Netgate Discussion Forum

    Freeradius and dd-wrt

    pfSense Packages
    8 Posts 4 Posters 15.1k Views
      chembro84

      Hi guys, got pfSense set up and it works great. Today I saw there was a FreeRADIUS package for pfSense so I installed it. I would like to use a WRT54G (flashed to dd-wrt micro) and authenticate to the FreeRADIUS server. So far I have tried the obvious settings but Windows reports (when trying to connect to the AP) that there is an error and it couldn't get the certificate. Ideally I would like to authenticate with a webpage with a user list set up on the pfSense box. Does anyone have any idea if this is possible with my setup? Anyone have any documentation that they know of that can help me achieve this goal? Thanks

        blak111

        If you want to use a webpage to authenticate you should use the captive portal option in pfSense; however, this doesn't really offer any type of encryption on the wireless traffic. If you use the FreeRADIUS server and set up the access point to authenticate with the pfSense user list in FreeRADIUS, it will offer encryption and authentication.
        From the sound of it, you need to disable certificate verification on the client you are connecting to the access point list.
        If you are in Windows, you can go to the properties for your wireless network and go to the Authentication tab. Then you can change it to Protected EAP and click on Properties to disable "Validate server certificate". Then click on Configure for "Secured password" and clear the checkbox to automatically use your Windows logon. After you do that, it should prompt you for a username and password when you connect to the network.

          David_W

          As blak111 says, authenticating users via PEAP is your best option, as you can then encrypt the wireless traffic using WPA2-Enterprise on the wireless side (don't forget to tell the wireless access point the IP address of the RADIUS server, and set a suitably obscure shared secret on both ends).

          Captive portal type authentication (the web page you describe) doesn't give you wireless encryption unless you supply that 'on top' using something like WPA2-PSK. WPA2-Enterprise is greatly preferred, not least for ease of management.

          The certificate of the FreeRADIUS server won't be signed by any CA trusted by Windows - so, as blak111 says, you have to disable server certificate validation. The other alternative is to import the CA that FreeRADIUS on pfSense is using into Windows as a trusted CA, but that is far from straightforward.

          There are known problems with PEAP on Windows XP Service Pack 2 - there's a hotfix floating around somewhere, or install Service Pack 3.

            chembro84

            Maybe I won't be able to do what I need to then. I am dealing with guests of our department who cannot handle putting a wireless key into whatever operating system they are using (mainly Windows and Mac). The thinking is that the concept of a username and password is not as foreign to these people and it may prevent some problems. As of now the higher-ups have decided that we should leave the access points completely open. Any kind of access control is better than that.

              David_W

              PEAP doesn't need any sort of key - FreeRADIUS generates the keys.

              With PEAP you put a user name and password in, and (in Windows at least) you must select the option to disable server certificate validation (unless you're prepared to deploy the CA certificate that signed the server certificate as a trusted CA). Apart from upgrading Windows XP machines to Service Pack 3 (or installing the PEAP hotfix) if you hit problems, that should be all that's needed. The APs will be running in WPA2-Enterprise.

                Guest

                I'm trying to do something similar, using dd-wrt+chillispot:

                wan1--+--Pfsense(web+freeradius)---+--DD-WRT1(WiFi/chillispot)-----SUBNET1
                wan2--+                            +--DD-WRT2(WiFi/chillispot)-----SUBNET2
                                                   +--DD-WRT3(WiFi/chillispot)-----SUBNET3
                                                   +--DD-WRT4(WiFi/chillispot)-----SUBNET4

                I set up the dd-wrt chillispot service, pointing to the pfSense RADIUS and web to https://pfsense:1254/hotspotlogin.php. It works, asks for login, but never gets an answer from FreeRADIUS. For this configuration I can't use the captive portal, because users behind the dd-wrt (SUBNET1 to SUBNET4) wifi APs must be isolated, so all users in SUBNETx share the same MAC, so the captive portal can't distinguish them; besides, the captive portal doesn't support multi-WAN.

                Do you think this configuration is possible?

                Thanks for your comments

                  blak111

                  Make sure that the pre-shared keys are the same on both sides for each device that you want FreeRADIUS to work with.
                  They don't have to be the same for all of the access points; however, the key needs to match on both sides or the RADIUS server will appear to time out.

                    Guest
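The "appears to time out" behaviour blak111 describes follows from how RADIUS uses the shared secret. The following is an added example, written for this thread and not code from FreeRADIUS, pfSense or dd-wrt: a toy RADIUS Access-Request/Access-Accept round trip in Python (RFC 2865 password hiding and Response Authenticator, RFC 3579 Message-Authenticator). The user list, secrets and usernames are constructed sample values. When the NAS (access point) and the server hold different secrets, the server cannot verify the request's HMAC and discards it without answering, which the NAS sees as a timeout rather than as a reject.

```python
"""Toy RADIUS exchange (RFC 2865 / RFC 3579) showing why a shared-secret
mismatch between an access point and the server looks like a timeout.
Added example for illustration; not FreeRADIUS or pfSense code."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR = 1, 2, 80


def attr(atype, value):
    """Type / Length / Value encoding of one attribute (RFC 2865 s.5)."""
    assert len(value) <= 253, "attribute value too long"
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(packet):
    """Return (type, offset_of_value, value) for each attribute after the 20-byte header."""
    i, out = 20, []
    while i < len(packet):
        atype, alen = packet[i], packet[i + 1]
        if alen < 2 or i + alen > len(packet):
            raise ValueError("malformed attribute")
        out.append((atype, i + 2, packet[i + 2:i + alen]))
        i += alen
    return out


def xor_chain(data, secret, request_auth, decrypt):
    """User-Password hiding of RFC 2865 s.5.2: each 16-byte block is XORed with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        res = bytes(a ^ b for a, b in zip(block, key))
        out += res
        prev = block if decrypt else res   # chain on the ciphertext in both directions
    return out


def build_access_request(ident, secret, username, password, request_auth=None):
    """NAS side: Access-Request with a hidden password and an HMAC-MD5
    Message-Authenticator keyed with the shared secret (RFC 3579 s.3.2)."""
    request_auth = request_auth or os.urandom(16)
    padded = password + b"\x00" * (-len(password) % 16)
    attrs = attr(USER_NAME, username) + attr(USER_PASSWORD, xor_chain(padded, secret, request_auth, False))
    attrs += attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)   # zero placeholder while the HMAC is computed
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac                     # replace the placeholder with the real HMAC


def verify_message_authenticator(packet, secret):
    """Server side: recompute the HMAC with the Message-Authenticator value zeroed.
    A wrong secret or a tampered packet fails here."""
    mas = [(off, val) for t, off, val in parse_attrs(packet) if t == MESSAGE_AUTHENTICATOR]
    if len(mas) != 1 or len(mas[0][1]) != 16:
        return False
    off, val = mas[0]
    zeroed = packet[:off] + b"\x00" * 16 + packet[off + 16:]
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), val)


def radius_server(packet, secret, users):
    """Returns None when the packet is silently discarded (the NAS then reports a
    RADIUS timeout), otherwise an Access-Accept or Access-Reject."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or code != ACCESS_REQUEST or not verify_message_authenticator(packet, secret):
        return None
    request_auth = packet[4:20]
    fields = {t: v for t, _, v in parse_attrs(packet)}
    password = xor_chain(fields.get(USER_PASSWORD, b""), secret, request_auth, True).rstrip(b"\x00")
    code = ACCESS_ACCEPT if users.get(fields.get(USER_NAME)) == password else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)          # no attributes in this toy reply
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret), RFC 2865 s.3
    return header + hashlib.md5(header + request_auth + secret).digest()


def verify_response(response, request, secret):
    """NAS side: check the Response Authenticator against the request it sent."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def authenticate(nas_secret, server_secret, username, password, users):
    """One round trip between a NAS and the server; returns 'accept', 'reject' or 'timeout'."""
    req = build_access_request(7, nas_secret, username, password)
    resp = radius_server(req, server_secret, users)
    if resp is None or not verify_response(resp, req, nas_secret):
        return "timeout"
    return "accept" if resp[0] == ACCESS_ACCEPT else "reject"


if __name__ == "__main__":
    users = {b"guest": b"s3cret-pw"}   # constructed sample user list
    print(authenticate(b"same-secret", b"same-secret", b"guest", b"s3cret-pw", users))  # accept
    print(authenticate(b"same-secret", b"same-secret", b"guest", b"wrong", users))      # reject
    print(authenticate(b"ap-secret", b"typo-secret", b"guest", b"s3cret-pw", users))    # timeout
```

The third call is the situation in the thread: the AP and the server disagree on the secret, so the server never replies and the AP keeps retrying until it gives up. A wrong password, by contrast, produces an explicit Access-Reject, which is the quickest way to tell a secret mismatch from a bad credential when looking at the RADIUS server's log.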

                    Thanks for your answer, I made the test with only one AP, and use the same shared key. Do you have any experience with a configuration like this?

                    First I tried with hotspotlogin.cgi, but it showed a 500 internal server error, so I tried with hotspotlogin.php. It seems to be working, but after some time it shows the login screen again, and didn't pass the authorization to the AP.

                    My knowledge of pfSense and dd-wrt is not too much, so I'm stuck on this and don't see any solution for this configuration; any help or hint is welcome.

                    Thanks

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.