PFSense as WPA Enterprise Client



  • Hiya.

    I know this has been on topic a few years ago but it ended nowhere really:
    http://forum.pfsense.org/index.php/topic,4297.0.html

    I'll spare you guys the story behind the situation.

    Problem is as follows:

    • Workplace (a school) use Wireless network with WPA (2?) Enterpise / RADUIS (tied to AD accounts)
    • I need to connect to it on the WAN side with a Wireless card.

    GUI does provide a whole bunch of options connecting to 802.1X wireless networks but I'm at a loss.

    Connecting via shell works like a charm using a custom wpa_supplicant.conf looking like this:

    ctrl_interface=/var/run/wpa_supplicant
    ctrl_interface_group=0
    ap_scan=1
    network={
            ssid="FOOBAR"
            key_mgmt=WPA-EAP
            eap=PEAP
            identity="DOMAINNAME\USERNAME"
            password="My ActiveDirectory Password"
            phase1="peaplabel=0"
            phase2="auth=MSCHAPV2"
    }
    

    After a second or two I can receive my IP by

    dhclient wpi0_wlan1
    

    Is there anyone able to maybe do a few changes to the GUI to make this work GUI wise or anyone who's got an idea how I get this working by scripting it?

    I need this to survive reboots, temporary auth failures, loss of DHCP lease (and to request a new one) etc.

    Thanks a bunch guys!



  • @Mattofsweden:

    Is there anyone able to maybe do a few changes to the GUI to make this work GUI wise or anyone who's got an idea how I get this working by scripting it?

    What changes to the GUI do you think are required and why?



  • @wallabybob:

    What changes to the GUI do you think are required and why?

    Well, changes might be the wrong word, rather additions to the GUI. The ability to GUI wise add identity & password as well as the "phase" types. I'm yet to understand all these different wireless authentication types, but it seems that is what I need currently. Or a way around it that works until a release that might have it comes along.

    Thanks



  • I think a good modification to the GUI would be to allow for the hiding of non-applicable options.

    For example, instead of showing all the options for the wifi at once, have the user first select a mode: either AP or Client.
    Then, if AP is selected, either grey out or hide all the settings that are client specific, and vice versa.

    Likewise when selecting encryption.  When WPA is selected there should be no reason for WEP keys to be entered, so either hide or grey those options.



  • Nobody got any idea on how to make this work in a simple administrative manner?  :(



  • It looks to me that the GUI doesn't provide for configuration of a wireless client connecting to an AP which uses RADIUS authentication. In particular, there doesn't seem to be a way to input the RADIUS username (identity) and password. There doesn't seem to be a HOWTO for this type of configuration and it doesn't seem to be discussed in the pfSense book. It would probably be worth submitting a bug report on http://redmine.pfsense.org

    In the meantime you could probably edit (saving a copy of the original file first) the pfSense file /etc/inc/interfaces.inc in the region of```
            /* generate wpa_supplicant/hostap config if wpa is enabled */
            conf_mount_rw();

    switch ($wlcfg['mode']) {
                    case 'bss':
                            if (isset($wlcfg['wpa']['enable'])) {
                                    $wpa .= <<<eod<br>ctrl_interface={$g['varrun_path']}/wpa_supplicant
    ctrl_interface_group=0
    ap_scan=1
    #fast_reauth=1
    network={
    ssid="{$wlcfg['ssid']}"
    scan_ssid=1
    priority=5
    key_mgmt={$wlcfg['wpa']['wpa_key_mgmt']}
    psk="{$wlcfg['wpa']['passphrase']}"
    pairwise={$wlcfg['wpa']['wpa_pairwise']}
    group={$wlcfg['wpa']['wpa_pairwise']}
    }
    EOD;</eod<br>

            conf_mount_rw();
    
            switch ($wlcfg['mode']) {
                    case 'bss':
                            if (isset($wlcfg['wpa']['enable'])) {
                                    $wpa .= <<<eod<br>ctrl_interface={$g['varrun_path']}/wpa_supplicant
    ctrl_interface_group=0
    ap_scan=1
    #fast_reauth=1
    network={
    ssid="{$wlcfg['ssid']}"
    scan_ssid=1
    priority=5
    key_mgmt={$wlcfg['wpa']['wpa_key_mgmt']}
    psk="{$wlcfg['wpa']['passphrase']}"
    pairwise={$wlcfg['wpa']['wpa_pairwise']}
    group={$wlcfg['wpa']['wpa_pairwise']}
    }
    EOD;
    
    If that works it could be fragile with respect to wireless configuration changes.</eod<br></eod>


  • @wallabybob:

    It looks to me that the GUI doesn't provide for configuration of a wireless client connecting to an AP which uses RADIUS authentication. In particular, there doesn't seem to be a way to input the RADIUS username (identity) and password. There doesn't seem to be a HOWTO for this type of configuration and it doesn't seem to be discussed in the pfSense book. It would probably be worth submitting a bug report on http://redmine.pfsense.org

    Better late than never ;)

    It works, but as you said, a bit fragile. Thank you.

    Issue submitted:
    http://redmine.pfsense.org/issues/2400


Log in to reply