Freeradius: the simple noob questions :-)



  • G'day all lovers of the best firewall in the world  :P

    I want to setup Freeradius, but it appears every documentation I find (I've been googling for hours, have also read the pfSense wiki, etc) already assumes background knowledge of the RADIUS concepts. As I am only a simple person, if I don't have the concepts first, I can't understand what I am doing / supposed to be doing in the first place  :-[

    Would somebody perhaps please help me out of my misery? ( ;D)

    [b]What I want
    Given the hardware in my sig, adding that I also have 2 Ubiquity wireless access points (WAP), I want to leave these access points on 24/7. I do not want somebody to 'hack my WiFi waves' and be able to mess around on my LAN. So my reasoning is: if I use Radius with public/private keys, the bad hacker can 'hack my wireless waves' all he wants, but he can't do anything else, as pfSense will simply deny access.

    So, I am imagining: Wife switches on her mobile phone (Android), this finds my wireless network. I connects to that, the phone is asked for a public/private key, this is validated, and wife gets in. The neighbor doesn't have such a key, so he can't come in. Never.

    My questions
    1. After a couple of hours, I am guessing that a 'NAS' is the same as 'client' in pfSense, and it is the physical appliance from where authentication requests come. So given I have a HP switch in which all machines are plugged in, this switch is the 'client'= NAS, right?
    2. I'm having troubles understanding the communication between the WAP and the switch. In the switch config I can tell that pfSense is the Radius server. So if I connect a laptop to the switch, the switch will ask pfSense if the laptop is allowed to connect. However, for the WAP: the WAP is plugged into the switch, and both the WAP and the switch have a setting to tell them that they should ask pfSense if the connection is allowed. So: I connect wireless to the WAP, which connects to the switch, which connects to pfSense. Who is doing the Radius lookup here, the WAP, or the switch? (Do I enable the forward for authentification in both the WAP and the switch, or only in the switch?)
    3. If you tell the switch to forward all connections for authentification, you will need to do this for all computers in the LAN I guess (I don't see any setting in the switch to restrict the authentication to just a couple of connection ports). This will be troublesome, as I think my HTPC (openelec) will be hard to configure to use radius. Am I correct that the only way around that is to only have the WAP's authenticate directly against pfSense (so, don't enable Radius in the switch, only in the WAP)?
    5. What is the purpose of the 'shared secret', the text password you have to enter? I thought this is notoriously insecure, and for that reason you want to use certificates? So why the textual 'shared secret'?
    6. What are 'users' in Radius terms? Really like 'wife' is a user and 'me' is a user, or is a user a LAN-machine, so for example laptop is a user, and smartphone is another?

    I know this is not my brightest question post I ever asked, which is caused by the confusion (many technical documents are, so it seems to me as a noob, written for technical people who probably don't need the documentation in the first place at all  ;D).

    I would like to thank you in advance for clearing up the fog very much,

    Bye ;D



  • Hi,

    there are often threads and posts which are talking about freeradius clients/nas. That's why the package cqalls Client/NAS one option because some people call it client and some call it NAS. And some understand "client" as NAS and some understand it as a computer or als "wife" ;-)

    So the RADIUS concept in general looks like this:

    RADIUS (freeradius on pfsense) –- Clien/NAS (WAP, Switch,) ---- Users/MACs (Laptops, Smartphones, "wife", "me")

    The process of authentication works like this:
    A notebook connects to a switch (NAS/Client) via ethernet. The switch blocks the connection to the network and ask - depending on its configuration - for username/password or certificate or MAC address. The user of the notebook needs to enter this.

    Then the switch (NAS/Client) sends these credentials to its known RADIUS server. This communication is encrypted with the shared secret. The RADIUS server checks its database and sends and "Access-Accept" or "Access-Reject" back to the switch (NAS/Client).

    Depending on the result the switch (NAS/Client) allows or rejects access to the notebook.

    If the communication between NAS/Client and the notebook is secure depends on the mechanisms you are using.

    Switches which do RADIUS authentication sometimes do have a setting to set one port to "Always authenticated" or "Force authentication" which means that you do not have to autheticate on this port. You should configure the switch ports this way and connect the WAPs to these ports. Then enable RADIUS authentication on the WAPs.

    If this is not possible then only enable authentcation on the WAPs and not on the switch. If you enable it on the switch only and not WAP then it depends of the switch how many different authentications can be made on one single port. It is not always possible to allow some authentications on one port and disallow others on the same port.

    Further I assume that unwanted computers will connect through WAP and probably not through wire within your house ;)

    PS: I would suggest to use PEAP which is easiest to configure and is really secure and only minimal less secure than server + client certificate because you have to copy certificates to all clients and if you have guests it is much easier to just add a new user to RADIUS than creating and transferring a client certificate to users device.

