NEW Package: freeRADIUS 2.x
-
ok, first I want show you that PAP working for me:
first question:
radtest -t pap addressbook ppp123PPP 10.8.0.1 1 ppp123PPP Sending Access-Request of id 172 to 10.8.0.1 port 1812 User-Name = "addressbook" User-Password = "ppp123PPP" NAS-IP-Address = 10.8.0.1 NAS-Port = 1 Message-Authenticator = 0x00000000000000000000000000000000 rad_recv: Access-Accept packet from host 10.8.0.1 port 1812, id=172, length=20
Now on radiusd -X side:
Ready to process requests. rad_recv: Access-Request packet from host 10.8.0.1 port 63417, id=172, length=81 User-Name = "addressbook" User-Password = "ppp123PPP" NAS-IP-Address = 10.8.0.1 NAS-Port = 1 Message-Authenticator = 0x84a2dbf3faa9c1eed0e6b541fe4773bb # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "addressbook", skipping NULL due to config. ++[suffix] returns noop [ntdomain] No '\' in User-Name = "addressbook", skipping NULL due to config. ++[ntdomain] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [ldap] performing user authorization for addressbook [ldap] expand: (sAMAccountName=%{mschap:User-Name}) -> (sAMAccountName=addressbook) [ldap] expand: cn=Users,dc=p,dc=t -> cn=Users,dc=p,dc=t [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to server.p.t:389, authentication 0 [ldap] bind as cn=addressbook,cn=Users,dc=p,dc=t/ppp123PPP to server.p.t:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in cn=Users,dc=p,dc=t, with filter (sAMAccountName=addressbook) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] Setting Auth-Type = LDAP [ldap] user addressbook authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[daily] returns noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[weekly] returns noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[monthly] returns noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[forever] returns noop rlm_checkval: Could not find item named Calling-Station-Id in request rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs ++[checkval] returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = LDAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group LDAP {...} [ldap] login attempt by "addressbook" with password "ppp123PPP" [ldap] user DN: CN=addressbook,CN=Users,DC=p,DC=t [ldap] (re)connect to server.p.t:389, authentication 1 [ldap] bind as CN=addressbook,CN=Users,DC=p,DC=t/ppp123PPP to server.p.t:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] user addressbook authenticated succesfully ++[ldap] returns ok Login OK: [addressbook] (from client admin port 1) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 172 to 10.8.0.1 port 63417 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 172 with timestamp +5 Ready to process requests.
Now I'm trying to get ktutil work, but not sure if really needed it.
-
ok, first I want show you that PAP working for me:
first question:
radtest -t pap addressbook ppp123PPP 10.8.0.1 1 ppp123PPP Sending Access-Request of id 172 to 10.8.0.1 port 1812 User-Name = "addressbook" User-Password = "ppp123PPP" NAS-IP-Address = 10.8.0.1 NAS-Port = 1 Message-Authenticator = 0x00000000000000000000000000000000 rad_recv: Access-Accept packet from host 10.8.0.1 port 1812, id=172, length=20
Now on radiusd -X side:
Ready to process requests. rad_recv: Access-Request packet from host 10.8.0.1 port 63417, id=172, length=81 User-Name = "addressbook" User-Password = "ppp123PPP" NAS-IP-Address = 10.8.0.1 NAS-Port = 1 Message-Authenticator = 0x84a2dbf3faa9c1eed0e6b541fe4773bb # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "addressbook", skipping NULL due to config. ++[suffix] returns noop [ntdomain] No '\' in User-Name = "addressbook", skipping NULL due to config. ++[ntdomain] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [ldap] performing user authorization for addressbook [ldap] expand: (sAMAccountName=%{mschap:User-Name}) -> (sAMAccountName=addressbook) [ldap] expand: cn=Users,dc=p,dc=t -> cn=Users,dc=p,dc=t [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to server.p.t:389, authentication 0 [ldap] bind as cn=addressbook,cn=Users,dc=p,dc=t/ppp123PPP to server.p.t:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in cn=Users,dc=p,dc=t, with filter (sAMAccountName=addressbook) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] Setting Auth-Type = LDAP [ldap] user addressbook authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[daily] returns noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[weekly] returns noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[monthly] returns noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[forever] returns noop rlm_checkval: Could not find item named Calling-Station-Id in request rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs ++[checkval] returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = LDAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group LDAP {...} [ldap] login attempt by "addressbook" with password "ppp123PPP" [ldap] user DN: CN=addressbook,CN=Users,DC=p,DC=t [ldap] (re)connect to server.p.t:389, authentication 1 [ldap] bind as CN=addressbook,CN=Users,DC=p,DC=t/ppp123PPP to server.p.t:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] user addressbook authenticated succesfully ++[ldap] returns ok Login OK: [addressbook] (from client admin port 1) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 172 to 10.8.0.1 port 63417 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 172 with timestamp +5 Ready to process requests.
