Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    NEW Package: freeRADIUS 2.x

    Scheduled Pinned Locked Moved pfSense Packages
    628 Posts 80 Posters 744.5k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • N
      Nachtfalke
      last edited by

      I updated freeradius2 from 0.3 ALPHA up to 1.0 BETA.

      The freeradius2 package should now have all the features that freeradius has and some improvements.

      New freeradius2 features:

      • IPv6 for clients and listening interfaces

      • select different interfaces for different tasks (auth, acct, proxy, status, detail, CoA)

      • additional parameters added in settings

      • enable server to run in threaded mode

      1 Reply Last reply Reply Quote 0
      • G
        gionag
        last edited by

        hello,
        I wanted to understand how to implement freeradius2 of a system that works with version 1.

        Uninstalled the previous version and then installed version 2 the applications that worked now no longer work. Specifically, the authentication for openvpn road warriors no longer works. A log level I do not see things very useful. Just somthing about "0 packets in queue".

        What are the steps to authenticate freeradius2 of openvpn? I have to do something different?

        Summing up I set like this:

        Services -> "freeradius"

        User: test pass: test
        NAS: 192.168.1.1 (ip of the router), ShortNome: pfSense, secret: testing

        under "users" -> "server"
        RADIUS: 192.168.1.1
        Secret: test
        description : Local Radius Server

        under "openvpn"
        Selected > Local Radius server

        I've done something wrong?

        thanks

        (pfsense 2.0)

        1 Reply Last reply Reply Quote 0
        • N
          Nachtfalke
          last edited by

          Hi,

          I do not know, how to use OpenVPN RoadWarrior with RADIUS. Is there any tutorial ?
          Generally I didn't change much in the background.

          In the users tab I didn't change anything
          The settings tab is the same as before just some different syntax for logging and some additional parameters but they are all at default.
          In the client tab I had to change the syntax of the clients.conf to new freeradius2 version but the parameters are still the same.

          Where I did many changes is the "interfaces" tab.
          If you have one Interface (LAN) which should do authentication and accounting than you need two entries:

          Interface IP: 192.168.100.1
          Port: 1812
          type: auth

          Interface IP: 192.168.100.1
          Port: 1813
          type: acct

          If radius should listen on any interface than you can use a  *  instead of the IP.
          Not sure if  *  is listening on 127.0.0.1

          PS: Further it would/could help if you delete all freeradius entries from your config.xml

          /conf/config.xml
          

          and reboot and reconfigure freeradius2.

          Your old settings from freeradius1 are NOT compatible with freeradius2

          1 Reply Last reply Reply Quote 0
          • G
            gionag
            last edited by

            also installed in a fresh installed system…
            same problem

            used * insted of the real ip...

            Still testing

            1 Reply Last reply Reply Quote 0
            • N
              Nachtfalke
              last edited by

              Hi,

              I read short through this:
              http://doc.pfsense.org/index.php/Using_OpenVPN_With_FreeRADIUS
              This needs PAM authentication as far as I understand this.

              I took a look at

              /usr/local/pkg/freeradius.inc
              

              And changed line 432:

              #pam
              

              to this line:

              pam
              

              Save the file and then go to the freeRADIUS GUI -> Settings -> Save and try again.

              1 Reply Last reply Reply Quote 0
              • N
                Nachtfalke
                last edited by

                Hi,

                I tested the freeRADIUS2 package with this tool:
                http://www.novell.com/coolsolutions/tools/14377.html

                The problem is the freeRADIUS. I think there are some bigger changes in module handling in the new radiusd.conf. We need to enable/link to the modules listed in the /usr/local/etc/raddb/sites-enabled/ directory.
                In the old freeRADIUS 1.x configuration the modules were configured only in radiud.conf.
                FreeRADIUS is starting and listening on requests but there seems to be no "Auth-type" selected so that the request could not be used with and authorization module.