    I am sure you read this but just want to mention it here again:
    https://doc.pfsense.org/index.php/FreeRADIUS_2.x_package



  • Thank you very much for responding, Nachtfalke  ;D

    Thanks to your explanation and some post I found I finally understand a little better what I am doing.

    These are the two other posts, by the way for all future 'victims' that don't have a clue :-):

    http://networklessons.com/wireless/peap-and-eap-tls-on-server-2008-and-cisco-wlc/
    http://networklessons.com/wireless/eap-tls-certificates-for-wireless-on-android/

    My current status is: it worked, and then it didn't  :-X

    What worked
    I started with a simple setup; I setup my Ubiquity WAP to check with freeRadius. Created a simple user (phone1) with a password. That worked. Of course, next I wanted to use certificates. I do understand your recommendation about using PEAP, but I'd like to do it fancy so I have something to brag about in our next monthly accounting meeting ( ;D).

    What didn't work
    Certificates  :-[

    There are two problems that probably are related. Something goes wrong when I am exporting certificates, because Android 4.2 (I have a HTC One SV smartphone) doesn't like the *.p12-stuff. So the CA import works, but the client certificate import doesn't; it keeps on asking for a password, although I didn't enter any password anywhere.

    This has happened to others also, given this thread:

    http://forum.pfsense.org/index.php?topic=52573.0

    Unfortunately, the suggestion of jimp, to use the 'inline configuration export' in OpenVPN I don't quite understand. I don't have OpenVPN (couldn't get it to work), and when I look in the client export utility I don't see it having my certificates from the certificate manager neither, so I don't know how I would use this work around to get it to work.

    There are, by the way, other threads dealing with this problem also, and they've gone way back:
    https://code.google.com/p/android/issues/detail?id=7752
    https://code.google.com/p/android/issues/detail?id=48602

    So, then I tried to use the first two buttons, 'export cert' and 'export key'. In Android, it happily pretends to import the *.cert, however, when I try to connect to my wifi, in the connection details I enter TLS and MSCHAPv2 (as it is in freeRadius), I can select the CA-cert, but it doesn't allow me to select the client-cert. Hence my 'it happily pretends to import', because obviously it didn't.

    I also tried to 'go via Windows 7', e.g. import certificates into W7 first, and then export them. But that doesn't work, and given the second link in the networklessons.com post above, where the author describes setting up Android, I have another screen when exporting from Windows; when he exports he can select 'export private key also' (which is greyed out for me), and his 'export file format' is button 4 (which also is greyed out for me), whereas my 'export file format' can be one of the first three buttons (which are greyed out in his screen). So no luck here either, and I have no clue why.

    I also regenerating the certificates, making sure they were 2048/SHA256, as I read somewhere 4096 could be a problem.

    So I think I am stuck. freeRadius with user + password works, but something goes wrong when using certs. I have googled for hours again, but I haven't found a solution yet  :'(

    Would you happen to know of a solution?

    Also, I am not quite sure what it is I did that made freeRadius change from using passwords to using certificates; how does freeRadius determine what it should use? For example also: EAP-TLS or PEAP-?

    [b]EDIT (for the 15th time  ;D): could I ask another question?

    Enable Plain MAC Auth
    

    If I read the wiki correctly, this is not a secondary security check, right? So it is not that freeRadius first checks the MAC of a user (and perhaps also the client) before continuing the other authentication checks, right? It is 'or/or' not 'and/and'?) Because some of the text in the wiki makes me believe it is, whereas other parts then make me believe it is not(?)

    Thank you once again for your help; I am in your debt very much  ;D



  • Hmmm, it appears the password can not contain any strange characters (I used PEAP now for testing). This will not have the HTC One SV Android 4.2 connect:

    
    h\~p];6xh'?}.L#1:\O<
    
    

    (It was a hell to type that in on the small smartphone key board  ;D ;D ;D).

    However, this will:

    
    test1234
    
    


  • In general the communication between the switch and the RADIUS sends a username and a password. Unfortunately some switches just send the MAC address because they cannot handle username/passwords but only MAC addresses.

    Then RADIUS must know that the switch only sends a MAC address and not username/password.
    Then you enable this option "Plain MAC" and store all MAC addresses in the "MACs" tab of freeradius.

    Unfortunately the freeradius2 package cannot be configured to disable PEAP but allow EAP-TLS. This must be dony within the freeradius.inc file and in the part where the function writes the server-default/default file. There you need to comment the lines you do not want.

