    radius and wpa3 with client wpa2 ?

    Wireless
    • NogBadTheBad
      NogBadTheBad @furom last edited by NogBadTheBad

      @furom From the pfsense CLI run radsniff -x you may see something.

      FWIW I had to untick WPA2 + WPA3 Personal on my Aruba InstantON AP22.

      Andy

      1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

      F 1 Reply Last reply Reply Quote 1
      • F
        furom @NogBadTheBad last edited by

        @nogbadthebad Thanks, I will check out radsniff :)

        johnpoz 1 Reply Last reply Reply Quote 0
        • johnpoz
          johnpoz LAYER 8 Global Moderator @furom last edited by johnpoz

          @furom I need to get back to this - I had disabled the wpa2 enterprise auth I was using when my company freaking locked their phone down so hard I could no longer install profiles.

          But I no longer work for that company, and I can now do what I want with my phone ;) So I should be able to get back to doing eap-tls auth.

          I do have wpa3 working - I have a thread around here somewhere about doing that with unifi and validating your phone is using it via developers profile from apple you can install... Let me see if I can find that thread. And when I get a chance maybe I will fire up wpa3 enterprise again.

          edit: here is the old thread I mentioned

          https://forum.netgate.com/topic/160352/wpa3-via-unifi-aps

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 23.01 | Lab VMs CE 2.6, 2.7

          F 1 Reply Last reply Reply Quote 1
          • F
            furom @johnpoz last edited by

            @johnpoz Probably a given answer here, but I suppose I need to install PCAP to mitigate this error?

            : radsniff -x
            Logging all events
            Defaulting to capture on all interfaces
            radsniff: No PCAP sources available
            johnpoz NogBadTheBad 2 Replies Last reply Reply Quote 0
            • NogBadTheBad
              NogBadTheBad @furom last edited by

              @furom I’ll have a look at radsniff when I get back home, it used to just work.

              Andy

              1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

              1 Reply Last reply Reply Quote 1
              • johnpoz
                johnpoz LAYER 8 Global Moderator @furom last edited by johnpoz

                @furom that seems odd - what version of pfsense are you running?

                When I run that it starts listening on all my interfaces

                [22.05-RELEASE][admin@sg4860.local.lan]/: radsniff -x
                Logging all events
                Defaulting to capture on all interfaces
                Sniffing on (igb0 gif0 tailscale0 igb1 ovpns1 igb2 ovpns2 igb3 ovpnc3 igb4 igb2.4 igb5 igb2.6 lo0 pflog0)
                
                
                [22.05-RELEASE][admin@sg4860.local.lan]/: radsniff -v
                radsniff version 3.0.25, built on Jun  2 2022 at 00:26:34 libpcap version 1.9.1
                [22.05-RELEASE][admin@sg4860.local.lan]/: 
                

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 23.01 | Lab VMs CE 2.6, 2.7

                NogBadTheBad 1 Reply Last reply Reply Quote 0
                • NogBadTheBad
                  NogBadTheBad @johnpoz last edited by

                  @johnpoz I wonder if he’s ran it on the AP.

                  Andy

                  1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                  johnpoz F 2 Replies Last reply Reply Quote 0
                  • F
                    furom last edited by

                    @johnpoz Agreed. I am running the latest pfSense Plus (22.05). I just found this topic, which shows a few things I did not have configured, strangely enough. I was following a guide before that I no longer have, so I guess a wipe and redo is what I need to do. Biggest woe is what I will need to configure in Unifi?

                    johnpoz 1 Reply Last reply Reply Quote 0
                    • johnpoz
                      johnpoz LAYER 8 Global Moderator @NogBadTheBad last edited by johnpoz

                      @nogbadthebad It's not available on any of my unifi APs

                      Hallway-BZ.6.5.26# radsniff
                      -ash: radsniff: not found
                      Hallway-BZ.6.5.26# 
                      

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 23.01 | Lab VMs CE 2.6, 2.7

                      1 Reply Last reply Reply Quote 0
                      • F
                        furom @NogBadTheBad last edited by

                        @nogbadthebad said in radius and wpa3 with client wpa2 ?:

                        @johnpoz I wonder if he’s ran it on the AP.

                        Nah, the 'radsniff -x ' was issued in pfSense CLI via SSH.

                        1 Reply Last reply Reply Quote 0
                        • johnpoz
                          johnpoz LAYER 8 Global Moderator @furom last edited by

                          @furom said in radius and wpa3 with client wpa2 ?:

                          Biggest woes is what I will need to configure in Unifi?

                          There shouldn't be much to configure on the unifi side, let me see if I still have it there as option that just not using.

                          My profile is still there

                          freerad.jpg

                          That IP is the IP of pfsense on the vlan the AP sit on for their management..

                          I even have the setup for the AP in freerad on pfsense - just not using it currently..

                          pfsense.jpg

                          Not exactly sure when I will get around to testing this out again - got football this weekend, and tonight is movie night with the wife.. But I am normally up early, so might get around to testing it out tmrw morning before the wife gets up, etc.

                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                          If you get confused: Listen to the Music Play
                          Please don't Chat/PM me for help, unless mod related
                          SG-4860 23.01 | Lab VMs CE 2.6, 2.7

                          F 2 Replies Last reply Reply Quote 1
                          • F
                            furom @johnpoz last edited by

                            @johnpoz Thanks, that looks what I had there already, then selecting that profile in the wifi setup... I will have to debug this I think. Thank you both for your support so far, I'll start over and set it up again, there is something odd somewhere. :)

                            1 Reply Last reply Reply Quote 0
                            • F
                              furom @johnpoz last edited by

                              @johnpoz said in radius and wpa3 with client wpa2 ?:

                              Not exactly sure when I will get around to testing this out again - got football this weekend, and tonight is movie night with the wife.. But I am normally up early, so might get around to testing it out tmrw morning before the wife gets up, etc.

                              No rush, this is for sure not critical, but fun and I do appreciate the help :) Thanks!

                              1 Reply Last reply Reply Quote 0
                              • johnpoz
                                johnpoz LAYER 8 Global Moderator last edited by johnpoz

                                @furom well that was easy.. Clicky Clicky back in.. using wpa3 enterprise..

                                The biggest issue I had was update in openssl and or apple or whatever and now adding a password to the .p12 wasn't working, took me a bit to find adding -legacy to the end..

                                So all my stuff was still in place, I just created a new ssid using wpa3 enterprise, with my freerad profile.

                                Installed the ca and freerad server certs and my user cert and key, after adding password with openssl

                                here is the cmd I used

                                openssl pkcs12 -export -certfile freerad.crt -in johnsXR.crt -inkey johnsXR.key -out user.p12 -legacy
                                

                                I just used the old cert I had on this new phone.. name doesn't matter as long as all matches up with your user your create in freerad and the cert cn, etc.

                                wpa3.jpg

                                edit: now I wonder if it works with the 192 fips setting?? hmmm
                                edit2: well shoot, my APs don't support it - shucks!

                                Well now that got it up and running again - what exact question(s) do you have??

                                turned logging back on

                                Jan 27 14:05:49 	radiusd 	89431 	(7) Login OK: [johnsXR/<via Auth-Type = eap>] (from client uap-pro port 0 cli BE-61-59-13-C9-48) 192.168.2.2 Auth-Type: eap 
                                

                                edit3: are you trying to setup wpa3 enterprise - what eap are you using? I have always used nothing but eap-tls, ie a cert to auth.. I could try changing the eap.. But to me if you're going to go to the trouble of setting it up, might as well use the added strength of certs vs just some username password.. I reread your first post, does your client not support wpa3?

                                An intelligent man is sometimes forced to be drunk to spend time with his fools
                                If you get confused: Listen to the Music Play
                                Please don't Chat/PM me for help, unless mod related
                                SG-4860 23.01 | Lab VMs CE 2.6, 2.7

                                F 1 Reply Last reply Reply Quote 1
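The radiusd line above is the kind of record the pfSense FreeRADIUS package writes once an EAP exchange actually reaches the server. As an added example (not from this thread, and not FreeRADIUS or pfSense code), here is a small Python parser for those "Login OK" / "Login incorrect" lines that summarises results per NAS client and station MAC, which helps answer the question this thread circles around: did a failing client ever reach RADIUS at all? The first sample line is the one posted above; the "Login incorrect" lines, the user name guest-tab and the MAC 12-34-56-78-9A-BC are constructed for the example, and the three-failure threshold is an arbitrary choice.

```python
import re
from collections import defaultdict

# FreeRADIUS "Login OK" / "Login incorrect" lines as pfSense shows them in the
# system log: syslog timestamp, "radiusd", pid, then "(request-id) Login ...".
LOGIN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+radiusd\s+(?P<pid>\d+)\s+"
    r"\((?P<req>\d+)\)\s+Login\s+(?P<result>OK|incorrect)"
    r"(?:\s+\((?P<reason>.*?)\))?:\s+"            # optional rejection reason
    r"\[(?P<user>[^/\]]+)/(?P<cred>[^\]]*)\]\s+"   # [user/<via Auth-Type = eap>]
    r"\(from client\s+(?P<nas>\S+)\s+port\s+(?P<port>\d+)(?:\s+cli\s+(?P<mac>\S+))?\)"
)

# Line 1 is the real line posted in the thread. The remaining lines are
# CONSTRUCTED for this example in the same format: a station whose client
# certificate the server does not trust, retrying three times.
SAMPLE_LOG = """\
Jan 27 14:05:49 \tradiusd \t89431 \t(7) Login OK: [johnsXR/<via Auth-Type = eap>] (from client uap-pro port 0 cli BE-61-59-13-C9-48) 192.168.2.2 Auth-Type: eap
Jan 27 14:06:12 \tradiusd \t89431 \t(8) Login incorrect (eap_tls: (TLS) Alert read:fatal:unknown CA): [guest-tab/<via Auth-Type = eap>] (from client uap-pro port 0 cli 12-34-56-78-9A-BC) 192.168.2.2 Auth-Type: eap
Jan 27 14:06:20 \tradiusd \t89431 \t(9) Login incorrect (eap_tls: (TLS) Alert read:fatal:unknown CA): [guest-tab/<via Auth-Type = eap>] (from client uap-pro port 0 cli 12-34-56-78-9A-BC) 192.168.2.2 Auth-Type: eap
Jan 27 14:06:31 \tradiusd \t89431 \t(10) Login incorrect (eap_tls: (TLS) Alert read:fatal:unknown CA): [guest-tab/<via Auth-Type = eap>] (from client uap-pro port 0 cli 12-34-56-78-9A-BC) 192.168.2.2 Auth-Type: eap
"""


def parse_login_line(line):
    """Return a dict for a Login OK/incorrect line, or None for anything else."""
    m = LOGIN_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ok"] = rec["result"] == "OK"
    return rec


def parse_log(text):
    """Parse every recognised login line in a block of log text."""
    return [r for r in (parse_login_line(l) for l in text.splitlines()) if r]


def summarize_by_client(records):
    """Per (NAS, station MAC): success/failure counts, users and reasons seen."""
    out = defaultdict(lambda: {"ok": 0, "fail": 0, "users": set(), "reasons": set()})
    for r in records:
        entry = out[(r["nas"], r["mac"] or "?")]
        entry["ok" if r["ok"] else "fail"] += 1
        entry["users"].add(r["user"])
        if r["reason"]:
            entry["reasons"].add(r["reason"])
    return dict(out)


def failing_clients(summary, max_failures=3):
    """MACs with at least max_failures rejections and no success at all."""
    return sorted(mac for (_nas, mac), e in summary.items()
                  if e["fail"] >= max_failures and e["ok"] == 0)


if __name__ == "__main__":
    summary = summarize_by_client(parse_log(SAMPLE_LOG))
    for (nas, mac), e in summary.items():
        print(f"{nas} {mac}: ok={e['ok']} fail={e['fail']} users={sorted(e['users'])}")
    print("repeatedly failing:", failing_clients(summary))
```

A station that never appears in this summary never completed association with the AP, so the problem is between client and AP (as johnpoz notes later in the thread), not in FreeRADIUS or its certificates.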
                                • F
                                  furom @johnpoz last edited by

                                  @johnpoz said in radius and wpa3 with client wpa2 ?:

                                  I reread your first post, does your client not support wpa3?

                                  Thanks for testing! I have so far been using eap-ttls when on WPA2 Enterprise. That is really my goal here, but any config working must be the first...

                                  Client for now is an older android tablet, only capable of WPA2 Enterprise, but still thought I'd set server-end up with WPA3 if I later should upgrade the client. I thought WPA3 Enterprise was backwards compatible, but must have missed something obviously.

                                  I thought I was ready for test so retried the radsniff -x via ssh, but was still getting the same error as before; No PCAP sources available. So figured it could have something to do with permissions... So I ended up installing sudo - which now allows me to run 'sudo radsniff -x'..! :) So a little progress at least.

                                  Unfortunately, it captures no activity what-so-ever when trying to authenticate my client. My SSID is visible in the list on the client as "saved" only, and when hitting 'Connect', it just closes that dialog, nothing else...

                                  Since my certificates worked fine on WPA2 Enterprise until the other day when I decided this was a great idea :) I suppose they are not to blame for this mishap.

                                  Perhaps I should retry with WPA2 Enterprise just to verify the rest of the setup... If that works, a new client will perhaps be a good idea after all...

                                  F 1 Reply Last reply Reply Quote 0
                                  • F
                                    furom @furom last edited by furom

                                    @furom Well... tested reverting back to WPA2 Enterprise (eap-ttls/mschapv2) and then realized one issue was my tablet actually forgot about the certificate which then had to be reinstalled for WLAN, but after that it worked fine. :)

                                    Switching back to WPA3 Enterprise, thinking it now perhaps could work, I had to install the cert once again strange enough, and after authenticating it just shows the SSID as "saved" in the list once again... No other messages or activity on Radius server (radsniff).

                                    Based on this I can only assume it is some sort of limitation on client side. And as nothing gets in the logs I don't know how to really verify the actual cause, but not working is perhaps clear enough... :) I will continue for a bit to see if there is something that can be done to get it working, but suppose I have to upgrade the tablet if I want WPA3...

                                    Edit: Found several posts saying WPA3 is backwards compatible with WPA2, but that this is not the case for WPA3 Enterprise. This from Unifi config seems to confirm that;
                                    857c4b46-a81b-413f-9e57-73cc723e6199-image.png

                                    Thanks @johnpoz & @NogBadTheBad !!

                                    johnpoz 1 Reply Last reply Reply Quote 0
                                    • johnpoz
                                      johnpoz LAYER 8 Global Moderator @furom last edited by johnpoz

                                      @furom you understand the security protocol, be it wpa2 or wpa3 psk or enterprise, is from the client to the AP right. This has nothing to do with the auth being done from the AP to the radius server.

                                      if your client is not able to do wpa3 enterprise then no it wouldn't work. Update your client to something that supports wpa3 enterprise and you should be fine.

                                      You can see my iphone shows that its using wpa3 enterprise via the developer profile I added on the phone to get that info.

                                      Or just use wpa2 enterprise - I do not believe there is much more security in wpa2 enterprise vs wpa3 psk for example.

                                      If your client is not able to negotiate with the AP to auth, then no the AP would never send anything to radius so no your radsniff wouldn't see anything..

                                      Here I grabbed my phone.. And connected to my wpa3 enterprise ssid, while running radsniff on my pfsense

                                      sniff.jpg

                                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                                      If you get confused: Listen to the Music Play
                                      Please don't Chat/PM me for help, unless mod related
                                      SG-4860 23.01 | Lab VMs CE 2.6, 2.7

                                      F 1 Reply Last reply Reply Quote 0
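johnpoz's point (the client must first negotiate security with the AP; RADIUS only sees traffic once 802.1X/EAP starts) can be shown with the RSN information element that beacons and association requests carry. As an added example, not from the thread and not UniFi or pfSense code, the Python below encodes and decodes a minimal RSN IE and decides whether a given client would associate and whether the AP would ever contact RADIUS. It goes beyond the thread in one respect: it models WPA3-Enterprise as the 802.1X AKM with PMF (802.11w) set to required, which the WPA3 specification mandates for WPA3-Enterprise-only mode and which is the protocol-level reason a PMF-incapable WPA2 client is turned away at association, before any EAP. The three AP profiles and the two client capability sets are assumptions constructed for the example.

```python
import struct
from dataclasses import dataclass

# IEEE 802.11 RSN element (ID 48). Suite selectors are OUI 00-0F-AC + a type.
RSN_ELEMENT_ID = 48
OUI = b"\x00\x0f\xac"
CIPHER_CCMP128, CIPHER_GCMP256 = 4, 9
AKM_8021X, AKM_PSK, AKM_8021X_SHA256, AKM_SAE, AKM_SUITEB_192 = 1, 2, 5, 8, 12
ENTERPRISE_AKMS = {AKM_8021X, AKM_8021X_SHA256, AKM_SUITEB_192}
MFPR, MFPC = 1 << 6, 1 << 7  # RSN Capabilities: PMF required / PMF capable


def _suite(selector_type):
    return OUI + bytes([selector_type])


def build_rsn_ie(group_cipher, pairwise_ciphers, akms, capabilities):
    """Encode an RSN element: ID, length, then the RSN body."""
    body = struct.pack("<H", 1) + _suite(group_cipher)  # version 1, group suite
    body += struct.pack("<H", len(pairwise_ciphers)) + b"".join(_suite(c) for c in pairwise_ciphers)
    body += struct.pack("<H", len(akms)) + b"".join(_suite(a) for a in akms)
    body += struct.pack("<H", capabilities)
    return bytes([RSN_ELEMENT_ID, len(body)]) + body


def parse_rsn_ie(ie):
    """Decode an RSN element into ciphers, AKMs and the two PMF flags."""
    if ie[0] != RSN_ELEMENT_ID or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSN element")
    body, pos = ie[2:], 0
    version, = struct.unpack_from("<H", body, pos); pos += 2
    group = body[pos + 3]; pos += 4                      # last byte of the suite is the type
    n, = struct.unpack_from("<H", body, pos); pos += 2
    pairwise = [body[pos + 4 * i + 3] for i in range(n)]; pos += 4 * n
    n, = struct.unpack_from("<H", body, pos); pos += 2
    akms = [body[pos + 4 * i + 3] for i in range(n)]; pos += 4 * n
    caps, = struct.unpack_from("<H", body, pos)
    return {"version": version, "group": group, "pairwise": pairwise, "akms": akms,
            "mfpc": bool(caps & MFPC), "mfpr": bool(caps & MFPR)}


# Assumed AP profiles (constructed; representative of what an AP advertises).
def ap_wpa3_enterprise():   # 802.1X AKM, CCMP, PMF required
    return build_rsn_ie(CIPHER_CCMP128, [CIPHER_CCMP128], [AKM_8021X], MFPC | MFPR)

def ap_wpa2_enterprise():   # 802.1X AKM, CCMP, PMF optional
    return build_rsn_ie(CIPHER_CCMP128, [CIPHER_CCMP128], [AKM_8021X], MFPC)

def ap_psk_transition():    # WPA2/WPA3 PSK "compatible" mode: PSK and SAE, PMF optional
    return build_rsn_ie(CIPHER_CCMP128, [CIPHER_CCMP128], [AKM_PSK, AKM_SAE], MFPC)


@dataclass
class Client:
    name: str
    akms: set
    ciphers: set
    pmf_capable: bool


# Assumed client capability sets (constructed for the example).
OLD_TABLET = Client("older Android tablet", {AKM_8021X, AKM_PSK}, {CIPHER_CCMP128}, False)
MODERN_PHONE = Client("current phone", {AKM_8021X, AKM_8021X_SHA256, AKM_PSK, AKM_SAE},
                      {CIPHER_CCMP128, CIPHER_GCMP256}, True)


def negotiate(ap_ie, client):
    """Return (associates, reaches_radius, reason) for a client facing this AP's RSN IE."""
    ap = parse_rsn_ie(ap_ie)
    ciphers = [c for c in ap["pairwise"] if c in client.ciphers]
    akms = [a for a in ap["akms"] if a in client.akms]
    if not ciphers or not akms:
        return False, False, "no common cipher/AKM: client never tries to associate"
    if ap["mfpr"] and not client.pmf_capable:
        return False, False, "AP requires PMF (802.11w) but client lacks it: rejected before EAP"
    akm = akms[0]
    if akm in ENTERPRISE_AKMS:
        return True, True, f"AKM {akm} (802.1X): EAP starts, AP forwards to RADIUS"
    return True, False, f"AKM {akm} (PSK/SAE): 4-way handshake only, RADIUS never involved"


if __name__ == "__main__":
    for label, ap in [("WPA3 Enterprise", ap_wpa3_enterprise()),
                      ("WPA2 Enterprise", ap_wpa2_enterprise()),
                      ("WPA2/WPA3 PSK transition", ap_psk_transition())]:
        for client in (OLD_TABLET, MODERN_PHONE):
            print(f"{label:26} {client.name:22} -> {negotiate(ap, client)}")
```

The `reaches_radius` flag is what radsniff would show: for the old tablet against the WPA3-Enterprise SSID it is false, so an empty capture on pfSense is the expected outcome rather than evidence of a certificate or RADIUS misconfiguration.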
                                      • F
                                        furom @johnpoz last edited by

                                        @johnpoz said in radius and wpa3 with client wpa2 ?:

                                        @furom you understand security protocol be it wpa2 or wpa3 psk or enterprise is from the client to the AP right. This has nothing to do with the auth being done from the AP to the radius server.

                                        if your client is not able to do wpa3 enterprise then no it wouldn't work. Update your client to something that supports wpa3 enterprise and you should be fine.

                                        You can see my iphone shows that its using wpa3 enterprise via the developer profile I added on the phone to get that info.

                                        Or just use wpa2 enterprise - I do not believe there is much more security in wpa2 enterprise vs wpa3 psk for example.

                                        Yes I do get the setup, but the woe was whether the protocol in fact was backwards compatible or not, which for Enterprise it turned out not to be.

                                        You have a valid point... I automatically assumed I would want to go for WPA3 Enterprise... I need to do more reading on what WPA3-psk offers over WPA2 Enterprise. I surely don't "need" all this, but if available, why not? :) Thanks!

                                        johnpoz 1 Reply Last reply Reply Quote 0
                                        • johnpoz
                                          johnpoz LAYER 8 Global Moderator @furom last edited by johnpoz

                                          @furom said in radius and wpa3 with client wpa2 ?:

                                          surely don't "need" all this, but if available, why not? :) Thanks!

                                          I hear ya - and agree, if I can do wpa3 enterprise, why not use it! ;) Problem with any new protocol is it's going to take time for everything to catch up..

                                          And good luck with shit devices like iot devices, have never seen one support wpa enterprise anything. They only do psk, which ok they should support wpa3 psk.. But that prob going to take quite a few years, and the current iot stuff you have will most likely not just have a software upgrade, etc. so if you wanted to truly go to wpa3 all your iot stuff prob have to be swapped out for stuff that supports it.

                                          When it first came out, I tried making my guest network wpa3 psk only - guess what, nobody's clients that came over supported it ;) And I had to drop it back to wpa2.. I really don't think there is much point in running compatible mode wpa2/wpa3 psk - if you have devices that are still doing wpa2 it kind of defeats the point of wpa3 being stronger, since wpa2 is still there..

                                          Other than you can ;) and nice to get new stuff working - even if only partially. Which ticks me off about both iphone and unifi - why not show what the client used to auth.. This is good info to know if your trying to move to the new standard.. In unifi it would be really helpful to see which clients are authing with the new wpa3 psk, and which ones are still using wpa2

                                          At least with the iphone I can install that developers profile and get the info, but the profile is only valid for a couple of weeks, and then it has to be reinstalled..

                                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                                          If you get confused: Listen to the Music Play
                                          Please don't Chat/PM me for help, unless mod related
                                          SG-4860 23.01 | Lab VMs CE 2.6, 2.7

                                          F 1 Reply Last reply Reply Quote 1
                                          • F
                                            furom @johnpoz last edited by

                                            @johnpoz Agreed, I too hope IoT catches up soon on security related stuff. Many nice gadgets only have wifi, and as is, I don't feel entirely comfortable using that for IoT. Of course it can, and imho should, be zoned in contained vlans, but just the fact your wifi is offering your network to anyone who (can) listen is not comforting, but very convenient.
                                            I've learned a lot in this exercise, enough to want to read more - WPA2 to WPA3 was indeed a big leap, and perhaps time for me to re-evaluate wifi for my purposes... :) (for now still excluding IoT)

                                            1 Reply Last reply Reply Quote 0