                If someone could/would fix that - don't hesitate. I will try as far as I found time. Next week I am on vacation and I think I will find some time to work on this problem and hopefully fix it.

                1 Reply Last reply Reply Quote 0
                • N
                  Nachtfalke
                  last edited by

                  @gionag
                  I could reproduce this error.
                  There was a bug in creating the "users" file. I think I fixed this so it should now authenticate fine.

                  Additional changes pkg v1.1.0 Beta:

                  • Added some code which prevents that freeradius service isn't starting if interface typ is "detail"

                  • Swaped authorize, authenticate, … sections from radiusd.conf to the correct place (/usr/local/etc/raddb/sites-enabled/default && /usr/local/etc/raddb/sites-enabled/inner-tunnel)

                  1 Reply Last reply Reply Quote 0
                  • N
                    Nachtfalke
                    last edited by

                    Updates: pkg v1.1.1:

                    • disabled virtual-server "control-socket" which is experimental and if misconfigured a security issue

                    • disabled module proxy because in most environments we do not need to proxy requests to another RADIUS PROXY server

                    1 Reply Last reply Reply Quote 0
                    • N
                      Nachtfalke
                      last edited by

                      Updates: pkg v1.2.0

                      • Added GUI to configure eap.conf (EAP, EAP-TLS, EAP-TLS with OCSP support, EAP-TTLS, EAP-PEAP with MSCHAPv2

                      The GUI contains the by default "uncommented" options in the eap.conf

                      This authentication methods were tested and work:

                      • PAP

                      • CHAP

                      • MSCHAP

                      • EAP-MD5

                      Added "CDATA" for all <description>parts in .XML files.</description>

                      1 Reply Last reply Reply Quote 0
                      • N
                        Nachtfalke
                        last edited by

                        Updates: pkg v1.3.0

                        • Added GUI to configure sql.conf

                        • Just some small typo/cosmetic GUI fixes

                        –- edit ---
                        The GUI is working but I found out that the precompiled freeradius-2.1.12 package is not compiled with MySQL, PostgreSQL.
                        So there are modules (rlm_sql) missing. We need to build a package from source with additional build_options to support these features.
                        Help would be appreciated!

                        Further I would like to have LDAP and KERBEROS support so that we can build a GUI for connecting to LDAP and/or AD.

                        1 Reply Last reply Reply Quote 0
                        • N
                          Nachtfalke
                          last edited by

                          Updates: pkg v1.3.1

                          • Some small fixes with empty variables after installation

                          Thank you marcelloc for your help!

                          1 Reply Last reply Reply Quote 0
                          • N
                            Nachtfalke
                            last edited by

                            Updates: pkg v1.3.2

                            • Check and only enable virtual-server "coa" if there is a need from interface-type "coa"

                            • Put virtual-server "default" into .inc file. We need this in future for LDAP, SQL and other modules

                            1 Reply Last reply Reply Quote 0
                            • N
                              Nachtfalke
                              last edited by

                              Updates: pkg v1.3.3

                              • Adding tab to view config files.

                              @marcelloc: Thank you for that!

                              1 Reply Last reply Reply Quote 0
                              • N
                                Nachtfalke
                                last edited by

                                Updates: pkg v1.3.4

                                • freeradius2 is working on pfsense 2.0.1 (i386 and amd64)

                                • added GUI to create certificates (CA, Server, Client) for EAP-TLS

                                • extended "view config" tab to view certificate files

                                1 Reply Last reply Reply Quote 0
                                • N
                                  Nachtfalke
                                  last edited by

                                  Updates: pkg 1.3.5

                                  • Added some info about dis-/advantages of pfsense cert-manager compared to freeradius-cert editor. pfsense cert-manager should be the first manager to use!

