PFsense as Freeradius server authenticating connected device via 802.1x
-
Hello,
I followed this guide to help me set up pfSense as the FreeRADIUS server and authenticator.
I was able to set up my router to work in enterprise mode as well. When my device connected to my router it asked for a username and password. After entering them I received the certificate sent from pfSense, so I think RADIUS is working fine. However, after I trust the cert, I keep receiving an error saying that it cannot connect to the network.
May I ask what I could have done wrong?
Thank you for your time
-
@bohaman You should look at the logs generated by FreeRADIUS and why it decided to reject your authentication.
Likely it has something to do with:
1: Misalignment between client and authenticator on the format the authentication request is done in - EAP-CHAPv2 or PEAP? Or perhaps just PAP or CHAP? The client and the authenticator need to agree on which format the RADIUS authentication request should have.
2: The format and options of the user/pass entries you have created in FreeRADIUS.
-
@keyser Thank you so much for writing back. May I ask if there is a way for me to see the log? I'm still googling it but I couldn't find a way to see the log yet.
However, when I tried to authenticate using my Windows PC, it kicked me out like on my iPhone. However, when I turned wifi off and on again, my wifi SSID appeared with an additional (2) and for some reason my laptop authenticated and got onto the network.
I'm not sure if I'm doing something wrong at the router level or at the pfSense level.
Hope to hear back from you
-
@bohaman Hello, just want to give you an update. So I was reading another post and another user is running into the same problem. If I go to the user tab and change the password to clear text, everything goes smoothly, but as soon as I change it to MD5, I cannot get access to the network. As for my PC running Windows, I'm not sure why it behaves like that, but even with MD5 I can still connect to the network; it's just that the SSID name changed to name(2).
I've read up on other posts about why it works in cleartext but not in MD5. May I ask if you have any idea how I could solve this?
Thank you so much
-
@bohaman Unfortunately I'm not very familiar with FreeRADIUS as all my clients use Windows NPS, but the problems remain the same.
Windows clients are generally very compatible with everything regardless of how insecure the setup is. So I'm quite sure your setup works from Windows because you are only supporting a very insecure authentication model in your FreeRADIUS that other clients will not accept.
Clear-text password authentication is known as PAP and MD5 hashed passwords are known as CHAP. Neither solution is considered safe by ANY means today. But Windows likely still allows it. I'm guessing that's why the SSID with a (2) is shown - because Windows, like the other OSes, at least expects some kind of EAP negotiation about which auth protocol to use, but your RADIUS is configured for PAP/CHAP, requiring the client to send the auth information out in the open. Even though this article is about PPP, the auth models are identical with 802.1x networks:
https://workos.com/blog/authentication-protocols-your-guide-to-the-basics
You want to make sure that your RADIUS only offers an EAP-based method of auth, and it should be at least CHAPv2 based if you want to use username/password authentication instead of certificates - preferably work towards getting it encapsulated in PEAP (TLS session inside EAP) to make sure the request cannot be eavesdropped on, as CHAPv2 is also considered insecure today.
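Added illustration of the point above (not part of keyser's reply, and not the configuration the pfSense FreeRADIUS package generates): a hand-written FreeRADIUS 3 `users` file showing why a cleartext entry works for PEAP/MS-CHAPv2 while an MD5 entry does not, beside an `eap` module that offers only PEAP with MS-CHAPv2 inside it. User names, passwords and certificate paths are constructed placeholders.

```text
# mods-config/files/authorize (the "users" file) -- constructed example

# Cleartext: usable by PAP, CHAP, EAP-MD5 and MS-CHAPv2, because the server
# can derive whatever it needs (including the NT hash) from the plaintext.
alice  Cleartext-Password := "correct horse battery staple"

# MD5 hash of the password: rlm_pap can verify a PAP request (hash the
# received cleartext, compare), but MS-CHAPv2 cannot be verified from an MD5
# hash, so a PEAP/MS-CHAPv2 client fails with Access-Reject.
bob    MD5-Password := "5f4dcc3b5aa765d61d8327deb882cf99"   # MD5("password")

# If the plaintext must not be stored, keep the NT hash (MD4 of the UTF-16LE
# password) instead: that is exactly what MS-CHAPv2 consumes.
carol  NT-Password := "<NT-HASH-PLACEHOLDER>"

# mods-available/eap -- constructed example
eap {
    # Clients that do not request a method are steered to PEAP.
    default_eap_type = peap

    tls-config tls-common {
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        ca_file = ${cadir}/ca.pem
    }

    # No "md5 { }" section on purpose: EAP-MD5 is not offered at all.

    mschapv2 {
    }

    peap {
        tls = tls-common
        # Inner method carried inside the TLS tunnel.
        default_eap_type = mschapv2
    }
}
```

With this layout, a failed PEAP attempt for `bob` shows up in the FreeRADIUS log (`radiusd -X` in debug mode) as MS-CHAPv2 being unable to find a usable password attribute, which is the log line to look for when cleartext works and MD5 does not.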
-
@keyser Oh I see, thank you so much for your explanation. I went to the FreeRADIUS webpage and they did list that TLS only supports cleartext passwords. I have also made sure to disable weak protocols like MD5 or anything less than TTLS.
Thank you so much for your time