Help trying to get EAP-TLS working (Pfsense / Unifi)
-
Hello all,
I am trying to get EAP-TLS working on a Unifi AP. So far no luck.
This is the issue:
When I try an login to my SSID, nothing happens. I click "Connect using a certificate" below the SSID and nothing happens and Windows gives up.This is my setup:
I have an SG3100 with pfsense v2.4.5-RELEASE-p1 loaded on it. [IP is 172.25.10.1]
I run a UAP-nanoHD AP (latest firmware). Controller version is 6.0.43.0. [IP is 172.25.20.2]
So this are my settings in pfSense - stitched it together as there is no singular guide for the pfsense/unifi combination.
NAS details:
Interface details:
EAP details:
Unifi Wireless
Radius profile;
Pfsense logs:
Windows:
Server certificate:
User certificate:
CA certificate
-
Do you see connections coming into pfSense in port 21812?
Do you see blocked traffic?
Do you see anything logged when clients try to connect?
Steve
-
I didn't get past your listening interface of 127.0.0.1 - how would that ever work?
BTW - what theme are you running? That really doesn't look like 2.4.5p1 to me..
Also you have accounting set, but did you set freerad to listen on that port? Also why do you have dynamic vlans check, are you wanting to do that?
-
Ha, good point. Localhost only works there for queries from other services on the firewall.
The Compact-Red theme looks like that.
Steve
-
I can post up my config(s) I am running unifi, and have been using eap-tls for years..
I had logging turned off - just turned it on and reconnected my phone
Jan 25 09:48:45 radiusd 18361 (7) Login OK: [johnsXR] (from client uap-pro port 0 cli F4-06-16-4F-F6-36) 192.168.2.2 Auth-Type: eap -
Thanks for the replies.
Yes, I am on version 2.4.5-RELEASE-p1 (arm).
I made the following changes
Radius Auth/Acc servers changed - made a big difference (we are getting somewhere now!)
I unselected the two checkboxes for RADIUS assigned VLANs (enabled them so I could confirm that they were not the cause)
I am beginning to see logs on pfsense of a failed Radius authentication, what I see is that Windows is automatically selecting a different certificate generated by another CA instead of my pfsense CA. I can't seem to select my user certificate at all.
Pfsense logs:
This is the Windows error
Did you have to encode your client or server files in any particular way? Such as the common name to get it to work? Also did you select the WPA-Enterprise SSID straight out of the box, or did you have to manually add a network to get it going?
-
I also have tried to import the certificate on a brand new Windows 10 laptop, still no luck with getting it to work.
-
@alnico You can also do a radsniff -x on your pfSense box to help diagnose radius issues.
Any reason why you're using nonstandard ports for radius ?
Are you trying to do radius assigned VLANS or just WPA2 Enterprise?
Try switching off Enable RADIUS assigned VLAN for wired network & Enable RADIUS assigned VLAN for wireless network if you don't need it.
-
@nogbadthebad I am using non standard ports as I used the standard ports for OpenVPN authentication. I wasn't sure if I was to reuse the same ports for EAP-TLS, so I changed them.
Radsniff did not throw up anything unfortunately.
[2.4.5-RELEASE][admin@pfsense.home]/root: radsniff -x Logging all events Defaulting to capture on all interfaces Sniffing on (pppoe0 mvneta1 ovpns1 mvneta2 mvneta1.100 mvneta1.101 mvneta1.102 mvneta1.103 lo0 pflog0 mvneta0) ^CDone sniffing -
@alnico If radsniff doesn't show anything radius requests aren't hitting your router.
