Enabling 802.1x authentication makes WLAN stop working
-
@ermal:
Well it would be good to share your configuration.
I can only guess which configuration details are important. That's why I give the 802.1x relevant parts only:
WPA Mode: Checked
WPA Key Management Mode: Extensible Authentication Protocol
Authentication: Open System Authentication
WPA Pairwise: AES (recommended)
Key Rotation: 60
Master Key Regeneration: 3600
Enable IEEE802.1X Authentication: Checked
802.1X Authentication Server IP Address: <my_radius_server_ip>
802.1X Authentication Server Shared Secret: <my_shared_secret>
@ermal:
Also having filesystem full message is not a good thing and you should consider to solve those.
Well, just to make things clear: I am running a NanoBSD version pfSense. The filesystem full message disappears as soon as I have disabled 802.1x authentication.
@ermal:
802.1X is not doing much apart from contacting a radius server so you should check how you are configuring it.
I generally agree with you. But I am just using the same configuration that is working fine now for two years with pfSense 2.0.1, 2.0.2 and 2.0.3.
My WLAN card is cloned, e.g. interface "WLAN" is "ath0" and "WLAN2" is "ath0_wlan1". "WLAN" should use 802.1x authentication while "WLAN2" authenticates against a captive portal.
Please let me know, if you need further information.
Regards,
Peter
EDIT: Just a shot in the dark: My RADIUS server is addressed by an IPv4 address. As enabling 802.1x authentication and RRD errors are somehow correlated: Might this be a source of an error? Might pfSense expect an IPv6 address instead in the field "802.1X Authentication Server IP Address:"?
-
https://github.com/pfsense/pfsense/pull/912
Does not help your actual problem though :-\
But it's good to know that 2.1.1 has one more solved issue :)
Regards,
Peter
-
What would help in this case is the system log and a ls -lh of the full filesystem.
To know what is making it full.
Also ls /var/etc or ls /tmp and post the config files related to the wireless configuration (hostapd and wpa_supplicant).
-
@ermal:
What would help in this case is the system log and a ls -lh of the full filesystem.
To know what is making it full.
Also ls /var/etc or ls /tmp and post the config files related to the wireless configuration (hostapd and wpa_supplicant).
Well, for unknown reason, the "file system full" and the "rrdtool" errors are not reproducible today :) The only change since last occurrence is a flashed Alix BIOS, which was necessary because I couldn't change the baudrate. Nevertheless, all other issues are reproducible. In particular my WLAN card is not fully working, "ath0" aka "WLAN" appears as "open" in spite of enabled 802.1x authentication.
Here is my full boot log:
This is my filesystem status:
[2.1.1-PRERELEASE][admin@alix2d13.drpetervoigt.private]/root(2): df -lh
Filesystem         Size  Used  Avail  Capacity  Mounted on
/dev/ufs/pfsense0  907M  171M  664M   21%       /
devfs              1.0k  1.0k  0B     100%      /dev
/dev/ufs/cf        49M   1.9M  43M    4%        /cf
/dev/md0           38M   204k  35M    1%        /tmp
/dev/md1           57M   22M   30M    42%       /var
devfs              1.0k  1.0k  0B     100%      /var/dhcpd/dev
And here is the listing of /tmp and /var:
[2.1.1-PRERELEASE][admin@alix2d13.drpetervoigt.private]/root(1): ls -al /var/ /tmp/
/tmp/:
total 203
drwxrwxrwt  7 root wheel      1024 Mar 25 21:22 .
drwxr-xr-x 24 root wheel       512 Mar 25 21:19 ..
drwxrwxr-x  2 root operator    512 Mar 25 21:19 .snap
-rw-rw-rw-  1 root wheel         0 Mar 25 21:20 DDNS.lock
-rw-r--r--  1 root wheel       265 Mar 25 21:20 PHP_errors.log
-rw-r--r--  1 root wheel        17 Mar 25 21:19 ath0_wlan0_oldmac
-rw-r--r--  1 root wheel       247 Mar 25 21:19 ath0_wlan0_setup.sh
-rw-r--r--  1 root wheel        17 Mar 25 21:19 ath0_wlan1_oldmac
-rw-r--r--  1 root wheel        52 Mar 25 21:19 ath0_wlan1_setup.sh
dr-xr-xr-x  2 root wheel       512 Mar 25 21:20 captiveportal
-rw-rw-rw-  1 root wheel         0 Mar 25 21:20 captiveportalcpzone.lock
-rw-rw-rw-  1 root wheel         0 Mar 25 21:22 captiveportalradiuscpzone.lock
-rw-r--r--  1 root wheel    115286 Mar 25 21:21 config.cache
-rw-rw-rw-  1 root wheel         0 Mar 25 21:22 config.lock
-rw-r--r--  1 root wheel       511 Mar 25 21:20 dhcpd.sh
-rw-rw-rw-  1 root wheel         0 Mar 25 21:20 filter.lock
-rw-r--r--  1 root wheel      1361 Mar 25 21:20 ipfw_cpzone.cp.rules
drwxr-xr-x  2 root wheel       512 Mar 25 21:20 lighttpdcompress
drwxr-xr-x  3 root wheel       512 Mar 25 21:19 mnt
-rw-r--r--  1 root wheel        14 Mar 25 21:20 ovpns1_router
-rw-r--r--  1 root wheel         0 Mar 25 21:20 ovpns1up
-rw-r--r--  1 root wheel      1776 Mar 25 21:22 pfctl_si_out
-rw-r--r--  1 root wheel      2397 Mar 25 21:22 pfctl_ss_out
srwxr-xr-x  1 root wheel         0 Mar 25 21:20 php-fastcgi-cpzone.socket-0
srwxr-xr-x  1 root wheel         0 Mar 25 21:20 php-fastcgi-cpzone.socket-1
srwxr-xr-x  1 root wheel         0 Mar 25 21:20 php-fastcgi-cpzone.socket-2
srwxr-xr-x  1 root wheel         0 Mar 25 21:20 php-fastcgi-cpzone.socket-3
srwxr-xr-x  1 root wheel         0 Mar 25 21:20 php-fastcgi.socket-0
srwxr-xr-x  1 root wheel         0 Mar 25 21:20 php-fastcgi.socket-1
-rw-r--r--  1 root wheel         0 Mar 25 21:19 php_errors.txt
-rw-r--r--  1 root wheel         0 Mar 25 21:20 pppoe0_defaultgw
-rw-r--r--  1 root wheel         0 Mar 25 21:20 pppoe0_defaultgwv6
-rw-rw-rw-  1 root wheel         0 Mar 25 21:20 resolvconf.lock
-rw-r--r--  1 root wheel     26495 Mar 25 21:20 rules.debug
-rw-r--r--  1 root wheel     26495 Mar 25 21:20 rules.debug.old
-rw-r--r--  1 root wheel       144 Mar 25 21:20 rules.limits
-rw-rw-rw-  1 root wheel         0 Mar 25 21:21 shm1000.lock
drwxrwxrwx  2 root wheel       512 Mar 25 21:19 uploadbar

/var/:
total 25
drwxr-xr-x 13 root wheel       512 Mar 25 21:21 .
drwxr-xr-x 24 root wheel       512 Mar 25 21:19 ..
drwxrwxr-x  2 root operator    512 Mar 25 21:19 .snap
drwxr-xr-x  3 root wheel       512 Mar 25 21:19 at
drwx------  3 root wheel       512 Mar 25 21:22 cron
drwxr-xr-x  5 root wheel       512 Mar 25 21:22 db
drwxr-xr-x  8 root wheel       512 Mar 25 21:20 dhcpd
drwxr-xr-x  2 root wheel       512 Mar 25 21:19 empty
drwxr-xr-x  5 root wheel      1024 Mar 25 21:21 etc
drwxr-xr-x  3 root wheel       512 Mar 25 21:20 log
drwxr-xr-x  2 root wheel      1024 Mar 25 21:21 run
drwxr-xr-x  3 root wheel       512 Mar 25 21:19 spool
drwxr-xr-x  2 root wheel       512 Mar 25 21:22 tmp
And finally here is my wireless configuration:
[2.1.1-PRERELEASE][admin@alix2d13.drpetervoigt.private]/root(1): cat /var/etc/hostapd_ath0_wlan0.conf
interface=ath0_wlan0
driver=bsd
logger_syslog=-1
logger_syslog_level=0
logger_stdout=-1
logger_stdout_level=0
dump_file=/tmp/hostapd_ath0_wlan0.dump
ctrl_interface=/var/run/hostapd
ctrl_interface_group=wheel
#accept_mac_file=/tmp/hostapd_ath0_wlan0.accept
#deny_mac_file=/tmp/hostapd_ath0_wlan0.deny
#macaddr_acl=
ssid=pvoigt_wlan
debug=
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP
wpa_group_rekey=60
wpa_gmk_rekey=3600
wpa_strict_rekey=
ieee8021x=1
auth_server_addr=192.168.1.86
auth_server_port=1812
auth_server_shared_secret=secret
auth_server_addr=
auth_server_port=1812
auth_server_shared_secret=
I do not know where to find what you call "wpa_supplicant".
Hope this information helps.
Regards,
Peter
-
Show the contents of these files
-rw-r--r-- 1 root wheel 17 Mar 25 21:19 ath0_wlan0_oldmac
-rw-r--r-- 1 root wheel 247 Mar 25 21:19 ath0_wlan0_setup.sh
-rw-r--r-- 1 root wheel 17 Mar 25 21:19 ath0_wlan1_oldmac
-rw-r--r-- 1 root wheel 52 Mar 25 21:19 ath0_wlan1_setup.sh
and try to run them manually by hand and see what errors you get.
Also are you running Captive Portal?
If yes if you disable it does the 802.1x work?
-
@ermal:
Show the contents of these files
-rw-r--r-- 1 root wheel 17 Mar 25 21:19 ath0_wlan0_oldmac
-rw-r--r-- 1 root wheel 247 Mar 25 21:19 ath0_wlan0_setup.sh
-rw-r--r-- 1 root wheel 17 Mar 25 21:19 ath0_wlan1_oldmac
-rw-r--r-- 1 root wheel 52 Mar 25 21:19 ath0_wlan1_setup.sh
and try to run them manually by hand and see what errors you get.
Also are you running Captive Portal?
If yes if you disable it does the 802.1x work?
Here is the desired output of the files:
[2.1.1-PRERELEASE][admin@alix2d13.drpetervoigt.private]/root(18): cat /tmp/ath0_wlan0_oldmac
a8:54:b2:92:fc:ca
[2.1.1-PRERELEASE][admin@alix2d13.drpetervoigt.private]/root(19): cat /tmp/ath0_wlan0_setup.sh
#!/bin/sh
# pfSense wireless configuration script.
/sbin/ifconfig 'ath0_wlan0' link 'a8:54:b2:92:fc:ca'
/usr/sbin/hostapd -B -P /var/run/hostapd_ath0_wlan0.pid /var/etc/hostapd_ath0_wlan0.conf
/sbin/ifconfig 'ath0_wlan0' link 'a8:54:b2:92:fc:ca'
[2.1.1-PRERELEASE][admin@alix2d13.drpetervoigt.private]/root(21): cat /tmp/ath0_wlan1_oldmac
ae:54:b2:92:fc:ca
[2.1.1-PRERELEASE][admin@alix2d13.drpetervoigt.private]/root(24): cat /tmp/ath0_wlan1_setup.sh
#!/bin/sh
# pfSense wireless configuration script.
And this happens when I manually execute the scripts:
[2.1.1-PRERELEASE][admin@alix2d13.drpetervoigt.private]/tmp(27): sh ath0_wlan0_setup.sh
Configuration file: /var/etc/hostapd_ath0_wlan0.conf
Line 28: invalid IP address ''
Line 30: empty shared secret is not allowed.
2 errors found in configuration file '/var/etc/hostapd_ath0_wlan0.conf'
[2.1.1-PRERELEASE][admin@alix2d13.drpetervoigt.private]/tmp(28): sh ath0_wlan1_setup.sh
Yes I am running a captive portal for "ath0_wlan1" aka "WLAN2".
Disabling it does not bring me back a fully working "ath0_wlan0"
aka "WLAN".
Regards,
Peter
-
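As an added example, not code from the thread or from pfSense, here is a POSIX sh pre-flight check for a generated hostapd configuration that flags the defect seen above (an empty second RADIUS server block) before hostapd is launched and the SSID ends up without authentication; the `check_hostapd_radius` and `count_defects` helpers and the sample config are this example's own constructions, and 192.0.2.10 is a documentation address, not a real server.

```shell
#!/bin/sh
# Added example: pre-flight check of a hostapd config for empty RADIUS
# entries (auth_server_addr / auth_server_shared_secret), the defect that
# made hostapd refuse to start in this thread. hostapd itself reports these
# as "invalid IP address ''" and "empty shared secret is not allowed".

# check_hostapd_radius FILE
# Prints one line per defect and returns the defect count as exit status
# (0 = no empty RADIUS entries and, when ieee8021x=1, at least one server).
check_hostapd_radius() {
    awk -F= '
        BEGIN { n = 0; servers = 0; dot1x = 0 }
        /^ieee8021x=1/ { dot1x = 1 }
        /^auth_server_addr=/ {
            if ($2 == "") { print "line " NR ": empty auth_server_addr"; n++ }
            else servers++
        }
        /^auth_server_shared_secret=/ && $2 == "" {
            print "line " NR ": empty auth_server_shared_secret"; n++
        }
        END {
            if (dot1x && servers == 0) {
                print "ieee8021x=1 but no RADIUS server configured"; n++
            }
            exit n
        }' "$1"
}

# count_defects FILE: prints the defect count (the exit status of the check).
count_defects() {
    if check_hostapd_radius "$1" >/dev/null; then echo 0; else echo $?; fi
}

# Constructed sample mirroring the broken config from the thread: a complete
# first RADIUS block followed by an empty second one.
BROKEN_CONF=$(mktemp) || exit 1
cat > "$BROKEN_CONF" <<'EOF'
interface=ath0_wlan0
ssid=example_wlan
wpa=2
wpa_key_mgmt=WPA-EAP
ieee8021x=1
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=secret
auth_server_addr=
auth_server_port=1812
auth_server_shared_secret=
EOF

# Fixed variant: the empty entries removed (the leftover port line is harmless).
FIXED_CONF=$(mktemp) || exit 1
grep -v -e '^auth_server_addr=$' -e '^auth_server_shared_secret=$' \
    "$BROKEN_CONF" > "$FIXED_CONF"

check_hostapd_radius "$BROKEN_CONF" \
    || echo "refusing to start the AP: $? defect(s) in $BROKEN_CONF"
check_hostapd_radius "$FIXED_CONF" && echo "$FIXED_CONF is usable for 802.1X"
```

Running the check from the generated setup script, before the hostapd line, turns a silent fallback to an unauthenticated SSID into a visible failure.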
Can you try to merge this https://github.com/pfsense/pfsense/commit/26ea40b7f1b0718415247c47077ee8e665888819 or upgrade to a latest snapshot from tomorrow.
I already fixed this today because i had a clue this was happening.
Also a quick test to see if it fixes the error is by filling both configurations for radius config with the same info.
Thanks for the help on troubleshooting this.
-
@ermal:
Can you try to merge this https://github.com/pfsense/pfsense/commit/26ea40b7f1b0718415247c47077ee8e665888819 or upgrade to a latest snapshot from tomorrow.
I already fixed this today because i had a clue this was happening.
Also a quick test to see if it fixes the error is by filling both configurations for radius config with the same info.
Thanks for the help on troubleshooting this.
Thanks for this good news. I have pointed my firmware update URL to http://snapshots.pfsense.org/FreeBSD_RELENG_8_3/i386/pfSense_RELENG_2_1/.updaters/. Latest snapshot updates are from 2014-02-20. Do these snapshots already contain your patch or do I have to wait for newer snapshots?
I prefer using the pfSense updater as I am not that familiar with pulling in from git. In particular, I do not know, if I can still use the updater after a git pull.
Regards,
Peter
-
Yeah the latest snapshots have it.
-
I have just updated to the latest snapshot and done a quick check: Both WLANs are up and running for the first time with pfSense 2.1.x! Thanks so far. Now I can go into more testing details.
Regards,
Peter