OPNsense Forum

English Forums => Development and Code Review => Topic started by: GurliGebis on January 22, 2017, 10:18:50 pm

Title: EAP-RADIUS support implemented
Post by: GurliGebis on January 22, 2017, 10:18:50 pm
Hey,

I have been playing around with a test setup of opnsense, but noticed that it is not currently possible to use EAP-RADIUS.

So, I went ahead and implemented it.
It is split across two pull requests:

https://github.com/opnsense/tools/pull/43
https://github.com/opnsense/core/pull/1342

I have tested it on my own setup, and it seems to be working just fine (Windows 10 clients connecting in).
Please note that it has been several years since I have touched anything PHP related (I moved to C#, since that is my day job).

The following text strings have been added, but I'm not sure how to add them to the gettext dictionary for translation - if someone can tell me how to do that, I'll do it and add another commit/pull request for that.

Is it possible to get it into 17.1, or are we too close to release for that?

Thanks :)

Note to self, the text strings to translate are:

"You must enter both RADIUS server and secret to use EAP-RADIUS."
"RADIUS Server"
"Input your RADIUS server IP."
"RADIUS Secret"
"Input your RADIUS secret."
Title: Re: EAP-RADIUS support implemented
Post by: GurliGebis on January 22, 2017, 10:19:09 pm
Here is a sample ipsec section from my config file:

Code:
<ipsec>
  <phase1>
    <ikeid>2</ikeid>
    <!-- EAP is only defined for IKEv2; IKEv1 would use XAuth instead -->
    <iketype>ikev2</iketype>
    <interface>wan</interface>
    <mode>main</mode>
    <protocol>inet</protocol>
    <!-- Identity the gateway presents to the clients -->
    <myid_type>user_fqdn</myid_type>
    <myid_data>@vpn.testnetwork.lan</myid_data>
    <encryption-algorithm>
      <name>aes</name>
      <keylen>256</keylen>
    </encryption-algorithm>
    <hash-algorithm>sha256</hash-algorithm>
    <!-- DH group 2 is 1024-bit MODP and is considered weak today; 14 (2048-bit) or higher is the usual choice -->
    <dhgroup>2</dhgroup>
    <lifetime>10800</lifetime>
    <!-- Server certificate used to authenticate the gateway to the clients -->
    <certref>5883810082894</certref>
    <!-- New RADIUS fields: server address and shared secret, both required for eap-radius -->
    <radius_server>172.16.150.2</radius_server>
    <radius_secret>P@ssword</radius_secret>
    <authentication_method>eap-radius</authentication_method>
    <descr>Mobile Clients</descr>
    <nat_traversal>on</nat_traversal>
    <private-key/>
    <mobile>1</mobile>
    <rekey_enable>1</rekey_enable>
  </phase1>
  <phase2>
    <ikeid>2</ikeid>
    <uniqid>588379d6daf21</uniqid>
    <mode>tunnel</mode>
    <lifetime>3600</lifetime>
    <protocol>esp</protocol>
    <!-- Local side of the tunnel: the internal LAN -->
    <localid>
      <type>network</type>
      <address>172.16.150.0</address>
      <netbits>24</netbits>
    </localid>
    <!-- Remote side is whatever address the mobile client is assigned from the pool below -->
    <remoteid>
      <type>mobile</type>
    </remoteid>
    <encryption-algorithm-option>
      <name>aes</name>
      <keylen>256</keylen>
    </encryption-algorithm-option>
    <!-- 3DES is a legacy 64-bit-block cipher; offered here only as a fallback -->
    <encryption-algorithm-option>
      <name>3des</name>
    </encryption-algorithm-option>
    <!-- HMAC-SHA1 is a legacy integrity algorithm; SHA-256 is preferred -->
    <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
    <mobile>1</mobile>
  </phase2>
  <client>
    <user_source>Local Database</user_source>
    <group_source>none</group_source>
    <!-- Address pool handed out to connected clients -->
    <pool_address>172.16.160.0</pool_address>
    <pool_netbits>24</pool_netbits>
    <dns_server1>172.16.150.2</dns_server1>
    <enable>1</enable>
  </client>
</ipsec>

The internal network is 172.16.150.0/24, and the network the clients are placed on when connected is 172.16.160.0/24.
The RADIUS server and DNS server are located on 172.16.150.2.
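As an added example (not code from the pull requests or from OPNsense itself), here is a small Python lint that reads an <ipsec> fragment like the one posted above and applies the check the new validation string describes ("You must enter both RADIUS server and secret to use EAP-RADIUS."), plus warnings for the legacy algorithm choices in the sample (DH group 2, 3DES, HMAC-SHA1). The element names are taken from the posted config; the weak-algorithm lists and the IKEv2 requirement check are assumptions of this example, not OPNsense validation rules.

```python
"""Lint an OPNsense-style <ipsec> config fragment for the EAP-RADIUS
requirements and for legacy algorithm choices.  Added example, not OPNsense code."""
import xml.etree.ElementTree as ET

# Constructed sample, trimmed from the <ipsec> section in the post above.
SAMPLE_CONFIG = """<ipsec>
  <phase1>
    <ikeid>2</ikeid>
    <iketype>ikev2</iketype>
    <hash-algorithm>sha256</hash-algorithm>
    <dhgroup>2</dhgroup>
    <radius_server>172.16.150.2</radius_server>
    <radius_secret>P@ssword</radius_secret>
    <authentication_method>eap-radius</authentication_method>
    <mobile>1</mobile>
  </phase1>
  <phase2>
    <ikeid>2</ikeid>
    <encryption-algorithm-option><name>aes</name><keylen>256</keylen></encryption-algorithm-option>
    <encryption-algorithm-option><name>3des</name></encryption-algorithm-option>
    <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
  </phase2>
</ipsec>"""

# Legacy choices to flag as warnings (assumed value names, following the posted
# config): 768/1024/1536-bit MODP DH groups, 64-bit-block ciphers, MD5/SHA-1 integrity.
WEAK_DH_GROUPS = {"1", "2", "5"}
WEAK_CIPHERS = {"des", "3des", "blowfish", "cast128"}
WEAK_HASHES = {"md5", "sha1", "hmac_md5", "hmac_sha1"}

# Validation string quoted from the post.
MSG_RADIUS_REQUIRED = "You must enter both RADIUS server and secret to use EAP-RADIUS."


def check_ipsec_config(xml_text):
    """Return a list of (severity, message) tuples; severity is 'error' or 'warn'."""
    root = ET.fromstring(xml_text)
    findings = []

    for p1 in root.findall("phase1"):
        where = f"phase1 ikeid={p1.findtext('ikeid', '?')}"
        if p1.findtext("authentication_method", "") == "eap-radius":
            # Both fields must be present and non-blank, as the new validation requires.
            server = (p1.findtext("radius_server") or "").strip()
            secret = (p1.findtext("radius_secret") or "").strip()
            if not server or not secret:
                findings.append(("error", f"{where}: {MSG_RADIUS_REQUIRED}"))
            # EAP is defined for IKEv2 only; IKEv1 would need XAuth instead (assumed check).
            if p1.findtext("iketype") != "ikev2":
                findings.append(("error", f"{where}: eap-radius requires iketype ikev2"))
        dh = p1.findtext("dhgroup")
        if dh in WEAK_DH_GROUPS:
            findings.append(("warn", f"{where}: dhgroup {dh} is a weak MODP group"))
        if p1.findtext("hash-algorithm") in WEAK_HASHES:
            findings.append(("warn", f"{where}: legacy hash {p1.findtext('hash-algorithm')}"))

    for p2 in root.findall("phase2"):
        where = f"phase2 ikeid={p2.findtext('ikeid', '?')}"
        for opt in p2.findall("encryption-algorithm-option"):
            name = opt.findtext("name", "")
            if name in WEAK_CIPHERS:
                findings.append(("warn", f"{where}: legacy cipher {name} offered"))
        for h in p2.findall("hash-algorithm-option"):
            if h.text in WEAK_HASHES:
                findings.append(("warn", f"{where}: legacy integrity algorithm {h.text} offered"))
    return findings


def errors(findings):
    """Only the blocking findings."""
    return [msg for sev, msg in findings if sev == "error"]


if __name__ == "__main__":
    for sev, msg in check_ipsec_config(SAMPLE_CONFIG):
        print(f"[{sev}] {msg}")
```

Run against the posted sample it produces no errors (server, secret and IKEv2 are all present) and three warnings, one each for DH group 2, 3DES and HMAC-SHA1; blanking the secret turns the validation string into an error.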