NEW Package: freeRADIUS 2.x
-
I updated freeradius2 from 0.3 ALPHA up to 1.0 BETA.
The freeradius2 package should now have all the features that freeradius has and some improvements.
New freeradius2 features:
-
IPv6 for clients and listening interfaces
-
select different interfaces for different tasks (auth, acct, proxy, status, detail, CoA)
-
additional parameters added in settings
-
enable server to run in threaded mode
-
-
hello,
I wanted to understand how to implement freeradius2 of a system that works with version 1.Uninstalled the previous version and then installed version 2 the applications that worked now no longer work. Specifically, the authentication for openvpn road warriors no longer works. A log level I do not see things very useful. Just somthing about "0 packets in queue".
What are the steps to authenticate freeradius2 of openvpn? I have to do something different?
Summing up I set like this:
Services -> "freeradius"
User: test pass: test
NAS: 192.168.1.1 (ip of the router), ShortNome: pfSense, secret: testingunder "users" -> "server"
RADIUS: 192.168.1.1
Secret: test
description : Local Radius Serverunder "openvpn"
Selected > Local Radius serverI've done something wrong?
thanks
(pfsense 2.0)
-
Hi,
I do not know, how to use OpenVPN RoadWarrior with RADIUS. Is there any tutorial ?
Generally I didn't change much in the background.In the users tab I didn't change anything
The settings tab is the same as before just some different syntax for logging and some additional parameters but they are all at default.
In the client tab I had to change the syntax of the clients.conf to new freeradius2 version but the parameters are still the same.Where I did many changes is the "interfaces" tab.
If you have one Interface (LAN) which should do authentication and accounting than you need two entries:Interface IP: 192.168.100.1
Port: 1812
type: authInterface IP: 192.168.100.1
Port: 1813
type: acctIf radius should listen on any interface than you can use a * instead of the IP.
Not sure if * is listening on 127.0.0.1PS: Further it would/could help if you delete all freeradius entries from your config.xml
/conf/config.xml
and reboot and reconfigure freeradius2.
Your old settings from freeradius1 are NOT compatible with freeradius2
-
also installed in a fresh installed system…
same problemused * insted of the real ip...
Still testing
-
Hi,
I read short through this:
http://doc.pfsense.org/index.php/Using_OpenVPN_With_FreeRADIUS
This needs PAM authentication as far as I understand this.I took a look at
/usr/local/pkg/freeradius.inc
And changed line 432:
#pam
to this line:
pam
Save the file and then go to the freeRADIUS GUI -> Settings -> Save and try again.
-
Hi,
I tested the freeRADIUS2 package with this tool:
http://www.novell.com/coolsolutions/tools/14377.htmlThe problem is the freeRADIUS. I think there are some bigger changes in module handling in the new radiusd.conf. We need to enable/link to the modules listed in the /usr/local/etc/raddb/sites-enabled/ directory.
In the old freeRADIUS 1.x configuration the modules were configured only in radiud.conf.
FreeRADIUS is starting and listening on requests but there seems to be no "Auth-type" selected so that the request could not be used with and authorization module.If someone could/would fix that - don't hesitate. I will try as far as I found time. Next week I am on vacation and I think I will find some time to work on this problem and hopefully fix it.
-
@gionag
I could reproduce this error.
There was a bug in creating the "users" file. I think I fixed this so it should now authenticate fine.Additional changes pkg v1.1.0 Beta:
-
Added some code which prevents that freeradius service isn't starting if interface typ is "detail"
-
Swaped authorize, authenticate, … sections from radiusd.conf to the correct place (/usr/local/etc/raddb/sites-enabled/default && /usr/local/etc/raddb/sites-enabled/inner-tunnel)
-
-
Updates: pkg v1.1.1:
-
disabled virtual-server "control-socket" which is experimental and if misconfigured a security issue
-
disabled module proxy because in most environments we do not need to proxy requests to another RADIUS PROXY server
-
-
Updates: pkg v1.2.0
- Added GUI to configure eap.conf (EAP, EAP-TLS, EAP-TLS with OCSP support, EAP-TTLS, EAP-PEAP with MSCHAPv2
The GUI contains the by default "uncommented" options in the eap.conf
This authentication methods were tested and work:
-
PAP
-
CHAP
-
MSCHAP
-
EAP-MD5
Added "CDATA" for all <description>parts in .XML files.</description>
-
Updates: pkg v1.3.0
-
Added GUI to configure sql.conf
-
Just some small typo/cosmetic GUI fixes
–- edit ---
The GUI is working but I found out that the precompiled freeradius-2.1.12 package is not compiled with MySQL, PostgreSQL.
