSense (FreeRADIUS2):

    Username: e4ce8fxxxxxx
    Password: 8e5e8b82…....
    Called-Station-ID: 00-20-A6-XX-XX-XX
    Calling-Station-ID: E4-CE-8F-XX-XX-XX
    Message Authenticator: f8e5ecbd......

    The response, RADIUS>AP is Access-Accept with the Authenticator in all CAPS, and life goes on.

    I'll revert back to v3 and repeat the capture a little later and post. Too much going on in the network at the moment.

    Curious if formatting is the issue as there are formatting "normalization" routines at work here within the configuration scripts. Or are you referring to the bowels of the implementation?


  • Rebel Alliance Developer Netgate

    @NetworkGuy:

    Curious if formatting is the issue as there are formatting "normalization" routines at work here within the configuration scripts. Or are you referring to the bowels of the implementation?

    Assuming the normalization is kicking in like it's supposed to… There is a policy in place that should be shifting the Calling-Station-ID to lowercase, but whether or not it's actually happening for your config is another question.



  • There are no differences between the captures, FreeRADIUSv2 versus v3. Everything on the wire is the same, with the exception of the RADIUS response for v3.

    v2: Access-Accept
    v3: Access-Reject

    Environment:
    VMware ESXi 5.5
    pfSense 2.3.4_1

    No hardware, application or environmental differences between the snapshots I am testing, with the exception of FreeRADIUSv2 versus v3

    Uninstall v3. Re-install v3. No joy.
    Restart radiusd. No joy.
    Reboot pfSense. No joy.
    Reboot workstation. No joy.
    Reboot AP. No joy.

    Full capture v3:

    14:03:37.079733 PROXIM AP > PFSENSE, ethertype IPv4 (0x0800), length 180: (tos 0x0, ttl 64, id 50596, offset 0, flags [none], proto UDP (17), length 166)
        172.29.10.61.33996 > 172.29.10.1.1812: [udp sum ok] RADIUS, length: 138
    Access Request (1), id: 0x0e, Authenticator: a4b81d694ec4f…............
      Username Attribute (1), length: 14, Value: 44d884xxxxxx
        0x0000:  3434 6438 3834 ......
      Password Attribute (2), length: 18, Value:
        0x0000:  bd58 76d8 2e10 0ea9 .............
      Called Station Attribute (30), length: 19, Value: 00-20-A6-XX-XX-XX
        0x0000:  3030 2d32 302d 4136 .........
        0x0010:  38
      NAS Port Type Attribute (61), length: 6, Value: Wireless - IEEE 802.11
        0x0000:  0000 .......
      Calling Station Attribute (31), length: 19, Value: 44-D8-84-XX-XX-XX
        0x0000:  3434 2d44 382d 3834 ......
        0x0010:  39
      Connect Info Attribute (77), length: 24, Value: CONNECT 11Mbps 802.11b
        0x0000:  434f 4e4e 4543 5420 .......
        0x0010:  3032 2e31 ......
      Message Authentication Attribute (80), length: 18, Value: ?.
        0x0000:  3f95 3c21 3291 d6c7 .............
    14:03:38.088976 PFSENSE > PROXIM AP, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 64, id 25537, offset 0, flags [none], proto UDP (17), length 48)
        172.29.10.1.1812 > 172.29.10.61.33996: [bad udp cksum 0x6ca6 -> 0x7be5!] RADIUS, length: 20
    Access Reject (3), id: 0x0e, Authenticator: 2a3e41ab58ca2b53…..........

    Full capture v2:

    14:22:24.796839 PROXIM AP > PFSENSE, ethertype IPv4 (0x0800), length 180: (tos 0x0, ttl 64, id 50598, offset 0, flags [none], proto UDP (17), length 166)
        172.29.10.61.33996 > 172.29.10.1.1812: [udp sum ok] RADIUS, length: 138
    Access Request (1), id: 0x10, Authenticator: 2afd1eec286178d3d…............
      Username Attribute (1), length: 14, Value: 44d884xxxxxx
        0x0000:  3434 6438 3834 ...........
      Password Attribute (2), length: 18, Value:
        0x0000:  4bde 25e9 aa8c 15fa ................
      Called Station Attribute (30), length: 19, Value: 00-20-A6-XX-XX-XX
        0x0000:  3030 2d32 302d 4136 .............
        0x0010:  38
      NAS Port Type Attribute (61), length: 6, Value: Wireless - IEEE 802.11
        0x0000:  0000 .....
      Calling Station Attribute (31), length: 19, Value: 44-D8-84-XX-XX-XX
        0x0000:  3434 2d44 382d 3834 .............
        0x0010:  39
      Connect Info Attribute (77), length: 24, Value: CONNECT 11Mbps 802.11b
        0x0000:  434f 4e4e 4543 5420 .............
        0x0010:  3032 ..........
      Message Authentication Attribute (80), length: 18, Value: ...B.....a.`.4..
        0x0000:  f2cf de42 ecd0 8a95 fe61 ...........
    14:22:24.820913 PFSENSE > PROXIM AP, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 64, id 10718, offset 0, flags [none], proto UDP (17), length 48)
        172.29.10.1.1812 > 172.29.10.61.33996: [bad udp cksum 0x6ca6 -> 0x5db7!] RADIUS, length: 20
    Access Accept (2), id: 0x10, Authenticator: e5ff69f36735f1c8…............


  • Rebel Alliance Developer Netgate

    Did you try changing your MAC in the user records or MACs tab to upper case instead of lower case?



  • Yes, lower case, ab-cd-ef-01-23-45, does not work for v3 MacAuth, but UPPERCASE MACs, AB-CD-EF-01-23-45, does work with v3 MacAuth.

    Thanks for your help!
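    The case sensitivity found above is a classic comparison pitfall: the AP sends the client MAC in upper case with dashes in Calling-Station-Id and without separators in User-Name (see the captures earlier in the thread), while the records were stored in lower case. The following is an added example for this thread, not the package's own unlang policy or normalization code; it shows how to canonicalize every MAC notation before comparing, so the stored form no longer matters. The allowed-MAC list and the request values are constructed samples, and the decision function is a simplified model of a MAC-auth check (it assumes, as in the captures, that both User-Name and Calling-Station-Id carry the client MAC).

```python
import re

# Constructed sample records in the form the GUI stored them in this thread
# (lower case, dash separated); not MAC addresses from the captures.
SAMPLE_ALLOWED_MACS = ["ab-cd-ef-01-23-45", "00-11-22-33-44-55"]

_SEPARATORS = re.compile(r"[-:.]")
_HEX12 = re.compile(r"[0-9A-Fa-f]{12}")


def normalize_mac(value: str):
    """Return the MAC in canonical lower-case, dash-separated form
    (aa-bb-cc-dd-ee-ff), or None if the string is not a 48-bit MAC in any
    of the common notations (dashes, colons, Cisco dots, or no separator)."""
    stripped = _SEPARATORS.sub("", value.strip())
    if not _HEX12.fullmatch(stripped):
        return None
    h = stripped.lower()
    return "-".join(h[i:i + 2] for i in range(0, 12, 2))


def build_allow_set(records):
    """Normalize stored records once, at load time, and reject bad entries
    loudly instead of silently never matching them."""
    allow = set()
    for record in records:
        canonical = normalize_mac(record)
        if canonical is None:
            raise ValueError(f"not a MAC address: {record!r}")
        allow.add(canonical)
    return allow


def mac_auth_decision(user_name: str, calling_station_id: str, allow_set) -> str:
    """Model of a MAC-auth check: both attributes must normalize to the same
    MAC and that MAC must be in the allow set. Returns the RADIUS reply code."""
    user_mac = normalize_mac(user_name)
    csid_mac = normalize_mac(calling_station_id)
    if user_mac is None or csid_mac is None or user_mac != csid_mac:
        return "Access-Reject"
    return "Access-Accept" if csid_mac in allow_set else "Access-Reject"


if __name__ == "__main__":
    allow = build_allow_set(SAMPLE_ALLOWED_MACS)
    # Constructed request values in the notation the AP used in the captures.
    print(mac_auth_decision("abcdef012345", "AB-CD-EF-01-23-45", allow))
    print(mac_auth_decision("aabbccddeeff", "AA-BB-CC-DD-EE-FF", allow))
```

    Normalizing at both ends (when records are saved and when a request arrives) is what makes the comparison independent of how a particular vendor's NAS formats the attribute; relying on one side happening to use the same case is exactly what broke between the two package versions here.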


  • Rebel Alliance Developer Netgate

    @pdudas:

    • authentication method: Google Authenticator
    • init secret: 16 character long base32 encoded string. (used the same string as above)
    • pin: 4 digit numeric pin

    @pdudas:

    User-Password: PIN+OTP code.  So in case the PIN was 1234 and 'Google Authenticator' app generated 564782, then 1234564782
    […]
    So the key: password is the PIN+OTP.

    I added some notes to the FreeRADIUS 3 GUI to make this more clear. I also added a button to generate an OTP secret automatically of the correct type for the selected OTP method. So mOTP will generate one in hex (0-9,a-f) and GA will generate one in base32 (A-Z,2-7). I also added buttons to show the secret and PIN so they can stay obscured on the screen unless you want to see them. The secret is automatically displayed when generating a random one, otherwise you'd have no way to view it :-)

    I'm also tinkering with a QR code generator for GA, we'll see how that goes tomorrow if I have time.


  • Rebel Alliance Developer Netgate

    0.12 has a QR Code generator for Google Authenticator and also has some more improvements to the field notes for OTP in general.

