Netgate Discussion Forum
    TLS + radius.conf

    pfSense Packages

    A Former User:
      Hi,

      Where does the cert manager store the cacert.pem that I have uploaded via the GUI?

      Where can I find and edit radius.conf?  The GUI does not seem to have an option to set "start_tls = yes"

      I have tested using ldapsearch at the command prompt, and it is complaining about a self-signed certificate in the chain.  Is that because it cannot locate the correct TLS_CACERT path?

      Regards,
      Rob.

      A Former User:
        Solved.

        Quick answer: Edit the file /usr/local/pkg/freeradius.inc to comment out the below settings lines, and reboot:

        (found in the freeradius_modulesldap_resync section)

            cacertdir = {$raddb}/certs/
            certfile = {$raddb}/certs/radius_ldap1_cert.crt
            keyfile = {$raddb}/certs/radius_ldap1_cert.key

        –

        Explanation:

        Testing the ldaps connection via ldapsearch always failed due to the "self-signed certificate in chain" error.  When I tested the certificate with "openssl s_client -connect server:636", I got the same error.

        I then added the option "-CAfile /usr/local/etc/raddb/certs/ca_ldap1_cert.pem" in, and it tested fine (for this to work, you must at some point have set the CA cert in the GUI under the LDAP->TLS options to the relevant cert in the Cert Manager; otherwise the .inc script will not have copied the contents to this cert file).

        I realised that the radius.conf include file for the LDAP settings (located at: /usr/local/etc/raddb/modules/ldap) was ignoring the line for the cacertfile.  Some digging around online suggested that the other "CA*" options can interfere with the setup when performing TLS over ldap:/// connections.

        So I commented them out, and behold, it worked.  Upon reboot, the comments were removed, so you actually have to edit the freeradius.inc file to ensure the comments get re-applied each time.

        Clearly the author had some notion of this, as he has notes on the GUI saying to leave the options at "None", however the freeradius.inc script still includes the above lines in the .conf output whether you have set them to "None" or not.  This is probably a bug.

        --

        In answer to the start_tls question, the freeradius.inc file does indeed correlate the tick box in the GUI to that option, so I am now using port 389 as expected.

        And in answer to the ldap.conf issue, the ldap tools on pfSense have no default configuration setup in the .conf file.

        Regards,
        Rob.

        xoxys:
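        The following is an added example and is not code from the thread or from the pfSense FreeRADIUS package. It wraps the two things done by hand in the post above: the openssl s_client check pinned to the CA file the package writes from the Cert Manager (path and file name taken from the post), and the edit that comments out cacertdir, certfile and keyfile in a generated ldap module file while leaving cacertfile alone. The sample module text is constructed to resemble such a file and is an assumption, not the package's literal output. Since the package regenerates the module file on resync, the post's approach of changing freeradius.inc is what persists; this only shows the transformation and the verification step.

```shell
#!/bin/sh
# Added example; not code from the thread or from the pfSense FreeRADIUS package.
# Helpers around the two things done by hand in the post: verify the LDAPS chain
# with openssl against the CA file the package writes, and comment out the ldap
# module options (cacertdir/certfile/keyfile) that made it ignore cacertfile.

RADDB=${RADDB:-/usr/local/etc/raddb}            # pfSense raddb path, from the post

# Handshake with the LDAPS server and pin the CA the package copied out of the
# Cert Manager. Prints the verify line; exit status 0 only when the chain is ok.
verify_ldaps_chain() {
    host=$1
    port=${2:-636}
    cafile=${3:-"$RADDB/certs/ca_ldap1_cert.pem"}   # file name as given in the post
    out=$(printf '' | openssl s_client -connect "$host:$port" -CAfile "$cafile" 2>/dev/null)
    printf '%s\n' "$out" | grep 'Verify return code'
    printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'
}

# Comment out cacertdir, certfile and keyfile in a generated module file,
# leaving cacertfile (and everything else) untouched. Reads $1, writes $2.
strip_conflicting_tls_opts() {
    sed -E 's/^([[:space:]]*)(cacertdir|certfile|keyfile)([[:space:]]*=)/\1# \2\3/' "$1" > "$2"
}

# Constructed sample (assumed shape, not the package's literal output).
SAMPLE_MODULE='ldap {
    server = "ldap.example.com"
    start_tls = yes
    cacertfile = /usr/local/etc/raddb/certs/ca_ldap1_cert.pem
    cacertdir = /usr/local/etc/raddb/certs/
    certfile = /usr/local/etc/raddb/certs/radius_ldap1_cert.crt
    keyfile = /usr/local/etc/raddb/certs/radius_ldap1_cert.key
    require_cert = "demand"
}'

# Offline demo on the sample; verify_ldaps_chain needs a reachable server, e.g.:
#   verify_ldaps_chain ldap.example.com 636
src=$(mktemp); dst=$(mktemp)
printf '%s\n' "$SAMPLE_MODULE" > "$src"
strip_conflicting_tls_opts "$src" "$dst"
cat "$dst"
rm -f "$src" "$dst"
```

        Run the demo as-is to see the three lines commented out and cacertfile kept; run verify_ldaps_chain against the real server to confirm the chain validates with the package's CA file before touching the module configuration.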
          @peridian:

          So I commented them out, and behold, it worked.  Upon reboot, the comments were removed, so you actually have to edit the freeradius.inc file to ensure the comments get re-applied each time.

          Clearly the author had some notion of this, as he has notes on the GUI saying to leave the options at "None", however the freeradius.inc script still includes the above lines in the .conf output whether you have set them to "None" or not.  This is probably a bug.

          Sorry for reviving this thread, but this bug still exists… Any chance to get a fix?

          Thanks for your work.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.