My RADIUS is still working with this AP, but I don't see where to set this option in OPNsense. Any ideas?
Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Error: Please set "require_message_authenticator = true" for client AP1
Error: It looks like the client has been updated to protect from the BlastRADIUS attack.
Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Error: Setting "require_message_authenticator = true" for client AP1
Error: BlastRADIUS check: Received packet with Message-Authenticator.
Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
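The notices above are what FreeRADIUS writes once per client while it auto-detects BlastRADIUS posture, so the quickest way to see which clients are still being accepted without a Message-Authenticator is to triage the log. The following is an added example written for this thread, not code from the OPNsense plugin or from FreeRADIUS; it matches the message wording quoted in this thread, and the sample log lines are constructed from those quotes.

```python
import re
from collections import defaultdict

# Patterns for the BlastRADIUS notices FreeRADIUS writes when a client's
# require_message_authenticator / limit_proxy_state were not set explicitly
# (wording as quoted in this thread).
SETTING_RE = re.compile(
    r'Setting "(?P<key>require_message_authenticator|limit_proxy_state)'
    r' = (?P<value>true|false)" for client (?P<client>\S+)'
)
UPGRADE_RE = re.compile(
    r'Once the client is upgraded, set "require_message_authenticator = true"'
    r' for client (?P<client>\S+)'
)


def summarize_blastradius_log(lines):
    """Return {client: {"require_message_authenticator": bool|None,
                        "limit_proxy_state": bool|None,
                        "needs_upgrade": bool}} from FreeRADIUS log lines."""
    clients = defaultdict(lambda: {
        "require_message_authenticator": None,
        "limit_proxy_state": None,
        "needs_upgrade": False,
    })
    for line in lines:
        m = SETTING_RE.search(line)
        if m:
            clients[m["client"]][m["key"]] = (m["value"] == "true")
            continue
        m = UPGRADE_RE.search(line)
        if m:
            clients[m["client"]]["needs_upgrade"] = True
    return dict(clients)


def clients_still_exposed(summary):
    """Clients the server is still accepting without a Message-Authenticator."""
    return sorted(
        name for name, state in summary.items()
        if state["needs_upgrade"] or state["require_message_authenticator"] is False
    )


# Constructed sample, modelled on the log excerpts quoted in this thread.
SAMPLE_LOG = [
    'Error: Setting "require_message_authenticator = true" for client AP1',
    'Error: BlastRADIUS check: Received packet with Message-Authenticator.',
    'Error: Once the client is upgraded, set "require_message_authenticator = true" for client OPNsense',
    'Error: Setting "limit_proxy_state = true" for client OPNsense',
    'Error: BlastRADIUS check: Received packet without Proxy-State.',
    'Error: Setting "require_message_authenticator = false" for client OPNsense',
    'Error: BlastRADIUS check: Received packet without Message-Authenticator.',
]

if __name__ == "__main__":
    summary = summarize_blastradius_log(SAMPLE_LOG)
    for name, state in sorted(summary.items()):
        print(name, state)
    print("still exposed:", clients_still_exposed(summary))
```

Feed it the relevant lines from the FreeRADIUS log (on OPNsense, the radiusd entries in the system log) and the "still exposed" list is the set of clients you either need to upgrade or to tick the new option for.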
I'm receiving the same error in FreeRADIUS. How can we set this option? Why are there no advanced options in the OPNsense FreeRADIUS package?
Because general development policy is not to offer free form text fields for advanced options but to integrate each necessary option individually. Pull requests welcome ;)
I'll probably look into it later today although I do not have a test environment - so your help in review of the patch would be needed.
Sure, let me know how I can help. FWIW, this option is a dropdown box (not a free form text field) in the pfsense freeradius package.
Do you know how to manually apply patches? Please evaluate these:
https://github.com/punktDeForks/opnsense-plugins/commit/56cc9312f184a60e8b0916cffc1e204f3dd225f3
Thanks!
Patrick
I don't. Is there an official guide for manually applying patches that I can follow?
Is this the correct command?
opnsense-patch -a punktDeForks -c plugins a1f6543
EDIT: Looks like it's downloading from the incorrect URL:
root@OPNsense:~ # opnsense-patch -a punktDeForks -c plugins a1f6543
fetch: https://github.com/punktDeForks/plugins/commit/a1f6543.patch: Not Found
How do I change the path to "opnsense-plugins" instead?
Sorry, I don't know that one with the plugin repo for sure. The repo is used to build the plugins, I doubt you can live patch a running installation with opnsense-patch directly from it.
With "manual" I meant download the diffs and apply them locally. But to make this easier:
cp /usr/local/opnsense/service/templates/OPNsense/Freeradius/clients.conf /usr/local/opnsense/service/templates/OPNsense/Freeradius/clients.conf.bak
fetch -o /usr/local/opnsense/service/templates/OPNsense/Freeradius/clients.conf https://raw.githubusercontent.com/punktDeForks/opnsense-plugins/56cc9312f184a60e8b0916cffc1e204f3dd225f3/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/clients.conf
cp /usr/local/opnsense/mvc/app/models/OPNsense/Freeradius/Client.xml /usr/local/opnsense/mvc/app/models/OPNsense/Freeradius/Client.xml.bak
fetch -o /usr/local/opnsense/mvc/app/models/OPNsense/Freeradius/Client.xml https://raw.githubusercontent.com/punktDeForks/opnsense-plugins/56cc9312f184a60e8b0916cffc1e204f3dd225f3/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Client.xml
cp /usr/local/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSClient.xml /usr/local/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSClient.xml.bak
fetch -o /usr/local/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSClient.xml https://raw.githubusercontent.com/punktDeForks/opnsense-plugins/56cc9312f184a60e8b0916cffc1e204f3dd225f3/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSClient.xml
@franco could you help, please? Can one apply this set of patches with opnsense-patch? If yes, how exactly?
https://github.com/punktDeForks/opnsense-plugins/commit/56cc9312f184a60e8b0916cffc1e204f3dd225f3
Ok, I just applied the patch manually and ticked the require message authenticator box for my AP clients. Let me monitor the freeradius logs and get back to you.
@kevindd992002 - so? :)
Looks good, although I noticed that the OPNsense firewall itself is not "upgraded" as a RADIUS client:
Quote
2024-10-18T15:31:25 Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
2024-10-18T15:31:25 Error: Once the client is upgraded, set "require_message_authenticator = true" for client OPNsense
2024-10-18T15:31:25 Error: UPGRADE THE CLIENT AS YOUR NETWORK MAY BE VULNERABLE TO THE BLASTRADIUS ATTACK.
2024-10-18T15:31:25 Error: The packet does not contain Message-Authenticator, which is a security issue.
2024-10-18T15:31:25 Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
2024-10-18T15:31:25 Error: Setting "limit_proxy_state = true" for client OPNsense
2024-10-18T15:31:25 Error: BlastRADIUS check: Received packet without Proxy-State.
2024-10-18T15:31:25 Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
2024-10-18T15:31:25 Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
2024-10-18T15:31:25 Error: Once the client is upgraded, set "require_message_authenticator = true" for client OPNsense
2024-10-18T15:31:25 Error: UPGRADE THE CLIENT AS YOUR NETWORK IS VULNERABLE TO THE BLASTRADIUS ATTACK.
2024-10-18T15:31:25 Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
2024-10-18T15:31:25 Error: Setting "require_message_authenticator = false" for client OPNsense
2024-10-18T15:31:25 Error: BlastRADIUS check: Received packet without Message-Authenticator.
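The two notices in that log, "packet does not contain Message-Authenticator" and "Received packet without Proxy-State", are the two things the server inspects per request, and `require_message_authenticator` / `limit_proxy_state` decide what happens when they are missing. The following is an added example, not code from this thread, from the OPNsense plugin or from FreeRADIUS: it parses a RADIUS Access-Request, verifies the Message-Authenticator as RFC 2869 defines it (HMAC-MD5 over the packet with the attribute value zeroed, keyed with the shared secret), notes whether Proxy-State is present, and applies a simplified model of the two clients.conf knobs. The accept/reject model in `accepted_under_policy` is my reading of the documented behaviour, the shared secret and packets are constructed, and the builder exists only so the check can be exercised offline.

```python
import hashlib
import hmac
import os
import struct

# RADIUS attribute types (RFC 2865 / RFC 2869).
USER_NAME = 1
PROXY_STATE = 33
MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # code, identifier, length, 16-byte Request Authenticator


def parse_attributes(packet):
    """Yield (type, value, value_offset) for every attribute after the header."""
    pos = HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("bad attribute length")
        yield attr_type, packet[pos + 2:pos + attr_len], pos + 2
        pos += attr_len


def inspect_request(packet, secret):
    """Report what the two BlastRADIUS checks look at in an Access-Request."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    report = {
        "has_message_authenticator": False,
        "message_authenticator_valid": False,
        "has_proxy_state": False,
    }
    for attr_type, value, off in parse_attributes(packet):
        if attr_type == PROXY_STATE:
            report["has_proxy_state"] = True
        elif attr_type == MESSAGE_AUTHENTICATOR and len(value) == 16:
            report["has_message_authenticator"] = True
            # RFC 2869: HMAC-MD5 over the whole packet with the 16-byte
            # Message-Authenticator value zeroed, keyed with the shared secret.
            zeroed = packet[:off] + b"\x00" * 16 + packet[off + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            report["message_authenticator_valid"] = hmac.compare_digest(expected, value)
    return report


def accepted_under_policy(report, require_message_authenticator, limit_proxy_state):
    """Simplified model (assumption) of the decision the two clients.conf knobs control."""
    if require_message_authenticator:
        # Hardened mode: every request must carry a valid Message-Authenticator.
        return report["has_message_authenticator"] and report["message_authenticator_valid"]
    if report["has_message_authenticator"] and not report["message_authenticator_valid"]:
        return False  # present but wrong is never acceptable
    if limit_proxy_state and report["has_proxy_state"] and not report["has_message_authenticator"]:
        return False  # Proxy-State without Message-Authenticator is refused
    return True  # legacy client tolerated, which is the state the log complains about


def build_access_request(secret, username, with_message_authenticator=True, with_proxy_state=False):
    """Constructed Access-Request (code 1) used only to exercise the checks above."""
    attrs = bytes([USER_NAME, 2 + len(username)]) + username
    if with_proxy_state:
        attrs += bytes([PROXY_STATE, 4]) + b"\x00\x01"
    if with_message_authenticator:
        attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + b"\x00" * 16
    packet = struct.pack("!BBH", 1, 7, HEADER_LEN + len(attrs)) + os.urandom(16) + attrs
    if with_message_authenticator:
        mac = hmac.new(secret, packet, hashlib.md5).digest()
        packet = packet[:-16] + mac  # Message-Authenticator is the last attribute
    return packet


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed, not a real secret
    for label, pkt in [
        ("modern client", build_access_request(secret, b"alice")),
        ("legacy client", build_access_request(secret, b"alice", with_message_authenticator=False)),
    ]:
        report = inspect_request(pkt, secret)
        print(label, report, "accepted:", accepted_under_policy(report, True, True))
```

Run against a packet captured from the OPNsense box itself and `inspect_request` returns `has_message_authenticator: False`, which is exactly why FreeRADIUS has to fall back to `require_message_authenticator = false` for that client until the client side is fixed.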
OK. I'll submit this change as a pull request and then look after OPNsense as a client.
Thanks for testing.
Thanks for the help!
Sent from my SM-S916B using Tapatalk
No way I am implementing that myself - sorry. I opened a feature request instead.
https://github.com/opnsense/core/issues/7983
Updated with your code, Patrick, and then enabled the option in the client section for my APs; no more error/warning, and devices can still connect correctly.
Thanks for the fix/update.
Hopefully @Franco can merge it in the next release.
Quote from: Patrick M. Hausen on October 17, 2024, 08:53:55 AM
Sorry, I don't know that one with the plugin repo for sure. The repo is used to build the plugins, I doubt you can live patch a running installation with opnsense-patch directly from it.
With "manual" I meant download the diffs and apply them locally. But to make this easier:
cp /usr/local/opnsense/service/templates/OPNsense/Freeradius/clients.conf /usr/local/opnsense/service/templates/OPNsense/Freeradius/clients.conf.bak
fetch -o /usr/local/opnsense/service/templates/OPNsense/Freeradius/clients.conf https://raw.githubusercontent.com/punktDeForks/opnsense-plugins/56cc9312f184a60e8b0916cffc1e204f3dd225f3/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/clients.conf
cp /usr/local/opnsense/mvc/app/models/OPNsense/Freeradius/Client.xml /usr/local/opnsense/mvc/app/models/OPNsense/Freeradius/Client.xml.bak
fetch -o /usr/local/opnsense/mvc/app/models/OPNsense/Freeradius/Client.xml https://raw.githubusercontent.com/punktDeForks/opnsense-plugins/56cc9312f184a60e8b0916cffc1e204f3dd225f3/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Client.xml
cp /usr/local/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSClient.xml /usr/local/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSClient.xml.bak
fetch -o /usr/local/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSClient.xml https://raw.githubusercontent.com/punktDeForks/opnsense-plugins/56cc9312f184a60e8b0916cffc1e204f3dd225f3/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSClient.xml
@franco could you help, please? Can one apply this set of patches with opnsense-patch? If yes, how exactly?
https://github.com/punktDeForks/opnsense-plugins/commit/56cc9312f184a60e8b0916cffc1e204f3dd225f3
It's merged already. Unfortunately I do not understand the code well enough to implement the client side with OPNsense as a RADIUS client. That's why I created that feature request instead.
Our VPN IPSec service just broke today at 16:00 CEST due to Microsoft requiring the config change.
"RequireMsgAuth and/or limitProxyState configuration is in Disable mode. These settings should be configured in Enable mode for security purposes. See https://support.microsoft.com/help/5040268 to learn more."
So enabling the requirement to send RequireMsgAuth breaks the OPNsense client; disabling it on the Windows Server NPS gives the above error message.
I think a quick patch is required here!
@rainerle
Please add your situation to this issue in github, then. It's not guaranteed Franco or any other Deciso developer will take notice of this thread.
https://github.com/opnsense/core/issues/7983
Thanks!
Patrick
Looks like I did not respond here...
Quote from: kevindd992002 on October 17, 2024, 08:14:34 AM
root@OPNsense:~ # opnsense-patch -a punktDeForks -c plugins a1f6543
fetch: https://github.com/punktDeForks/plugins/commit/a1f6543.patch: Not Found
How do I change the path to "opnsense-plugins" instead?
Since the repo is called "opnsense-plugins", just give it on the command line...
# opnsense-patch -a punktDeForks -c plugins -r opnsense-plugins a1f6543
However, there are a few bugs that I have to address for separate accounts and alternative repository names that don't match our defaults.
Cheers,
Franco
Quote from: franco on December 06, 2024, 08:51:40 AM
Looks like I did not respond here...
Quote from: kevindd992002 on October 17, 2024, 08:14:34 AM
root@OPNsense:~ # opnsense-patch -a punktDeForks -c plugins a1f6543
fetch: https://github.com/punktDeForks/plugins/commit/a1f6543.patch: Not Found
How do I change the path to "opnsense-plugins" instead?
Since the repo is called "opnsense-plugins", just give it on the command line...
# opnsense-patch -a punktDeForks -c plugins -r opnsense-plugins a1f6543
However, there are a few bugs that I have to address for separate accounts and alternative repository names that don't match our defaults.
Cheers,
Franco
Got it. So don't use that method for now?
Sent from my SM-S916B using Tapatalk
> Got it. So don't use that method for now?
You can use it correctly with the proper command line switches. It's just the shortcuts that don't work very well. Remember, the scope for opnsense-patch is OPNsense@GitHub where everything works.
Cheers,
Franco
@rainerle implemented in 25.1.5:
https://github.com/opnsense/core/issues/7983