Messages

1

24.1 Legacy Series / unbound dns not resolve

« on: July 23, 2024, 09:58:26 pm »

I'm having quite strange behavior, I have an opnsense installation (very basic config) behind a  router, under general--system I haven't set any DNS, I would like to use unbound for internal/external DNS resolution. opnsense acts as dhcp. apparently everything seems ok, I can navigate and opnsense's dnslookup resolves correctly, after a while (3/4 days) it no longer resolves, but if I restart opnsense without making any changes everything works again again, I tried to restart only unbound but it does not work

2

24.1 Legacy Series / Re: Freeradius with unifi controller auth

« on: July 08, 2024, 10:05:28 pm »

this is the resul with insert wrong user when prompt, but the connection use the correct certificate

Code: [Select]

(8) eap_peap: ERROR: We sent a success, but the client did not agree
(8) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module failed

but when i insert correct credential all warking

3

24.1 Legacy Series / Re: Freeradius with unifi controller auth

« on: July 08, 2024, 01:31:39 pm »

i attach the eap config freeradius

4

24.1 Legacy Series / Re: Freeradius with unifi controller auth

« on: July 07, 2024, 12:28:15 am »

But you started your post with EAP-TLS, and now you're at EAP-PEAP ?!?!

I would like the connection to be made via certificate or password. If the machine has the certificate, authenticate you and go to vlan10, if the machine does not have the certificate but you have the credentials go to the credentials vlan, if the data is wrong go to vlan20 which would be the fallback

Which basically forces you to use EAP-PEAP in the first place, especially when you mean by "machine" a Windows computer object.

I certainly made a mistake in setting both the post and the radius, I would like the clients (mostly Windows) to have that type of authentication, so at this point I have to recreate everything, including certificates.

5

24.1 Legacy Series / Re: Freeradius with unifi controller auth

« on: July 06, 2024, 07:05:43 pm »

I'll attach some screenshots.
these are the tests for wifi on win10
1-eap--->smart or certified - can't connect
2-eap-peap-smart or certificate -- prompt the credentials and if I enter the correct credentials it works by warning me that the connection is protected by the certificate and the certificate is correct, but if I enter the wrong ones it doesn't put me on the fallback vlan
3- if I try with ttls it tells me that I need the certificate


I would like the connection to be made via certificate or password. If the machine has the certificate, authenticate you and go to vlan10, if the machine does not have the certificate but you have the credentials go to the credentials vlan, if the data is wrong go to vlan20 which would be the fallback

6

24.1 Legacy Series / Re: Freeradius with unifi controller auth

« on: July 06, 2024, 12:24:49 pm »

this is debug from freeradius

Code: [Select]