Now I'm trying to get ktutil work, but not sure if really needed it.
Looks good as far as I can see that.
It is ok that there are some warnings and some other auth-types which fail but this is the order of the auth-type modules.
And the output shows that the user gets authenticated with auth-type ldap. :)Not sure for what we need ktutil !?!
Perhaps you can write a little how-to how you configured that, whats your domain name, what you entered on AD and so on. It would help me and others. Did you have to edit some other files by hand ? If yes then tell me what and I will try to implement that into GUI if needed!
So far thank you very much for taking time and testing this - testing my package and functionalities I could not test at the moment! I really appreciate your help! :)
-
of course I will write about this soon, but this is not what we want to accomplish.
why?
PAP in Windows 7 is disabled by group policy and I agree with MS in that, because sending password in plain text via WiFi would be irresponsibleI need ktutil because that util is used in how to from link you gave ;)
-
so trully it is not so much to do:
1. Edit /usr/local/etc/raddb/sites-enabled/default
in authorize section (I'm not sure if it wasn't like this originally):
- comment unix line #
- uncomment line ntdomain
- uncomment ldap line
- uncomment or add pap line
in authenticate section:
- add or uncomment
Auth-Type PAP { pap }
in preacct section:
- uncomment ntdomain line
post-auth section:
- comment ldap section
===========================
in radiusd.conf add in the end of file:
$INCLUDE policy.conf
$INCLUDE sites-enabled/
===========================
modules/ldap looks like this:
ldap { # # Note that this needs to match the name in the LDAP # server certificate, if you're using ldaps. server = "server.p.t" identity = "cn=freeradiususer,cn=Users,dc=p,dc=t" password = ppp123PPP basedn = "cn=Users,dc=p,dc=t" filter = "(sAMAccountName=%{mschap:User-Name})" #base_filter = "(objectclass=radiusprofile)"
I think that's it.
Now I'm trying to understand what we need to get MSCHAP working!
-
so trully it is not so much to do:
1. Edit /usr/local/etc/raddb/sites-enabled/default
in authorize section (I'm not sure if it wasn't like this originally):
- comment unix line #
- uncomment line ntdomain
- uncomment ldap line
- uncomment or add pap line
This is the default if you install freeradius2 package. I did all these changes. Unis line is commented by default. I configured ntdomain as you need it here. LDAP line will be commented or uncommented if we enable/disable it on LDAP GUI (authorization).
in authenticate section:
- add or uncomment
Auth-Type PAP { pap }
This is default. If we do not need LDAP in authentication than we can enable/disable this from LDAP GUI. PAP is there by default.
in preacct section:
- uncomment ntdomain line
I did that in the past and it is default after package installation.
post-auth section:
- comment ldap section
Is by default commented. We do not have any option to change that from GUI.
===========================
in radiusd.conf add in the end of file:
$INCLUDE policy.conf
$INCLUDE sites-enabled/This is by default.
modules/ldap looks like this:
ldap { # # Note that this needs to match the name in the LDAP # server certificate, if you're using ldaps. server = "server.p.t" identity = "cn=freeradiususer,cn=Users,dc=p,dc=t" password = ppp123PPP basedn = "cn=Users,dc=p,dc=t" filter = "(sAMAccountName=%{mschap:User-Name})" #base_filter = "(objectclass=radiusprofile)"
I added the commented lines to the GUI. So they are now UNcommented. Not sure if the default entries are ok or not.
But I think we can change this when we need to. When you telling me this :DI think that's it.
Now I'm trying to understand what we need to get MSCHAP working!
