Freeradius WPA-Enterprise and Windows 10 Update 1511
-
For those of us who are having problems with WPA-Enterprise since applying Microsoft's latest update:
https://support.microsoft.com/en-us/kb/2977292
https://technet.microsoft.com/library/security/2977292
Is this an issue of Freeradius or Windows, that TLS1.2 handshakes will fail in the first place?
-
It's an issue mainly with FreeRADIUS and MPPE keys being incorrectly calculated with TLS v1.2, which has recently been updated on Windows as well as many other platforms. This has already been fixed in the FreeRADIUS project; the issue is that the pfSense package is not the most current version…
FreeRADIUS in pfSense is on version 2.x, which is EOL (End Of Life) as of 2.2.9; once the package is updated to v3 the issue should be resolved...
This issue is happening with the latest release of Android as well as my laptop running Arch GNU/Linux, updated recently (~5 days ago). I don't have references for my previous research, unfortunately; there are far too many links to go through...
If you have a look here: http://freeradius.org/version3.html you will notice under "Bug Fixes" that the issue has been resolved: "Update EAP-TTLS so that MPPE keys are correctly calculated with TLSv1.2."
I'm about to report the issue to the package maintainer and see if he/she can update to FreeRADIUS v3 within the pfSense package system, and if not I'll try and work on updating it myself as our business uses FreeRADIUS with pfSense and I'd rather not implement a different solution.
I hope this helps,
-Matt
-
Upgrading the pfSense package to FreeRADIUS 2.2.9 will fix this issue, as the MPPE on TLS 1.2 fix did make it into 2.2.9. Unless I've missed something, the pfSense package is still back on FreeRADIUS 2.2.6.
Upgrading to FreeRADIUS 3 is rather more work, due to significant underlying changes in the FreeRADIUS configuration files.
At this point, only modest upgrades to pfSense 2.2 packages are being accepted, as pfSense 2.2.6 is likely to be the last pfSense 2.2 release and pfSense 2.3 is not far from reaching beta. pfSense 2.3 dumps PBI in favour of the (now FreeBSD standard) pkg packaging system (hooray!), also it has a new Bootstrap based GUI. This means existing pfSense packages require a fair amount of updating for pfSense 2.3.
In my opinion, the pfSense 2.2 FreeRADIUS package should be upgraded to 2.2.9 and development work on a pfSense 2.3 FreeRADIUS package should be based on FreeRADIUS 3. I don't know what development work is ongoing, if any, but I'm not in a position to work on this myself.
-
> In my opinion, the pfSense 2.2 FreeRADIUS package should be upgraded to 2.2.9 and development work on a pfSense 2.3 FreeRADIUS package should be based on FreeRADIUS 3.
I am of the same opinion. I am inclined to believe between Freeradius 2.2.6 (pfSense current version) and 2.2.9 there are no changes in the format of configuration files, and therefore the pfSense GUI wouldn't need updating either, basically only the binary/libraries should need to be swapped.
I am more than willing to take on the task of updating the package with the newer 2.2.9 version of Freeradius, however as I've been looking through the pfSense package's git page, I cannot seem to find where it pulls the actual package from… it seems to only have the pfSense GUI setup and that type of thing...
If anyone can point me in the direction of where to look to change the source of the actual Freeradius package that is being used, I would be more than happy to update the pfSense package. It would simplify my life greatly; I currently have to run a separate Freeradius VM for our company's wireless clients to authenticate to, and I would much rather have pfSense handle that.
-
The version seems to be specified at https://github.com/pfsense/FreeBSD-ports/blob/3faff56ee509fbcfc167c7c6d41f810239cd4e4f/net/freeradius2/Makefile#L5.
The master (and 2016Q1) branch already contains the 2.2.9 version (commit), so I guess this will be fixed in the next release.
-
The problem with fixing this issue on pfSense 2.2.x is not with the actual change to the net/freeradius2 port - that is already available in the FreeBSD ports tree.
The problem is with pfSense 2.2's troublesome PBI packaging system, as Jim has already described elsewhere in the forum. It sounds as if, currently, ESF cannot easily rebuild the existing FreeRADIUS 2 package because of other changes to the ports tree in the intervening period, let alone build a FreeRADIUS 2.2.9 based version. Thankfully, pfSense 2.3 has moved to the pkg packaging system.
-
David_W is correct, trying to fix package binaries on 2.2.x currently is a losing proposition. If you need the latest FreeRADIUS right this moment, your best bet is to use pfSense 2.3 either on your firewall or as a second system to run FreeRADIUS (because everyone should be testing 2.3 to make sure it works for their setups, right? :-)
2.3 is quite stable and in many regards, more stable than 2.2.x. The number of bugs is shrinking daily, and the only real major problem area that is a regression is wireless.
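-
Added example, not part of the thread and not FreeRADIUS code: a sketch of how the MPPE key miscalculation under TLS 1.2 discussed above can arise, assuming the server derives EAP-TTLS keying material with the TLS 1.0/1.1 PRF while the supplicant uses the TLS 1.2 PRF. The session values are constructed, and the function names are hypothetical.

```python
import hashlib
import hmac

def p_hash(digest, secret, seed, length):
    """P_hash expansion shared by both PRFs (RFC 2246 / RFC 5246, section 5)."""
    out, a = b"", seed                      # a starts as A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, digest).digest()              # A(i)
        out += hmac.new(secret, a + seed, digest).digest()
    return out[:length]

def prf_tls10(secret, label, seed, length):
    """TLS 1.0/1.1 PRF: P_MD5 (first half of secret) XOR P_SHA1 (second half)."""
    half = (len(secret) + 1) // 2
    md5 = p_hash("md5", secret[:half], label + seed, length)
    sha1 = p_hash("sha1", secret[-half:], label + seed, length)
    return bytes(x ^ y for x, y in zip(md5, sha1))

def prf_tls12(secret, label, seed, length):
    """TLS 1.2 default PRF: P_SHA256 over the whole secret (some suites use SHA-384)."""
    return p_hash("sha256", secret, label + seed, length)

def ttls_mppe_keys(prf, master_secret, client_random, server_random):
    """MSK per RFC 5281, split the conventional way into
    (MS-MPPE-Recv-Key, MS-MPPE-Send-Key)."""
    msk = prf(master_secret, b"ttls keying material",
              client_random + server_random, 64)
    return msk[:32], msk[32:]

# Constructed sample session values, not captured from a real handshake.
MASTER_SECRET = bytes(range(48))
CLIENT_RANDOM = b"\x01" * 32
SERVER_RANDOM = b"\x02" * 32

def keys_match():
    """Supplicant uses the TLS 1.2 PRF; the server is ASSUMED to still use
    the TLS 1.0 PRF. Returns True only if both sides hold the same keys."""
    client = ttls_mppe_keys(prf_tls12, MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM)
    server = ttls_mppe_keys(prf_tls10, MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM)
    return client == server

if __name__ == "__main__":
    print("keys match:", keys_match())
```

When the two sides disagree like this, the TLS tunnel and inner authentication can complete while the access point and client still fail to agree on a pairwise master key, so the client never finishes associating.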