(9) Received Access-Request Id 2 from 10.0.1.7:33406 to 10.0.1.254:1812 length 229
(9)   User-Name = "aaa"
(9)   NAS-IP-Address = 10.0.1.7
(9)   NAS-Identifier = "229fc247a0b6"
(9)   Called-Station-Id = "22-9F-C2-47-A0-B6:Guest"
(9)   NAS-Port-Type = Wireless-802.11
(9)   Service-Type = Framed-User
(9)   Calling-Station-Id = "04-D3-B0-85-0D-CC"
(9)   Connect-Info = "CONNECT 0Mbps 802.11b"
(9)   Acct-Session-Id = "2BDF3CE2A430CBF0"
(9)   Acct-Multi-Session-Id = "1B3D52AEA9F908B1"
(9)   WLAN-Pairwise-Cipher = 1027076
(9)   WLAN-Group-Cipher = 1027076
(9)   WLAN-AKM-Suite = 1027073
(9)   Framed-MTU = 1400
(9)   EAP-Message = 0x02170007031915
(9)   State = 0xdcf7b0d4dce0bdb1b4e3b286b3189e07
(9)   Message-Authenticator = 0x9f9cd928685be38f5d04bbcb506e1d8a
(9) Restoring &session-state
(9)   &session-state:Framed-MTU = 994
(9) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(9)   authorize {
(9)     policy filter_username {
(9)       if (&User-Name) {
(9)       if (&User-Name)  -> TRUE
(9)       if (&User-Name)  {
(9)         if (&User-Name =~ / /) {
(9)         if (&User-Name =~ / /)  -> FALSE
(9)         if (&User-Name =~ /@[^@]*@/ ) {
(9)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(9)         if (&User-Name =~ /\.\./ ) {
(9)         if (&User-Name =~ /\.\./ )  -> FALSE
(9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(9)         if (&User-Name =~ /\.$/)  {
(9)         if (&User-Name =~ /\.$/)   -> FALSE
(9)         if (&User-Name =~ /@\./)  {
(9)         if (&User-Name =~ /@\./)   -> FALSE
(9)       } # if (&User-Name)  = notfound
(9)     } # policy filter_username = notfound
(9)     [preprocess] = ok
(9)     [chap] = noop
(9)     [mschap] = noop
(9)     [digest] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "aaa", looking up realm NULL
(9) suffix: No such realm "NULL"
(9)     [suffix] = noop
(9) eap: Peer sent EAP Response (code 2) ID 23 length 7
(9) eap: No EAP Start, assuming it's an on-going EAP conversation
(9)     [eap] = updated
(9) files: users: Matched entry DEFAULT at line 45
(9)     [files] = ok
(9)     [expiration] = noop
(9)     [logintime] = noop
(9) pap: WARNING: Auth-Type already set.  Not setting to PAP
(9)     [pap] = noop
(9)   } # authorize = updated
(9) Found Auth-Type = Accept
(9) Auth-Type = Accept, accepting the user
(9) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(9)   post-auth {
(9)     update {
(9)       &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 994
(9)     } # update = noop
(9)     [exec] = noop
(9)     policy remove_reply_message_if_eap {
(9)       if (&reply:EAP-Message && &reply:Reply-Message) {
(9)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(9)       else {
(9)         [noop] = noop
(9)       } # else = noop
(9)     } # policy remove_reply_message_if_eap = noop
(9)   } # post-auth = noop
(9) Login OK: [aaa/<via Auth-Type = Accept>] (from client unifiap1 port 0 cli 04-D3-B0-85-0D-CC)
(9) Sent Access-Accept Id 2 from 10.0.1.254:1812 to 10.0.1.7:33406 length 48
(9)   Tunnel-Type = VLAN
(9)   Tunnel-Medium-Type = IEEE-802
(9)   Tunnel-Private-Group-Id = "20"
(9)   Framed-Protocol = PPP
(9)   Framed-MTU += 994
(9) Finished request
Waking up in 4.9 seconds.
(8) Cleaning up request packet ID 1 with timestamp +1542 due to cleanup_delay was reached
(9) Cleaning up request packet ID 2 with timestamp +1542 due to cleanup_delay was reached


7

24.1 Legacy Series / Re: Freeradius with unifi controller auth

« on: July 06, 2024, 09:16:35 am »

I saw in the debug that freeradius receives the request from the NAS (ubiqiti ap) and after authenticating with the wrong user it responds with the vlan to assign, but after a while it times out and I get unable to connect to the network. at this point the problem is the unifi ap. the thing I don't understand is that on unifi there aren't many settings on radius, I set the radius profile with the opnsense secred and ip, I enabled dynamic vlan assignment and enabled vlan fallbac. on the switch side, the ports where the APs are connected have the default of untagged and the other vlans tagged, on unifi I didn't find anything for the certificate part.

8

24.1 Legacy Series / Re: Freeradius with unifi controller auth

« on: July 05, 2024, 11:00:13 pm »

I understood all the auths ok, it was the fallback vlan that authenticates and moves to the desired vlan, this point is ok.

9

24.1 Legacy Series / Re: Freeradius with unifi controller auth

« on: July 05, 2024, 10:46:34 pm »

this in debug mode with user system-->access-->tester and select radius, i use a wrong credential

Code: [Select]