So there are modules (rlm_sql) missing. We need to build a package from source with additional build_options to support these features.
Help would be appreciated!Further I would like to have LDAP and KERBEROS support so that we can build a GUI for connecting to LDAP and/or AD.
-
-
Updates: pkg v1.3.1
- Some small fixes with empty variables after installation
Thank you marcelloc for your help!
-
Updates: pkg v1.3.2
-
Check and only enable virtual-server "coa" if there is a need from interface-type "coa"
-
Put virtual-server "default" into .inc file. We need this in future for LDAP, SQL and other modules
-
-
-
Updates: pkg v1.3.4
-
freeradius2 is working on pfsense 2.0.1 (i386 and amd64)
-
added GUI to create certificates (CA, Server, Client) for EAP-TLS
-
extended "view config" tab to view certificate files
-
-
Updates: pkg 1.3.5
-
Added some info about dis-/advantages of pfsense cert-manager compared to freeradius-cert editor. pfsense cert-manager should be the first manager to use!
-
freeradius server is starting with certs and keys (different typs) from pfsense built-in manager but this needs more testing with clients and real NAS
-
Some small typo fixes in freeradiuseapconf.xml with double entry
-
Added some checks and renamings on client cert building script (Thanks to marcelloc)
-
-
Updates: pkg v1.3.6
- Added ability to choose between the freeradius cert manager or the pfsense built-in cert manager. (Thank you very much jimp and sullrich)
-
Updates: pkg v1.3.7
-
Corrected starting parameters of variables for "Settings"
-
Enabled logging and logging to syslog is now default
-
DH and RANDOM file will be created new when changing to "pfsense cert-manager". So not everybody will use the same files delivered with the freeradius package.
-
Adding Custom-Options on TOP and BOTTOM of all other user options
-
New variables and structur of the "users"-file creation. It was neccessary to add additional custom options on TOP and BOTTOM. User entries from older freeradius2 versions are NOT compatible. You need to add them again. Sorry.
-
Username can now contain whitespaces
-
Added Copyright
-
Added new features to dis-/enable SQL (Instantiate, authorize, accounting, session, post-auth) - we still need to build freeradius2 package with additional modules.
-
-
Updates: pkg v1.3.8
-
fixed empty password after installation in default cert (eap)
-
fixed typo in description (eap)
-
small change in <custom_php_install_commands>order in freeradius.xml</custom_php_install_commands>
-
Added radiusd.conf to "view config" tab
-
fixed "include sql.conf" in (sql/radiusd)
-
Added some comments in freeradius.inc
-
-
If its not much work to implement, beside user authentication, it would be nice to also support mac authentication. (http://wiki.freeradius.org/Mac-Auth)
Nice work so far!
-
If its not much work to implement, beside user authentication, it would be nice to also support mac authentication. (http://wiki.freeradius.org/Mac-Auth)
Nice work so far!
This should work by default as far as I know for now. The CISCO SG300-28 switch for example is sending the MAC address in username and password, all small letters without whitespace.
So you take a look on the user's guide and check the format the MAC address is sent.If the PCs MAC address is for example:
00:11:AA:BC:DE:FFThan the username and password in freeradius users should be:
0011aabcdeffThe users file should look like this afterwards:
"0011aabcdeff" Cleartext-Password := "0011aabcdeff" Simultaneous-Use := 1
Please post back if you could try this and if it is working or not.
I am on vacation until 09 january 2012 and do not have the chance to test this all on a real switch and environment.
This is on my "todo" list - to check all features I added just from How-To's in real ;-)–-- edit ----
This is from the CISCO users guide:The authentication methods can be:
• 802.1x—The switch supports the authentication mechanism as described in
the standard to authenticate and authorize 802.1x supplicants.• MAC-based—The switch can be configured to use this mode to
authenticate and authorized devices that do not support 802.1x. The switch
emulates the supplicant role on behalf of the non 802.1x capable devices,
and uses the MAC address of the devices as the username and password
when communicating with the RADIUS servers. MAC addresses for
username and password must be entered in lower case and with no
delimiting characters (for example: aaccbb55ccff). To use MAC-based
authentication at a port: