Messages - batistuta

#1
I am in the same boat. I hit a wall during the pandemic, because I wanted a policy for my kids when home schooling, different than mine, different from IoT, and different from guests.

I do not complain to Sunny Valley, because I am sure they have done their market research. We home users probably don't have much of a say in their business model, beyond testing and recommending it for larger deployments. Nevertheless, the price-point is for home users sort of a sour spot, and you end up looking for alternatives. My subscription is expiring in January, and I will not renew unless I can cover my use-case by then.

That said, I still find the free version excellent for its "price". Solid product.
#2
Zenarmor (Sensei) / Re: Number of Policies
June 21, 2021, 04:22:45 PM
I am with OP here. Two policies can't satisfy the needs of a home user. I need a policy for my kids during home-school time (only zoom, etc.), one for the evening, one for sleep time (Audible), one for guest, one for normal users. I understand that Sensei makes money with business and not with us home enthusiasts. But for me, the home license is not worth my money with this limitation. I hope Sunny Valley reconsiders this before my subscription expires.
#3
Quote from: KHE on June 20, 2021, 10:22:17 AM
it is tls_min_version and tls_max_version. Valid values are: 1.0, 1.1, 1.2 and 1.3.
Thanks a lot for this information. This fixed it! I added "tls_min_version = 1.0" below the "disable_tlsv1_2" option, restarted freeradius, and everything worked like before.

Quote
What is the setting of the cipher_list and the ecdh_curve?
I had the default values untouched as ecdh_curve = "prime256v1" and cipher_list = "DEFAULT"
The tls_min_version did the trick. It looks like freeradius increased the default min version to 1.2, and this broke my setup. Unfortunately, I cannot influence my printer's firmware. Despite being updated a few days ago, it seems to be stuck in 1.0. But I am happy with this workaround.

Thanks a lot KHE for your help.
#4
Quote from: KHE on June 19, 2021, 09:44:39 AM
it is in /usr/local/etc/raddb/mods-enabled/eap. It is not there by default. But maybe the ecdh_curve or the cipher_list changed.
Thanks for the hint. But could you please point me to the documentation or a way to find out the options? The documentation https://networkradius.com/doc/3.0.10/raddb/mods-available/eap.html doesn't seem to mention any way to increase the minimum protocol version. I have looked at the cipher list option, but I cannot figure out what this means or how it can help me. Thanks.
#5
Quote from: mimugmail on June 19, 2021, 08:08:28 AM
Did you also apply the latest hotfix 21.1.7_1?
I didn't apply any hotfix explicitly, but I did update the system to the latest state, until opnsense reports that no updates are available. At the same time, I do not think this issue is a bug requiring a hotfix. My guess is that developers probably decided to disable a low protocol version due to security issues or something along those lines. I am just looking for a way to whitelist.
#6
After upgrading to 21.1.7 freeradius can't stop giving me headaches. First the eap issue described in https://forum.opnsense.org/index.php?topic=23556.0. But now I am not able to connect my printer via EAP-TLS anymore. The log reads

Quote
2021-06-19T12:15:02       Auth: (28) Login incorrect (eap_tls: (TLS) Alert write:fatal:protocol version): [ledPrinter/<via Auth-Type = eap>] (from client Wavelength port 0 cli 0C-96-E6-2B-78-59)
2021-06-19T12:15:02       ERROR: (28) eap_tls: ERROR: (TLS) Server : Error in error
2021-06-19T12:15:02       ERROR: (28) eap_tls: ERROR: (TLS) Alert write:fatal:protocol version

which points to some protocol version. I was trying to figure out if the upgrade somehow increased the minimum protocol version, which probably isn't supported by my printer. However, I can't figure out where such an option could be hidden. The file mods-enabled-eap didn't seem to have any option for this.

Downgrading freeradius to 21.1.6 fixed the issue, but it is not a long-term solution. Any help would be greatly appreciated! Thanks.
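An added example, not part of the original posts: since tls_min_version lowers the floor for every EAP-TLS client, an administrator may want to list which devices actually fail with the protocol-version alert before or after relaxing it. The sketch below parses Auth lines in the log format quoted above; the sample lines, user names, NAS name and MAC addresses are constructed placeholders, and the function name is hypothetical.

```python
import re

# Constructed sample lines in the log format quoted in the post (not real data;
# user names, NAS name and MAC addresses are placeholders).
SAMPLE_LOG = """\
2021-06-19T12:15:02       Auth: (28) Login incorrect (eap_tls: (TLS) Alert write:fatal:protocol version): [printer01/<via Auth-Type = eap>] (from client ap-lab port 0 cli 00-00-5E-00-53-01)
2021-06-19T12:15:02       ERROR: (28) eap_tls: ERROR: (TLS) Alert write:fatal:protocol version
2021-06-19T12:16:40       Auth: (31) Login incorrect (eap_tls: (TLS) Alert write:fatal:protocol version): [printer01/<via Auth-Type = eap>] (from client ap-lab port 0 cli 00-00-5e-00-53-01)
2021-06-19T12:17:05       Auth: (33) Login OK: [laptop7/<via Auth-Type = eap>] (from client ap-lab port 0 cli 00-00-5E-00-53-02)
2021-06-19T12:18:11       Auth: (35) Login incorrect (eap_tls: (TLS) Alert read:fatal:unknown CA): [phone3/<via Auth-Type = eap>] (from client ap-lab port 0 cli 00-00-5E-00-53-03)
"""

# Matches only Auth failures whose TLS alert is "protocol version".
AUTH_RE = re.compile(
    r"^(?P<ts>\S+)\s+Auth: \((?P<req>\d+)\) Login incorrect "
    r"\(eap_tls: \(TLS\) Alert (?:read|write):fatal:protocol version\): "
    r"\[(?P<user>[^/\]]+)[^\]]*\] "
    r"\(from client (?P<nas>\S+) port \d+ cli (?P<mac>[0-9A-Fa-f-]{17})\)"
)


def legacy_tls_clients(log_text):
    """Map (user, MAC) -> failure count, last-seen time and NAS for protocol-version alerts."""
    clients = {}
    for line in log_text.splitlines():
        m = AUTH_RE.match(line.strip())
        if not m:
            continue  # other failures (unknown CA, etc.) are a different problem
        key = (m["user"], m["mac"].upper())  # normalise MAC case so one device is one entry
        entry = clients.setdefault(key, {"count": 0, "last_seen": None, "nas": m["nas"]})
        entry["count"] += 1
        entry["last_seen"] = m["ts"]  # log is chronological, so the last match wins
    return clients


if __name__ == "__main__":
    for (user, mac), info in legacy_tls_clients(SAMPLE_LOG).items():
        print(f"{user} {mac} via {info['nas']}: "
              f"{info['count']} failures, last {info['last_seen']}")
```

Devices that appear in this list are the ones that depend on the lowered minimum version; an empty result after a firmware update means the setting can be raised again.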