NEW Package: freeRADIUS 2.x

gionag

hello,
I wanted to understand how to implement freeradius2 of a system that works with version 1.

Uninstalled the previous version and then installed version 2 the applications that worked now no longer work. Specifically, the authentication for openvpn road warriors no longer works. A log level I do not see things very useful. Just somthing about "0 packets in queue".

What are the steps to authenticate freeradius2 of openvpn? I have to do something different?

Summing up I set like this:

Services -> "freeradius"

User: test pass: test
NAS: 192.168.1.1 (ip of the router), ShortNome: pfSense, secret: testing

under "users" -> "server"
RADIUS: 192.168.1.1
Secret: test
description : Local Radius Server

under "openvpn"
Selected > Local Radius server

I've done something wrong?

thanks

(pfsense 2.0)

Nachtfalke

Hi,

I do not know, how to use OpenVPN RoadWarrior with RADIUS. Is there any tutorial ?
Generally I didn't change much in the background.

In the users tab I didn't change anything
The settings tab is the same as before just some different syntax for logging and some additional parameters but they are all at default.
In the client tab I had to change the syntax of the clients.conf to new freeradius2 version but the parameters are still the same.

Where I did many changes is the "interfaces" tab.
If you have one Interface (LAN) which should do authentication and accounting than you need two entries:

Interface IP: 192.168.100.1
Port: 1812
type: auth

Interface IP: 192.168.100.1
Port: 1813
type: acct

If radius should listen on any interface than you can use a  *  instead of the IP.
Not sure if  *  is listening on 127.0.0.1

PS: Further it would/could help if you delete all freeradius entries from your config.xml

/conf/config.xml

and reboot and reconfigure freeradius2.

Your old settings from freeradius1 are NOT compatible with freeradius2

gionag

also installed in a fresh installed system…
same problem

used * insted of the real ip...

Still testing

Nachtfalke

Hi,

I read short through this:
http://doc.pfsense.org/index.php/Using_OpenVPN_With_FreeRADIUS
This needs PAM authentication as far as I understand this.

I took a look at

/usr/local/pkg/freeradius.inc

And changed line 432:

#pam

to this line:

pam

Save the file and then go to the freeRADIUS GUI -> Settings -> Save and try again.

Nachtfalke

Hi,

I tested the freeRADIUS2 package with this tool:
http://www.novell.com/coolsolutions/tools/14377.html

The problem is the freeRADIUS. I think there are some bigger changes in module handling in the new radiusd.conf. We need to enable/link to the modules listed in the /usr/local/etc/raddb/sites-enabled/ directory.
In the old freeRADIUS 1.x configuration the modules were configured only in radiud.conf.
FreeRADIUS is starting and listening on requests but there seems to be no "Auth-type" selected so that the request could not be used with and authorization module.

If someone could/would fix that - don't hesitate. I will try as far as I found time. Next week I am on vacation and I think I will find some time to work on this problem and hopefully fix it.

Nachtfalke

@gionag
I could reproduce this error.
There was a bug in creating the "users" file. I think I fixed this so it should now authenticate fine.

Additional changes pkg v1.1.0 Beta:

• Added some code which prevents that freeradius service isn't starting if interface typ is "detail"

• Swaped authorize, authenticate, … sections from radiusd.conf to the correct place (/usr/local/etc/raddb/sites-enabled/default && /usr/local/etc/raddb/sites-enabled/inner-tunnel)

Nachtfalke

Updates: pkg v1.1.1:

• disabled virtual-server "control-socket" which is experimental and if misconfigured a security issue

• disabled module proxy because in most environments we do not need to proxy requests to another RADIUS PROXY server

Nachtfalke

Updates: pkg v1.2.0

• Added GUI to configure eap.conf (EAP, EAP-TLS, EAP-TLS with OCSP support, EAP-TTLS, EAP-PEAP with MSCHAPv2

The GUI contains the by default "uncommented" options in the eap.conf

This authentication methods were tested and work:

• PAP

• CHAP

• MSCHAP

• EAP-MD5

Added "CDATA" for all <description>parts in .XML files.</description>

Nachtfalke

Updates: pkg v1.3.0

• Added GUI to configure sql.conf

• Just some small typo/cosmetic GUI fixes

–- edit ---
The GUI is working but I found out that the precompiled freeradius-2.1.12 package is not compiled with MySQL, PostgreSQL.
So there are modules (rlm_sql) missing. We need to build a package from source with additional build_options to support these features.
Help would be appreciated!

Further I would like to have LDAP and KERBEROS support so that we can build a GUI for connecting to LDAP and/or AD.

Nachtfalke

Updates: pkg v1.3.1

• Some small fixes with empty variables after installation

Thank you marcelloc for your help!