Great! :-)
-
What's the advantage of enabling SQL server? Because I don't see it on pfSense documentation.
-
Hi Nachtfalke,
I just tested with Captive Portal + FreeRadius + MySQL for a Hotspot site.
Basically it's now working here, I can login through CP and see the login information in MySQL.
There are still two options that I can't work it around.
1. per-user bandwidth restriction
This option is available in CP. But it's a global setting which means it will effect all clients with same setting.
I think there should have the same settings according to account? Does FreeRadius support it yet?2. RADIUS MAC authentication
I tested this function, it doesn't work. I always get the login page even I added the MAC in FreeRadius.
With the same setting, pass-through MACs in CP does work properly. Once I add the MAC, it works immediately.Thanks for your patient.
-
What's the advantage of enabling SQL server? Because I don't see it on pfSense documentation.
The advantage of a SQL database is if you have many many users. If you add many users to the freeradius users file - I would say 500+ - than your response time can be slow because the freeradius server has to go through the list from top to down until finding the user or not. So you should check the documentation about "Status server updates". There you will get information about how your RADIUS server performs and if the server can handle the requests. If you use a database the requests can be processes faster if you have many users because of the structur. This are the performance advantages.
For accounting there are better possibilities to do SELECTs on the database but you have to configure the sqlcounter module that it works for you.
An other point could be that you create a web GUI for your SQL database so that people could add new users to the database but should not have access to pfsense or freeradius. This could be useful in a hotel - you setup the freeradius and the connection to the database and the rest will be done from a separate web GUI from the hotel people.
That's my opinion. Perhaps I will add this to the pfsense docs ;)
@zlyzwy
Can you write down the steps you did for creating the database, importing the tables (names of tables) and how you configured freeradius SQL ?1.) I will add this in the next days so we have the possibility to set separate Download und upload bandwidth for users (overwriting the settings from CP which are for ALL users). I have coded this but it is on my HDD at home ;o)
Or do you meand volume of traffic like 500MB in max per week ? This is supported from freeradius and CP but with some disadvantages which I wrote down in the docs.2.) I will try to test this at home with CP if I found some time. Sending the "Calling-Station-ID" (MAC) is working but I didn't test it with CP.
-
Hi Guys,
i have decided to see if I can replace another solution we using with a Pfsense Captive portal and a Psfense Radius solution. But, I follow the instructions on the Radius documentation, but the first hiccup I have is that i dont have the option to even install the package.
In pfsense 2.x go to System => Packages => Available Packages and click on the + behind freeradius2.
After Installation go to Services => FreeRADIUSAm I blind or is the package option just not on the 2.0.1 menu? :)
Regards,
Gigg
-
@zlyzwy
Can you write down the steps you did for creating the database, importing the tables (names of tables) and how you configured freeradius SQL ?Sure:)
In general, I used PhpMyAdmin to manage MySQL database, you can use any other tools as you like.
All the following .SQL files can be found in latest FreeRadius package.(http://freeradius.org/download.html)MYSQL
1. Create the database named radius from PhpMyAdminCREATE DATABASE `radius` ;
2. Import the table 'admin'. Please change 'localhost' to your Pfsense name or just changed it to '%' which means from any client can connect to MySQL. Of course you can also change the default password('radpass') here.
# # Create default administrator for RADIUS # CREATE USER 'radius'@'localhost'; SET PASSWORD FOR 'radius'@'localhost' = PASSWORD('radpass'); # The server can read any table in SQL GRANT SELECT ON radius.* TO 'radius'@'localhost'; # The server can write to the accounting and post-auth logging table. # # i.e. GRANT ALL on radius.radacct TO 'radius'@'localhost'; GRANT ALL on radius.radpostauth TO 'radius'@'localhost';
