OPNsense Forum
Archive => 17.7 Legacy Series => Topic started by: sens_ible on October 08, 2017, 08:43:38 pm
-
I would like to manage freeradius configuration files on my computer in the office and then send it to the OPNsense appliance. In particular I want to do the user management in the office with a nice graphical user interface.
What is the most convenient way to send a new users.conf automatically (without logging into the GUI every time) to the OPNsense appliance?
Can I use ftp to place RADIUS configuration files, e.g. users.conf files on the firewall or to read it in from there? There are only 4 hits for ftp in the documentation and none of the results seems to match.
-
This won't work since it will be overwritten by the template.
User management by the plugin isn't easy enough?
-
> User management by the plugin isn't easy enough?
It is easy, but it is very time-consuming. I would prefer a solution that can handle changes automatically and does not require me to login and use the graphical user interface.
Using ftp was just a first guess ... there might be other options.
- Is there a way to login via ssh and instruct the plugin via a command line interface?
- Maybe I can change the template (and not the config file) via ftp, ssh, curl ... ?
- If it is the plugin that causes the config file to be overwritten by the template: is there an option to use freeradius without the plugin?
Any proposal is very much appreciated.
-
All freshly written plugins come with a UI and API. We make it a point to build the UI on top of that API, so you can actually automate the operation of any such plugin in any way that you deem appropriate using:
https://docs.opnsense.org/development/how-tos/api.html
Cheers,
Franco
-
Or you just install freeradius3 without the plugin and use cli only ...
-
> All freshly written plugins come with a UI and API. We make it a point to build the UI on top of that API, so you can actually automate the operation of any such plugin in any way that you deem appropriate using:
> https://docs.opnsense.org/development/how-tos/api.html
Wow, I think that is really a neat architecture. From looking at the how-to page I have got a rough idea how it works. Where would I find the documentation about a plugin's API? Or would I just go down the URL IP_addr -> /api -> /core and see what comes next?
Anyway, do not get me wrong. I think the freeradius GUI is nicely done; only when you want to enter a large batch of users it may be time consuming.
-
I just tried the API example, however, no connection seems to be allowed ...
I generated the key and the secret as described in the How-To
import requests
api_key = 'YOUR_API_KEY'        # placeholder: key generated as described in the How-To
api_secret = 'YOUR_API_SECRET'  # placeholder: secret generated as described in the How-To
url = 'https://192.168.99.100/api/core/firmware/status'
# request data
r = requests.get(url, verify=False, auth=(api_key, api_secret))
Is the "verify=False" option correct? I did it, because the How-To says:
Before you can start, make sure your OPNsense has a valid SSL certificate (or choose to ignore it for testing purposes by setting verify=False), don’t forget to verify that the selected user may access the firmware page.
Meanwhile I have configured a firewall rule for incoming https traffic on the WAN interface. I can see in the log files that the incoming traffic passes, however, the python script can still not set up a connection.
Which permissions do I have to set to allow access to the API? How can I see what is going wrong?
-
For testing verify=false is fine. Did you allow your user that has the API key to access the firmware page?
-
Use the network debug with your browser to see what's happening within the API, it's really easy:
curl -k -u "key":"secret" https://<yourip>/api/freeradius/user/searchUser
Send a POST via setUser and you should be able to add new users ...
-
With this you can add a user:
curl -XPOST -d '{"user":{"enabled":"1","username":"oink","password":"oink","description":""}}' -H "Content-Type: application/json" -k -u "key":"secret" https://<yourip>/api/freeradius/user/addUser
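As an added example (not code from the thread, the plugin or OPNsense), a small Python script that reads a users file and sends one addUser call per entry, doing with urllib what the curl statement above does. The endpoint path and the JSON body are taken from that curl line; the users file format, the key/secret values and the CA file path are assumptions, and the TLS check uses the firewall's CA certificate instead of verify=False.

```python
import base64
import json
import ssl
import urllib.request
# Endpoint from the thread's curl example; key/secret, users file and CA file are assumptions.
ADD_USER_PATH = "/api/freeradius/user/addUser"

def parse_users(text):
    """Parse constructed 'username:password[:description]' lines; '#' starts a comment."""
    users = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 2)
        if len(parts) < 2 or not parts[0] or not parts[1]:
            raise ValueError("bad user line: %r" % line)
        users.append({"username": parts[0], "password": parts[1],
                      "description": parts[2] if len(parts) == 3 else ""})
    return users

def add_user_payload(user, enabled=True):
    """Build the JSON body the thread's addUser call expects."""
    return {"user": {"enabled": "1" if enabled else "0",
                     "username": user["username"],
                     "password": user["password"],
                     "description": user.get("description", "")}}

def build_request(base_url, api_key, api_secret, payload):
    """POST with HTTP basic auth (key:secret), the same as curl -u key:secret."""
    token = base64.b64encode(f"{api_key}:{api_secret}".encode()).decode()
    req = urllib.request.Request(base_url.rstrip("/") + ADD_USER_PATH,
                                 data=json.dumps(payload).encode(), method="POST")
    req.add_header("Content-Type", "application/json")
    req.add_header("Authorization", "Basic " + token)
    return req

def add_users(base_url, api_key, api_secret, users, cafile):
    """One addUser call per user; TLS is verified against the firewall's CA, not verify=False."""
    ctx = ssl.create_default_context(cafile=cafile)
    results = {}
    for user in users:
        req = build_request(base_url, api_key, api_secret, add_user_payload(user))
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            results[user["username"]] = json.loads(resp.read().decode())
    return results

if __name__ == "__main__":
    # Constructed sample standing in for the users file exported from the office GUI.
    sample = "# username:password:description\nalice:s3cret:office\nbob:hunter2\n"
    print(add_user_payload(parse_users(sample)[0]))
```

Call add_users() with the firewall URL, the key/secret pair and the path to the CA that signed the web GUI certificate; the responses are returned per username so a failed entry can be spotted.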
-
> For testing verify=false is fine. Did you allow your user that has the API key to access the firmware page?
Well, probably not. Where/how would I do it?
Meanwhile I have assigned all visible privileges to the admins group in groups:access:system, however, it does not make a difference. The connection request still times out.
-
> Use the network debug with your browser to see what's happening within the API, it's really easy:
> curl -k -u "key":"secret" https://<yourip>/api/freeradius/user/searchUser
> Send a POST via setUser and you should be able to add new users ...
The result of the cURL command on the command line with -v option is just:
* Trying 192.168.99.100...
* connect to 192.168.99.100 port 443 failed: Connection timed out
How would I use cURL in firefox?
Is there a logfile in opnsense where I could find information what is going on?
I just did an NMAP scan of the firewall. Port 80 is open, however, 443 seems to be closed. Hence, no https process seems to be active. How can I activate https access?
-
Did you change the port for webadmin?
Check your firewall rules please.
-
> Did you change the port for webadmin?
> Check your firewall rules please.
No, I did not do any port changes.
I checked the firewall rules and from the logs I can confirm that packets to port 443 actually arrive and pass the firewall.
-
I have now changed the Settings / Admin Access to https because I hoped that would activate port 443.
I also activated ssh access.
However, as a result I have locked myself out completely. I can neither use the serial console (output can not be read any more, does not react to any keystroke), nor ssh access (timed out) and the web access fails with:
CSRF check failed. Your form session may have expired, or you may not have cookies enabled.
Seems I have to make a fresh install/write a fresh image to the CF card before going on ...
-
I have just set up a fresh system. Seems this is a great opportunity to prepare a How-To on enabling API access from scratch ;-)
I will open a new thread and when the access to the API problem is solved, I can focus on the RADIUS configuration again.
Thanks for all the support I have received so far.
To be continued ...
-
Finally, the API calls work fine.
I will use mimugmail's curl statements in a script and so I will be able to do automatic management of RADIUS subscribers.
Maybe it is worth mentioning the root cause for the problems I encountered before.
I started with the configuration of a WAN interface and I was connected to the appliance via the WAN interface. Even after a fresh install I found myself locked out unexpectedly again somewhere in the course of configuration.
It seems that upon activation of a LAN interface, the default non-lockout rules (allow incoming port 80 and 443) are automatically removed from the WAN interface and established on the LAN interface. Hence, further login attempts from the WAN interface (and the API calls of course) will fail. After manually adding the rules on the WAN interface again, the API calls also worked as expected.
If someone else can confirm this, maybe one should consider a correction in one of the next versions of OPNsense.
Anyway, thanks a lot for all the support. And now that it is working, I really appreciate these API calls. A great tool to manage all aspects of your firewall automatically.
-
You shouldn't have anti-lockout rules on the WAN. Just create a static rule allowing your external static IP. Then there won't be anything removed when enabling LAN.