                                  • freeradius server is starting with certs and keys (different typs) from pfsense built-in manager but this needs more testing with clients and real NAS

                                  • Some small typo fixes in freeradiuseapconf.xml with double entry

                                  • Added some checks and renamings on client cert building script (Thanks to marcelloc)

                                  1 Reply Last reply Reply Quote 0
                                  • N
                                    Nachtfalke
                                    last edited by

                                    Updates: pkg v1.3.6

                                    • Added ability to choose between the freeradius cert manager or the pfsense built-in cert manager. (Thank you very much jimp and sullrich)
                                    1 Reply Last reply Reply Quote 0
                                    • N
                                      Nachtfalke
                                      last edited by

                                      Updates: pkg v1.3.7

                                      • Corrected starting parameters of variables for "Settings"

                                      • Enabled logging and logging to syslog is now default

                                      • DH and RANDOM file will be created new when changing to "pfsense cert-manager". So not everybody will use the same files delivered with the freeradius package.

                                      • Adding Custom-Options on TOP and BOTTOM of all other user options

                                      • New variables and structur of the "users"-file creation. It was neccessary to add additional custom options on TOP and BOTTOM. User entries from older freeradius2 versions are NOT compatible. You need to add them again. Sorry.

                                      • Username can now contain whitespaces

                                      • Added Copyright

                                      • Added new features to dis-/enable SQL (Instantiate, authorize, accounting, session, post-auth) - we still need to build freeradius2 package with additional modules.

                                      1 Reply Last reply Reply Quote 0
                                      • N
                                        Nachtfalke
                                        last edited by

                                        Updates: pkg v1.3.8

                                        • fixed empty password after installation in default cert (eap)

                                        • fixed typo in description (eap)

                                        • small change in <custom_php_install_commands>order in freeradius.xml</custom_php_install_commands>

                                        • Added radiusd.conf to "view config" tab

                                        • fixed "include sql.conf" in (sql/radiusd)

                                        • Added some comments in freeradius.inc

                                        1 Reply Last reply Reply Quote 0
                                        • S
                                          sandern
                                          last edited by

                                          If its not much work to implement, beside user authentication, it would be nice to also support mac authentication. (http://wiki.freeradius.org/Mac-Auth)

                                          Nice work so far!

                                          1 Reply Last reply Reply Quote 0
                                          • N
                                            Nachtfalke
                                            last edited by

                                            @sandern:

                                            If its not much work to implement, beside user authentication, it would be nice to also support mac authentication. (http://wiki.freeradius.org/Mac-Auth)

                                            Nice work so far!

                                            This should work by default as far as I know for now. The CISCO SG300-28 switch for example is sending the MAC address in username and password, all small letters without whitespace.
                                            So you take a look on the user's guide and check the format the MAC address is sent.

                                            If the PCs MAC address is for example:
                                            00:11:AA:BC:DE:FF

                                            Than the username and password in freeradius users should be:
                                            0011aabcdeff

                                            The users file should look like this afterwards:

                                            
                                            "0011aabcdeff" Cleartext-Password := "0011aabcdeff"
                                                                   Simultaneous-Use := 1
                                            
                                            

                                            Please post back if you could try this and if it is working or not.
                                            I am on vacation until 09 january 2012 and do not have the chance to test this all on a real switch and environment.
                                            This is on my "todo" list - to check all features I added just from How-To's in real ;-)

                                            –-- edit ----
                                            This is from the CISCO users guide:

                                            The authentication methods can be:
                                            • 802.1x—The switch supports the authentication mechanism as described in
                                            the standard to authenticate and authorize 802.1x supplicants.

                                            • MAC-based—The switch can be configured to use this mode to
                                            authenticate and authorized devices that do not support 802.1x. The switch
                                            emulates the supplicant role on behalf of the non 802.1x capable devices,
                                            and uses the MAC address of the devices as the username and password
                                            when communicating with the RADIUS servers. MAC addresses for
                                            username and password must be entered in lower case and with no
                                            delimiting characters (for example: aaccbb55ccff). To use MAC-based
                                            authentication at a port:

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.