Messages - manustar

#1
26.1 Series / Re: wrong interface after upgrade
February 06, 2026, 12:04:44 AM
I did not create the VLANs; via the GUI the VLANs were already present but not assigned, and I was able to reassign them after changing the LAN on igb1 and the WAN on igb0.
#2
26.1 Series / Re: wrong interface after upgrade
February 05, 2026, 05:20:38 PM
Let's say it did the same as assigning standard interfaces during the first firewall installation, and the strange thing is that it did it even after I set the interfaces. I rebooted the system and found the new standard interfaces. Obviously, the VLANs were not visible for association, but from the GUI they were present waiting to be assigned.
#3
26.1 Series / Re: wrong interface after upgrade
February 05, 2026, 10:42:47 AM
The problem was that it reversed the assignments of the physical interfaces: my configuration is igb0 WAN and igb1 LAN, and all the VLANs have igb1 as their parent. The strange thing is that I reassigned the interfaces, reset the VLANs (it didn't delete them but only unassigned them), and when I rebooted I found igb0 LAN, igb1 WAN.
#4
26.1 Series / wrong interface after upgrade
February 04, 2026, 05:06:47 PM
I don't know if it's a coincidence, but I updated from the GUI to version 26.1_4, and after about 30 minutes of not being able to connect, I went directly to the physical firewall and saw that it had changed the order of the interfaces, which consequently disabled the various VLANs. I gradually fixed it and flagged "prevent removal", also because this interface problem occurred even after I fixed it and restarted the firewall.
#5

Hello everyone, I'm having a bit of a headache. I installed the Zabbix agent and proxy for monitoring; I can see the FreeBSD and OPNsense part (official template), but I can't see, and I don't even know if it's possible, how to check the OPNsense version (maybe some upgrade if available) and also the package side in Zabbix.
#6
24.1, 24.4 Legacy Series / unbound dns not resolve
July 23, 2024, 09:58:26 PM

I'm having quite strange behavior. I have an OPNsense installation (very basic config) behind a router; under System -> General I haven't set any DNS, as I would like to use Unbound for internal/external DNS resolution. OPNsense acts as DHCP. Apparently everything seems OK: I can browse and OPNsense's DNS lookup resolves correctly, but after a while (3/4 days) it no longer resolves; if I restart OPNsense without making any changes, everything works again. I tried restarting only Unbound, but that does not work.
#7
This is the result when entering a wrong user at the prompt, while the connection uses the correct certificate:

(8) eap_peap: ERROR: We sent a success, but the client did not agree
(8) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module failed


But when I enter the correct credentials, everything works.
#8
I attach the FreeRADIUS EAP config.
#9
Quote
But you started your post with EAP-TLS, and now you're at EAP-PEAP ?!?!

Quote
I would like the connection to be made via certificate or password. If the machine has the certificate, authenticate it and go to vlan10; if the machine does not have the certificate but you have the credentials, go to the credentials VLAN; if the data is wrong, go to vlan20, which would be the fallback.

Which basically forces you to use EAP-PEAP in the first place, especially when you mean by "machine" a Windows computer object.

I certainly made a mistake in setting up both the post and the RADIUS; I would like the clients (mostly Windows) to have that type of authentication, so at this point I have to recreate everything, including certificates.
#10
I'll attach some screenshots.
These are the tests for Wi-Fi on Win10:
1 - EAP -> smart card or certificate: can't connect
2 - EAP-PEAP -> smart card or certificate: prompts for the credentials, and if I enter the correct credentials it works, warning me that the connection is protected by the certificate and the certificate is correct; but if I enter the wrong ones it doesn't put me on the fallback VLAN
3 - if I try with TTLS, it tells me that I need the certificate

I would like the connection to be made via certificate or password. If the machine has the certificate, authenticate it and go to vlan10; if the machine does not have the certificate but you have the credentials, go to the credentials VLAN; if the data is wrong, go to vlan20, which would be the fallback.
#11
This is the debug output from FreeRADIUS:

(9) Received Access-Request Id 2 from 10.0.1.7:33406 to 10.0.1.254:1812 length 229
(9)   User-Name = "aaa"
(9)   NAS-IP-Address = 10.0.1.7
(9)   NAS-Identifier = "229fc247a0b6"
(9)   Called-Station-Id = "22-9F-C2-47-A0-B6:Guest"
(9)   NAS-Port-Type = Wireless-802.11
(9)   Service-Type = Framed-User
(9)   Calling-Station-Id = "04-D3-B0-85-0D-CC"
(9)   Connect-Info = "CONNECT 0Mbps 802.11b"
(9)   Acct-Session-Id = "2BDF3CE2A430CBF0"
(9)   Acct-Multi-Session-Id = "1B3D52AEA9F908B1"
(9)   WLAN-Pairwise-Cipher = 1027076
(9)   WLAN-Group-Cipher = 1027076
(9)   WLAN-AKM-Suite = 1027073
(9)   Framed-MTU = 1400
(9)   EAP-Message = 0x02170007031915
(9)   State = 0xdcf7b0d4dce0bdb1b4e3b286b3189e07
(9)   Message-Authenticator = 0x9f9cd928685be38f5d04bbcb506e1d8a
(9) Restoring &session-state
(9)   &session-state:Framed-MTU = 994
(9) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(9)   authorize {
(9)     policy filter_username {
(9)       if (&User-Name) {
(9)       if (&User-Name)  -> TRUE
(9)       if (&User-Name)  {
(9)         if (&User-Name =~ / /) {
(9)         if (&User-Name =~ / /)  -> FALSE
(9)         if (&User-Name =~ /@[^@]*@/ ) {
(9)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(9)         if (&User-Name =~ /\.\./ ) {
(9)         if (&User-Name =~ /\.\./ )  -> FALSE
(9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(9)         if (&User-Name =~ /\.$/)  {
(9)         if (&User-Name =~ /\.$/)   -> FALSE
(9)         if (&User-Name =~ /@\./)  {
(9)         if (&User-Name =~ /@\./)   -> FALSE
(9)       } # if (&User-Name)  = notfound
(9)     } # policy filter_username = notfound
(9)     [preprocess] = ok
(9)     [chap] = noop
(9)     [mschap] = noop
(9)     [digest] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "aaa", looking up realm NULL
(9) suffix: No such realm "NULL"
(9)     [suffix] = noop
(9) eap: Peer sent EAP Response (code 2) ID 23 length 7
(9) eap: No EAP Start, assuming it's an on-going EAP conversation
(9)     [eap] = updated
(9) files: users: Matched entry DEFAULT at line 45
(9)     [files] = ok
(9)     [expiration] = noop
(9)     [logintime] = noop
(9) pap: WARNING: Auth-Type already set.  Not setting to PAP
(9)     [pap] = noop
(9)   } # authorize = updated
(9) Found Auth-Type = Accept
(9) Auth-Type = Accept, accepting the user
(9) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(9)   post-auth {
(9)     update {
(9)       &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 994
(9)     } # update = noop
(9)     [exec] = noop
(9)     policy remove_reply_message_if_eap {
(9)       if (&reply:EAP-Message && &reply:Reply-Message) {
(9)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(9)       else {
(9)         [noop] = noop
(9)       } # else = noop
(9)     } # policy remove_reply_message_if_eap = noop
(9)   } # post-auth = noop
(9) Login OK: [aaa/<via Auth-Type = Accept>] (from client unifiap1 port 0 cli 04-D3-B0-85-0D-CC)
(9) Sent Access-Accept Id 2 from 10.0.1.254:1812 to 10.0.1.7:33406 length 48
(9)   Tunnel-Type = VLAN
(9)   Tunnel-Medium-Type = IEEE-802
(9)   Tunnel-Private-Group-Id = "20"
(9)   Framed-Protocol = PPP
(9)   Framed-MTU += 994
(9) Finished request
Waking up in 4.9 seconds.
(8) Cleaning up request packet ID 1 with timestamp +1542 due to cleanup_delay was reached
(9) Cleaning up request packet ID 2 with timestamp +1542 due to cleanup_delay was reached
#12
I saw in the debug that FreeRADIUS receives the request from the NAS (Ubiquiti AP) and, after authenticating with the wrong user, it responds with the VLAN to assign, but after a while it times out and I get "unable to connect to the network". At this point the problem is the UniFi AP. The thing I don't understand is that on UniFi there aren't many settings for RADIUS: I set the RADIUS profile with the OPNsense secret and IP, I enabled dynamic VLAN assignment and enabled VLAN fallback. On the switch side, the ports where the APs are connected have the default untagged and the other VLANs tagged; on UniFi I didn't find anything for the certificate part.
#13
I understood: all the auths are OK; it was the fallback VLAN that authenticates and then moves to the desired VLAN. This point is OK.
#14
This is in debug mode with System -> Access -> Tester, selecting RADIUS; I use a wrong credential:

(0) Received Access-Request Id 134 from 127.0.0.1:40992 to 127.0.0.1:1812 length 80
(0)   User-Name = "a"
(0)   Service-Type = Login-User
(0)   Framed-Protocol = 15
(0)   NAS-Identifier = "668815a1029c8"
(0)   NAS-Port = 0
(0)   NAS-Port-Type = Ethernet
(0)   User-Password = "a"
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "a", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0) files: users: Matched entry DEFAULT at line 45
(0)     [files] = ok
(0)     [expiration] = noop
(0)     [logintime] = noop
(0) pap: WARNING: Auth-Type already set.  Not setting to PAP
(0)     [pap] = noop
(0)   } # authorize = ok
(0) Found Auth-Type = Accept
(0) Auth-Type = Accept, accepting the user
(0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(0)   post-auth {
(0)     update {
(0)       No attributes updated for RHS &session-state:
(0)     } # update = noop
(0)     [exec] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # post-auth = noop
(0) Login OK: [a/a] (from client opnsense port 0)
(0) Sent Access-Accept Id 134 from 127.0.0.1:1812 to 127.0.0.1:40992 length 42
(0)   Tunnel-Type = VLAN
(0)   Tunnel-Medium-Type = IEEE-802
(0)   Tunnel-Private-Group-Id = "20"
(0)   Framed-Protocol = PPP
(0) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 134 with timestamp +27 due to cleanup_delay was reached
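The two debug traces above end the same way: `files` matches the `DEFAULT` entry at line 45 of `users`, `Auth-Type` is already `Accept` by the time `pap` runs, and the request is accepted with `Tunnel-Private-Group-Id = "20"` without any module having checked the password or the EAP exchange (`Auth-Type = Accept` skips the `authenticate` section entirely). That is what a catch-all fallback entry does, and it is worth confirming from the log that only the requests you intend take that path. The script below is an added example, not code from the poster, OPNsense or FreeRADIUS: it parses `radiusd -X` output and lists every Access-Accept that was decided by `Auth-Type = Accept`, with the VLAN handed out, and decodes the `EAP-Message` header (RFC 3748 layout) so you can see what the supplicant actually sent. `SAMPLE` is a constructed, trimmed copy of the traces posted above plus one invented rejected request (10) for contrast.

```python
"""Triage FreeRADIUS `radiusd -X` output for Access-Accepts decided by
Auth-Type = Accept (no module verified a password or an EAP result) and
report the VLAN each one was handed.

Added example for this thread, not the poster's, OPNsense's or FreeRADIUS's
own code. SAMPLE is a constructed, trimmed copy of the traces in the thread
plus one invented rejected request (10)."""
import re
from dataclasses import dataclass, field

REQ_PREFIX = re.compile(r"^\((\d+)\)\s*(.*)$")                    # "(9) ..." request number
RECEIVED = re.compile(r"^Received Access-Request Id \d+ from (\S+)")
SENT = re.compile(r"^Sent (Access-Accept|Access-Reject|Access-Challenge) Id")
AUTH_TYPE = re.compile(r"^Found Auth-Type = (\S+)")
ATTR = re.compile(r'^([A-Za-z][\w-]*)\s=\s"?([^"]*)"?$')           # "Name = value" lines only

# RFC 3748 code and type numbers (types 13/21/25/26 are the common TLS-based methods)
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


@dataclass
class Request:
    num: int
    src: str = ""
    user: str = ""
    auth_type: str = ""
    result: str = ""
    vlan: str = ""
    eap_messages: list = field(default_factory=list)


def parse_debug(text):
    """Group radiusd -X lines by request number and keep the decision-relevant fields."""
    reqs = {}
    for raw in text.splitlines():
        m = REQ_PREFIX.match(raw.strip())
        if not m:
            continue                                  # "Waking up in ..." and similar
        num, body = int(m.group(1)), m.group(2).strip()
        r = reqs.setdefault(num, Request(num))
        if (mm := RECEIVED.match(body)):
            r.src = mm.group(1)
        elif (mm := SENT.match(body)):
            r.result = mm.group(1)
        elif (mm := AUTH_TYPE.match(body)):
            r.auth_type = mm.group(1)
        elif (mm := ATTR.match(body)):
            name, val = mm.groups()
            if name == "User-Name" and not r.user:   # first occurrence is the request's
                r.user = val
            elif name == "EAP-Message":
                r.eap_messages.append(val)
            elif name == "Tunnel-Private-Group-Id":  # VLAN in the reply
                r.vlan = val
    return [reqs[k] for k in sorted(reqs)]


def decode_eap(hexstr):
    """Decode the 4-byte EAP header and, for Request/Response, the Type byte; a Nak
    carries the list of types the peer is willing to do instead."""
    b = bytes.fromhex(hexstr[2:] if hexstr.lower().startswith("0x") else hexstr)
    code, ident, length = b[0], b[1], int.from_bytes(b[2:4], "big")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
            "type": None, "nak_wants": []}
    if code in (1, 2) and length > 4:
        info["type"] = EAP_TYPES.get(b[4], b[4])
        if b[4] == 3:
            info["nak_wants"] = [EAP_TYPES.get(t, t) for t in b[5:length]]
    return info


def unauthenticated_accepts(text):
    """Accepts decided by Auth-Type = Accept: the authenticate section never ran, so
    whatever the user typed (or whatever EAP state the peer was in) did not matter."""
    out = []
    for r in parse_debug(text):
        if r.result == "Access-Accept" and r.auth_type == "Accept":
            out.append({"req": r.num, "user": r.user, "src": r.src, "vlan": r.vlan,
                        "eap": [decode_eap(h)["type"] for h in r.eap_messages]})
    return out


# Constructed sample: trimmed from the two traces in this thread, plus request 10 (invented).
SAMPLE = """\
(0) Received Access-Request Id 134 from 127.0.0.1:40992 to 127.0.0.1:1812 length 80
(0)   User-Name = "a"
(0)   User-Password = "a"
(0) eap: No EAP-Message, not doing EAP
(0) files: users: Matched entry DEFAULT at line 45
(0) pap: WARNING: Auth-Type already set.  Not setting to PAP
(0) Found Auth-Type = Accept
(0) Login OK: [a/a] (from client opnsense port 0)
(0) Sent Access-Accept Id 134 from 127.0.0.1:1812 to 127.0.0.1:40992 length 42
(0)   Tunnel-Type = VLAN
(0)   Tunnel-Private-Group-Id = "20"
(9) Received Access-Request Id 2 from 10.0.1.7:33406 to 10.0.1.254:1812 length 229
(9)   User-Name = "aaa"
(9)   EAP-Message = 0x02170007031915
(9)   State = 0xdcf7b0d4dce0bdb1b4e3b286b3189e07
(9) eap: Peer sent EAP Response (code 2) ID 23 length 7
(9) files: users: Matched entry DEFAULT at line 45
(9) Found Auth-Type = Accept
(9) Sent Access-Accept Id 2 from 10.0.1.254:1812 to 10.0.1.7:33406 length 48
(9)   Tunnel-Private-Group-Id = "20"
(10) Received Access-Request Id 3 from 10.0.1.7:33406 to 10.0.1.254:1812 length 200
(10)   User-Name = "bob"
(10)   User-Password = "wrong"
(10) Found Auth-Type = PAP
(10) Sent Access-Reject Id 3 from 10.0.1.254:1812 to 10.0.1.7:33406 length 20
"""

if __name__ == "__main__":
    for finding in unauthenticated_accepts(SAMPLE):
        print(finding)
    print(decode_eap("0x02170007031915"))
```

Run against a real `radiusd -X` capture (`python3 triage.py < radiusd.log` after swapping `SAMPLE` for `sys.stdin.read()`): any line where `eap` is non-empty is an Access-Accept issued while an EAP conversation was still in flight, which is exactly the case in request (9) above, where the peer had just sent a Nak asking for PEAP or TTLS.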
#15
I add that with the radiusd -X command I receive this error:

Failed binding to auth address * port 1812 bound to server default: Address already in use
/usr/local/etc/raddb/sites-enabled/default[4]: Error binding to port for 0.0.0.0 port 1812

This is the file:
root@OPNsense:~ # cat /usr/local/etc/raddb/sites-enabled/default

server default {

listen {
        type = auth
        ipaddr = *
        port = 0

        limit {
              max_connections = 16
              lifetime = 0
              idle_timeout = 30
        }
}

listen {
        ipaddr = *
        port = 0
        type = acct

        limit {
        }
}

listen {
        type = auth
        ipv6addr = ::
        port = 0

        limit {
              max_connections = 16
              lifetime = 0
              idle_timeout = 30
        }
}

listen {
        ipv6addr = ::
        port = 0
        type = acct

        limit {
        }
}

authorize {
        filter_username
        preprocess
        chap
        mschap
        digest
        suffix
        eap {
                ok = return
        }
        files
        -sql
        -ldap

        expiration
        logintime
        pap
}

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        mschap
        digest
        eap
}

preacct {
        preprocess
        acct_unique
        suffix
        files
}


accounting {
        detail
        unix
        -sql
        exec
        attr_filter.accounting_response
}

session {
}

post-auth {
        update {
                &reply: += &session-state:
        }
        -sql
        exec
        remove_reply_message_if_eap
        Post-Auth-Type REJECT {
                -sql
                attr_filter.access_reject
                eap
                remove_reply_message_if_eap
        }

        Post-Auth-Type Challenge {
        }

}

pre-proxy {
}

post-proxy {
        eap
}
}



This is the result of sockstat -4 -l | grep 181:
root     radiusd    51602 9  udp4   *:1812                *:*
root     radiusd    51602 10 udp4   *:1813                *:*
root     radiusd    51602 13 udp4   127.0.0.1:18120       *:*
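The bind error and the sockstat listing above fit together: `port = 0` in a `listen` section tells FreeRADIUS to use the default port for that type (1812 for auth, 1813 for acct), and sockstat shows an already running radiusd (PID 51602) holding both, so a second, foreground `radiusd -X` cannot bind. The usual procedure is to stop the service first and then run the debug instance. The script below is an added example, not OPNsense's or FreeRADIUS's own tooling; it assumes a FreeBSD rc service named `radiusd` and the sockstat column layout shown in the post, and the sample lines in the test are a constructed copy of that listing.

```sh
#!/bin/sh
# Added example for this thread (not OPNsense's or FreeRADIUS's own tooling).
# "Address already in use" from `radiusd -X` means a radiusd is still bound
# to the auth port. Find who holds it from `sockstat -4 -l`, stop the
# service, verify the port is free, and only then start the debug instance.
# Assumptions: rc service name "radiusd", default auth port 1812, and the
# sockstat columns USER COMMAND PID FD PROTO LOCAL FOREIGN as shown in the post.

# Print the PID bound to UDP port $1, reading `sockstat -4 -l` output on stdin.
# Prints nothing when the port is free; the header line never matches ($5 is PROTO).
udp_listener_pid() {
    awk -v port="$1" '$5 == "udp4" && $6 ~ (":" port "$") { print $3; exit }'
}

# Exit status 0 if UDP port $1 is free in the sockstat output on stdin, 1 otherwise.
udp_port_free() {
    [ -z "$(udp_listener_pid "$1")" ]
}

# Stop the service if it holds the auth port, then exec the foreground debugger.
radius_debug() {
    port=${1:-1812}
    pid=$(sockstat -4 -l | udp_listener_pid "$port")
    if [ -n "$pid" ]; then
        echo "udp/$port is held by pid $pid (the radiusd service); stopping it" >&2
        service radiusd stop || service radiusd onestop || exit 1
        sleep 1                                   # let the socket close
        if ! sockstat -4 -l | udp_port_free "$port"; then
            echo "udp/$port is still in use; not starting radiusd -X" >&2
            exit 1
        fi
    fi
    exec radiusd -X
}

# Usage: sh radius-debug.sh run [port]
if [ "${1:-}" = "run" ]; then
    radius_debug "${2:-1812}"
fi
```

When the debug session is over, `service radiusd start` brings the normal instance back; until then the firewall answers no RADIUS requests except through the foreground process.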