    So if you have a user in freeradius (user: test  password: pass) and you do not disable PAP then it would be possible for someone to authenticate successfully with these credentials even if you intention is to only allow EAP-TLS.

    So if you use EAP-TLS then you should not configure any users on freeradius.
    If you configure users then use PEAP.

    To export certificates - you can try using the command shell.
    And you can try the "Certificates" tab on freeradius2 - which should not be the goal but perhaps could be a solution.
    But first try to make a windows 7 or windows XP machine to work with EAP-TLS befor going on with android or iOS to make sure your basic configuration works.



  • @Nachtfalke:

    In general the communication between the switch and the RADIUS sends a username and a password. Unfortunately some switches just send the MAC address because they cannot handle username/passwords but only MAC addresses.

    Then RADIUS must know that the switch only sends a MAC address and not username/password.
    Then you enable this option "Plain MAC" and store all MAC addresses in the "MACs" tab of freeradius.

    Unfortunately the freeradius2 package cannot be configured to disable PEAP but allow EAP-TLS. This must be dony within the freeradius.inc file and in the part where the function writes the server-default/default file. There you need to comment the lines you do not want.

    So if you have a user in freeradius (user: test  password: pass) and you do not disable PAP then it would be possible for someone to authenticate successfully with these credentials even if you intention is to only allow EAP-TLS.

    So if you use EAP-TLS then you should not configure any users on freeradius.
    If you configure users then use PEAP.

    To export certificates - you can try using the command shell.
    And you can try the "Certificates" tab on freeradius2 - which should not be the goal but perhaps could be a solution.
    But first try to make a windows 7 or windows XP machine to work with EAP-TLS befor going on with android or iOS to make sure your basic configuration works.

    Thanks again very much, Nachtfalke  ;D

    **And: I got it to work (yippie, took me almost eight hours of searching and trying  :-[).[/b]

    So, for future generations, here is what worked:
    1. The problem indeed was the export of non-passworded *.p12 files for Android.
    2. Windows 7 had no problem connecting (see the above linked posts from networklessons).
    3. Jimp wrote somewhere that in Android you simply had to put in a single space in the password field, but this did not work.
    4. But, what works is: import the *.p12 and the CA that pfSense created into the Firefox certificate manager (Tools/options/advanced/certificates; import them into Authorities and Your Certificates), and then export Your Certificate again given it a simple password.
    5. Et voila, this certificate I could import into Android 4.2, and use for EAP-TLS. I checked that it actually uses it by deleting the user/password I used previously, and: yes it works  :P ;D :-X

    (Me happy now  ;D).

    By the way, Nachtfalke, the fact that you say that you can use user/password on the one hand, and certificates on the other hand, at the same time, offers something useful for me; I can use EAP-TLS for myself, and can give guests PEAP, especially since freeRadius then can also send them to an isolated VLAN. The best of both worlds.

    I love my pfSense  :P

    Thanks again for your help, Nachtfalke  ;D**



  • Although I do have it working now (yes, still very extremely happy, I can sleep safely now  ;D), on celebrating the victory I came up with two more questions:

    • Since I'm working with certificates now in EAP-TLS, this does mean that whomever gets his hands on my smartphone / laptop gets access to my LAN. Of course, suppose you'd know about that you may easily revoke the certificate, but suppose you don't know you lost your phone, you're wet (stupid Dutch expression  ;D). To mitigate, you'd perhaps would want a combination of certificates and a password (I do recall my client probably uses something like this; when I am working at their site I get a small PIN-generator which generates a number I need to enter in my connection in order to get access to their network). Is this, certificates and password at the same time, also a possibility in freeRadius?

    • I noticed that if you use users/PEAP, you can send somebody to a separate VLAN. But if you use EAP-TLS, you can not assign a VLAN. But it makes sense to want it then also. For example: the logistics department is not allowed on the accounting VLAN, and for security you will want them to use certificates. How should one do something like this, then?

    Or am I asking stupid questions now?

    (Probably  ;D).

    Thank you & bye,



  • @Hollander:

    • Since I'm working with certificates now in EAP-TLS, this does mean that whomever gets his hands on my smartphone / laptop gets access to my LAN. Of course, suppose you'd know about that you may easily revoke the certificate, but suppose you don't know you lost your phone, you're wet (stupid Dutch expression  ;D). To mitigate, you'd perhaps would want a combination of certificates and a password (I do recall my client probably uses something like this; when I am working at their site I get a small PIN-generator which generates a number I need to enter in my connection in order to get access to their network). Is this, certificates and password at the same time, also a possibility in freeRadius?

    Or am I asking stupid questions now?

    (Probably  ;D).

