OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: jcsarner on January 22, 2019, 12:46:23 am

Title: Enhancement: RADIUS EAP-TLS only configuration f/Wifi
Post by: jcsarner on January 22, 2019, 12:46:23 am
Greetings,

I am wondering if it would be possible to add in options to the FreeRADIUS web administration to permit *only* EAP-TLS (and not EAP-TTLS), and exclude other insecure authentication methods, such as MD5, PAP, CHAP, etc.  I am looking to use the OPNsense freeradius server for Wifi and deploy WPA2 Enterprise with server/client certificates used to authenticate and associate.  When I manually edit the required configuration files used by freeradius, it is not working correctly for me so far, but I'm continuing to experiment.

It would be a cleaner approach if we could enhance the web administration fields, and have the option to selectively include/exclude options, such as CHAP, MSCHAPv2, MD5, EAP-TTLS, EAP-TLS, etc.  Ultimately, I would like to only use EAP-TLS and exclude all others.  Is this something that is a possibility?  I'd also be happy to help test this out if anyone gives this a go.

Thank you in advance!
Jason
Title: Re: Enhancement: RADIUS EAP-TLS only configuration f/Wifi
Post by: mimugmail on January 22, 2019, 06:05:57 am
If you don't add users you can't use these mechanisms, or where exactly is the problem?
Title: Re: Enhancement: RADIUS EAP-TLS only configuration f/Wifi
Post by: jcsarner on January 24, 2019, 04:59:21 am
Hi,

Thanks for your reply.  I currently have users enabled in the Freeradius configuration, along with TTLS, using my own Certs that I created for Wifi and this is working for me, but I would like to strengthen the configuration so as to remove the requirement of a user to login using username/password, and only use certificates issued to clients instead.

The issue I'm having is that I would like to modify the Web Admin to include or exclude certain Freeradius configurations, which is not possible currently.  Ideally, the web admin could mimic the various configuration files found in /usr/local/etc/raddb (/mods-available, /sites-available, etc).  I have tried editing the various configuration files by hand, but have not achieved using EAP-TLS with certificates only yet.  I am hoping perhaps some enhancements could be made instead to give more granularity over Freeradius.

For example:
 - Only use EAP-TLS and required certs (which would not require a password), and no other type (such as TTLS, etc).
 - Disable PAP or any other unwanted/unused authentication protocol
Give access to modify /usr/local/etc/raddb/mods-available/eap with various options, including:
 - Ability to set cipher_list = "HIGH" or even specify the cipher list
 - Ability to set check_crl = "yes"
 - Ability to set ecdh_curve = "secp384r1"
Give access to modify /usr/local/etc/raddb/sites-available/default and inner-tunnel with:
 - Disable CHAP/MSCHAP (again, in support of EAP-TLS only in my case)

I hope this makes sense and thank you in advance.
-Jason
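The EAP-TLS-only configuration the post above asks for, written out as an added example (it is not the plugin's template and not something either poster provided); it assumes a FreeRADIUS 3.0.x raddb layout and uses placeholder certificate paths and key password:

```conf
# mods-available/eap restricted to EAP-TLS with the hardening settings from the post.
# Paths and the private key password are placeholders; adjust to the certificates in use.
eap {
    default_eap_type = tls
    timer_expire = 60
    ignore_unknown_eap_types = no
    max_sessions = ${max_requests}

    tls-config tls-common {
        private_key_password = "CHANGE_ME"          # placeholder
        private_key_file = ${certdir}/server.key    # placeholder path
        certificate_file = ${certdir}/server.crt    # placeholder path
        ca_file = ${cadir}/ca.crt                   # placeholder path: the CA that issued client certs
        ca_path = ${cadir}                          # CRLs are looked up here by hashed name (c_rehash)
        dh_file = ${certdir}/dh
        cipher_list = "HIGH"
        cipher_server_preference = yes
        ecdh_curve = "secp384r1"
        check_crl = yes            # if no CRL is present in ca_path, every client is rejected
        tls_min_version = "1.2"    # newer 3.0.x; older 3.0 releases use disable_tlsv1 / disable_tlsv1_1
        fragment_size = 1024
    }

    # Only the tls method is defined. Without md5, ttls, peap or mschapv2 sub-sections,
    # a supplicant that NAKs to any other EAP type gets an Access-Reject, and the
    # inner-tunnel virtual server is never reached because nothing tunnels into it.
    tls {
        tls = tls-common
    }
}

# sites-available/default: keep only eap in authorize and authenticate so the
# pap, chap and mschap modules are never consulted for Wifi clients.
authorize {
    preprocess
    eap {
        ok = return
    }
}

authenticate {
    eap
}
```

Before reloading, `radiusd -XC` checks the syntax, and `radiusd -X` in the foreground shows which EAP type each client negotiates and why a certificate is rejected.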
Title: Re: Enhancement: RADIUS EAP-TLS only configuration f/Wifi
Post by: mimugmail on January 24, 2019, 07:52:15 am
You can have a look here to see how it works:

https://github.com/opnsense/plugins/blob/master/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap

As far as I can see crl is enabled when you set one, so this should be fine.
I built the plugin to make it compatible by default for every need. With this as default it's a bit hard to template stuff like disabling specific features. I can try when I find time .. or .. you can try to read into the language and we do it together. It's not hard to edit plugins:
https://www.routerperformance.net/opnsense/plugin-development/enhancing-opnsense-plugins-by-example-pt-1/

cipher_list and curve are easy, if you want to give it a shot I'd be happy to help. Every new contributor is very welcome :)