3. Import the table 'schema'. I don't change anything and it works fine.
########################################################################### # $Id$ # # # # schema.sql rlm_sql - FreeRADIUS SQL Module # # # # Database schema for MySQL rlm_sql module # # # # To load: # # mysql -uroot -prootpass radius < schema.sql # # # # Mike Machado <mike@innercite.com># ########################################################################### # # Table structure for table 'radacct' # CREATE TABLE radacct ( radacctid bigint(21) NOT NULL auto_increment, acctsessionid varchar(64) NOT NULL default '', acctuniqueid varchar(32) NOT NULL default '', username varchar(64) NOT NULL default '', groupname varchar(64) NOT NULL default '', realm varchar(64) default '', nasipaddress varchar(15) NOT NULL default '', nasportid varchar(15) default NULL, nasporttype varchar(32) default NULL, acctstarttime datetime NULL default NULL, acctstoptime datetime NULL default NULL, acctsessiontime int(12) default NULL, acctauthentic varchar(32) default NULL, connectinfo_start varchar(50) default NULL, connectinfo_stop varchar(50) default NULL, acctinputoctets bigint(20) default NULL, acctoutputoctets bigint(20) default NULL, calledstationid varchar(50) NOT NULL default '', callingstationid varchar(50) NOT NULL default '', acctterminatecause varchar(32) NOT NULL default '', servicetype varchar(32) default NULL, framedprotocol varchar(32) default NULL, framedipaddress varchar(15) NOT NULL default '', acctstartdelay int(12) default NULL, acctstopdelay int(12) default NULL, xascendsessionsvrkey varchar(10) default NULL, PRIMARY KEY (radacctid), KEY username (username), KEY framedipaddress (framedipaddress), KEY acctsessionid (acctsessionid), KEY acctsessiontime (acctsessiontime), KEY acctuniqueid (acctuniqueid), KEY acctstarttime (acctstarttime), KEY acctstoptime (acctstoptime), KEY nasipaddress (nasipaddress) ) ; # # Table structure for table 'radcheck' # CREATE TABLE radcheck ( id int(11) unsigned NOT NULL auto_increment, username varchar(64) NOT NULL default '', attribute varchar(64) NOT NULL default '', op char(2) NOT NULL DEFAULT '==', value varchar(253) NOT NULL default '', PRIMARY KEY (id), KEY username (username(32)) ) ; # # Table structure for table 'radgroupcheck' # CREATE TABLE radgroupcheck ( id int(11) unsigned NOT NULL auto_increment, groupname varchar(64) NOT NULL default '', attribute varchar(64) NOT NULL default '', op char(2) NOT NULL DEFAULT '==', value varchar(253) NOT NULL default '', PRIMARY KEY (id), KEY groupname (groupname(32)) ) ; # # Table structure for table 'radgroupreply' # CREATE TABLE radgroupreply ( id int(11) unsigned NOT NULL auto_increment, groupname varchar(64) NOT NULL default '', attribute varchar(64) NOT NULL default '', op char(2) NOT NULL DEFAULT '=', value varchar(253) NOT NULL default '', PRIMARY KEY (id), KEY groupname (groupname(32)) ) ; # # Table structure for table 'radreply' # CREATE TABLE radreply ( id int(11) unsigned NOT NULL auto_increment, username varchar(64) NOT NULL default '', attribute varchar(64) NOT NULL default '', op char(2) NOT NULL DEFAULT '=', value varchar(253) NOT NULL default '', PRIMARY KEY (id), KEY username (username(32)) ) ; # # Table structure for table 'radusergroup' # CREATE TABLE radusergroup ( username varchar(64) NOT NULL default '', groupname varchar(64) NOT NULL default '', priority int(11) NOT NULL default '1', KEY username (username(32)) ) ; # # Table structure for table 'radpostauth' # CREATE TABLE radpostauth ( id int(11) NOT NULL auto_increment, username varchar(64) NOT NULL default '', pass varchar(64) NOT NULL default '', reply varchar(32) NOT NULL default '', authdate timestamp NOT NULL, PRIMARY KEY (id) ) ;</mike@innercite.com>
