radius and wpa3 with client wpa2 ?

johnpoz

@furom said in radius and wpa3 with client wpa2 ?:

Biggest woes is what I will need to configure in Unifi?

There shouldn't be much to configure on the unifi side, let me see if I still have it there as option that just not using.

My profile is still there

That IP is the IP of pfsense on the vlan the AP sit on for their management..

I even have the setup for the AP in freerad on pfsense - just not using it currently..

Not exactly sure when I will get around to testing this out again - got football this weekend, and tonight is movie night with the wife.. But I am normally up early, so might get around to testing it out tmrw morning before the wife gets up, etc.

furom

@johnpoz Thanks, that looks what I had there already, then selecting that profile in the wifi setup... I will have to debug this I think. Thank you both for your support so far, I'll start over and set it up again, there is something odd somewhere. :)

furom

@johnpoz said in radius and wpa3 with client wpa2 ?:

Not exactly sure when I will get around to testing this out again - got football this weekend, and tonight is movie night with the wife.. But I am normally up early, so might get around to testing it out tmrw morning before the wife gets up, etc.

No rush, this is for sure not critical, but fun and I do appreciate the help :) Thanks!

johnpoz

@furom well that was easy.. Clicky Clicky back in.. using wpa3 enterprise..

The biggest issue I had was update in openssl and or apple or whatever and now adding a password to the .p12 wasn't working, took me a bit to find adding -legacy to the end..

So all my stuff was still in place, just just created a new ssid using wpa3 enteprise, with my freerad profile.

Installed the ca and freerad server certs and my user cert and key, after adding password with openssl

here is the cmd I used

openssl pkcs12 -export -certfile freerad.crt -in johnsXR.crt -inkey johnsXR.key -out user.p12 -legacy

I just used the old cert I had on this new phone.. name doesn't matter as long as all matches up with your user your create in freerad and the cert cn, etc.

edit: now wonder if work with the 192 fips setting?? hmmm
edit2: well shoot, my APs don't support it - shucks!

Well now that got it up and running again - what exact question(s) do you have??

turned logging back on

Jan 27 14:05:49 	radiusd 	89431 	(7) Login OK: [johnsXR/<via Auth-Type = eap>] (from client uap-pro port 0 cli BE-61-59-13-C9-48) 192.168.2.2 Auth-Type: eap 

edit3: are you trying to setup wpa3 enterprise - what eap are you using. I have always used nothing be eap-tls, ie a cert to auth.. I could try changing the eap.. But to me if your going to to the trouble of setting it up, might as well use the added strength of certs vs just some username password.. I reread your first post, does your client not support wpa3?

furom

@johnpoz said in radius and wpa3 with client wpa2 ?:

I reread your first post, does your client not support wpa3?

Thanks for testing! I have been so far been using eap-ttls when on WPA2 Enterprise. That is really my goal here, but any config working must be the first...

Client for now is an older android tablet, only capable of WPA2 Enterprise, but still thought I'd set server-end up with WPA3 if I later should upgrade the client. I thought WPA3 Enterprise was backwards compatible, but must have missed something obviously.

I thought I was ready for test so retried the radsniff -x via ssh, but was still getting the same error as before; No PCAP sources available. So figured it could have something to do with permissions... So I ended up installing sudo - which now allows me to run 'sudo radsniff -x'..! :) So a little progress at least.

Unfortunately, it captures no activity what-so-ever when trying to authenticate my client. My SSID is visible in the list on the client as "saved" only, and when hitting 'Connect', it just closes that dialog, nothing else...

Since my certificates worked fine on WPA2 Enterprise until the other day when I decided this was a great idea :) I suppose they are not to blame for this mishap.

Perhaps I should retry with WPA2 Enterprise just to verify the rest of the setup... If that works, a new client will perhaps be a good idea after all...

furom

@furom Well... tested reverting back to WPA2 Enterprise (eap-ttls/mschapv2) and then realized one issue was my tablet actually forgot about the certificate which then had to be reinstalled for WLAN, but after that it worked fine. :)

Switching back to WPA3 Enterprise, thinking it now perhaps could work, I had to install the cert once again strange enough, and after authenticating it just shows the SSID as "saved" in the list once again... No other messages or activity on Radius server (radsniff).

