OPNsense Forum

Archive => 23.1 Legacy Series => Topic started by: protocol6v on June 16, 2023, 05:24:21 PM

Title: 23.1.8, 23.1.9 RADIUS servers using PAP
Post by: protocol6v on June 16, 2023, 05:24:21 PM
I started having a problem since 23.1.8 (that I noticed it, believe it was working in 23.1.7), where RADIUS servers are trying to authenticate using PAP instead of MS-CHAPv2, so my IKE mobile VPNs will no longer authenticate.

I can't seem to find any documentation on forcing the authentication method like you can in PFSense for RADIUS servers. Can someone point me in the right direction here?

I've tried removing and re-adding the RADIUS servers, but they continue to all try PAP. Not sure if it matters or not, but my RADIUS servers are Windows AD NPS. Previously working, now not. Other appliances I use RADIUS on are all still working fine, but not OPN since, I believe, 23.1.8.

Please help!
Title: Re: 23.1.8, 23.1.9 RADIUS servers using PAP
Post by: mimugmail on June 16, 2023, 05:51:47 PM
opnsense-revert -r 23.1.7 freeradius3

Via CLI, does this fix it?
Title: Re: 23.1.8, 23.1.9 RADIUS servers using PAP
Post by: protocol6v on June 16, 2023, 05:55:52 PM
Thanks, but

root@firewall:~ # opnsense-revert -r 23.1.7 freeradius3
Package 'freeradius3' is not installed


Is the result. Do I need to install freeradius now for some reason?
Title: Re: 23.1.8, 23.1.9 RADIUS servers using PAP
Post by: protocol6v on June 19, 2023, 02:21:02 PM
Anybody else have any ideas here? This is a major problem for me, I use similar setups in many locations, and I now cannot upgrade any until I have a fix for this.

I'm not using Freeradius package as I am not using OPNsense as a radius server, simply as a client against an active directory NPS radius server.

Otherwise, in the meantime, is there a simple way to revert the entire release back to 23.1.7? Or is this a backup and reinstall?

Thank you for any and all assistance!
Title: Re: 23.1.8, 23.1.9 RADIUS servers using PAP
Post by: mimugmail on June 19, 2023, 02:36:41 PM
I think there was a patch added recently.
Can you revert to opnsense 23.1.7? The revert line, but opnsense instead of freeradius3.
Title: Re: 23.1.8, 23.1.9 RADIUS servers using PAP
Post by: protocol6v on June 19, 2023, 02:38:25 PM
Are you saying I should attempt an update for a new patch, and if that doesn't help, revert?

When reverting, do I need to just revert opnsense, or the kernel as well?

Thanks!
Title: Re: 23.1.8, 23.1.9 RADIUS servers using PAP
Post by: franco on June 20, 2023, 06:28:07 AM
I wouldn't try patching now as it requires a new package dependency. Wait for 23.1.10 to come out first...


Cheers,
Franco
Title: Re: 23.1.8, 23.1.9 RADIUS servers using PAP
Post by: protocol6v on June 20, 2023, 06:01:31 PM
I'll try to wait, but in the meantime, can anyone tell me how to edit the authentication "Servers" list via CLI, or what package manages these? I can't seem to find any info on how this works.

Thanks!
Title: Re: 23.1.8, 23.1.9 RADIUS servers using PAP
Post by: franco on June 21, 2023, 08:41:12 AM
There's no CLI handling of server settings itself. There's also no direct way to influence the system's authentication server being used... however, the console password recovery script resets the list to local authentication in case of a lockout.

Long story short I don't think you will find what you seek. Another way is to edit the /conf/config.xml file directly.


Cheers,
Franco
Title: Re: 23.1.8, 23.1.9 RADIUS servers using PAP
Post by: protocol6v on June 21, 2023, 03:02:09 PM
Of course, you are correct. I tried adding:

<radius_protocol>MSCHAPv2</radius_protocol>

to the authserver block, taken from a PFSense config, but it seems OPN doesn't use/respect this line.

I really hope a fix is incoming for this soon!
Title: Re: 23.1.8, 23.1.9 RADIUS servers using PAP
Post by: franco on June 21, 2023, 03:09:06 PM
It has been committed only 3 days ago. We need to respect the process a little here. ;)

https://github.com/opnsense/core/commit/58b1ec1ea6

The development version of tomorrow's 23.1.10 has this included (the "development" type, not "community").


Cheers,
Franco
Title: Re: 23.1.8, 23.1.9 RADIUS servers using PAP
Post by: protocol6v on June 21, 2023, 03:12:11 PM
Oh, I understand, and am very much OK with waiting as long as I know things are in the works. I'm also glad I discovered this where I did before updating other production systems!

Thanks for all your help!
Title: Re: 23.1.8, 23.1.9 RADIUS servers using PAP
Post by: franco on June 27, 2023, 03:04:08 PM
https://github.com/opnsense/core/commit/f1305748eecb5f1 will be in 23.1.11 tomorrow.


Cheers,
Franco
Title: Re: 23.1.8, 23.1.9 RADIUS servers using PAP
Post by: protocol6v on June 27, 2023, 03:15:45 PM
That's great news! Looking forward to upgrading and getting fixed up.

Thanks!
Title: Re: 23.1.8, 23.1.9 RADIUS servers using PAP
Post by: protocol6v on June 29, 2023, 02:53:42 PM
23.1.11 with this option did indeed fix me up. Very happy camper here. Thanks for your help!
Title: Re: 23.1.8, 23.1.9 RADIUS servers using PAP
Post by: franco on June 29, 2023, 03:06:08 PM
Nice, thanks for the feedback. :)
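
Added example (not part of the thread, and not OPNsense code): a capture-side check for the symptom described in the first post. It classifies a RADIUS Access-Request as PAP, CHAP, MS-CHAP or EAP from its attributes (RFC 2865, RFC 2548, RFC 3579), so you can confirm what the client sends before and after an upgrade. The sample packets are constructed, with zeroed authenticator and credential fields; the helper names are this example's own.

```python
import struct

USER_PASSWORD, CHAP_PASSWORD, VENDOR_SPECIFIC, EAP_MESSAGE = 2, 3, 26, 79
MICROSOFT = 311  # vendor id carrying the MS-CHAP attributes (RFC 2548)
MS_VENDOR_TYPES = {1: "MS-CHAPv1", 25: "MS-CHAPv2"}  # MS-CHAP-Response, MS-CHAP2-Response

def tlvs(buf):
    """Yield (type, value) pairs from a run of type/length/value attributes."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf) or buf[pos + 1] < 2 or pos + buf[pos + 1] > len(buf):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield buf[pos], buf[pos + 2:pos + buf[pos + 1]]
        pos += buf[pos + 1]

def auth_methods(packet):
    """Return the sorted authentication methods present in an Access-Request."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Request")
    found = set()
    for atype, value in tlvs(packet[20:length]):
        if atype == USER_PASSWORD:
            found.add("PAP")
        elif atype == CHAP_PASSWORD:
            found.add("CHAP")
        elif atype == EAP_MESSAGE:
            found.add("EAP")
        elif atype == VENDOR_SPECIFIC and len(value) > 4:
            if struct.unpack("!I", value[:4])[0] == MICROSOFT:
                for vtype, _data in tlvs(value[4:]):
                    if vtype in MS_VENDOR_TYPES:
                        found.add(MS_VENDOR_TYPES[vtype])
    return sorted(found)

# Constructed sample packets: User-Name "alice", all secrets zeroed.
def request(attrs):
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(16) + body

def ms_vsa(vtype, data):
    return struct.pack("!IBB", MICROSOFT, vtype, len(data) + 2) + data

PAP_SAMPLE = request([(1, b"alice"), (USER_PASSWORD, bytes(16))])
MSCHAP2_SAMPLE = request([(1, b"alice"), (VENDOR_SPECIFIC, ms_vsa(11, bytes(16))),
                          (VENDOR_SPECIFIC, ms_vsa(25, bytes(50)))])

if __name__ == "__main__":
    print(auth_methods(PAP_SAMPLE), auth_methods(MSCHAP2_SAMPLE))
```

Feed `auth_methods` the UDP payload of requests captured between the firewall and the RADIUS server; a result of `['PAP']` where the server policy expects MS-CHAPv2 matches the failure reported in this thread.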