4. Import the rest of tables one by one.
# # Table structure for table 'cui' # CREATE TABLE `cui` ( `clientipaddress` varchar(15) NOT NULL default '', `callingstationid` varchar(50) NOT NULL default '', `username` varchar(64) NOT NULL default '', `cui` varchar(32) NOT NULL default '', `creationdate` timestamp NOT NULL default CURRENT_TIMESTAMP, `lastaccounting` timestamp NOT NULL default '0000-00-00 00:00:00', PRIMARY KEY (`username`,`clientipaddress`,`callingstationid`) ) ENGINE=MyISAM DEFAULT CHARSET=latin1;
# # Table structure for table 'radippool' # CREATE TABLE radippool ( id int(11) unsigned NOT NULL auto_increment, pool_name varchar(30) NOT NULL, framedipaddress varchar(15) NOT NULL default '', nasipaddress varchar(15) NOT NULL default '', calledstationid VARCHAR(30) NOT NULL, callingstationid VARCHAR(30) NOT NULL, expiry_time DATETIME NULL default NULL, username varchar(64) NOT NULL default '', pool_key varchar(30) NOT NULL, PRIMARY KEY (id), KEY radippool_poolname_expire (pool_name, expiry_time), KEY framedipaddress (framedipaddress), KEY radippool_nasip_poolkey_ipaddress (nasipaddress, pool_key, framedipaddress) ) ENGINE=InnoDB;
# # Table structure for table 'nas' # CREATE TABLE nas ( id int(10) NOT NULL auto_increment, nasname varchar(128) NOT NULL, shortname varchar(32), type varchar(30) DEFAULT 'other', ports int(5), secret varchar(60) DEFAULT 'secret' NOT NULL, server varchar(64), community varchar(50), description varchar(200) DEFAULT 'RADIUS Client', PRIMARY KEY (id), KEY nasname (nasname) );
# # WiMAX Table structure for table 'wimax', # which replaces the "radpostauth" table. # CREATE TABLE wimax ( id int(11) NOT NULL auto_increment, username varchar(64) NOT NULL default '', authdate timestamp NOT NULL, spi varchar(16) NOT NULL default '', mipkey varchar(400) NOT NULL default '', lifetime int(12) default NULL, PRIMARY KEY (id), KEY username (username), KEY spi (spi) ) ;
FreeRadius
After that, go back to your FreeRadius web interface, In SQL tab, enable the SQL support and change the following items.
Enable SQL Support –> Check
Enable SQL Authorization --> Enable
Enable SQL Accounting --> Enable
Enable SQL Session --> Enable
Enable SQL Post-Auth --> Enable
Server IP Address --> A.B.C.D
Database Password --> PASSWORDTEST
To test Freeradius work or not, follow the step in Freeradius doc (http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package)
Once you receiving the following msgrad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=1, length=20
Check the 'radpostauth' table, if you find the record like this:
15 test test Access-Accept 2012-01-17 20:21:04
All right, your FreeRadius is now connecting to MySQL.
:) -
Hi Guys,
i have decided to see if I can replace another solution we using with a Pfsense Captive portal and a Psfense Radius solution. But, I follow the instructions on the Radius documentation, but the first hiccup I have is that i dont have the option to even install the package.
In pfsense 2.x go to System => Packages => Available Packages and click on the + behind freeradius2.
After Installation go to Services => FreeRADIUSAm I blind or is the package option just not on the 2.0.1 menu? :)
Regards,
Gigg
Hi Gigg,
freeradius2 package is available for i386 and amd64, pfsense 2.0 and 2.0.1. I could just try on server with a HDD. I used the .iso images and installed pfsense.
Not sure if this package is available (by default) for nanobsd and other system.@zlyzwy
Great to hear and to read this :D
I would like to implement this how-to (copy and paste) to my pfsense documentation - makeing a copyright to your name and linking to this post. Is that ok ? It is a very detailed how-to and I think it is exactly what we need :)Further I tested with Plain-MAC-Auth an CP. At first: It is working as it should and you have different possibilities:
1.) If you want to use Plain-MAC-Auth from pfSense GUI then you should do the following:
- Go to CP and enable "Enable RADIUS MAC authentication"
- Enter any shared secret you like in the field below. This is NOT the shared secret which is used for the communication between NAS(CP) and freeRADIUS.
- the "MAC address format" you do not need to change. The "correct" setting would be "11-22-33-44-55-66" but this is not important because freeradius converts all MAC addresses formats to this format.
- enter the mac address in freeradius "MACs" in this format: 11-22-33-aa-bb-33
Thats all. Browse the web and you will be connected. System Log and Portal Auth show this:
Systemlog:radiusd[33247]: Login OK: [00-04-23-5c-9d-19/blaaa] (from client pfsense port 2 cli 00-04-23-5c-9d-19)
Portal Auth:
logportalauth[14855]: MACHINE LOGIN: 00-04-23-5c-9d-19, 00:04:23:5c:9d:19, 192.168.0.88
2.) If you do NOT want to use Plain-MAC-Auth from pfsense GUI you can disable that.
