NEW Package: freeRADIUS 2.x

jimp

FYI- a new PBI for FreeRADIUS2 just uploaded also, it should have the proper build options now. Due to a bug in the PBI build script it was missing the options for things like LDAP and such.

EDIT: i386 is up… amd64 is still building, I thought they had both finished.

Nachtfalke

@jimp:

FYI- a new PBI for FreeRADIUS2 just uploaded also, it should have the proper build options now. Due to a bug in the PBI build script it was missing the options for things like LDAP and such.

EDIT: i386 is up… amd64 is still building, I thought they had both finished.

Thanks for feedback. Cannot test from home because of a very bad and slow WLAn connectiong. Perhaps someone else can do this or I will try to find some time tomorrow.

Another question:
freeradius2 package contains a "mobile-one-time-password" feature. The script which realizes that is written in "bash". In the past I downloaded the bash package from the freebsd ftp server if someone wants to use mOTP. I would like to shrink the freeradius.inc so that I do not have to download bash because pfsense does not has bash by default - but pfsense can talk "shell" ;-)

So if someone would like to help to improve this package - please feel free to translate the following script from "bash" to "shell":

#!/bin/bash
#
# Mobile One Time Passwords (Mobile-OTP) for Java 2 Micro Edition, J2ME
# written by Matthias Straub, Heilbronn, Germany, 2003
# (c) 2003 by Matthias Straub
# Modified 2012 by Alexander Wilke <nachtfalkeaw@web.de>
#
# Version 1.05a
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU Library General Public
# License as published by the Free Software Foundation; either
# version 2 of the License, or (at your option) any later version.
# 
# This software is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# Library General Public License for more details.
#
# arguments:  \$1 \$2 \$3 \$4 \$5
# \$1 - username
# \$2 - one-time-password that is to be checked 
# \$3 - init-secred from token (to init token: #**#)
# \$4 - user PIN
# \$5 - time difference between token and server in 10s of seconds (360 = 1 hour)
#
# one-time-password must match md5(EPOCHTIME+SECRET+PIN)
# 
#
# otpverify.sh version 1.04b, Feb. 2003
# otpverify.sh version 1.04c, Nov. 2008
#  changed line 1 to ksh because of problems with todays bash an sh
# otpverify.sh version 1.05a, Jan. 2011
#  changed back to bash and added in shopts line to ensure aliases handled
#  correctly (bash is always available on any modern *nix unlike ksh)
#

PATH=\$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

    alias checksum=$varsettingsmotpchecksumtype
    have_md5="true"

# ensure aliases are expanded by bash
shopt -s expand_aliases

function chop
{
	num=`echo -n "\$1" | wc -c | sed 's/ //g' `
	nummin1=`expr \$num "-" 1`
	echo -n "\$1" | cut -b 1-\$nummin1 
}

if [ ! \$# -eq 5 ] ; then
echo "USAGE: otpverify.sh Username, OTP, Init-Secret, PIN, Offset"
logger -f /var/log/system.log "FreeRADIUS: Mobile-One-Time-Password - wrong syntax - USAGE: otpverify.sh Username, OTP, Init-Secret, PIN, Offset";
exit 14
fi

mkdir /var/log/motp 2>/dev/null
mkdir /var/log/motp/cache 2>/dev/null
mkdir /var/log/motp/users 2>/dev/null
chmod og-rxw /var/log/motp 2>/dev/null || { echo "FAIL! Need write-access to /var/log/motp";logger -f /var/log/system.log "FreeRADIUS: Mobile-One-Time-Password - need write-access to /var/log/motp"; exit 17; }
chmod og-rxw /var/log/motp/cache
chmod og-rxw /var/log/motp/users

USERNAME=`echo -n "\$1" | sed 's/[^0-9a-zA-Z._-]/X/g' `
PASSWD=`echo -n "\$2" | sed 's/[^0-9a-f]/0/g' `
SECRET=`echo -n "\$3" | sed 's/[^0-9a-f]/0/g' `
PIN=`echo -n "\$4" | sed 's/[^0-9]/0/g' `
OFFSET=`echo -n "\$5" | sed 's/[^0-9]/0/g' `
EPOCHTIME=`date +%s` ; EPOCHTIME=`chop \$EPOCHTIME`

