FreeRADIUS and EAP-TLS only (security relevant pitfall)
I have just set up FreeRADIUS with EAP-TLS on my pfSense installation and rolled out x509 certificates to my clients. This works great so far.
Unfortunately I realized that if a user is configured and the user's machine has no certificate installed he is granted access to the WIFI as well! This is due FreeRADIUS switching back to EAP-PEAP or EAP-TTLS according to the provided EAP configuration (eap.conf)
To prevent this I have commented all non-EAP-TLS relevant sections in /usr/local/etc/raddb/eap.conf. So far so good.
But if I change anything EAP-TLS relevant within the GUI and click save the other fields (PEAP, TTLS, …) get written back to eap.conf and therfor re-enabling this authentication methods.
Is there a way to prevent this? If not I would suggest to extend the GUI to reflect this.
Yes, that is unfortunately a problem with freeradius2. You can use the one or the other security mode but if you are using both together then it could make problems because it could switch to an unwanted method.
This is because when configuring freeradius2 by hand you would create different virtual servers, every server with different configuration. (…/sites-enabled/...) but on pfsense freeradius2 uses just one server called defauolt (.../sites-enabled/...).
So if you would like to do what you described in you post you need to modify the /usr/local/pkg/freeradius.inc file.
There you find somewhere the eap.conf part and there just comment the line you do not need, save and then you can use the GUI to do any other changes with getting the eap.conf overwritten with "wrong" code.