Freeradius and dd-wrt



  • Hi guys, got pfsense setup and it works great. Today I saw there was a freeradius package for pfsense so I installed it. I would like to use a wrt54g (flashed to dd-wrt micro) and authenticate to the freeradius server. So far I have tried the obvious settings but windows reports (when trying to connect to the ap) that there is an error and it couldn't get the certificate. Ideally I would like to authenticate with a webpage with a user list set up on the pfsense box. Does anyone have any idea if this is possible with my setup? Anyone have any documentation that they know of that can help me achieve this goal? Thanks



  • If you want to use a webpage to authenticate you should use the captive portal option in pfSense; however, this doesn't really offer any type of encryption on the wireless traffic. If you use the freeradius server and set up the access point to authenticate with the pfSense user list in freeradius, it will offer encryption and authentication.
    From the sound of it, you need to disable certificate verification on the client you are connecting to the access point with.
    If you are in Windows, you can go to the properties for your wireless network and go to the authentication tab. Then you can change it to Protected EAP and click on properties to disable Validate server certificate. Then click on configure for Secured password and clear the checkbox to automatically use your Windows logon. After you do that, it should prompt you for a username and password when you connect to the network.



  • As blak111 says, authenticating users via PEAP is your best option, as you can then encrypt the wireless traffic using WPA2-Enterprise on the wireless side (don't forget to tell the wireless access point the IP address of the RADIUS server, and set a suitably obscure shared secret on both ends).

    Captive portal type authentication (the web page you describe) doesn't give you wireless encryption unless you supply that 'on top' using something like WPA2-PSK. WPA2-Enterprise is greatly preferred, not least for ease of management.

    The certificate of the FreeRADIUS server won't be signed by any CA trusted by Windows - so, as blak111 says, you have to disable server certificate validation. The other alternative is to import the CA that FreeRADIUS on pfSense is using into Windows as a trusted CA, but that is far from straightforward.

    There are known problems with PEAP on Windows XP Service Pack 2 - there's a hotfix floating around somewhere, or install Service Pack 3.



  • Maybe I won't be able to do what I need to then.  I am dealing with guests of our department who cannot handle putting a wireless key into whatever operating system they are using (mainly Windows and Mac).  The thinking is that the concept of a username and password is not as foreign to these people and it may prevent some problems.  As of now the higher ups have decided that we should leave the access points completely open.  Any kind of access control is better than that.



  • PEAP doesn't need any sort of key - FreeRADIUS generates the keys.

    With PEAP you put a user name and password in, and (in Windows at least) you must select the option to disable server certificate validation (unless you're prepared to deploy the CA certificate that signed the server certificate as a trusted CA). Apart from upgrading Windows XP machines to Service Pack 3 (or installing the PEAP hotfix) if you hit problems, that should be all that's needed. The APs will be running in WPA2-Enterprise.



  • I'm trying to do something similar, using dd-wrt+chillispot:

    wan1--+--Pfsense(web+freeradius)---+--DD-WRT1(WiFi/chillispot)-----SUBNET1
    wan2--+                            +--DD-WRT2(WiFi/chillispot)-----SUBNET2
                                       +--DD-WRT3(WiFi/chillispot)-----SUBNET3
                                       +--DD-WRT4(WiFi/chillispot)-----SUBNET4

    I set up the dd-wrt chillispot service, pointing to Pfsense radius and web to https://pfsense:1254/hotspotlogin.php. It works, asks for login but never gets an answer from freeradius. For this configuration I can't use the captive portal, because users behind dd-wrt (SUBNET1 to SUBNET4) wifi AP must be isolated, so all users IN SUBNETx share the same MAC, so captive portal can't distinguish them; besides, captive portal doesn't support multi-WAN.

    Do you think this configuration is possible?

    Thanks for your comments



  • Make sure that the pre-shared keys are the same on both sides for each device that you want freeradius to work with.
    They don't have to be the same for all of the access points; however the key needs to match on both sides or the radius server will appear to time out.



  • Thanks for your answer, I made the test with only one AP, and used the same shared key. Do you have any experience with a configuration like this?

    First I tried with hotspotlogin.cgi, but it showed a 500 internal server error, so I tried with hotspotlogin.php. It seems to be working, but after some time it shows the login screen again, and didn't pass the authorization to the AP.

    My knowledge of pfSense and dd-wrt is not too much, so I'm stuck on this and don't see any solution for this configuration; any help or hint is welcome.

    Thanks