[2.4.5-RELEASE][admin@pfsense.xxxxxxx.net]/root: radsniff -x Logging all events Defaulting to capture on all interfaces Sniffing on (igb0 pppoe0 igb1 ovpnc1 igb0.2 ovpnc2 igb0.3 ovpnc3 igb0.4 igb0.5 igb0.6 igb0.7 igb0.9 igb0.11 lo0 pflog0 igb2 igb3 igb4 igb5) 2021-01-27 10:01:22.364260 (1) Access-Request Id 165 igb0:172.16.1.11:56877 -> 172.16.0.1:1812 +0.000 User-Name = "andyk" NAS-IP-Address = 172.16.1.11 Service-Type = Framed-User Framed-MTU = 1400 Called-Station-Id = "A2-2A-A8-98-9D-8C:L-Space RADIUS" Calling-Station-Id = "40-9C-28-A2-E0-7E" NAS-Identifier = "a22aa8989d8c" NAS-Port-Type = Wireless-802.11 Acct-Session-Id = "1144BCBA29D7B258" Acct-Multi-Session-Id = "554A8AF77C09B840" Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x029e000a01616e64796b Message-Authenticator = 0xb7eeadb31283e15a427c4d5c75d5b0aa WLAN-Pairwise-Cipher = 1027076 WLAN-Group-Cipher = 1027076 WLAN-AKM-Suite = 1027073 Authenticator-Field = 0x3c008709e2d48bd8beb64afdded32fba 2021-01-27 10:01:22.371210 (2) Access-Challenge Id 165 igb0:172.16.1.11:56877 <- 172.16.0.1:1812 +0.000 +0.000 State = 0x70c07eb4705f677d3e006abac136d6d9 EAP-Message = 0x019f00061920 Message-Authenticator = 0x869a29563272722653e6bfb1aed13cea Authenticator-Field = 0xe633d547195ee13f9163c1684b7fa6a1 2021-01-27 10:01:22.102423 (3) Access-Request Id 166 igb0:172.16.1.11:56877 -> 172.16.0.1:1812 +0.065 User-Name = "andyk" NAS-IP-Address = 172.16.1.11 Service-Type = Framed-User Framed-MTU = 1400 State = 0x70c07eb4705f677d3e006abac136d6d9 Called-Station-Id = "A2-2A-A8-98-9D-8C:L-Space RADIUS" Calling-Station-Id = "40-9C-28-A2-E0-7E" NAS-Identifier = "a22aa8989d8c" NAS-Port-Type = Wireless-802.11 Acct-Session-Id = "1144BCBA29D7B258" Acct-Multi-Session-Id = "554A8AF77C09B840" Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x029f00a119800000009716030100920100008e0303601139f2571834ca6ebc5341a674636aa379c3a9370ff71263f82291b053158500002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00020100000d00120010040102010501060104030203050306030005000501000000000012000000170000 Message-Authenticator = 0x8b989303eae341b82a73953e5e15c8be WLAN-Pairwise-Cipher = 1027076 WLAN-Group-Cipher = 1027076 WLAN-AKM-Suite = 1027073 Authenticator-Field = 0xd5b7f3c7255c764eecc669418304edcb 2021-01-27 10:01:22.108220 (4) Access-Challenge Id 166 igb0:172.16.1.11:56877 <- 172.16.0.1:1812 +0.071 +0.005 State = 0x70c07eb47160677d3e006abac136d6d9 EAP-Message = 0x01a003ec19c0000008b11603030039020000350303d180b5cd149369b218ab4d8b7d1c6fa5b7f1569be5b2469af54db92fad99d9d600c03000000dff01000100000b00040300010216030307130b00070f00070c0003d2308203ce308202b6a003020102020101300d06092a864886f70d01010b0500301a311830160603550403130f4e6574776f726b476e6f6d65204341301e170d3230303332373131353531305a170d3231303432383131353531305a30223120301e060355040313174e6574776f726b476e6f6d65204672656552414449555330820122300d06092a864886f70d01010105000382010f003082010a0282010100b29d6caac4fab1822c0bc0546e449293a28475b48fa7576fae0c59f9f8b6319d19582d66841b2d727fd7231420c68d470a0f57b14335efc1ffc54b8cd5fc8a6db56a83e1e533e16fe55e4453703e786d6a0f87bfd4bedfef7c5c15eef935360b04ac675e6becc83056f0604c11f0a9d3ca253335deb31e82f6642ab53e13d8dd483e444365ed852b3508e1c390f212d4b7d7c4efb387dfd32f4bb446c6ad16a92063b46ea3dbf10f19e9b3d20f999390d5c0ad4c439e07f03ff8595053f47b0631b85ccbf9ad0b237c84ed10e865da2a46faea4e3fb4df6198e3a77b160fd1467e05c3dade622a9c50da3ee23c577ec139bc997b1d42185503a71df2b4c0ab5 Message-Authenticator = 0xc1a12306ccc180dfa7d77c416b94ce21 Authenticator-Field = 0xceb2c5b0a11d650b8a51df2b97a6105aAlso try a radtest while running radsniff -x
What does your NAS / Client view look like, it should be something like this, radius requests come from the Unifi APs rather than the controller:-
Another reason why Ubiquity will never make it big in the enterprise market.
-
I'd try to get radtest working from the pfSense box first.
-
Thanks @NogBadTheBad
This are the settings:
Interfaces:
I've created an account 'laptop' with password 'abcd1234' (for testing) and these are the results from inside the SG3100:
[2.4.5-RELEASE][admin@pfsense.home]/root: radtest laptop abcd1234 127.0.0.1 10 abcd1234 Sent Access-Request Id 150 from 0.0.0.0:33851 to 127.0.0.1:1812 length 76 User-Name = "laptop" User-Password = "abcd1234" NAS-IP-Address = 172.25.10.1 NAS-Port = 10 Message-Authenticator = 0x00 Cleartext-Password = "abcd1234" Sent Access-Request Id 150 from 0.0.0.0:33851 to 127.0.0.1:1812 length 76 User-Name = "laptop" User-Password = "abcd1234" NAS-IP-Address = 172.25.10.1 NAS-Port = 10 Message-Authenticator = 0x00 Cleartext-Password = "abcd1234" Sent Access-Request Id 150 from 0.0.0.0:33851 to 127.0.0.1:1812 length 76 User-Name = "laptop" User-Password = "abcd1234" NAS-IP-Address = 172.25.10.1 NAS-Port = 10 Message-Authenticator = 0x00 Cleartext-Password = "abcd1234" (0) No reply from server for ID 150 socket 3 [2.4.5-RELEASE][admin@pfsense.home]/root:This is what shows up on Radsniff on another putty session:
These are the firewall rules on the LAN side:
Still no luck "(0) No reply from server for ID 150 socket 3" seems to be the key.