# delete old logins
find /var/log/motp/cache -type f -cmin +$varsettingsmotpdeleteoldpasswords | xargs rm 2>/dev/null

if [ -e "/var/log/motp/cache/\$PASSWD" ]; then
	echo "FAIL"
	logger -f /var/log/system.log "FreeRADIUS: Authentication failed! Mobile-One-Time-Password \$PASSWD is already used!"
	exit 15
fi

# account locked?
if [ "`cat /var/log/motp/users/\$USERNAME 2>/dev/null`" == "$varsettingsmotppasswordattempts" ]; then
	echo "FAIL"
	logger -f /var/log/system.log "FreeRADIUS: Authentication failed! Too many wrong password attempts. User is locked! To unlock delete /var/log/motp/users/\$USERNAME"
	exit 13
fi

I=0
EPOCHTIME=`expr \$EPOCHTIME - $varsettingsmotptimespan`
EPOCHTIME=`expr \$EPOCHTIME + \$OFFSET`
while [ \$I -lt $varsettingsmotptimespanbeforeafter ] ; do # `$varsettingsmotptimespan * 10` seconds before and after
	OTP=`printf \$EPOCHTIME\$SECRET\$PIN|checksum|cut -b $varsettingsmotptokenlength`
	if [ "\$OTP" = "\$PASSWD" ] ; then
		touch /var/log/motp/cache/\$OTP || { echo "FAIL! Need write-access to /var/log/motp";logger -f /var/log/system.log "FreeRADIUS: Mobile-One-Time-Password - need write-access to /var/log/motp/cache"; exit 17; }
		echo "ACCEPT"
		logger -f /var/log/system.log "FreeRADIUS: Authentication success! Mobile-One-Time-Password \$PASSWD for user \$USERNAME is correct!"
		rm "/var/log/motp/users/\$USERNAME" 2>/dev/null
		exit 0
	fi
	I=`expr \$I + 1`
	EPOCHTIME=`expr \$EPOCHTIME + 1`
done

echo "FAIL"
NUMFAILS=`cat "/var/log/motp/users/\$USERNAME" 2>/dev/null`
if [ "\$NUMFAILS" = "" ]; then
	NUMFAILS=0
fi
NUMFAILS=`expr \$NUMFAILS + 1`
echo \$NUMFAILS > "/var/log/motp/users/\$USERNAME"
NUMFAILSLEFT=`expr $varsettingsmotppasswordattempts - \$NUMFAILS`
logger -f /var/log/system.log "FreeRADIUS: Authentication failed! Mobile-One-Time-Password incorrect. \$NUMFAILSLEFT attempts left. "
exit 11</nachtfalkeaw@web.de>

jimp

For now if you want to, just add a build_port_path for shells/bash and then eventually when the PBI pops out it can be included.

If someone can rewrite that to a basic shell script then we can eventually remove that dependency.

jimp

It has changed on pbis, but still have something to do:
previous version was using cyrrus-sasl, did you compiled with krb5 on this version?
libkrb5.so is missing for rlm_krb5 but not for libgssapi_krb5.so

/usr/pbi/freeradius-amd64/lib/freeradius-2.1.12/rlm_krb5.so:
libfreeradius-radius-2.1.12.so => /usr/pbi/freeradius-amd64/lib/freeradius-2.1.12/libfreeradius-radius-2.1.12.so (0x800c00000)
libkrb5.so => not found (0x0)
libcom_err.so => /usr/lib/libcom_err.so (0x800d21000)
libk5crypto.so => not found (0x0)
libthr.so.3 => /lib/libthr.so.3 (0x800e23000)
libc.so.7 => /lib/libc.so.7 (0x800646000)

/usr/pbi/freeradius-amd64/lib/libgssapi_krb5.so:
libkrb5.so => /usr/pbi/freeradius-amd64/lib/libkrb5.so (0x800c00000)
libk5crypto.so => /usr/pbi/freeradius-amd64/lib/libk5crypto.so (0x800dce000)
libcom_err.so => /usr/lib/libcom_err.so (0x800ef8000)
libkrb5support.so => /usr/pbi/freeradius-amd64/lib/libkrb5support.so (0x800ffa000)
libc.so.7 => /lib/libc.so.7 (0x800646000)

Is that the very latest PBI from a couple hours ago?