Nachtfalke

Updates: pkg v1.3.2

• Check and only enable virtual-server "coa" if there is a need from interface-type "coa"

• Put virtual-server "default" into .inc file. We need this in future for LDAP, SQL and other modules

Nachtfalke

Updates: pkg v1.3.3

• Adding tab to view config files.

@marcelloc: Thank you for that!

Nachtfalke

Updates: pkg v1.3.4

• freeradius2 is working on pfsense 2.0.1 (i386 and amd64)

• added GUI to create certificates (CA, Server, Client) for EAP-TLS

• extended "view config" tab to view certificate files

Nachtfalke

Updates: pkg 1.3.5

• Added some info about dis-/advantages of pfsense cert-manager compared to freeradius-cert editor. pfsense cert-manager should be the first manager to use!

• freeradius server is starting with certs and keys (different typs) from pfsense built-in manager but this needs more testing with clients and real NAS

• Some small typo fixes in freeradiuseapconf.xml with double entry

• Added some checks and renamings on client cert building script (Thanks to marcelloc)

Nachtfalke

Updates: pkg v1.3.6

• Added ability to choose between the freeradius cert manager or the pfsense built-in cert manager. (Thank you very much jimp and sullrich)

Nachtfalke

Updates: pkg v1.3.7

• Corrected starting parameters of variables for "Settings"

• Enabled logging and logging to syslog is now default

• DH and RANDOM file will be created new when changing to "pfsense cert-manager". So not everybody will use the same files delivered with the freeradius package.

• Adding Custom-Options on TOP and BOTTOM of all other user options

• New variables and structur of the "users"-file creation. It was neccessary to add additional custom options on TOP and BOTTOM. User entries from older freeradius2 versions are NOT compatible. You need to add them again. Sorry.

• Username can now contain whitespaces

• Added Copyright

• Added new features to dis-/enable SQL (Instantiate, authorize, accounting, session, post-auth) - we still need to build freeradius2 package with additional modules.

Nachtfalke

Updates: pkg v1.3.8

• fixed empty password after installation in default cert (eap)

• fixed typo in description (eap)

• small change in <custom_php_install_commands>order in freeradius.xml</custom_php_install_commands>

• Added radiusd.conf to "view config" tab

• fixed "include sql.conf" in (sql/radiusd)

• Added some comments in freeradius.inc

sandern

If its not much work to implement, beside user authentication, it would be nice to also support mac authentication. (http://wiki.freeradius.org/Mac-Auth)

Nice work so far!

Nachtfalke

@sandern:

If its not much work to implement, beside user authentication, it would be nice to also support mac authentication. (http://wiki.freeradius.org/Mac-Auth)

Nice work so far!

This should work by default as far as I know for now. The CISCO SG300-28 switch for example is sending the MAC address in username and password, all small letters without whitespace.
So you take a look on the user's guide and check the format the MAC address is sent.

If the PCs MAC address is for example:
00:11:AA:BC:DE:FF

Than the username and password in freeradius users should be:
0011aabcdeff

The users file should look like this afterwards:

"0011aabcdeff" Cleartext-Password := "0011aabcdeff"
                       Simultaneous-Use := 1

Please post back if you could try this and if it is working or not.
I am on vacation until 09 january 2012 and do not have the chance to test this all on a real switch and environment.
This is on my "todo" list - to check all features I added just from How-To's in real ;-)

–-- edit ----
This is from the CISCO users guide:

The authentication methods can be:
• 802.1x—The switch supports the authentication mechanism as described in
the standard to authenticate and authorize 802.1x supplicants.

• MAC-based—The switch can be configured to use this mode to
authenticate and authorized devices that do not support 802.1x. The switch
emulates the supplicant role on behalf of the non 802.1x capable devices,
and uses the MAC address of the devices as the username and password
when communicating with the RADIUS servers. MAC addresses for
username and password must be entered in lower case and with no
delimiting characters (for example: aaccbb55ccff). To use MAC-based
authentication at a port:

Nachtfalke

Updates: pkg v1.3.9

• small changes in if/else syntax (freeradius.inc)

• deleted uneccessary <custom_php_resync_config_command>entries (freeradiuscerts.xml)</custom_php_resync_config_command>

• fixed some typos in description and titel (eap, view config)

• cosmetic fix: changed order of columns (users)

• added XMLRPC Sync for syncing "users" and "NAS / clients" with other hosts. No other parts of freeradius2 config will be synced. The XMLRPC code I use isn't optimized for syncing so much parts like I use them in my package. Syncing more parts will increase the reload time after any change because there are so much dependencies and reloads neccessary.

Special thanks goes to: marcelloc :D
Thank you for allowing me to use the pfblocker-xmlrpc code :)