23.09.1 from 23.05.1 freeRadius broke
-
I just upgraded from 23.05.1 to 23.09.1 and have a mixed bag of clients. Most have no issues, but those running macOS using WPA2 Enterprise are no longer able to connect via freeradius. No other changes were made.
When I switch back via boot environments they can connect again.
Any clues what changes in 23.09.1 might have caused this?
Thank you
Rip
-
The old version of the FreeRADIUS package had a bug:
https://redmine.pfsense.org/issues/14806
It's fixed in the new version, but the old/buggy version probably removed the settings during the upgrade.
-
I will debug more later, but I have the configs there. Moreover, other clients are able to connect; it’s just macOS clients that are not authenticating.
Thank you for the suggestion though
-
I can’t find anything in the logs that indicates an issue
Essentially, when a user connects with the same credentials via Windows 10 or iPhones it works; only when using macOS does it fail. The logs show multiple records of login attempts and fails saying the credentials are wrong. But the same credentials work on non-macOS clients.
I did not copy the logs to show here; I put it back to 23.05.1.
Any clues? Or rather did anyone else have issues with macOS clients and 23.09.1 with freeRadius?
I’m hesitant to commit to the upgrade until this is resolved, but don’t want to have to go back to debug, considering I’m not smart enough to fix it.
One thing to note: I didn’t remove the packages prior to upgrading. Could this have been the reason?
-
I found this post:
Sounds like the same issue I have. How does one change the eap config file? Or change the cipher entry in the GUI?
I’d like to see if this does it, but then it begs the question: is there something wrong with the certs?
-
I'm seeing the same issue on pfSense CE 2.7.2-RELEASE (amd64) built on Fri Dec 8 14:55:00 CST 2023 FreeBSD 14.0-CURRENT
-
I found this:
As of 2021, it is STRONGLY RECOMMENDED to set
tls_min_version = "1.2"
Older TLS versions are insecure and deprecated.
In order to enable TLS 1.0 and TLS 1.1, you may also need to update cipher_list below to:
- OpenSSL >= 3.x
  cipher_list = "DEFAULT@SECLEVEL=0"
- OpenSSL < 3.x
  cipher_list = "DEFAULT@SECLEVEL=1"
-
Also I can confirm that this fix works for at least one macOS client that is running on Sierra.
To update the eap.config file, you go to Diagnostics > Edit File, then browse to
/usr/local/etc/raddb/mods-enabled/eap
-
@vanwinkle-rip, thanks for posting this! The log suggested to make that change but didn't specify where. You pointed in the right direction.
Do you or anyone else know how to make this change permanent? Any changes in the GUI revert the changes. Maybe we can create an eap.local file or something like this?
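
Added example (not code from the thread or from the pfSense/FreeRADIUS projects): a small audit that reads the text of the `eap` file and reports whether `tls_min_version` or `cipher_list` is in the weakened state the quoted comment describes, useful for checking what is actually in effect after an edit or a GUI save. The sample configuration, the `tls-config tls-common` layout shown in it, and the function names are constructed assumptions.

```python
import re

# Constructed sample of an eap file's TLS section (not taken from the thread);
# the values show the weakened state used to admit TLS 1.0/1.1 clients.
SAMPLE_EAP = '''
eap {
    default_eap_type = peap
    tls-config tls-common {
        # tls_min_version = "1.2"
        tls_min_version = "1.0"
        cipher_list = "DEFAULT@SECLEVEL=0"
    }
}
'''

SETTING = re.compile(
    r'^\s*(tls_min_version|cipher_list)\s*=\s*"?([^"#\n]*?)"?\s*(?:#.*)?$')

def read_settings(text):
    """Return the last uncommented value of each setting of interest."""
    found = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # commented-out settings are not in effect
        m = SETTING.match(line)
        if m:
            found[m.group(1)] = m.group(2).strip()
    return found

def audit(text):
    """List findings where the TLS settings are weaker than recommended."""
    s = read_settings(text)
    findings = []
    min_ver = s.get("tls_min_version")
    if min_ver is None:
        findings.append("tls_min_version not set")
    elif tuple(int(p) for p in min_ver.split(".")) < (1, 2):
        findings.append(f"tls_min_version {min_ver} allows TLS below 1.2")
    # SECLEVEL=0 and SECLEVEL=1 are the two values the quoted comment
    # gives for re-enabling TLS 1.0/1.1.
    level = re.search(r"@SECLEVEL=([01])\b", s.get("cipher_list", ""))
    if level:
        findings.append(f"cipher_list sets OpenSSL security level {level.group(1)}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EAP):
        print("WEAK:", finding)
```

To check a real file, pass its contents to `audit()`, for example `audit(open("/usr/local/etc/raddb/mods-enabled/eap").read())`.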