It should be compiled with whatever options were set in build_options - if those aren't right, feel free to adjust them.

That Kerberos library file is in the base system but it can also come from the krb5 port or the heimdal port.

If needed I can get the libraries and put them in a tgz on files.pfsense.org but I'd really like to avoid that if possible, these kinds of things should (in theory anyhow) be handled by port dependencies…

Nachtfalke

hmpf :(

I have a problem with my constant…it's not working.

define('USRLOCAL', '/usr/local');

USRLOCAL is not resolved in the rest of the config files (radiusd.conf, radiusd.sh)

Could there be only one constant in a php file !?
Or should the maintainer just improve his php skills ;)

marcelloc

@jimp:

It should be compiled with whatever options were set in build_options - if those aren't right, feel free to adjust them.
That Kerberos library file is in the base system but it can also come from the krb5 port or the heimdal port.

That's the point. On November 01, 2011 while I was trying to compile postfix to use sasl, I thought it was a compile arg missing but ermal replied this:

@ermal:

That's missing dependency of the package i think or missing libraries in base of pfSense.
It is not a missing compile flag of the package itself.

Just general comment here while i saw this though.

After this, I've copied missing libs for saslpasswd2 from freebsd base system and it started working.

jimp

That makes me wonder if I might need to expose a couple more PBI build options. See there are two things you can do with a PBI besides the main package build that are better for dependencies, you can set a port to build before the main build or a port to build after.

So maybe if I add krb5 to the "before" list it might work. I'll do some experiments and see what happens, assuming I get time today.

marcelloc

@jimp:

So maybe if I add krb5 to the "before" list it might work. I'll do some experiments and see what happens, assuming I get time today.

Thank's for your help Jimp. :)

krb5 has a lot of dependencies while heimdal is almost native for freebsd, maybe changing it to heimdal could result in a smaller pbi.

jimp

Might be a better way, that's what I'll try first.

Sneaking WITHOUT_X11 into the PBI config also saves a bit. The PBI for mtr went from 60MB to 44K in a test build :-) (doesn't apply to all ports though, of course…)

FYI- check my reply in the 2.1 package testing thread for info about Dansguardian

jimp

For an update on the library issue, see my post here: http://forum.pfsense.org/index.php/topic,50603.0.html

Nachtfalke

Ok, as far as I can say that at the moment:
freeradius2 should work with basic authentication methods on pfsense 2.1 and 2.0.x
But probably it is best to test on a test machine and make sure that all features will work. what you need to test is mysql, postgresql and LDAP functionality. Because of the new package dependencies in the new .PBI packages there could be some files missing. I do not have any possibility to check with SQL or LDAP.

So please do not update at the moment if you have a running freeradius2 package on any pfsense 2.0.x machine. There are no new features or bugfixes. The changes we made are only for compatibility with pfsense 2.1.

Thanks for your feedback!

Als

Error in otpverify.sh script:

In code :
OTP=printf $EPOCHTIME$SECRET$PIN|checksum|cut -b 6

Should be:
OTP=printf $EPOCHTIME$SECRET$PIN|checksum|cut -b 1-6

Nachtfalke

@Als:

Error in otpverify.sh script:

In code :
OTP=printf $EPOCHTIME$SECRET$PIN|checksum|cut -b 6

Should be:
OTP=printf $EPOCHTIME$SECRET$PIN|checksum|cut -b 1-6

I think you mean line 3925 here:
https://github.com/bsdperimeter/pfsense-packages/blob/master/config/freeradius2/freeradius.inc

The GUI says it with an example: You have to enter the range like:
1-6
3-9
3-5
7-10

If you just enter one number it will not work - of course.

Hi,

First post here but I've been using Pfsense for some time (I love it ;D).