-
Did you follow the instructions given here for testing.
https://pfsense-docs.readthedocs.io/en/latest/usermanager/testing-freeradius.html
I just did and boom - works
[2.4.5-RELEASE][admin@sg4860.local.lan]/root: radtest testuser testpassword 127.0.0.1:1812 0 testing123 Sent Access-Request Id 98 from 0.0.0.0:61162 to 127.0.0.1:1812 length 78 User-Name = "testuser" User-Password = "testpassword" NAS-IP-Address = 192.168.9.253 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "testpassword" Received Access-Accept Id 98 from 127.0.0.1:1812 to 127.0.0.1:61162 length 20 [2.4.5-RELEASE][admin@sg4860.local.lan]/root:Make sure you turn on logging in freerad, and if you do something wrong you get a log entry with some clue to why..
Here I changed the secret and it fails
[2.4.5-RELEASE][admin@sg4860.local.lan]/root: radtest testuser testpassword 127.0.0.1:1812 0 badpass Sent Access-Request Id 16 from 0.0.0.0:17422 to 127.0.0.1:1812 length 78 User-Name = "testuser" User-Password = "testpassword" NAS-IP-Address = 192.168.9.253 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "testpassword" Sent Access-Request Id 16 from 0.0.0.0:17422 to 127.0.0.1:1812 length 78 User-Name = "testuser" User-Password = "testpassword" NAS-IP-Address = 192.168.9.253 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "testpassword" Sent Access-Request Id 16 from 0.0.0.0:17422 to 127.0.0.1:1812 length 78 User-Name = "testuser" User-Password = "testpassword" NAS-IP-Address = 192.168.9.253 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "testpassword" (0) No reply from server for ID 16 socket 3 [2.4.5-RELEASE][admin@sg4860.local.lan]/root:
-
The radius requests come from the AP not the Unifi controller, is 172.25.10.1 your ap ?
If it isn’t you need to add the ap.
-
he needs to get the simple local test working first ;)
-
- My pfsense router (SG-3100) IP is 172.25.10.1.
- Unifi AP ip is 172.25.10.2
- Controller version upgraded to 6.0.45
- Radius package version is 0.15.7_21
- Radius logging destination is set to System Logs
I blew away all the prior configs (interface and NAS), rebooted the router, and managed to get an output from inside pfsense using the test case. Output below:
[2.4.5-RELEASE][admin@pfsense.home]/root: radtest testuser testpassword 127.0.0.1:1812 0 testing123 Sent Access-Request Id 195 from 0.0.0.0:57096 to 127.0.0.1:1812 length 78 User-Name = "testuser" User-Password = "testpassword" NAS-IP-Address = 172.25.10.1 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "testpassword" Received Access-Accept Id 195 from 127.0.0.1:1812 to 127.0.0.1:57096 length 20I now recreated a new NAS/Client and Interface and changed the Secret in the unifi controller to "testing123". This is what it looks like now:
I guess so far so good? Logically the next step is to test Unifi talking to pfsense I suppose - I can SSH into the unifi AP but can't seem to find a command such as Radtest that I can use. Does anyone have the EAP settings in FreeRadius and Unifi that they can share?
If I ever get this to work - I will write a user guide to configure Unifi with Pfsense :)
-
@alnico said in Help trying to get EAP-TLS working (Pfsense / Unifi):
I guess so far so good? Logically the next step is to test Unifi talking to pfsense I suppose - I can SSH into the unifi AP but can't seem to find a command such as Radtest that I can use. Does anyone have the EAP settings in FreeRadius and Unifi that they can share?
If I ever get this to work - I will write a user guide to configure Unifi with Pfsense :)
radtest isn't available on the ap, I just checked.
Here's what I have set:-
-
@nogbadthebad no still no good. Apologies for the delay in getting back, I had some pressing things I needed to attend to.
I will wait for the new pfsense update (since its due this month) and then see how I go.
-
Not sure what you believe is going to change with how freerad works with 2.5?
Simple way to validate - is look at your log, and just sniff. Do you see traffic hitting pfsense from your AP?
