OPNsense Forum

Archive => 21.1 Legacy Series => Topic started by: spi39492 on February 03, 2021, 04:33:41 pm

Title: freeradius - plain authentication and EAP-TTLS for different users
Post by: spi39492 on February 03, 2021, 04:33:41 pm
I'm on 21.1 with os-freeradius 1.9.9. OPNsense serves as a radius server on one internal interface.

Plain radius authentication against OPNsense works, tested with the tool radtest from a Linux node.
EAP-TTLS is configured with self-signed certificates and also works. Tested from same Linux node with the tool eapol_test. Access requests with certificates revoked by a CRL are successfully rejected. So that works too.

My issue though might be a misunderstanding, but I need the users to receive framed-ip and vlan id.

So if I define a user with password, framed-ip and vlan id and do a plain radius authentication with radtest I do get the right framed-ip and vlan id from freeradius.

If I do the same with EAP-TTLS I do get a framed-ip but the vlan is either not correct or somehow scrambled. I expect 1010 as a vlan ID but get 31303130 - it is surrounded by "3". The Mikrotik VLAN ID is scrambled altogether.

The next issue I am having is that I need some users to be able to do just plain radius authentication via an authenticator with username/password. And I need other users doing certificate based authentication. Both groups of users need framed-ip and vlan id to be assigned. If I set up a new user for EAP-TTLS I also need to set their password (the freeradius users form requires it). But then that user could do plain authentication as well which they mustn't. The only workaround so far is to use a long complex password but that doesn't seem to be the right approach.

So somehow I miss a configuration option like a checkbox in user details what authentication methods a user might use. Or is there anything else I could use instead?

There is also an option "Check TLS Common-Name" in EAP options to check the CN against the username. Is there some way to check the CN against a user defined in the user list? I'd like to get the access request rejected as long as there is no user defined in the user list or the user is disabled.
Title: Re: freeradius - plain authentication and EAP-TTLS for different users
Post by: mimugmail on February 03, 2021, 08:55:10 pm
Can you check the users file about the vlan ist contents?
Title: Re: freeradius - plain authentication and EAP-TTLS for different users
Post by: spi39492 on February 03, 2021, 09:12:40 pm
Quote from: mimugmail on February 03, 2021, 08:55:10 pm
Can you check the users file about the vlan ist contents?

This one?

Code:
cat /usr/local/opnsense/service/templates/OPNsense/Freeradius/users

Code:
{% if helpers.exists('OPNsense.freeradius.general.enabled') and OPNsense.freeradius.general.enabled == '1' %}
{%   if helpers.exists('OPNsense.freeradius.user.users.user') %}
{%     for user_list in helpers.toList('OPNsense.freeradius.user.users.user') %}
{%       if user_list.enabled == '1' %}

{{ user_list.username }}  Cleartext-Password := "{{ user_list.password }}"{% if helpers.exists('OPNsense.freeradius.general.sessionlimit') and OPNsense.freeradius.general.sessionlimit == '1' %}{% if user_list.sessionlimit_max_session_limit is defined %}, Max-Daily-Session := {{ user_list.sessionlimit_max_session_limit }}{% endif %}{% endif %}{% if user_list.simuse is defined %}, Simultaneous-Use := "{{ user_list.simuse }}"{% endif %}{% if user_list.logintime is defined %}, Login-Time := "{{ user_list.logintime }}"{% endif %}

{%       if user_list.ip is defined %}
       Framed-IP-Address = {{ user_list.ip }},
{%       endif %}
{%       if user_list.subnet is defined %}
       Framed-IP-Netmask = {{ user_list.subnet }},
{%       endif %}
{%       if user_list.route is defined %}
{%         for network in user_list.route.split(',') %}
       Framed-Route += "{{ network }}",
{%         endfor %}
{%       endif %}
{%       if user_list.ip6 is defined %}
       Framed-IPv6-Address = {{ user_list.ip6 }},
{%       endif %}
{%       if user_list.servicetype is defined %}
{%         for servicelist in user_list.servicetype.split(',') %}
       Service-Type = {{ servicelist }},
{%         endfor %}
{%       endif %}
{%       if helpers.exists('OPNsense.freeradius.general.vlanassign') and OPNsense.freeradius.general.vlanassign == '1' %}
{%         if user_list.vlan is defined %}
       Tunnel-Type = VLAN,
       Tunnel-Medium-Type = IEEE-802,
       Tunnel-Private-Group-Id = {{ user_list.vlan }},
{%         endif %}
{%       endif %}
{%       if helpers.exists('OPNsense.freeradius.general.wispr') and OPNsense.freeradius.general.wispr == '1' %}
{%         if user_list.wispr_bw_min_up is defined %}
       WISPr-Bandwidth-Min-Up = {{ user_list.wispr_bw_min_up }},
{%         endif %}
{%         if user_list.wispr_bw_max_up is defined %}
       WISPr-Bandwidth-Max-Up = {{ user_list.wispr_bw_max_up }},
{%         endif %}
{%         if user_list.wispr_bw_min_down is defined %}
       WISPr-Bandwidth-Min-Down = {{ user_list.wispr_bw_min_down }},
{%         endif %}
{%         if user_list.wispr_bw_max_down is defined %}
       WISPr-Bandwidth-Max-Down = {{ user_list.wispr_bw_max_down }},
{%         endif %}
{%       endif %}
{%       if helpers.exists('OPNsense.freeradius.general.chillispot') and OPNsense.freeradius.general.chillispot == '1' %}
{%         if user_list.chillispot_bw_max_up is defined %}
       ChilliSpot-Bandwidth-Max-Up = {{ user_list.chillispot_bw_max_up }},
{%         endif %}
{%         if user_list.chillispot_bw_max_down is defined %}
       ChilliSpot-Bandwidth-Max-Down = {{ user_list.chillispot_bw_max_down }},
{%         endif %}
{%       endif %}
{%       if helpers.exists('OPNsense.freeradius.general.mikrotik') and OPNsense.freeradius.general.mikrotik == '1' %}
{%         if user_list.mikrotik_vlan_id_number is defined %}
       Mikrotik-Wireless-VLANID = {{ user_list.mikrotik_vlan_id_number }},
{%         endif %}
{%         if user_list.mikrotik_vlan_id_type is defined %}
       Mikrotik-Wireless-VLANID-Type = {{ user_list.mikrotik_vlan_id_type }},
{%         endif %}
{%       endif %}
{%       if user_list.linkedAVPair|default("") != "" %}
{%         for avlist in user_list.linkedAVPair.split(",") %}
{%           set avlistdetail = helpers.getUUID(avlist) %}
{%           if avlistdetail != {} and avlistdetail.enabled == '1' %}
       {{ avlistdetail.name }} {{ avlistdetail.operator }} {{ avlistdetail.value }},
{%           endif %}
{%         endfor %}
{%       endif %}
       Framed-Protocol = PPP

{%       endif %}
{%     endfor %}
{%   endif %}

DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "CSLIP"
        Framed-Protocol = SLIP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "SLIP"
        Framed-Protocol = SLIP
{% endif %}


Or that one?

Code:
cat /usr/local/etc/raddb/users

Code:
bob  Cleartext-Password := "bob"
       Framed-IP-Address = 1.2.3.4,
       Tunnel-Type = VLAN,
       Tunnel-Medium-Type = IEEE-802,
       Tunnel-Private-Group-Id = 200,
       Mikrotik-Wireless-VLANID = 200,
       Framed-Protocol = PPP


xxx1@xxx.yyy.zzz  Cleartext-Password := "xxx"
       Framed-IP-Address = 9.9.9.9,
       Tunnel-Type = VLAN,
       Tunnel-Medium-Type = IEEE-802,
       Tunnel-Private-Group-Id = 255,
       Mikrotik-Wireless-VLANID = 255,
       Framed-Protocol = PPP


xxx2@xxx.yyy.zzz  Cleartext-Password := "xxx"
       Framed-IP-Address = 10.10.10.10,
       Tunnel-Type = VLAN,
       Tunnel-Medium-Type = IEEE-802,
       Tunnel-Private-Group-Id = 2121,
       Mikrotik-Wireless-VLANID = 2121,
       Framed-Protocol = PPP


xxx3@xxx.yyy.zzz  Cleartext-Password := "xxx"
       Framed-IP-Address = 111.111.111.111,
       Tunnel-Type = VLAN,
       Tunnel-Medium-Type = IEEE-802,
       Tunnel-Private-Group-Id = 111,
       Mikrotik-Wireless-VLANID = 111,
       Framed-Protocol = PPP


lan  Cleartext-Password := "lan"
       Tunnel-Type = VLAN,
       Tunnel-Medium-Type = IEEE-802,
       Tunnel-Private-Group-Id = 50,
       Framed-Protocol = PPP


DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "CSLIP"
        Framed-Protocol = SLIP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "SLIP"
        Framed-Protocol = SLIP

The ones ...@xxx... are the ones I use EAP-TTLS with.
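An added example, not OPNsense or FreeRADIUS code: a small parser for entries in the raddb users file format listed above, plus an audit that reports each entry's VLAN id, how that id looks once encoded as a RADIUS string attribute (Tunnel-Private-Group-Id is a string per RFC 2868, so the VLAN 1010 travels as the ASCII bytes of the digits, whose hex is 31303130, matching the "surrounded by 3" value reported in the first post), and whether the entry carries a Cleartext-Password and would therefore also accept a plain, non-EAP login. The SAMPLE_USERS input is constructed, modelled on the listing above; the function and field names are this example's own.

```python
"""Parse FreeRADIUS 'users' file entries and audit their VLAN reply items.
Added example; not OPNsense or FreeRADIUS code."""
import re

# Constructed sample, modelled on the /usr/local/etc/raddb/users listing.
SAMPLE_USERS = """\
bob  Cleartext-Password := "bob"
       Framed-IP-Address = 1.2.3.4,
       Tunnel-Type = VLAN,
       Tunnel-Medium-Type = IEEE-802,
       Tunnel-Private-Group-Id = 1010,
       Mikrotik-Wireless-VLANID = 1010,
       Framed-Protocol = PPP

lan  Cleartext-Password := "lan"
       Tunnel-Type = VLAN,
       Tunnel-Medium-Type = IEEE-802,
       Tunnel-Private-Group-Id = 50,
       Framed-Protocol = PPP

DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP
"""

# One "Attribute op value" item; values are either double-quoted or run to the next comma.
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(:=|==|=|\+=|!=)\s*("([^"]*)"|[^,]+)\s*,?')


def parse_items(text):
    """Split 'Attr op value, Attr op value' into (attr, op, value) tuples."""
    items = []
    for m in ITEM_RE.finditer(text):
        attr, op, raw, quoted = m.groups()
        value = quoted if quoted is not None else raw.strip()
        items.append((attr, op, value))
    return items


def parse_users(text):
    """Return a list of entries: {'name', 'check' items, 'reply' items}.

    A line starting in column 0 opens an entry (name followed by check items);
    indented lines are that entry's reply items; blank lines are ignored."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            parts = line.split(None, 1)
            entries.append({'name': parts[0],
                            'check': parse_items(parts[1]) if len(parts) > 1 else [],
                            'reply': []})
        elif entries:
            entries[-1]['reply'].extend(parse_items(line))
    return entries


def vlan_wire_encoding(value, tag=None):
    """Tunnel-Private-Group-Id is a string attribute (RFC 2868): the VLAN id is
    sent as the ASCII bytes of its decimal digits, optionally preceded by a
    one-byte tag. Return the hex a packet decoder would display."""
    data = str(value).encode('ascii')
    if tag is not None:
        data = bytes([tag]) + data
    return data.hex()


def decode_vlan(hexstr):
    """Inverse of vlan_wire_encoding: recover the VLAN id from decoder hex.
    RFC 2868 says a leading byte of 0x00-0x1f is a tag, not part of the value."""
    data = bytes.fromhex(hexstr)
    if data and data[0] <= 0x1f:
        data = data[1:]
    return data.decode('ascii')


def audit(entries):
    """Per named entry: configured VLAN id, its wire hex, and whether a
    Cleartext-Password check item means a plain (non-EAP) login would work."""
    report = {}
    for e in entries:
        if e['name'] == 'DEFAULT':
            continue
        vlan = next((v for a, _, v in e['reply'] if a == 'Tunnel-Private-Group-Id'), None)
        has_pw = any(item[0] == 'Cleartext-Password' for item in e['check'])
        report[e['name']] = {
            'vlan': vlan,
            'vlan_hex': vlan_wire_encoding(vlan) if vlan else None,
            'plain_login_possible': has_pw,
        }
    return report


if __name__ == "__main__":
    for name, info in audit(parse_users(SAMPLE_USERS)).items():
        print(f"{name}: vlan={info['vlan']} hex={info['vlan_hex']} "
              f"plain_login_possible={info['plain_login_possible']}")
    print(decode_vlan("31303130"))  # the value from the first post, decoded
```

Running it against a real users file (read the file instead of SAMPLE_USERS) gives a quick inventory of which entries would accept a password-only login, which is the exposure the first post describes for certificate-only clients that still had to be given a password.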
Title: Re: freeradius - plain authentication and EAP-TTLS for different users
Post by: mimugmail on February 04, 2021, 06:29:20 am
OK, next 2 q:

- You have a Mikrotik WiFi solution?
- What is the use case for vlan in WiFi? Usually they are set per ssid?
Title: Re: freeradius - plain authentication and EAP-TTLS for different users
Post by: spi39492 on February 04, 2021, 09:48:07 am
Quote from: mimugmail on February 04, 2021, 06:29:20 am
OK, next 2 q:

- You have a Mikrotik WiFi solution?
- What is the use case for vlan in WiFi? Usually they are set per ssid?

Yes, I do have Mikrotik wifi - currently it is still not migrated to OPNsense as I've just recently set up OPNsense from scratch.

I use WPA2-Enterprise with one SSID, that's why I need radius. Most of my wifi clients support certificate based authentication, the others do username/password - but each client gets their own set of credentials and settings. As soon as they authenticate they get their vlan id. Mikrotik applies the vlan id to the client so based on their radius configuration each client gets connected to a different network segment.

One SSID has some benefits like better air time. And Mikrotik fully supports IPv6 with dynamic vlan assignment. Not all manufacturers support that kind of setup due to Multicast.

To sum it up - although I only use one SSID I can control network mapping based on radius.

So from an operational perspective each client needs user settings. If EAP-TTLS clients checked their CN against a configured user in the user list that would help to temporarily disable wifi connectivity for some clients, for example for maintenance.
Title: Re: freeradius - plain authentication and EAP-TTLS for different users
Post by: mimugmail on February 04, 2021, 07:48:42 pm
Thx for clarification, now I understand the use case. Did you check only setting Mikrotik Vlan? I'm not sure about the syntax templated. Do you have a Mikrotik doc link about their Radius attributes?
Title: Re: freeradius - plain authentication and EAP-TTLS for different users
Post by: spi39492 on February 05, 2021, 12:03:18 am
Quote from: mimugmail on February 04, 2021, 07:48:42 pm
Thx for clarification, now I understand the use case. Did you check only setting Mikrotik Vlan? I'm not sure about the syntax templated. Do you have a Mikrotik doc link about their Radius attributes?

No, I checked the default vlan id as well. As written it's surrounded by the number 3. So for a vlan 1010 I receive 31303130.

For Mikrotik here's a link for their radius attributes: https://wiki.mikrotik.com/wiki/Manual:RADIUS_Client/vendor_dictionary

One thing to add - plain username/password authentication returns proper vlan IDs.

Thanks for your support so far!
Title: Re: freeradius - plain authentication and EAP-TTLS for different users
Post by: spi39492 on March 25, 2021, 11:37:47 am
I moved to a separate freeradius server installation for full EAP-TLS and EAP-TTLS support with dynamic vlan assignment.