I've tried Freeradius 1 some time ago and and didn't manged to get it to work. This time with Freeradius 2 and the interface in Pfsense I've managed to get it working without much trouble. I able to log into my wireless using TTLS or PEAP and a test user I created in the Freeradius2 config (from the web interface).
I also managed to connect to my wireless using TLS, however it doesn't work as expected.

I am using Pfsense built-in certificate manager as recommended In the cert manager I created a new CA (Radius Wireless CA) specifically for using with Freeradius as well as some client certificate signed by this new CA. In my certificate manager I also have a separate CA for openvpn with some client certificates.

I configured my Freeradius EAP option as follow:
"Choose Cert-Manager": Checked (to use the Firewall Cert-Manager)
SSL CA Certificate: Radius Wireless CA cert
SSL Server Certificate: Radius server cert (certificate signed by the CA)

I was expecting to able to only use a client certificate signed by the Radius Wireless CA cert. As a test I tried using a client certificate signed by the CA I created for Openvpn and it worked. Freeradius accepted it !! :o

I don't believe this is the expected behavior… I am wondering if it is checking the certificate at all !!? :o

Actually I just created a new (test) CA with a client certificate. Exported it and deleted the CA from Pfsense. And I can connect with this client certificate as well.

Can somebody confirm the problem? Is it just me that made some strange configuration (I don't thing so though). BTW I was trying to see if I could use certificate revocation when I found the issue.

EDIT: I might have jumped to conclusion too quickly. I use the same computer (running xubuntu 12.4 with network manager) when testing certificate. After rebooting I wasn't able to login with the invalid certificate anymore. I guess there is something about reconnecting shortly after with other certificate... maybe it's the way Radius / EAP-TLS works or maybe it is network manager ? I still think this is strange.

Nachtfalke

Hi,

if you select the CA and server cert on freeradius2 GUI -> EAP and the click save then the CA and server certifficate will be placed here:

/usr/local/etc/raddb/certs/

So if you just delete the CA and/or server cert on the pfsense built-in cert manager this does NOT mean it will be deleted in freeradius2 folder.
I know this is not an elegant solution but till now and until someone adds some more code this will not change.

After deleting the CA and/or the cert in the built-in manager you have to go to freeradius2 GUI -> EAP and and chose the new CA. The problem is - if you are not using any CA and server cert - freeradius2 will not start. (That is the reason why by default the not recommended freeradius2 cert manager is enabled).

The same is with the Certificate revocation List. The CRL on the pfsense built-in cert-manager will not be recognized by freeradius2 at the moment. This feature needs some more code.

When using only TLS then you should set the option "disable weak EAP types" on freeradius2 GUI -> EAP.
Further you can try to use "Check Cert Issuer"

Check this for more information:
http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package#EAP-TLS

I was editing my reply when you posted :)

Thanks for the information. I didn't actually actually try to remove the CA but that's definitely good to known. I'll have a look at the certificate in /usr/local/etc/raddb/certs/ out of curiosity.

I did disable weak EAP types. I still not sure about the difference between PEAP and TTLS. It seems PEAP also uses some kind of TLS tunnel.

I've head about MS-CHAP v2 being vulnerable (https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/). With "disable weak EAP types" checked, Freeradius doesn't allow plain ms-chap-v2 right? Only in a TLS tunnel if I understood correctly ?

It would be great to be able to use Certificate revocation List. I guess there has to be some way to manually create a Certificate revocation List for Freeradius? Any pointer is welcome.
That would certainly be better than nothing if I were to misplace one of my certificate/device. Having to start a fresh CA would take some time, even if it's only for my home network.

Ok I figured out how to use crl… it's manual and clearly a hack but it does work. :)
This for when using Freeradius with the Pfsense cert manager.
EDIT: Actually it doesn't work properly... it actually reject all connection.

1. Go to the Pfsense Cert manager and create en internal Certificate Revocation List for the CA used for Freeradius2. (if not already created)

2. Edit the Certificate Revocation List and revoke a certificate.

#Because Freeradius has no idea about this Certificate Revocation List you will still be able to use the certificate a this point.

