Netgate Discussion Forum

    NEW Package: freeRADIUS 2.x

    pfSense Packages
    • Nachtfalke

      Strange - I could not modify my post.
      But I changed the description on the package GUI of pfsense ;o)

      I am sure there will be further mistakes in the future but English isn't my native language.

      • ptt

        New FreeRadius2 doesn't start, in system logs I get this:

        
        Dec 5 19:15:32 	php: : Not calling package sync code for dependency freeradiussettings of freeradius2 because some include files are missing.
        Dec 5 19:15:32 	php: : Not calling package sync code for dependency freeradiusclients of freeradius2 because some include files are missing.
        Dec 5 19:15:30 	php: : Restarting/Starting all packages.
        
        

        But the old FreeRadius version starts OK

        • Nachtfalke

          I have got these problems on freeradius and freeradius2.
          But only after reboot of pfsense.
          I pushed a fix for freeradius2.

          Try with package version 0.3

          • Nachtfalke

            I updated freeradius2 from 0.3 ALPHA up to 1.0 BETA.

            The freeradius2 package should now have all the features that freeradius has and some improvements.

            New freeradius2 features:

            • IPv6 for clients and listening interfaces

            • select different interfaces for different tasks (auth, acct, proxy, status, detail, CoA)

            • additional parameters added in settings

            • enable server to run in threaded mode

            • gionag

              hello,
              I wanted to understand how to implement freeradius2 of a system that works with version 1.

              Uninstalled the previous version and then installed version 2 the applications that worked now no longer work. Specifically, the authentication for openvpn road warriors no longer works. A log level I do not see things very useful. Just something about "0 packets in queue".

              What are the steps to authenticate freeradius2 of openvpn? I have to do something different?

              Summing up I set like this:

              Services -> "freeradius"

              User: test pass: test
              NAS: 192.168.1.1 (ip of the router), ShortNome: pfSense, secret: testing

              under "users" -> "server"
              RADIUS: 192.168.1.1
              Secret: test
              description : Local Radius Server

              under "openvpn"
              Selected > Local Radius server

              I've done something wrong?

              thanks

              (pfsense 2.0)
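
Added example, not part of the original posts or of the freeradius2 package: with PAP, the NAS hides the password using MD5 over its shared secret, and the server recovers it using the secret it holds for that client, so both sides must be configured with the same value. The sketch follows RFC 2865 section 5.2; the function names are hypothetical, and the constructed sample reuses the user, password and the two secrets quoted in the post above.

```python
import hashlib
import os
import struct

def _keystream_xor(block: bytes, secret: bytes, prev: bytes) -> bytes:
    # b_i = MD5(secret + previous ciphertext block, or the Request Authenticator)
    return bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the NAS places in the User-Password attribute (RFC 2865, 5.2)."""
    size = max(16, -(-len(password) // 16) * 16)   # pad to a multiple of 16
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        prev = _keystream_xor(padded[i:i + 16], secret, prev)
        out += prev
    return out

def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the server computes with the secret it holds for that client."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _keystream_xor(hidden[i:i + 16], secret, prev)
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def access_request(user, password, secret, ident=1, authenticator=None) -> bytes:
    """Build a minimal Access-Request (code 1) with User-Name and User-Password."""
    authenticator = authenticator or os.urandom(16)
    attrs = b""
    for atype, value in ((1, user), (2, hide_password(password, secret, authenticator))):
        attrs += struct.pack("!BB", atype, len(value) + 2) + value
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def password_seen_by_server(packet: bytes, server_secret: bytes):
    """Walk the attributes and decode User-Password with the server's secret."""
    authenticator, pos = packet[4:20], 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            raise ValueError("malformed attribute length")
        if atype == 2:
            return recover_password(packet[pos + 2:pos + alen], server_secret, authenticator)
        pos += alen
    return None

# Constructed sample: user/pass "test", client secret "testing", server secret "test"
pkt = access_request(b"test", b"test", b"testing")
print(password_seen_by_server(pkt, b"testing"))  # matching secret
print(password_seen_by_server(pkt, b"test"))     # mismatched secret
```

With a mismatched secret the server decodes a different byte string than the user typed, so the comparison against the "users" file fails even though the packet itself arrives intact.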

              • Nachtfalke

                Hi,

                I do not know, how to use OpenVPN RoadWarrior with RADIUS. Is there any tutorial ?
                Generally I didn't change much in the background.

                In the users tab I didn't change anything
                The settings tab is the same as before just some different syntax for logging and some additional parameters but they are all at default.
                In the client tab I had to change the syntax of the clients.conf to new freeradius2 version but the parameters are still the same.

                Where I did many changes is the "interfaces" tab.
                If you have one Interface (LAN) which should do authentication and accounting then you need two entries:

                Interface IP: 192.168.100.1
                Port: 1812
                type: auth

                Interface IP: 192.168.100.1
                Port: 1813
                type: acct

                If radius should listen on any interface then you can use a  *  instead of the IP.
                Not sure if  *  is listening on 127.0.0.1

                PS: Further it would/could help if you delete all freeradius entries from your config.xml

                /conf/config.xml
                

                and reboot and reconfigure freeradius2.

                Your old settings from freeradius1 are NOT compatible with freeradius2

                • gionag

                  also installed in a fresh installed system…
                  same problem

                  used * instead of the real ip...

                  Still testing

                  • Nachtfalke

                    Hi,

                    I read short through this:
                    http://doc.pfsense.org/index.php/Using_OpenVPN_With_FreeRADIUS
                    This needs PAM authentication as far as I understand this.

                    I took a look at

                    /usr/local/pkg/freeradius.inc
                    

                    And changed line 432:

                    #pam
                    

                    to this line:

                    pam
                    

                    Save the file and then go to the freeRADIUS GUI -> Settings -> Save and try again.

                    • Nachtfalke

                      Hi,

                      I tested the freeRADIUS2 package with this tool:
                      http://www.novell.com/coolsolutions/tools/14377.html

                      The problem is the freeRADIUS. I think there are some bigger changes in module handling in the new radiusd.conf. We need to enable/link to the modules listed in the /usr/local/etc/raddb/sites-enabled/ directory.
                      In the old freeRADIUS 1.x configuration the modules were configured only in radiusd.conf.
                      FreeRADIUS is starting and listening on requests but there seems to be no "Auth-type" selected so that the request could not be used with an authorization module.

                      If someone could/would fix that - don't hesitate. I will try as far as I found time. Next week I am on vacation and I think I will find some time to work on this problem and hopefully fix it.

                      • Nachtfalke

                        @gionag
                        I could reproduce this error.
                        There was a bug in creating the "users" file. I think I fixed this so it should now authenticate fine.

                        Additional changes pkg v1.1.0 Beta:

                        • Added some code which prevents that freeradius service isn't starting if interface type is "detail"

                        • Swapped authorize, authenticate, … sections from radiusd.conf to the correct place (/usr/local/etc/raddb/sites-enabled/default && /usr/local/etc/raddb/sites-enabled/inner-tunnel)

                        • Nachtfalke

                          Updates: pkg v1.1.1:

                          • disabled virtual-server "control-socket" which is experimental and if misconfigured a security issue

                          • disabled module proxy because in most environments we do not need to proxy requests to another RADIUS PROXY server

                          • Nachtfalke

                            Updates: pkg v1.2.0

                            • Added GUI to configure eap.conf (EAP, EAP-TLS, EAP-TLS with OCSP support, EAP-TTLS, EAP-PEAP with MSCHAPv2)

                            The GUI contains the by default "uncommented" options in the eap.conf

                            These authentication methods were tested and work:

                            • PAP

                            • CHAP

                            • MSCHAP

                            • EAP-MD5

                            Added "CDATA" for all <description> parts in .XML files.

                            • Nachtfalke

                              Updates: pkg v1.3.0

                              • Added GUI to configure sql.conf

                              • Just some small typo/cosmetic GUI fixes

                              --- edit ---
                              The GUI is working but I found out that the precompiled freeradius-2.1.12 package is not compiled with MySQL, PostgreSQL.
                              So there are modules (rlm_sql) missing. We need to build a package from source with additional build_options to support these features.
                              Help would be appreciated!

                              Further I would like to have LDAP and KERBEROS support so that we can build a GUI for connecting to LDAP and/or AD.

                              • Nachtfalke

                                Updates: pkg v1.3.1

                                • Some small fixes with empty variables after installation

                                Thank you marcelloc for your help!

                                • Nachtfalke

                                  Updates: pkg v1.3.2

                                  • Check and only enable virtual-server "coa" if there is a need from interface-type "coa"

                                  • Put virtual-server "default" into .inc file. We need this in future for LDAP, SQL and other modules

                                  • Nachtfalke

                                    Updates: pkg v1.3.3

                                    • Adding tab to view config files.

                                    @marcelloc: Thank you for that!

                                    • Nachtfalke

                                      Updates: pkg v1.3.4

                                      • freeradius2 is working on pfsense 2.0.1 (i386 and amd64)

                                      • added GUI to create certificates (CA, Server, Client) for EAP-TLS

                                      • extended "view config" tab to view certificate files

                                      • Nachtfalke

                                        Updates: pkg 1.3.5

                                        • Added some info about dis-/advantages of pfsense cert-manager compared to freeradius-cert editor. pfsense cert-manager should be the first manager to use!

                                        • freeradius server is starting with certs and keys (different types) from pfsense built-in manager but this needs more testing with clients and real NAS

                                        • Some small typo fixes in freeradiuseapconf.xml with double entry

                                        • Added some checks and renamings on client cert building script (Thanks to marcelloc)

                                        • Nachtfalke

                                          Updates: pkg v1.3.6

                                          • Added ability to choose between the freeradius cert manager or the pfsense built-in cert manager. (Thank you very much jimp and sullrich)

                                          • Nachtfalke

                                            Updates: pkg v1.3.7

                                            • Corrected starting parameters of variables for "Settings"

                                            • Enabled logging and logging to syslog is now default

                                            • DH and RANDOM file will be created new when changing to "pfsense cert-manager". So not everybody will use the same files delivered with the freeradius package.

                                            • Adding Custom-Options on TOP and BOTTOM of all other user options

                                            • New variables and structure of the "users"-file creation. It was necessary to add additional custom options on TOP and BOTTOM. User entries from older freeradius2 versions are NOT compatible. You need to add them again. Sorry.

                                            • Username can now contain whitespaces

                                            • Added Copyright

                                            • Added new features to dis-/enable SQL (Instantiate, authorize, accounting, session, post-auth) - we still need to build freeradius2 package with additional modules.