- Go to pfsense GUI "Users" and add a user with username "00-04-23-5c-9d-19" - that is the MAC-address and as password choose the password from the CP (schared secret). In my case it was "blaaa".
CP is converting the MAC to the username field and adds the "shared secret" as the password field.
I will try to explain it a little bit more in detail and post it in my documentation - but now I will go out to dinner - it's my brothers birthday today :)
-
Updates pkg v1.5.3;
-
Added: Limit Bandwidth (WISPr-Bandwidth-Max-Down/WISPr-Bandwidth-Max-Up)
-
Modified: Rearranged options GUI for "users" a little bit
-
Fixed: Simultenous-Use isn't a "requiered" field anymore. If set to 1 and in CP "reauthenticate every minute" was checked it leads to a "multiconnect"/discoonect. Further if CP gets restarted and user wasn't disconnected before there is as well a "multiconnect"
-
Fixed: CP does not know ChilliSpot attribute so I choose "Acct-x-octets" in "reply-name"
-
Added: There are now the same CHECK-ITEMS and REPLY-ITEMS available for Plain-MAC-Auth as for 802.1X auth (users/macs)
-
Updated: pfsense documentation (Plain-MAC-Auth and Plain-MAC-Auth as 802.1X request with Captive Portal) and (Limit Bandwidth)
-
-
@zlyzwy
Great to hear and to read this
I would like to implement this how-to (copy and paste) to my pfsense documentation - makeing a copyright to your name and linking to this post. Is that ok ? It is a very detailed how-to and I think it is exactly what we needNo problem at all. I am glad it's helpful..:)
1.) If you want to use Plain-MAC-Auth from pfSense GUI then you should do the following:
- Go to CP and enable "Enable RADIUS MAC authentication"
- Enter any shared secret you like in the field below. This is NOT the shared secret which is used for the communication between NAS(CP) and freeRADIUS.
- the "MAC address format" you do not need to change. The "correct" setting would be "11-22-33-44-55-66" but this is not important because freeradius converts all MAC addresses formats to this format.
- enter the mac address in freeradius "MACs" in this format: 11-22-33-aa-bb-33
Thanks for your explanation.
I've got a bit confused about 'shared secret', as your explained there should have two 'shared secret'. The first one is for communication with client and CP. But what's the purpose for second one? Can I fill the same value as the first one? In fact I was thinking they should be same.
The MAC format I used is '00:11:22:33:44:55', but you mentioned it's not important then it should not be the problem.Anyway, I will give a try again with your procedures.
BTW: I can't see the v1.5.3 update pkg in 'installed packages'.
Update:
Now I can see the v1.5.3 pkg and it's great…I just tested with latest pkg,here comes some new questions>>
1. Plain-MAC-Auth
I followed your procedures, it doesn't work proerly. The error log isJan 18 19:59:40 radiusd[36524]: Login incorrect: [00-02-a5-4e-df-67] (from client CP port 210 cli 00-02-a5-4e-df-67)
I enable the PLAIN MAC AUTHORIZATION (FreeRadius–>Setting Tab), and it does solve the problem.
Jan 18 20:46:45 radiusd[63046]: Login OK: [00-02-a5-4e-df-67] (from client CP port 45 cli 00-02-a5-4e-df-67)
I don't know why but it's working anyway:)
2. Virtual machine in VMware MAC Auth
I have a small server running VMware workstation. The host computer is a windows 2003 server. It's running well until I enable the CP, I add the server's MAC to pass list and the server works as it should be,but not for the virtual server inside VM. I tired to put the VM's MAC to pass list. it's not working. I am receiving the following error from system log:Jan 18 20:46:45 radiusd[63046]: Login OK: [00-02-a5-4e-df-67] (from client CP port 45 cli 00-02-a5-4e-df-67) Jan 18 20:46:45 radiusd[63046]: Login OK: [00-02-a5-4e-df-67] (from client CP port 45 cli 00-02-a5-4e-df-67) Jan 18 20:46:45 radiusd[63046]: rlm_radutmp: Login entry for NAS CP port 45 wrong order Jan 18 20:46:45 radiusd[63046]: rlm_radutmp: Login entry for NAS CP port 45 wrong order
00-02-a5-4e-df-67 –> Host Computer
There is one strange thing, usually if my virtual server ask the outgoing traffic, there should have the log with MAC. So I can add that MAC to pass list. But I didn't see any log with that MAC.