3. Export the Certificate Revocation List.

4. Edit /usr/local/etc/raddb/certs/ca_cert.pem and append the Certificate revocation list at the end.

5. Edit /usr/local/etc/raddb/eap.conf and uncomment the line "check_crl = yes"

6. Restart the Freeradius2 server (There is probably a better way to reload the configuration file but I simply stoped it and restarted it from the Pfsense web interface)

Now try to connect with the revoked certificate. You shouldn't be able to connect. Look at /var/log/radius.log for more info.

You should have something like this:

Error: --> verify error:num=12:CRL has expired
....
Auth: Login incorrect (CRL has expired)

IMPORTANT: By going to the Freeradius2 eap preference page and clicking on save, the package will generate a new eap.conf with the crl line commented out! Have to be careful !

If someone knows of a better way to edit the default configuration, I'll be interested.

Nachtfalke

@arekkusu:

Ok I figured out how to use crl… it's manual and clearly a hack but it does work. :)
This for when using Freeradius with the Pfsense cert manager.

1. Go to the Pfsense Cert manager and create en internal Certificate Revocation List for the CA used for Freeradius2. (if not already created)

2. Edit the Certificate Revocation List and revoke a certificate.

#Because Freeradius has no idea about this Certificate Revocation List you will still be able to use the certificate a this point.

3. Export the Certificate Revocation List.

4. Edit /usr/local/etc/raddb/certs/ca_cert.pem and append the Certificate revocation list at the end.

5. Edit /usr/local/etc/raddb/eap.conf and uncomment the line "check_crl = yes"

6. Restart the Freeradius2 server (There is probably a better way to reload the configuration file but I simply stoped it and restarted it from the Pfsense web interface)

Now try to connect with the revoked certificate. You shouldn't be able to connect. Look at /var/log/radius.log for more info.

You should have something like this:

Error: --> verify error:num=12:CRL has expired
....
Auth: Login incorrect (CRL has expired)

IMPORTANT: By going to the Freeradius2 eap preference page and clicking on save, the package will generate a new eap.conf with the crl line commented out! Have to be careful !

If someone knows of a better way to edit the default configuration, I'll be interested.

Hi arekkusu,

you can edit the "freeradius.inc" in /usr/local/pkg/freeradius.inc on line 1022. This will make the changes permanent even if you click "save" on freeradius -> EAP GUI.
What I would prefer is if there is a way to select the CRL on the freeradius GUI like it is possible with the CA and the other certificates but I do not have the php skills to solve this :-(

So my intention is that the user generates all CAs, certificates and CRLs on pfsense cert-manager, then go to freeradius and just select them. If something on the CRL has changed the user just has to go to the freeradius GUI and re-save the EAP part to generate the new CRL for freeradius.

The check_crl part on eap.conf - I will try to add this as an option to the GUI. But this will not avoid to do your steps 1 - 4
Can you please explain me a little bit more in detail what you did on step 4 and where you found the description for that on the internet ?

Thank you for your help!

My how-to actually doesn't work. I though it was working but I latter realized it wasn't accepting any connection. It seem the "(CRL has expired)" in the logs is Freeradius not being happy abou the CRL / not finding it.

About step4, I did read this somewhere on the Internet, I just can't find the link. I actually seem that putting it in a separate "crl.pem" might be the standard way though. ???

I've found some interesting information here: http://www.breezy.ca/?q=node/223

I've tried to add the crl_file = ${raddbdir}/certs/crl.pem in eap.conf and createated crl.pem but it still won't use the certificate revocation list (it reject everything). I know little about openssl so I am not sure if the crl is in the good format.

Altercation

The freeradius2 wiki page is one of the better doc pages I've read for pfsense. I wanted to point out a minor error (or rather a possible point of confusion) in the wiki page:

Where the initial localhost radtest is performed, the sample command includes "username password" and, while this should be clear enough to anyone setting up RADIUS, the command should be correct from:

radtest username password 127.0.0.1:1812 0 testing123

to:

radtest testuser testpassword 127.0.0.1:1812 0 testing123