Freeradius + EAP Certificates
-
I uploaded the files to an Ubuntu live CD and then it works with "make" and "make client"
no errors and files with more than zero bytes and p12 files :-)
Tomorrow I will try it with my pfsense and my switches.… great that everything is there now. Everything else should be a breeze ...
PS: Do you know if it is possible to do authentication on freeRADIUS using the device MAC address ?
I know freeRADIUS can do this but is it possible with the pfsense freeRADIUS GUI ?
Or do I have to edit the users file manually with different parameters ? I think this is the only way or do you have other experience ?If a MAC authentication is possible, then you definately can do it. You will have to manually edit the necessary files, since there isn't a GUI integration for all the features in freeradius. I personally don't have any experience with this feature.
Cheers
Alexander
-
Hi,
just want to let you know, that I got freeRADIUS on pfsense with my CISCO SG-300 and Windows XP working. The creation of the certificates is much easier under a linux distrubution which has "make" installed than under pfsense ;-)
But now I have another question:
To authenticate to the network I still need a to enter the username and password on the Windows XP machine. The problem is that in my network the PCs are NOT in a domain. They are all workgroup PCs.
And it is common, that many users use the same Windows Logon Name than others and the same password (or no password).Is it possible to enter (AND SAVE) a custom username and password so that the users do not need to enter them every time they connect to the network ?
I read something about "computer certificates" which work before the use will logon into windows.
Thank you!
-
Hi,
just want to let you know, that I got freeRADIUS on pfsense with my CISCO SG-300 and Windows XP working. The creation of the certificates is much easier under a linux distrubution which has "make" installed than under pfsense ;-)
But now I have another question:
To authenticate to the network I still need a to enter the username and password on the Windows XP machine. The problem is that in my network the PCs are NOT in a domain. They are all workgroup PCs.
And it is common, that many users use the same Windows Logon Name than others and the same password (or no password).Is it possible to enter (AND SAVE) a custom username and password so that the users do not need to enter them every time they connect to the network ?
I read something about "computer certificates" which work before the use will logon into windows.
Thank you!
Not quite sure I understand you.
The client certificates are being used for the authentication to the Wifi/Radius Network. I assume this works. As mentioned previously you need to copy the client.p12 and the ca certificate to each client and activate the "certificate authentication" in the wifi settings. This works without additional uid/pw. You have to have TLS (and not TTLS) authentication.
Do you want to have windows logon using a certificate (has nothing to do with wifi/radius)?
REgards
Alexander
-
Hi,
I am not using WiFi.
I would like to authenticate windows machines with certificates against radius. This is working.
If I do not install the client.p12 on the windows machine, I cannot authenticate.But in Windows I have always to enter a username and a password, if I connect the network cable.
The username/password is the same I have to enter in the freeRADIUS webGUI on pfsense.
Is this different to you ? Don't you have to enter a username/password in the freeRADIUS webGUI ?Thanks!
-
Hi Nachtfalke,
I'm using Radius+Certificates for the wifi EAP (WPA2) authentication. So this is to allow/disallow access to my wifi network using certificates.
Reading your last posts you it seems as if you want to use a certificate to log on to windows using a Radius server.
I'm sorry, but I cannot help you with that (if I understood your problem correctly)
Cheers
Alexander
-
Hi,
you didn't understand me correct or I didn't explain it correct.
Take a look at this thread:
http://www.administrator.de/index.php?content=154402#644826Scroll down to the chapter:
Clients für die 802.1x Zugangskontrolle einrichtenAfter I login into windows, with my username and password I can see the desktop, open word an so on.
If I connect my LAN cable to the switch, there appears a hint in the systray "There are additional information needed to access the network". There I have to enter the username/password I entered in the freeRADIUS users tab on pfsense.Windows XP allows you to use the same username and password for this authentication as you used for the windows logon. (This you can see in the third and fith picture in the chapter I told you above: (Clients für die 802.1x Zugangskontrolle einrichten) If you want to use a different username/password then the sixth picture appears.)
I want to save the information in the sixth picture for the entire computer and every user on this computer.
BUT I would be interested in, what your users file of freeradius contains.
I think there is a difference between using an AP or a switch to authenticate with freeradius.
-
Hi,
Ok, now I understand your problem. I've looked at the document you linked. I have one main difference:
in the authentication section it is posted that for the EAP type you need to select "Geschütztes EAP (PEAP)". I have "Smart Card or other Certificate" (this is the other setting).
If you look here -> http://en.wikipedia.org/wiki/Protected_Extensible_Authentication_Protocol
It is described that PEAP is similar to TTLS. It is basically a tunnel that is generated. TTLS or PEAP has an inner and an outer layer. One is the certificate the other is uid/pw. thats why you are being prompted for uid/pw.
for my config I only used EAP (so only the certificate authentication without a tunnel). therefore also the "smart card or other certificate" setting in the EAP type.
Since your computers are not connected to a domain you cannot pass the creditials (thats why you're being prompted).
Now the question is do you need PEAP, or is EAP sufficiant ?
Cheers
Alexander
-
Hi,
I think it would be enough with EAP. It will be better than only MAC address filtering I think.
I tried with "other certificate or smartcard" but I think I missed some checkboxes there.
Do you have a solution for me how to configure it the right way ? -
Nachtfalke,
here are my config screens … in the second screen the "intern-CA" is my CA that is used for the client and server certificate.
I cannot test it on my LAN, since my radius isn't configed for this, but it is identical to my WLAN config. After connecting to the LAN, and aquiring an IP address you should be prompted for the certificate needed for the authentication.
Additional on your Cisco switch can you explicitly config the authentication to EAP ? So that the switch explicitly uses this authentication method.
If this doesn't work, could you post the config of the cisco and also the "radiusd -X" log (this then has the config and also the challenge/response during the authentication.
Regards
Alexander
-
Hi,
thanks for you help and screens. I think I did something close to your pics but not every checkboy is the same.
I will try it on monday.Thanks.
-
Hi,
erm I understand you correctly, you use your own radius install and not the package from the pfsense gui?
Thanks
Chunk0r -
Hi,
erm I understand you correctly, you use your own radius install and not the package from the pfsense gui?
Thanks
Chunk0rseggerman is using his own RADIUS, I am using the pfsense package.
-
Thanks,
I'm also confused of wifi access, so I want connect my AP with the Radius server, so that my clients has to be auth with wpa2 against radius.
So my wpa2 key is the secret share key of radius? Cauz if I activate wpa2+eap on my openwrt AP, I don't have any other key field. -
Your ap is the authenticator for the radius ( so you add it like client at radius )
One place where you can have more info for that is (sorry guys) microsoft technet, there is quite well explained the roles of the devices -
There is a difference between ENCRYPTION and AUTHENTICATION.
The WPA2 key is the key to encrypt the wireless traffic. It is used between the W-AP and the W-Client.
The password for AUTHENTICATION is between RADIUS and AP.
-
Quite easy photo, but it's written in Finnish
-
ah ok, but where I save my wpa key if the secret share is for the client auth?