I also tried to set "Number of simultaneous connections" to 10, no luck...BTW: there are two virtual servers running in VMwork, one is Debian and another is PFsense itself. I am not sure if it's the reason for this issue. I think this picture will show you my network better than words.
(http://www.gliffy.com/pubdoc/2737259/L.png)3. Maximum Download Bandwidth/Maximum Upload Bandwidth
I have a 20m/s ADSL at home. I tested with 800 bit/s and 800000bit/s. There should have a obvious difference. However they give the similar result here(around 20m/s).I am afraid I may put too many requests here.
Many thanks for your help! -
The shared secret you enter on CaptivePortal in section "Primary RADIUS server" is the password which is for communication between CP as NAS and the freeRADIUS server. This shared secret you have to enter and match the shared secret you enter in FreeRADIUS -> NAS/Clients
The shared secret you have to enter on chapter "RADIUS MAC authentication" is the user password. This is a little bit unclear on Captive Portal. This shared secret you have to enter in FreeRADIUS -> Users
pkg v.1.5.3 should be available now. When I am updating this post I pushed the changes on github but then we need to wait until some of the core teams is merging it. In general this takes not much time :-)
-
The shared secret you have to enter on chapter "RADIUS MAC authentication" is the user password. This is a little bit unclear on Captive Portal. This shared secret you have to enter in FreeRADIUS -> Users
I am sorry I can't understand this part. If it's really as you said, then all the users must use one password since there is only one shared secret in CP? Or we can only create one user?
-
The shared secret you have to enter on chapter "RADIUS MAC authentication" is the user password. This is a little bit unclear on Captive Portal. This shared secret you have to enter in FreeRADIUS -> Users
I am sorry I can't understand this part. If it's really as you said, then all the users must use one password since there is only one shared secret in CP? Or we can only create one user?
That's correct. All Users have the same password (shared secret).
But that's no problem. Think about that: The host should be authorized by its MAC address. Now we can only send the Calling-Station-ID to freeRADIUS server and then freeRADIUS must be able to handle ONLY Calling-Station-ID and authorize or block the user. But before I enabled Plain-MAC-Auth ability on freeRADIUS the RADIUS server only accepted 802.1X (username + password).
That's the reason why we are able to configure captive portal to send the MAC address as username and a password - that's our shared secret.So username(mac address) is different but password(shared secret) is always the same.
If you have questions, just ask. Perhaps I am just not able to explain it in a way to make it clear :D
-
Hi Guyd,
Can you tell me what version of pfsense you using. Mine does not have a packages option under systems and I cant load the radius option.
Thx
-
Hi Guyd,
Can you tell me what version of pfsense you using. Mine does not have a packages option under systems and I cant load the radius option.
Thx
pfsense 2.0.1 full install x64
pfsense 2.0.1 full install i386 -
Shared secret is used between radius server and device, which is using radius server. it's another layer of security. This has nothing todo with user passwords
-
Updates pkg v1.5.4:
-
Added: Checks if a function or a part of it needs to be run (when disabled from GUI). This should speed up the starting process of freeradius after reboot.
-
Fixed: Accidentally deleted certs in ../raddb/certs/ folder after reboot when using pfSense Cert-Manager - this break freeRADIUS start until clicking save in EAP again.
=== edit ===
- Fixed: call some functions after installation to initialize configuration files.
Shared secret is used between radius server and device, which is using radius server. it's another layer of security. This has nothing todo with user passwords
What you say is absolutly correct - in general.
Captive Portal is using the name "shared secret" on two places. In Primary RADIUS server it is used in the correct context.
In RADIUS MAC authentication it is not the correct context I would say. This is explained one line below:If this option is enabled, the captive portal will try to authenticate users by sending their MAC address as the username and the password entered below to the RADIUS server.
-