    Thank you & bye,

    Well, my fellow Hollander, yes. Sort of stupid question.

    You might look at Mobile One Time Passwords. I even found a link for you: http://www.theninjageek.co.za/the-pfsense-walkthrough-part-8-freeradius-and-one-time-passwords/

    ( ;D)



  • @Hollander:

    @Hollander:

    • Since I'm working with certificates now in EAP-TLS, this does mean that whomever gets his hands on my smartphone / laptop gets access to my LAN. Of course, suppose you'd know about that you may easily revoke the certificate, but suppose you don't know you lost your phone, you're wet (stupid Dutch expression  ;D). To mitigate, you'd perhaps would want a combination of certificates and a password (I do recall my client probably uses something like this; when I am working at their site I get a small PIN-generator which generates a number I need to enter in my connection in order to get access to their network). Is this, certificates and password at the same time, also a possibility in freeRadius?

    Or am I asking stupid questions now?

    (Probably  ;D).

    Thank you & bye,

    Well, my fellow Hollander, yes. Sort of stupid question.

    You might look at Mobile One Time Passwords. I even found a link for you: http://www.theninjageek.co.za/the-pfsense-walkthrough-part-8-freeradius-and-one-time-passwords/

    ( ;D)

    That might be so, my dear fellow Dutch Hollander, but I will have to counter you: if they have your mobile, they also have access to the mobile app in that article you are linking to.

    Ping? Pong.

    ( ;D)



  • But without the joking: Nachtfalke, could I ask, in that Ninjageek-thread I posted, you will see that:

    • In CLIENTS he is entering the IP of the Pfsense box itself (not of a switch or WAP);

    • Under System/User Manager/Servers he is setting up a User Server.

    Why is he doing this? I didn't need to do that(?)



  • Hi,

    for mobile one time password take a look here:
    https://doc.pfsense.org/index.php/FreeRADIUS_2.x_package#Enable_Mobile-One-Time-Password_.28OTP.29_support

    It's all implemented into the pfsense freeradius2 package.
    Mobile TAN generator is on the mobile phone like the certificates, that is correct but you need a PIN for the OTP generator to generate the correct password for you. The PIN is hopefully not on the smartphone ;-)

    Further I don't know how to use EAP-TLS with VLAN assignment. Probably you need to add something server-default/server or somewhere else which adds a Reply-Item if the EAP-TLS check is successfully. Probably not possible using the GUI.

    The pfsense doc says:

    mOTP will probably not work with EAP, CHAP, MSCHAP. If it does - tell me how :-)
    

    Having a quick look at the tutorial you posted shows me that the author is adding pfsense itself als a NAS/client. This is important on sections like OpenVPN. OpenVPN itself cannot be a NAS/Client in pfsense environment directly so you use a BACKEND for OpenVPN which is pfsense itself and acts like NAS/client. This must be configured on System –> Users --> Servers. Then pfsense itself is a NAS/Client and can be selected on OpenVPN.

    So every service/hardware which cannot directly connected to freeradius can be perhaps connected to the "BACKEND" created under System --> Users --> Server and this will send requests to RADIUS.



  • I totally overlooked that you had replied, Nachfalke, my sincere apologies: sorry  :-[ :'(

    And thank you for the explanation, I will digest it thoroughly  ;D

    Currently I am looking at another problem: [b]synchronizing certificates between two machines.

    I have my main pfSense (NR1) and a backup/fall back pfSense, the Dell R200 (NR2). It is off line, so if NR1 goes down I will have to manually switch cables, power on the Dell, etc. This is currently more convenient for me than CARP.

    On NR1 I have Radius with WPA-enterprise (the certificate thing). My laptops and smartphones have the certificates installed that NR1 generated. My problem is: I can't seem to find out how to import these certificates that are generated by NR1 into NR2.

    Of course I would want that: if NR1 goes down I don't want my laptop to have to reinstall a different certificate, generated by NR2, in order to be able to connect. That is cumbersome. The goal of the fall back is simply switch cables, and we're up and running again.

    I can't seem to find a setting in the GUI to import the CA from NR1 into NR2. Isn't this possible? Or should I copy them via SCP to a certain directory or something?

    Thank you in advance for any help  ;D

    Bye,



  • Hi,

    I think you can export and import certificates and the CA from SYSTEM –> Cert Manager.
    Exporting Cert and Key and importing on the other pfsense machine.

    Or just make a backup of the running pfsense config and import this backup into the other pfsense. Perhaps you have the possibility to just import certificates and not all the other config.

    Unfortunately I cannot help you any further since I do not have any access to a pfsense machine anymore. My new company does not use pfsense .... :(


Log in to reply