Based on this I can only assume it is some sort of limitation on client side. And as nothing gets in the logs I don't know how to really verify the actual cause, but not working is perhaps clear enough... :) I will continue for a bit to see if there is something that can be done to get it working, but suppose I have to upgrade the tablet if I want WPA3...

Edit: Found several posts saying WPA3 is backwards compatible with WPA2, but that this is not the case for WPA3 Enterprise. This from Unifi config seems to confirm that;

Thanks @johnpoz & @NogBadTheBad !!

johnpoz

@furom you understand security protocol be it wpa2 or wpa3 psk or enterprise is from the client to the AP right. This has nothing to do with the auth being done from the AP to the radius server.

if your client is not able to do wpa3 enterprise then no it wouldn't work. Update your client to something that supports wpa3 enterprise and you should be fine.

You can see my iphone shows that its using wpa3 enterprise via the developer profile I added on the phone to get that info.

Or just use wpa2 enterprise - I do not believe there is much more security in wpa2 enterprise vs wpa3 psk for example.

If your client is not able to negotiate with the AP to auth, then no the AP would never send anything to radius so no your radsniff wouldn't see anything..

Here I grabbed my phone.. And connected to my wap3 enterprise ssid, while running radsniff on my pfsense

furom

@johnpoz said in radius and wpa3 with client wpa2 ?:

@furom you understand security protocol be it wpa2 or wpa3 psk or enterprise is from the client to the AP right. This has nothing to do with the auth being done from the AP to the radius server.

if your client is not able to do wpa3 enterprise then no it wouldn't work. Update your client to something that supports wpa3 enterprise and you should be fine.

You can see my iphone shows that its using wpa3 enterprise via the developer profile I added on the phone to get that info.

Or just use wpa2 enterprise - I do not believe there is much more security in wpa2 enterprise vs wpa3 psk for example.

Yes I do get the setup, but the woe was if the protocol in fact was backwards compatible or not, which it for Enterprise turned out not to be.

You have a valid point... I automatically assumed I would want to go for WPA3 Enterprise... I need to do more reading on what WPA3-psk offers over WPA2 Enterprise. I surely don't "need" all this, but if available, why not? :) Thanks!

johnpoz

@furom said in radius and wpa3 with client wpa2 ?:

surely don't "need" all this, but if available, why not? :) Thanks!

I hear ya - and agree, if I can do wpa3 enterprise, why not use it! ;) Problem is with any new protocol, is its going to take time for everything to catch up..

And good luck with shit devices like iot devices, have never seen one support wpa enterprise anything. They only do psk, which ok they should support wpa3 psk.. But that prob going to take quite a few years, and the current iot stuff you have will most likely not just have a software upgrade, etc. so if you wanted to true go to wpa3 all your iot stuff prob have to be swapped out for stuff that supports it.

When it first came out, I tried making my guest network wpa3 psk only - guess what, nobodies clients that came over supported it ;) And I had to drop it back to wpa2.. I really don't think there is much point in running compatible mode wpa2/wpa3 psk - if you have devices that are still doing wpa2 kind of defeats the point of wpa3 being stronger, since wpa2 is still there..

Other than you can ;) and nice to get new stuff working - even if only partially. Which ticks me off about both iphone and unifi - why not show what the client used to auth.. This is good info to know if your trying to move to the new standard.. In unifi it would be really helpful to see which clients are authing with the new wpa3 psk, and which ones are still using wpa2

At least with the iphone I can install that developers profile and get the info, but the profile is only valid for a couple of weeks, and then it has to be reinstalled..

furom

@johnpoz Agreed, I too hope IoT catch up soon on security related stuff. Many nice gadgets only have wifi, and as is, I don't feel entirely comfortable using that for IoT. Of course it can and imho should, be zoned in contained vlans, but just the fact your wifi is offering your network to anyone who (can) listen, is not comforting, but very convenient.
I've learned a lot on this exercize, enough to wanting to read more - WPA2 to WPA3 was indeed a big leap, and perhaps time for me to re-evaluate wifi for my purposes... :) (for now still excluding IoT)