(0) Received Access-Request Id 134 from 127.0.0.1:40992 to 127.0.0.1:1812 length 80
(0)   User-Name = "a"
(0)   Service-Type = Login-User
(0)   Framed-Protocol = 15
(0)   NAS-Identifier = "668815a1029c8"
(0)   NAS-Port = 0
(0)   NAS-Port-Type = Ethernet
(0)   User-Password = "a"
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "a", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0) files: users: Matched entry DEFAULT at line 45
(0)     [files] = ok
(0)     [expiration] = noop
(0)     [logintime] = noop
(0) pap: WARNING: Auth-Type already set.  Not setting to PAP
(0)     [pap] = noop
(0)   } # authorize = ok
(0) Found Auth-Type = Accept
(0) Auth-Type = Accept, accepting the user
(0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(0)   post-auth {
(0)     update {
(0)       No attributes updated for RHS &session-state:
(0)     } # update = noop
(0)     [exec] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # post-auth = noop
(0) Login OK: [a/a] (from client opnsense port 0)
(0) Sent Access-Accept Id 134 from 127.0.0.1:1812 to 127.0.0.1:40992 length 42
(0)   Tunnel-Type = VLAN
(0)   Tunnel-Medium-Type = IEEE-802
(0)   Tunnel-Private-Group-Id = "20"
(0)   Framed-Protocol = PPP
(0) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 134 with timestamp +27 due to cleanup_delay was reached


10

24.1 Legacy Series / Re: Freeradius with unifi controller auth

« on: July 05, 2024, 07:56:53 pm »

I add that with the radiusd -X command I receive this error

Failed binding to auth address * port 1812 bound to server default: Address already in use
/usr/local/etc/raddb/sites-enabled/default[4]: Error binding to port for 0.0.0.0 port 1812

this the file
root@OPNsense:~ # cat /usr/local/etc/raddb/sites-enabled/default

Code: [Select]

server default {

listen {
        type = auth
        ipaddr = *
        port = 0

        limit {
              max_connections = 16
              lifetime = 0
              idle_timeout = 30
        }
}

listen {
        ipaddr = *
        port = 0
        type = acct

        limit {
        }
}

listen {
        type = auth
        ipv6addr = ::
        port = 0

        limit {
              max_connections = 16
              lifetime = 0
              idle_timeout = 30
        }
}

listen {
        ipv6addr = ::
        port = 0
        type = acct

        limit {
        }
}

authorize {
        filter_username
        preprocess
        chap
        mschap
        digest
        suffix
        eap {
                ok = return
        }
        files
        -sql
        -ldap

        expiration
        logintime
        pap
}

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        mschap
        digest
        eap
}

preacct {
        preprocess
        acct_unique
        suffix
        files
}


accounting {
        detail
        unix
        -sql
        exec
        attr_filter.accounting_response
}

session {
}

post-auth {
        update {
                &reply: += &session-state:
        }
        -sql
        exec
        remove_reply_message_if_eap
        Post-Auth-Type REJECT {
                -sql
                attr_filter.access_reject
                eap
                remove_reply_message_if_eap
        }

        Post-Auth-Type Challenge {
        }

}

pre-proxy {
}

post-proxy {
        eap
}
}

this is result for sockstat -4 -l | grep 181
root     radiusd    51602 9  udp4   *:1812                *:*
root     radiusd    51602 10 udp4   *:1813                *:*
root     radiusd    51602 13 udp4   127.0.0.1:18120       *:*

11

24.1 Legacy Series / Re: Freeradius with unifi controller auth

« on: July 05, 2024, 05:59:23 pm »

...but I'm encountering big problems, the configuration seems correct, I followed various guides and the settings are the same.

...the strange thing that I can't understand is why in the freeradius logs I always receive Login OK even if I enter the password incorrectly.

What are you going to use: EAP-TLS, EAP-TTLS or EAP-PEAP ?

Can you succesfully authenticate with one of the above EAP types (EAP-TLS is cert only) on your local Radius server (local test account with radtest) ?

on freeradius ui on opnsense i setting eap tls mode with own certificate, but when I connect to the wifi it always asks for the password, insert corret user and then tells me that the connection is protected by the certificate and seeing the certificate is the right one created on opnsense, if I enter a wrong user it doesn't tell me that the connection is protected by the certificate and asks me the user again but on the freeradiu logs I receive the same login ok
I did the test with system-->access-->testet selecting the radius server and from the freeradiu logs with any user I enter (wrong users) it gives me login ok

12

24.1 Legacy Series / Freeradius with unifi controller auth

« on: July 05, 2024, 01:16:30 pm »

