pfSense - FreeRadius. WiFi EAP (TLS). How apply checking attributes NAS-Identifier ?



  • pfSense - FreeRadius. Access Point : OpenWRT -WiFi EAP (TLS).
    I try limit connected user by wifi name of AP used NAS-Identifier.
    Additional RADIUS Attributes (CHECK-ITEM)
    NAS-Identifier == "ap-test"
    It work for users of FreeRadius that use password like PEAP.

    But in case if wifi users authorized by certificates only (TLS), then this limitation not work. And users can access to any wireless name of AP that use RADIUS.

    freerad-01.png

    How apply checking attributes NAS-Identifier == "ap-test" for users that use EAP TLS ?


  • LAYER 8 Global Moderator

    Why would you think user would be used if your authing with a eap-tls?


  • Galactic Empire

    As I said elsewhere, try running a radsniff -x on pfSense.

    FYI running WPA2EAP on a Test SSID on my Unifi kit:-

    2019-05-16 07:52:51.787204 (21) Access-Request Id 11 igb0:172.16.1.11:42825 -> 172.16.0.1:1812 +9.709
    User-Name = "test"
    Service-Type = Framed-User
    Framed-MTU = 1400
    State = 0xdd2b3914d420206ea493e31f171cb95b
    Called-Station-Id = "B2-2A-A8-98-9D-8C:Test"
    Calling-Station-Id = "40-9C-28-A2-E0-7E"
    NAS-Identifier = "802aa8969d8c"
    NAS-Port-Type = Wireless-802.11
    Acct-Session-Id = "DF62544CBD437E21"
    Connect-Info = "CONNECT 0Mbps 802.11b"
    EAP-Message = 0x020b002e19001703030023ebd0e3a3d0088a72727e2a1aa66622e57f582ef501c6f895a438b5c9702cc78a0c7def
    Message-Authenticator = 0x6c905f688a8021116faf602b406cf986
    WLAN-Pairwise-Cipher = 1027076
    WLAN-Group-Cipher = 1027076
    WLAN-AKM-Suite = 1027073
    Authenticator-Field = 0x6cb6cf3d0fe08af032cd91b0f3b46115

    Called-Station-Id = the AP Mac+SSID
    NAS-Identifier = AP MAC

    If I input the wrong NAS-Identifier I can't connect to the test SSID anymore.


  • LAYER 8 Global Moderator

    And he is using eap-TLS...


  • Galactic Empire

    lol didn’t spot that @johnpoz



  • @johnpoz Since username linked to certificate common name.


  • LAYER 8 Global Moderator

    ok that just checks the cn
    "Validate the Client Certificate Common Name"

    What exactly are you looking to accomplish..



  • @johnpoz Validate enabled
    TASK check username (from certificate) and SSID name both after auth.
    Some users must auth only on specific SSID WIFI.
    User-Name = "user1" && NAS-Identifier == "ap-test" : OK
    User-Name = "user2" && NAS-Identifier == "ap-test" : OK
    User-Name = "user1" && NAS-Identifier == "ap-test-corp" : ERROR
    User-Name = "user2" && NAS-Identifier == "ap-test-corp" : ERROR
    User-Name = "user3" && NAS-Identifier == "ap-test-corp" : OK
    User-Name = "user3" && NAS-Identifier == "ap-test" : ERROR


  • LAYER 8 Global Moderator

    So want the user that auths with his cert to only be able to use specific AP?



  • @johnpoz YES
    Corporate access only for specific users like specific LDAP GROUP access.
    For now any users of FreeRADUIS can auth.
    If users of FreeRADUIS use not only for WIFi, for PPPoE for example.
    Need split users of FreeRADUIS by tasks.


  • LAYER 8 Global Moderator

    You normally don't use eap-tls in when you need to do such a thing.


Log in to reply