NEW Package: freeRADIUS 2.x
-
Hi again,
if you add a user in GUI then this user is placed in the plain "users" file in /usr/local/etc/raddb/users
all check and reply attributes you can add from GUI will go int users file. The same is with limitations and restrictions.
Most of the features from this package aim to the "users" file.If you are using LDAP or mysql it is up to you to configure this, add users and limitations.
This needs to be done vi console/ssh and via config files:
You can find them - depending on your database - in this folder:/usr/local/etc/raddb/sql/So there it is up to you to create your "SELECTs" and "QUERY". The very best place too find help - depending on this is probably the freeradius mailing list and their homepage.
Limiting bandwidth is a reply attribute - you/freeradius is telling the NAS to limit the bandwidth.
a check attribute is for example "simultaneous-use" or "expiration" - the user wnats to login and the NAS needs to check if there are limitations for this user and needs to check this.
In the GUI there are many attributes implemented - just add them and take a look at the users file to see if they are check or reply attributes.
the check attributes are on the same line as the username.
reply attributes are listed below.attributes:
There are "unlimited" attributes. It always depends on what you NAS understands. Most NAS do have a dictionary of attributes and freeradius knows and understand these attributes. You can find them here - or you create a new one:/usr/local/share/freeradius/dictionary.*If you have ideas to improve the wiki - please feel free to do so. If you wrote some text - I can add this for you to the wiki. :-)
-
Okay, well, there is now no way apparently to get FreeRadius 2.x installed on the latest builds, so I figured I'd try FreeRADIUS 1.x. I cannot, for the life of me, figure out how to get all the certificates and everything to make WPA2-Enterprise. On FreeRADIUS2, once I finally got it to start, everything "just worked" - am I missing something or is FreeRADIUX 1.x not capable of doing WPA2-Enterprise. Desperately need a solution here to get the staff network up at this campground back up and online in the latest builds.
-
Okay, well, there is now no way apparently to get FreeRadius 2.x installed on the latest builds, so I figured I'd try FreeRADIUS 1.x. I cannot, for the life of me, figure out how to get all the certificates and everything to make WPA2-Enterprise. On FreeRADIUS2, once I finally got it to start, everything "just worked" - am I missing something or is FreeRADIUX 1.x not capable of doing WPA2-Enterprise. Desperately need a solution here to get the staff network up at this campground back up and online in the latest builds.
I am not 100% sure how it works in freeradius1 but you have to place your certificates in /usr/local/etc/raddb/certs/ folder. Then you need to edit the "eap.conf" file to point to the correct certificates. Perhaps you have to enable "eap" in radiusd.conf.
But you are right - in freeradius1 there is no GUI for that. The certificates need to be in .pem format if I remember correct. So probably best way would be to copy these certificates created on a pfsense 2.0.1 version to pfsense 2.1.I am not sure if freeradius2 package is visible on package manager on pfsese 2.1 but if it is try to install the package - it will install the GUI but breaks because of the missing packages which are not available in .pbi format.
The go to console and add the freeradius2 package from freebsd server with:
pkg_add -r http://www.bla-bla/freeradius2.tbzThen it "should" work with the basic features.
-
Yeah, I had it working that way before, it worked great, but I updated my snapshot and they removed all the non-PBI packages now. So I have no way to install the GUI since it can't manually be installed. Ugh…
-
This is the install link in the package manager of pfsense 2.0.1
Perhaps login on your pfsense and type in this URL. This should work… -
Thanks I'll give that a try tomorrow, I can't honestly see how it would work if the underlying reference to it in the list of available packages is gone, but anything's worth a try :)
-
Working perfectly, I guess the underlying reference to the package isn't gone. Running today's snapshot, where it'll probably stay for quite some time (maybe until release if it proves stable) since everything I need up here is now working well (content filtering, traffic shaping, a VLAN with priority, and WPA2-Enterprise)! Thanks a ton!
-
That was quick! I see there's now a PBI for freeRADIUS 2.x… Not gonna give it a shot yet I have everything working on the system and not gonna take it down on a client right now, I'll test next week and make sure the PBI "just works" by doing an update probably next Thursday
-
That was quick! I see there's now a PBI for freeRADIUS 2.x… Not gonna give it a shot yet I have everything working on the system and not gonna take it down on a client right now, I'll test next week and make sure the PBI "just works" by doing an update probably next Thursday
Don't do that!
We are trying to build the correct .PBIs and the correct dependency .PBIs for freeradius. At the moment there are not all .PBIs on the server. Hopefully the .PBI builder is doing its job.
On the Packages or the 2.1 forum there is a thread where peaople post which packages work for pfsense 2.1. You should have a look there and first install / change packages in production if they were tested.Just remember - pfsense 2.1 is still development and not ready ;-)
-
Just remember - pfsense 2.1 is still development and not ready ;-)
Something I know all too well, but at least I'm getting to test it in the real world. I built a new system for a client, and didn't realize I couldn't use a Realtek 8111e on-board NIC with pfSense 2.0. Thankfully, all is working now knock on wood - if it seems stable, I might not touch it until the final comes out :D
-
All of the PBI bits should be there now, and the other bits as well, on files.pfsense.org.
https://github.com/bsdperimeter/pfsense-packages/commit/465839eb99cd094d6d7e5b7d76e82c432165a82b
Give things another test, see how they go.