Hi everyone, I'm trying to configure radius authentication via certificate (for now on wifi and in the future on wired) but I'm encountering big problems, the configuration seems correct, I followed various guides and the settings are the same. I created the authentication server on opnsense on ports 1812 and 1813, I created the CA with related server and client certificates, in the freeradius settings I put the Ubiquiti APs and the switch between the clients. I loaded the CA and the client certificate on Windows but when I try to connect to WiFi it asks me for the password (I activated Mac authentication on Unifi and added a user with the Mac as user and password), if I enter the credentials manually it connects and it tells me that the connection is protected by a certificate (I see the certificate and it's correct), but if I type connect via certificate it returns me to the credentials request. the strange thing that I can't understand is why in the freeradius logs I always receive Login OK even if I enter the password incorrectly. I'll post some screenshots for completeness. My need is the connection via certificate and if it doesn't have the certificate it moves me to a defined vlan.

this log from freeradiu:

Fri Jul  5 12:35:35 2024 : Auth: (3) Login OK: [a/<via Auth-Type = Accept>] (from client unifiap1 port 0 cli 04-D3-B0-85-0D-CC)
Fri Jul  5 12:35:54 2024 : Auth: (5) Login OK: [a/<via Auth-Type = Accept>] (from client unifiap1 port 0 cli 04-D3-B0-85-0D-CC)

Fri Jul  5 12:15:20 2024 : Auth: (7) Login OK: [B0-12-42-22-10-1F/B0-12-42-22-10-1F] (from client unifiap1 port 0 cli B0-12-42-22-10-1F)
Fri Jul  5 12:15:20 2024 : Auth: (9) Login OK: [laptop/<via Auth-Type = Accept>] (from client unifiap1 port 0 cli B0-12-42-22-10-1F)
Fri Jul  5 12:15:26 2024 : Auth: (14) Login OK: [laptop/<via Auth-Type = Accept>] (from client unifiap2 port 0 cli B0-12-42-22-10-1F)


Fri Jul  5 12:33:57 2024 : Auth: (1) Login OK: [wifi/<via Auth-Type = Accept>] (from client unifiap1 port 0 cli 04-43-40-45-04-4C)
Fri Jul  5 12:35:35 2024 : Auth: (3) Login OK: [a/<via Auth-Type = Accept>] (from client unifiap1 port 0 cli 04-43-40-45-04-4C)
Fri Jul  5 12:35:54 2024 : Auth: (5) Login OK: [a/<via Auth-Type = Accept>] (from client unifiap1 port 0 cli 04-43-40-45-04-4C)

in the logs in bold I used the user "wifi" which is correct and the user "a" which is not present in freeradius but in both cases I received login ok

13

General Discussion / Re: VoIP phone

« on: March 02, 2024, 08:30:48 pm »

I was also thinking of another approach. if I connect an opnsense WAN2 interface to a router port on vlan20(192.168.2.1) and the vlan of the phones behind opnsense I give it as a WAN2 gateway all the traffic would go out with the public IP of the 192.168.2.1 network of the ISP router. (I don't know if that's right)

14

General Discussion / VoIP phone

« on: March 02, 2024, 02:55:51 pm »

Hi everyone, I'm going crazy to configure VoIP behind fw. originally the 7 phones were connected to the Vodafone ISP router which has the data LAN 192.168.1.1/24 and the voice LAN 192.168.2.1/24 (vlan20). now I put opnsense on a router port with public IP directly on the wan, on the lan which is now 10.1.1.0/24 I created vlan20 10.2.1.0/24. the phones get the right IP but they don't register, I installed sipproxy, set wan outbound and vlan20 inbound but they still don't work. I'm sure I'm doing something wrong

15

General Discussion / Re: AdGuard - no client hostnames

« on: November 14, 2023, 10:00:27 am »

Sorry for my intrusion in the post.

i have installed AGH on OPNsense but no see client name

this my config:

DHCP on OPNsense with static lease and this the gateway
LAN 192.168.1.254
VLAN10 192.168.10.254
VLAN20 192.168.20.254

disable unbound dns on OPNsense

on AGH use the standaard cfg and when i add upstream dns (127.0.0.1 / 192.168.1.254) i recive the error on AHG