Wireless with WPA2/EAP (802.1x)?



  • Right now I'm trying to replace some old PCs I have set up at work that run as WAPs. They authenticate users using RADIUS; we issue certificates to each user who needs to connect to our wireless.

    I bought an ALIX board with wireless kit and pfSense installed on it, and I'm wondering if there is a way to set up the same thing on this. I tried installing the RADIUS package but it fails, then read the sticky in the forum stating the embedded pfSense does not support packages, so I'm not quite sure what to do.

    Anyone have any suggestions?

    Thanks



  • What version of pfSense are you running (for example 1.2.3, full install)?  What exact error did you get when trying to install the FreeRadius package?


  • Rebel Alliance Developer Netgate

    2.0 has support in the GUI for this built in. You don't run RADIUS on each box though, you point all of your WAPs at a single RADIUS instance (either a standalone server, or perhaps IAS, etc.)



  • Thanks for the reply!

    I can't believe I left out the version I'm running, sorry about that. It's:

    Version: 1.2.3-RELEASE
    Platform: nanobsd

    The exact message after clicking install (add) on the package is:

    Installing freeradius and its dependencies.

    Downloading package configuration file… done.
    Saving updated package information... done.
    Downloading freeradius and its dependencies... done.
    Checking for successful package installation... failed!

    Installation aborted.

    If there's any other information I can give please just let me know.


  • Rebel Alliance Developer Netgate

    Yeah, FreeRADIUS won't really run on NanoBSD without a lot of hacking at it, and especially without having the actual database reside on a different server.



  • Unfortunately it's a requirement for me to set up certificates for connecting to wireless, I can have the RADB reside somewhere else.

    Is there a different embedded OS better suited for what I'm trying to do?

    BTW, I think my problem installing it is that I can get to the file it's trying to install:

    "ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7.2-release/Latest/freeradius.tbz"  <-- when posting this it auto hyperlinks it, I'm actually typing fxp://fxp.free.....

    I ran pkg_add -r freeradius and got:

    pkg_add -r freeradius
    Error: FTP Unable to get ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7.2-release/Latest/freeradius.tbz: File unavailable (e.g., file not found, no access)
    pkg_add: unable to fetch 'ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7.2-release/Latest/freeradius.tbz' by URL

    Tried in my browser with no luck, and remoted in to my PC to try at home and had no luck as well.


  • Rebel Alliance Developer Netgate

    Having FreeRADIUS installed locally is not necessary to do what you want to do.

    On the wireless settings, just point it at wherever your real RADIUS server resides, and it can do the authentication.

    I'd start with pfSense 2.0 as a base instead of 1.2.x.



  • Thanks for the answer!

    I could never find where the field is that you input your RADIUS server in the wireless settings? This is what made me assume I need to install FreeRADIUS. Is this something I'll need to upgrade to 2.0 to do? Ideally I'd like to get a proof of concept working as soon as possible (deadline is very soon) so that I can order more hardware, and then try upgrading, fine tuning, etc.



  • Jimp… I just saw (for the first time) your first reply to me about the GUI in 2.0 to do this, so you can ignore my last post.

    However, is there a way to set it up in 1.2 using the shell?

    I'll work on learning how to upgrade/install 2.0 now.

    Edit: Looking now.. it looks like there is no stable release of 2.0. This will be in a production environment, I'm building 10-12 WAPs using this software, so I'd feel more comfortable using 1.2.3 which seems to be the newest stable version, so if there is a way to do this in 1.2.3 that would be great (here's hoping).


  • Rebel Alliance Developer Netgate

    I don't know if hostapd on 1.2.x had the right features compiled in to make it happen.

    To upgrade to 2.0 just make a config backup and then you can simply upload a 2.0 firmware update file from the snapshot server.



  • Alright, I'll give this a try, just nervous using a BETA for my production environment, but can't hurt to try it out, I'm downloading pfSense-2.0-BETA4-2g-20101213-0039-nanobsd-upgrade.img.gz right now.

    Thanks a LOT for the help jimp, you've been great, I'll let you know how I make out with the wireless set up once I've upgraded.



  • Wow, that was quite easy, I upgraded to 2.0, set the correct settings on the WIFI interface page, and now it's authenticating me. Only thing I can't find in the new interface is how to bridge the wifi adapter and LAN connection?

    Edit: Never mind: Interfaces/Assign/Bridges tab
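
The arrangement recommended in the thread, with each access point acting as a RADIUS client of one central server rather than running RADIUS itself, sketched as a generic hostapd configuration. This is an added example, not taken from the thread and not the file pfSense generates; the interface name, SSID, addresses, NAS identifier and secret are constructed placeholders.

```ini
# hostapd.conf on one access point (all values below are constructed examples)
# hostapd does not strip trailing comments, so comments sit on their own lines.

# Assumed wireless interface name and placeholder SSID
interface=ath0
ssid=ExampleCorpWLAN

# WPA2 only, with keys derived from 802.1X/EAP instead of a pre-shared key
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1

# Do not use hostapd's integrated EAP server; relay EAP to the external
# RADIUS server, which is where the user certificates are validated
eap_server=0

# How this AP identifies itself to the RADIUS server
own_ip_addr=192.0.2.11
nas_identifier=wap01.example.internal

# The single central RADIUS instance shared by all access points
auth_server_addr=192.0.2.10
auth_server_port=1812

# Shared secret between this AP and the RADIUS server; use a long random
# value, ideally a different one per access point
auth_server_shared_secret=REPLACE_WITH_LONG_RANDOM_SECRET
```

The RADIUS server needs a client entry for each access point's address with the matching shared secret, otherwise it will ignore that access point's requests.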