-
Installation error
-
Odd for whatever reason amd64 picked up postgresql 9.x and i386 got 8.x.
Should be OK shortly. Give it ~20 min and reinstall.
-
Does PF 2.1 count or send the correct traffic data when using freeradius2 and captive portal ?
I would like to run a daily and or a monthly usage cap for users, with mac auth. -
Does PF 2.1 count or send the correct traffic data when using freeradius2 and captive portal ?
I would like to run a daily and or a monthly usage cap for users, with mac auth.Anyone testing the traffic limits?
-
Does PF 2.1 count or send the correct traffic data when using freeradius2 and captive portal ?
I would like to run a daily and or a monthly usage cap for users, with mac auth.Anyone testing the traffic limits?
Probably not because there was just the .PBI fpr pfsense 2.1 but not the GUI ready for that.
I made some changes on the freeradius.inc to make the package work for 2.1. There are probably some fixes to make but at first it should work and we can test if all the neccessary dependencies are available and working or not.Give the server some minutes to sync the code.
-
FYI- a new PBI for FreeRADIUS2 just uploaded also, it should have the proper build options now. Due to a bug in the PBI build script it was missing the options for things like LDAP and such.
EDIT: i386 is up… amd64 is still building, I thought they had both finished.
-
FYI- a new PBI for FreeRADIUS2 just uploaded also, it should have the proper build options now. Due to a bug in the PBI build script it was missing the options for things like LDAP and such.
EDIT: i386 is up… amd64 is still building, I thought they had both finished.
Thanks for feedback. Cannot test from home because of a very bad and slow WLAn connectiong. Perhaps someone else can do this or I will try to find some time tomorrow.
Another question:
freeradius2 package contains a "mobile-one-time-password" feature. The script which realizes that is written in "bash". In the past I downloaded the bash package from the freebsd ftp server if someone wants to use mOTP. I would like to shrink the freeradius.inc so that I do not have to download bash because pfsense does not has bash by default - but pfsense can talk "shell" ;-)So if someone would like to help to improve this package - please feel free to translate the following script from "bash" to "shell":
#!/bin/bash # # Mobile One Time Passwords (Mobile-OTP) for Java 2 Micro Edition, J2ME # written by Matthias Straub, Heilbronn, Germany, 2003 # (c) 2003 by Matthias Straub # Modified 2012 by Alexander Wilke <nachtfalkeaw@web.de> # # Version 1.05a # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU Library General Public # License as published by the Free Software Foundation; either # version 2 of the License, or (at your option) any later version. # # This software is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # Library General Public License for more details. # # arguments: \$1 \$2 \$3 \$4 \$5 # \$1 - username # \$2 - one-time-password that is to be checked # \$3 - init-secred from token (to init token: #**#) # \$4 - user PIN # \$5 - time difference between token and server in 10s of seconds (360 = 1 hour) # # one-time-password must match md5(EPOCHTIME+SECRET+PIN) # # # otpverify.sh version 1.04b, Feb. 2003 # otpverify.sh version 1.04c, Nov. 2008 # changed line 1 to ksh because of problems with todays bash an sh # otpverify.sh version 1.05a, Jan. 2011 # changed back to bash and added in shopts line to ensure aliases handled # correctly (bash is always available on any modern *nix unlike ksh) # PATH=\$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin alias checksum=$varsettingsmotpchecksumtype have_md5="true" # ensure aliases are expanded by bash shopt -s expand_aliases function chop { num=`echo -n "\$1" | wc -c | sed 's/ //g' ` nummin1=`expr \$num "-" 1` echo -n "\$1" | cut -b 1-\$nummin1 } if [ ! \$# -eq 5 ] ; then echo "USAGE: otpverify.sh Username, OTP, Init-Secret, PIN, Offset" logger -f /var/log/system.log "FreeRADIUS: Mobile-One-Time-Password - wrong syntax - USAGE: otpverify.sh Username, OTP, Init-Secret, PIN, Offset"; exit 14 fi mkdir /var/log/motp 2>/dev/null mkdir /var/log/motp/cache 2>/dev/null mkdir /var/log/motp/users 2>/dev/null chmod og-rxw /var/log/motp 2>/dev/null || { echo "FAIL! Need write-access to /var/log/motp";logger -f /var/log/system.log "FreeRADIUS: Mobile-One-Time-Password - need write-access to /var/log/motp"; exit 17; } chmod og-rxw /var/log/motp/cache chmod og-rxw /var/log/motp/users USERNAME=`echo -n "\$1" | sed 's/[^0-9a-zA-Z._-]/X/g' ` PASSWD=`echo -n "\$2" | sed 's/[^0-9a-f]/0/g' ` SECRET=`echo -n "\$3" | sed 's/[^0-9a-f]/0/g' ` PIN=`echo -n "\$4" | sed 's/[^0-9]/0/g' ` OFFSET=`echo -n "\$5" | sed 's/[^0-9]/0/g' ` EPOCHTIME=`date +%s` ; EPOCHTIME=`chop \$EPOCHTIME` # delete old logins find /var/log/motp/cache -type f -cmin +$varsettingsmotpdeleteoldpasswords | xargs rm 2>/dev/null if [ -e "/var/log/motp/cache/\$PASSWD" ]; then echo "FAIL" logger -f /var/log/system.log "FreeRADIUS: Authentication failed! Mobile-One-Time-Password \$PASSWD is already used!" exit 15 fi # account locked? if [ "`cat /var/log/motp/users/\$USERNAME 2>/dev/null`" == "$varsettingsmotppasswordattempts" ]; then echo "FAIL" logger -f /var/log/system.log "FreeRADIUS: Authentication failed! Too many wrong password attempts. User is locked! To unlock delete /var/log/motp/users/\$USERNAME" exit 13 fi I=0 EPOCHTIME=`expr \$EPOCHTIME - $varsettingsmotptimespan` EPOCHTIME=`expr \$EPOCHTIME + \$OFFSET` while [ \$I -lt $varsettingsmotptimespanbeforeafter ] ; do # `$varsettingsmotptimespan * 10` seconds before and after OTP=`printf \$EPOCHTIME\$SECRET\$PIN|checksum|cut -b $varsettingsmotptokenlength` if [ "\$OTP" = "\$PASSWD" ] ; then touch /var/log/motp/cache/\$OTP || { echo "FAIL! Need write-access to /var/log/motp";logger -f /var/log/system.log "FreeRADIUS: Mobile-One-Time-Password - need write-access to /var/log/motp/cache"; exit 17; } echo "ACCEPT" logger -f /var/log/system.log "FreeRADIUS: Authentication success! Mobile-One-Time-Password \$PASSWD for user \$USERNAME is correct!" rm "/var/log/motp/users/\$USERNAME" 2>/dev/null exit 0 fi I=`expr \$I + 1` EPOCHTIME=`expr \$EPOCHTIME + 1` done echo "FAIL" NUMFAILS=`cat "/var/log/motp/users/\$USERNAME" 2>/dev/null` if [ "\$NUMFAILS" = "" ]; then NUMFAILS=0 fi NUMFAILS=`expr \$NUMFAILS + 1` echo \$NUMFAILS > "/var/log/motp/users/\$USERNAME" NUMFAILSLEFT=`expr $varsettingsmotppasswordattempts - \$NUMFAILS` logger -f /var/log/system.log "FreeRADIUS: Authentication failed! Mobile-One-Time-Password incorrect. \$NUMFAILSLEFT attempts left. " exit 11</nachtfalkeaw@web.de> -
For now if you want to, just add a build_port_path for shells/bash and then eventually when the PBI pops out it can be included.
If someone can rewrite that to a basic shell script then we can eventually remove that dependency.
-
It has changed on pbis, but still have something to do:
previous version was using cyrrus-sasl, did you compiled with krb5 on this version?
libkrb5.so is missing for rlm_krb5 but not for libgssapi_krb5.so/usr/pbi/freeradius-amd64/lib/freeradius-2.1.12/rlm_krb5.so:
libfreeradius-radius-2.1.12.so => /usr/pbi/freeradius-amd64/lib/freeradius-2.1.12/libfreeradius-radius-2.1.12.so (0x800c00000)
libkrb5.so => not found (0x0)
libcom_err.so => /usr/lib/libcom_err.so (0x800d21000)
libk5crypto.so => not found (0x0)
libthr.so.3 => /lib/libthr.so.3 (0x800e23000)
libc.so.7 => /lib/libc.so.7 (0x800646000)/usr/pbi/freeradius-amd64/lib/libgssapi_krb5.so:
libkrb5.so => /usr/pbi/freeradius-amd64/lib/libkrb5.so (0x800c00000)
libk5crypto.so => /usr/pbi/freeradius-amd64/lib/libk5crypto.so (0x800dce000)
libcom_err.so => /usr/lib/libcom_err.so (0x800ef8000)
libkrb5support.so => /usr/pbi/freeradius-amd64/lib/libkrb5support.so (0x800ffa000)
libc.so.7 => /lib/libc.so.7 (0x800646000)Is that the very latest PBI from a couple hours ago?
It should be compiled with whatever options were set in build_options - if those aren't right, feel free to adjust them.
That Kerberos library file is in the base system but it can also come from the krb5 port or the heimdal port.
If needed I can get the libraries and put them in a tgz on files.pfsense.org but I'd really like to avoid that if possible, these kinds of things should (in theory anyhow) be handled by port dependencies…
