[solved] pfsense as IEEE802.1X client (radius)



  • pfsense version 2.1.3

    I have a linux box, where I have freeradius running. This is working fine, and I can from the LAN (same segment as the LAN/WLAN on the pfsense box) access the freeradius server, and radtests are OK from other clients.

    Now I want to authenticate WLAN users to this freeradius server, through pfsense.
    The WLAN and LAN on the pfsense box are bridged.

    For the WLAN interface the following is set (among others)..

    • WPA (with a password)

    • Enable IEEE802.1X Authentication

    • 802.1X Authentication Server IP Address (IP of the linux box running freeradius).

    • 802.1X Authentication Server Shared Secret (secret on the configured client, on freeradius)

    But when I try to connect a wireless client, nothing happens. I cannot even see the attempt on the freeradius server running in debug mode, so no traffic is sent to freeradius, I assume.

    Any ideas? Am I missing something?



  • The default RADIUS ports are 1812, 1813; you may have specified custom ones.

    Check the “Status–System Logs–Firewall” (you can then filter by one of the RADIUS destination ports) and see if your firewall is blocking them.
    If it is, you need to add a firewall rule, to allow UDP traffic from the net where you want authentication (source) to the RADIUS server (destination) on the RADIUS destination ports.

    I am not familiar with pfSense bridges, you may need to add similar rules to allow traffic to flow between parts of the bridge; I have read that this is/was required for DHCP to propagate through the bridge; so the same should be true for RADIUS.

    HTH
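    Added example (editor's note, not part of any post in this thread and not pfSense or freeradius code): what the UDP/1812 traffic G.D. is talking about actually looks like. The script builds an RFC 2865 Access-Request the way radtest does (User-Name, User-Password, NAS-IP-Address) and parses it back as the server would. The User-Password attribute is obfuscated with the shared secret, which is why the secret entered on pfSense must match the client entry on freeradius. All credentials, addresses and the secret below are constructed placeholders.

```python
"""Added example (not from the thread): build and parse a RADIUS
Access-Request (RFC 2865) as radtest sends it over UDP/1812."""
import hashlib
import os
import socket
import struct
from typing import Optional

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
RADIUS_AUTH_PORT = 1812  # default authentication port, UDP
RADIUS_ACCT_PORT = 1813  # default accounting port, UDP


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s.5.2: NUL-pad to a multiple of 16, then XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("RADIUS User-Password is limited to 128 octets")
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    if not padded:
        padded = b"\x00" * 16  # an empty password still occupies one block
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def decode_user_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_user_password. With a wrong secret the result is
    garbage, which is what the server sees when the two sides disagree."""
    if not encoded or len(encoded) % 16:
        raise ValueError("encoded User-Password must be a non-empty multiple of 16 octets")
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        block = encoded[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    # Attribute TLV: type (1 octet), length including this header (1), value
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(username: str, password: str, secret: bytes, nas_ip: str,
                         identifier: int = 0, authenticator: Optional[bytes] = None) -> bytes:
    """Code (1) | Identifier (1) | Length (2) | Request Authenticator (16) | attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, encode_user_password(password.encode(), secret, authenticator))
             + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_access_request(packet: bytes, secret: bytes) -> dict:
    """The server's view: validate the header, walk the TLVs, recover the password."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-octet RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or code != ACCESS_REQUEST:
        raise ValueError("bad length or not an Access-Request")
    authenticator = packet[4:20]
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute length")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return {
        "identifier": identifier,
        "username": attrs.get(ATTR_USER_NAME, b"").decode(errors="replace"),
        "password": decode_user_password(attrs[ATTR_USER_PASSWORD], secret, authenticator),
        "nas_ip": socket.inet_ntoa(attrs[ATTR_NAS_IP_ADDRESS]),
    }


def send_access_request(packet: bytes, server_ip: str, timeout: float = 3.0) -> Optional[bytes]:
    """Send over UDP/1812 and wait. None means no reply in time: the packet was
    dropped on the way (check the firewall log for port 1812) or the server
    ignored it (freeradius drops requests from clients it has not been told about)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server_ip, RADIUS_AUTH_PORT))
        try:
            return s.recvfrom(4096)[0]
        except socket.timeout:
            return None


if __name__ == "__main__":
    # Constructed placeholder credentials, secret and addresses; no packet is sent here.
    pkt = build_access_request("alice", "example-pw", b"testing123", "192.0.2.1")
    print(len(pkt), "octets ->", parse_access_request(pkt, b"testing123"))
```

    The packet is 20 header octets plus the attributes; parsing it with a different secret than it was built with gives a garbled password, and a request that gets no reply within the timeout is the symptom to correlate with the firewall log rather than with freeradius debug output, which never sees a dropped packet.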



  • @lbm_:

    • WPA (with a password)

    Should this one be "WPA2-EAP" or "WPA-EAP" instead?



  • @G.D.:

    The default RADIUS ports are 1812, 1813; you may have specified custom ones.

    Check the “Status–System Logs–Firewall” (you can then filter by one of the RADIUS destination ports) and see if your firewall is blocking them.
    If it is, you need to add a firewall rule, to allow UDP traffic from the net where you want authentication (source) to the RADIUS server (destination) on the RADIUS destination ports.

    I am not familiar with pfSense bridges, you may need to add similar rules to allow traffic to flow between parts of the bridge; I have read that this is/was required for DHCP to propagate through the bridge; so the same should be true for RADIUS.

    HTH

    There are no firewall rules configured between the bridge, and I cannot see any traffic whatsoever in the firewall log on pfsense for port 1812/1813. Default ports are not changed for freeradius.

    @G.D.:

    @lbm_:

    • WPA (with a password)

    Should this one be "WPA2-EAP" or "WPA-EAP" instead?

    I am running WPA2, but "Enable IEEE802.1X Authentication" requires WPA checked according to the description. (If this is not checked, it apparently becomes an open WiFi).



  • I've tried as a quick test, to add the radius server to pfsense "User Authentication Servers", and this is working, and I can authenticate the users. But still no joy from WIFI users.



  • Here is a thread discussing problems with DHCP over bridged interfaces:
    https://forum.pfsense.org/index.php?topic=13351.0
    You could be having similar issues, as RADIUS, like DHCP also communicates via UDP.

    Sorry, I do not know what else it could be. Just the other week, I was fixing a RADIUS issue with an authenticator running on a Linux box. It turned out that the particular distribution of Linux came with a light version of the authentication package that included only consumer modes. I had to uninstall the package, install the full version, and enterprise authentication started working.

    pfSense runs on FreeBSD not Linux, I am just giving an example of a RADIUS issue I had to solve recently.



  • Hi,

    Thanks for replying. I do not think this is it. DHCP is working fine on the bridged interfaces.
    I know you are using this as an example, but I am unable to see traffic anywhere. It seems to be it is not "applied" or the traffic is lost somehow between pfsense and the linux box.

    I just did a radtest on a wireless device (connected through pfsense with the bridged WAN/LAN interfaces), and I am unable to auth via radtest to the radius server here as well.



  • Do you see the correct [EAP] authentication method advertised with the SSID, when you scan the WiFi band?



  • Further to G.D.'s comment on traffic between bridged interfaces, it might be worth temporarily adding an allow all rule from WLAN to LAN and conversely from LAN to WLAN for testing purposes (if one doesn't already exist).

    Worthwhile to eliminate a potential hidden variable….



  • @G.D.:

    Do you see the correct [EAP] authentication method advertised with the SSID, when you scan the WiFi band?

    How can I check this? As I remember it, I cannot see these details from the WLAN clients?

    @divsys:

    Further to G.D.'s comment on traffic between bridged interfaces, it might be worth temporarily adding an allow all rule from WLAN to LAN and conversely from LAN to WLAN for testing purposes (if one doesn't already exist).

    Worthwhile to eliminate a potential hidden variable….

    I will try this later. But honestly I could not imagine it would make any difference.

    It seems to be that it only recognizes the WPA/WPA2 PSK which is set, and is not trying to negotiate the radius authentications..



  • Oh well.. Found a bunch of other posts with same/related issues.

    https://forum.pfsense.org/index.php?topic=69312.0
    https://forum.pfsense.org/index.php?topic=72483.0

    And kinda interesting.
    https://redmine.pfsense.org/issues/3562



  • I've tried to create firewall rules with no luck.

    LAN: SRC LAN, DST WLAN PERMIT ANY
    WLAN: SRC WLAN, DST LAN PERMIT ANY

    tried to set both primary and secondary, still the same, not working.



  • Solved!  :-[ :-[

    Gotta be kinda stupid.. (BLIND)  :)

    WPA Key Management Mode must be set to Extensible Authentication Protocol.. Was set to PSK.
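    Added example (editor's note, not part of the thread and not pfSense's own code): a small checker for exactly the misconfiguration found above. pfSense runs its access point through hostapd, so the sample configs use hostapd.conf keys (`wpa`, `wpa_key_mgmt`, `ieee8021x`, `auth_server_addr`, `auth_server_port`, `auth_server_shared_secret`); the two config texts, the SSID, addresses and secret are constructed for illustration and are not the file pfSense generated in this case. The checker also covers the related case mentioned earlier in the thread, 802.1X with WPA unchecked.

```python
"""Added example (not pfSense code): flag an AP config that enables 802.1X
but leaves WPA key management on PSK, so RADIUS is never contacted."""
from typing import Dict, List

# Constructed: 802.1X on and a RADIUS server given, but key management left
# on PSK. Clients only ever negotiate the pre-shared key; the RADIUS server
# never sees a packet (the symptom in this thread).
BROKEN_CONF = """
interface=wlan0
ssid=corp-wifi
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=changeme-example
ieee8021x=1
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=example-secret
"""

# Constructed: the same AP after the fix, key management switched to EAP.
FIXED_CONF = """
interface=wlan0
ssid=corp-wifi
wpa=2
wpa_key_mgmt=WPA-EAP
ieee8021x=1
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=example-secret
"""


def parse_hostapd_conf(text: str) -> Dict[str, str]:
    """Minimal key=value parser: skips blank lines and '#' comments,
    last occurrence of a key wins."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def check_enterprise_wifi(text: str) -> List[str]:
    """Return findings for an AP that is meant to authenticate against
    RADIUS; an empty list means nothing looks wrong."""
    conf = parse_hostapd_conf(text)
    findings: List[str] = []
    dot1x = conf.get("ieee8021x", "0") == "1"
    key_mgmt = set(conf.get("wpa_key_mgmt", "").split())
    wpa = conf.get("wpa", "0")

    if dot1x and wpa == "0":
        findings.append("ieee8021x=1 with wpa=0: no WPA, so the network is open "
                        "(or legacy dynamic WEP) rather than WPA-Enterprise")
    if dot1x and "WPA-EAP" not in key_mgmt:
        findings.append(
            "ieee8021x=1 but wpa_key_mgmt=%s: key management must include WPA-EAP, "
            "otherwise clients only get the pre-shared key and RADIUS is never contacted"
            % (conf.get("wpa_key_mgmt") or "<unset>"))
    if "WPA-EAP" in key_mgmt:
        for key in ("auth_server_addr", "auth_server_shared_secret"):
            if not conf.get(key):
                findings.append("WPA-EAP configured but %s is missing" % key)
        if "WPA-PSK" in key_mgmt and "wpa_passphrase" not in conf and "wpa_psk" not in conf:
            findings.append("WPA-PSK listed in wpa_key_mgmt but no passphrase/psk given")
    port = conf.get("auth_server_port")
    if port and not port.isdigit():
        findings.append("auth_server_port is not numeric: %r" % port)
    return findings


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, check_enterprise_wifi(conf) or ["OK"])
```

    Run against the broken config the checker reports the PSK-only key management; against the fixed one it reports nothing. The check is cheap to keep in a config-review step because the failure is silent: with PSK key management the AP accepts the passphrase and simply never talks to RADIUS, so nothing appears in either the firewall log or the freeradius debug output.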



  • @lbm_:

    @G.D.:

    Do you see the correct [EAP] authentication method advertised with the SSID, when you scan the WiFi band?

    How can I check this? As I remember it, I cannot see these details from the WLAN clients?

    Any kind of half-good WiFi scanner should be able to display that. I use the free WiFi Analyzer by Kevin Yuan, for example.

    I am glad you got the issue solved.

