Messages - manustar

#1
25.1, 25.4 Series / Monitoring with zabbix agent
April 12, 2025, 12:14:42 AM

Hello everyone, I'm having a bit of a headache. I installed the Zabbix agent and proxy for monitoring; I can see the FreeBSD and OPNsense part (official template), but I can't see, or I don't even know if it's possible, how to check the OPNsense version (maybe an upgrade if available) and also the package side on Zabbix.
#2
24.1, 24.4 Legacy Series / unbound dns not resolve
July 23, 2024, 09:58:26 PM

I'm having quite strange behavior. I have an opnsense installation (very basic config) behind a router; under System > General I haven't set any DNS, I would like to use unbound for internal/external DNS resolution. opnsense acts as DHCP. Apparently everything seems OK: I can navigate and opnsense's DNS lookup resolves correctly, but after a while (3/4 days) it no longer resolves. If I restart opnsense without making any changes everything works again; I tried to restart only unbound, but that does not work.
#3
This is the result when I insert a wrong user at the prompt, while the connection uses the correct certificate:

(8) eap_peap: ERROR: We sent a success, but the client did not agree
(8) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module failed


but when I insert the correct credentials everything works.
#4
I attach the FreeRADIUS EAP config.
#5
Quote
But you started your post with EAP-TLS, and now you're at EAP-PEAP ?!?!

Quote
I would like the connection to be made via certificate or password. If the machine has the certificate, authenticate it and go to vlan10; if the machine does not have the certificate but has the credentials, go to the credentials VLAN; if the data is wrong, go to vlan20, which would be the fallback.

Which basically forces you to use EAP-PEAP in the first place, especially when you mean by "machine" a Windows computer object.

I certainly made a mistake in setting up both the post and the RADIUS. I would like the clients (mostly Windows) to have that type of authentication, so at this point I have to recreate everything, including certificates.
#6
I'll attach some screenshots.
These are the tests for WiFi on Win10:
1 - EAP ---> smart card or certificate: can't connect
2 - EAP-PEAP, smart card or certificate: it prompts for the credentials, and if I enter the correct credentials it works, warning me that the connection is protected by the certificate (and the certificate is correct), but if I enter the wrong ones it doesn't put me on the fallback VLAN
3 - if I try with TTLS it tells me that I need the certificate

I would like the connection to be made via certificate or password. If the machine has the certificate, authenticate it and go to vlan10; if the machine does not have the certificate but has the credentials, go to the credentials VLAN; if the data is wrong, go to vlan20, which would be the fallback.
#7
This is the debug output from FreeRADIUS:

(9) Received Access-Request Id 2 from 10.0.1.7:33406 to 10.0.1.254:1812 length 229
(9)   User-Name = "aaa"
(9)   NAS-IP-Address = 10.0.1.7
(9)   NAS-Identifier = "229fc247a0b6"
(9)   Called-Station-Id = "22-9F-C2-47-A0-B6:Guest"
(9)   NAS-Port-Type = Wireless-802.11
(9)   Service-Type = Framed-User
(9)   Calling-Station-Id = "04-D3-B0-85-0D-CC"
(9)   Connect-Info = "CONNECT 0Mbps 802.11b"
(9)   Acct-Session-Id = "2BDF3CE2A430CBF0"
(9)   Acct-Multi-Session-Id = "1B3D52AEA9F908B1"
(9)   WLAN-Pairwise-Cipher = 1027076
(9)   WLAN-Group-Cipher = 1027076
(9)   WLAN-AKM-Suite = 1027073
(9)   Framed-MTU = 1400
(9)   EAP-Message = 0x02170007031915
(9)   State = 0xdcf7b0d4dce0bdb1b4e3b286b3189e07
(9)   Message-Authenticator = 0x9f9cd928685be38f5d04bbcb506e1d8a
(9) Restoring &session-state
(9)   &session-state:Framed-MTU = 994
(9) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(9)   authorize {
(9)     policy filter_username {
(9)       if (&User-Name) {
(9)       if (&User-Name)  -> TRUE
(9)       if (&User-Name)  {
(9)         if (&User-Name =~ / /) {
(9)         if (&User-Name =~ / /)  -> FALSE
(9)         if (&User-Name =~ /@[^@]*@/ ) {
(9)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(9)         if (&User-Name =~ /\.\./ ) {
(9)         if (&User-Name =~ /\.\./ )  -> FALSE
(9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(9)         if (&User-Name =~ /\.$/)  {
(9)         if (&User-Name =~ /\.$/)   -> FALSE
(9)         if (&User-Name =~ /@\./)  {
(9)         if (&User-Name =~ /@\./)   -> FALSE
(9)       } # if (&User-Name)  = notfound
(9)     } # policy filter_username = notfound
(9)     [preprocess] = ok
(9)     [chap] = noop
(9)     [mschap] = noop
(9)     [digest] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "aaa", looking up realm NULL
(9) suffix: No such realm "NULL"
(9)     [suffix] = noop
(9) eap: Peer sent EAP Response (code 2) ID 23 length 7
(9) eap: No EAP Start, assuming it's an on-going EAP conversation
(9)     [eap] = updated
(9) files: users: Matched entry DEFAULT at line 45
(9)     [files] = ok
(9)     [expiration] = noop
(9)     [logintime] = noop
(9) pap: WARNING: Auth-Type already set.  Not setting to PAP
(9)     [pap] = noop
(9)   } # authorize = updated
(9) Found Auth-Type = Accept
(9) Auth-Type = Accept, accepting the user
(9) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(9)   post-auth {
(9)     update {
(9)       &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 994
(9)     } # update = noop
(9)     [exec] = noop
(9)     policy remove_reply_message_if_eap {
(9)       if (&reply:EAP-Message && &reply:Reply-Message) {
(9)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(9)       else {
(9)         [noop] = noop
(9)       } # else = noop
(9)     } # policy remove_reply_message_if_eap = noop
(9)   } # post-auth = noop
(9) Login OK: [aaa/<via Auth-Type = Accept>] (from client unifiap1 port 0 cli 04-D3-B0-85-0D-CC)
(9) Sent Access-Accept Id 2 from 10.0.1.254:1812 to 10.0.1.7:33406 length 48
(9)   Tunnel-Type = VLAN
(9)   Tunnel-Medium-Type = IEEE-802
(9)   Tunnel-Private-Group-Id = "20"
(9)   Framed-Protocol = PPP
(9)   Framed-MTU += 994
(9) Finished request
Waking up in 4.9 seconds.
(8) Cleaning up request packet ID 1 with timestamp +1542 due to cleanup_delay was reached
(9) Cleaning up request packet ID 2 with timestamp +1542 due to cleanup_delay was reached
#8
I saw in the debug that FreeRADIUS receives the request from the NAS (Ubiquiti AP) and, after authenticating with the wrong user, it responds with the VLAN to assign, but after a while it times out and I get "unable to connect to the network". At this point the problem is the UniFi AP. The thing I don't understand is that on UniFi there aren't many settings for RADIUS: I set the RADIUS profile with the opnsense secret and IP, I enabled dynamic VLAN assignment and enabled VLAN fallback. On the switch side, the ports where the APs are connected have the default VLAN untagged and the other VLANs tagged; on UniFi I didn't find anything for the certificate part.
#9
I understood: all the auths are OK, it was the fallback VLAN that authenticates and moves to the desired VLAN; this point is OK.
#10
This is in debug mode, using System > Access > Tester and selecting RADIUS; I use a wrong credential:

(0) Received Access-Request Id 134 from 127.0.0.1:40992 to 127.0.0.1:1812 length 80
(0)   User-Name = "a"
(0)   Service-Type = Login-User
(0)   Framed-Protocol = 15
(0)   NAS-Identifier = "668815a1029c8"
(0)   NAS-Port = 0
(0)   NAS-Port-Type = Ethernet
(0)   User-Password = "a"
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "a", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0) files: users: Matched entry DEFAULT at line 45
(0)     [files] = ok
(0)     [expiration] = noop
(0)     [logintime] = noop
(0) pap: WARNING: Auth-Type already set.  Not setting to PAP
(0)     [pap] = noop
(0)   } # authorize = ok
(0) Found Auth-Type = Accept
(0) Auth-Type = Accept, accepting the user
(0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(0)   post-auth {
(0)     update {
(0)       No attributes updated for RHS &session-state:
(0)     } # update = noop
(0)     [exec] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # post-auth = noop
(0) Login OK: [a/a] (from client opnsense port 0)
(0) Sent Access-Accept Id 134 from 127.0.0.1:1812 to 127.0.0.1:40992 length 42
(0)   Tunnel-Type = VLAN
(0)   Tunnel-Medium-Type = IEEE-802
(0)   Tunnel-Private-Group-Id = "20"
(0)   Framed-Protocol = PPP
(0) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 134 with timestamp +27 due to cleanup_delay was reached
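The debug output above shows the pattern worth catching automatically: `files` matched the DEFAULT entry of the users file, `pap` then warned that Auth-Type was already set, and the server logged "Found Auth-Type = Accept" and "Login OK" for a user and password that do not exist. The following Python script is an added example, not manustar's code nor anything from OPNsense or FreeRADIUS: it groups `radiusd -X` lines by request number and flags every request resolved through Auth-Type = Accept, which skips the authenticate section so no module ever verifies the password. The sample input is constructed from a trimmed copy of request (0) above plus an invented healthy PAP request (1) for comparison.

```python
import re
from collections import defaultdict

# Constructed sample: request (0) is trimmed from the radiusd -X output posted above
# (wrong-credential test); request (1) is an invented healthy PAP request, not from the page.
SAMPLE_DEBUG = """\
(0) Received Access-Request Id 134 from 127.0.0.1:40992 to 127.0.0.1:1812 length 80
(0)   User-Name = "a"
(0) eap: No EAP-Message, not doing EAP
(0) files: users: Matched entry DEFAULT at line 45
(0) pap: WARNING: Auth-Type already set.  Not setting to PAP
(0) Found Auth-Type = Accept
(0) Login OK: [a/a] (from client opnsense port 0)
(1) Received Access-Request Id 135 from 127.0.0.1:40993 to 127.0.0.1:1812 length 80
(1)   User-Name = "bob"
(1) files: users: Matched entry bob at line 12
(1) Found Auth-Type = PAP
(1) Login OK: [bob/<via Auth-Type = PAP>] (from client opnsense port 0)
"""

REQ_RE = re.compile(r"^\((\d+)\)\s*(.*)$")  # "(N) rest of line"
USER_RE = re.compile(r'User-Name = "([^"]*)"')
FILES_RE = re.compile(r"files: users: Matched entry (\S+) at line (\d+)")

def group_requests(text):
    """Group radiusd -X lines by their (N) request prefix, prefix stripped."""
    reqs = defaultdict(list)
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            reqs[int(m.group(1))].append(m.group(2))
    return reqs

def find_blind_accepts(text):
    """Flag requests resolved with Auth-Type = Accept: authenticate is skipped, so
    no module verified the password. Records user, matched users entry, Login OK."""
    findings = []
    for rid, lines in sorted(group_requests(text).items()):
        if not any(l.startswith("Found Auth-Type = Accept") for l in lines):
            continue
        users = [m for m in map(USER_RE.search, lines) if m]
        entries = [m for m in map(FILES_RE.search, lines) if m]
        findings.append({
            "request": rid,
            "user": users[0].group(1) if users else None,
            "users_entry": entries[0].group(1) if entries else None,
            "users_line": int(entries[0].group(2)) if entries else None,
            "login_ok": any(l.startswith("Login OK:") for l in lines),
        })
    return findings
```

On the sample it reports only request (0), pointing at the DEFAULT entry at line 45 of the users file as the place to inspect; a healthy PAP or EAP request never produces a finding.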
#11
I add that with the radiusd -X command I receive this error:

Failed binding to auth address * port 1812 bound to server default: Address already in use
/usr/local/etc/raddb/sites-enabled/default[4]: Error binding to port for 0.0.0.0 port 1812

This is the file:
root@OPNsense:~ # cat /usr/local/etc/raddb/sites-enabled/default

server default {

listen {
        type = auth
        ipaddr = *
        port = 0

        limit {
              max_connections = 16
              lifetime = 0
              idle_timeout = 30
        }
}

listen {
        ipaddr = *
        port = 0
        type = acct

        limit {
        }
}

listen {
        type = auth
        ipv6addr = ::
        port = 0

        limit {
              max_connections = 16
              lifetime = 0
              idle_timeout = 30
        }
}

listen {
        ipv6addr = ::
        port = 0
        type = acct

        limit {
        }
}

authorize {
        filter_username
        preprocess
        chap
        mschap
        digest
        suffix
        eap {
                ok = return
        }
        files
        -sql
        -ldap

        expiration
        logintime
        pap
}

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        mschap
        digest
        eap
}

preacct {
        preprocess
        acct_unique
        suffix
        files
}


accounting {
        detail
        unix
        -sql
        exec
        attr_filter.accounting_response
}

session {
}

post-auth {
        update {
                &reply: += &session-state:
        }
        -sql
        exec
        remove_reply_message_if_eap
        Post-Auth-Type REJECT {
                -sql
                attr_filter.access_reject
                eap
                remove_reply_message_if_eap
        }

        Post-Auth-Type Challenge {
        }

}

pre-proxy {
}

post-proxy {
        eap
}
}



This is the result of sockstat -4 -l | grep 181:
root     radiusd    51602 9  udp4   *:1812                *:*
root     radiusd    51602 10 udp4   *:1813                *:*
root     radiusd    51602 13 udp4   127.0.0.1:18120       *:*


#12
Quote from: netnut on July 05, 2024, 04:00:39 PM
Quote from: manustar on July 05, 2024, 01:16:30 PM

...but I'm encountering big problems, the configuration seems correct, I followed various guides and the settings are the same.

...the strange thing that I can't understand is why in the freeradius logs I always receive Login OK even if I enter the password incorrectly.


What are you going to use: EAP-TLS, EAP-TTLS or EAP-PEAP ?

Can you successfully authenticate with one of the above EAP types (EAP-TLS is cert only) on your local Radius server (local test account with radtest) ?

On the FreeRADIUS UI on opnsense I set EAP-TLS mode with my own certificate, but when I connect to the WiFi it always asks for the password. If I insert a correct user it then tells me that the connection is protected by the certificate, and looking at the certificate it is the right one created on opnsense; if I enter a wrong user it doesn't tell me that the connection is protected by the certificate and asks me for the user again, but in the FreeRADIUS logs I receive the same Login OK.
I did the test with System > Access > Tester, selecting the RADIUS server, and in the FreeRADIUS logs with any user I enter (wrong users) it gives me Login OK.
#13

Hi everyone, I'm trying to configure RADIUS authentication via certificate (for now on WiFi and in the future on wired) but I'm encountering big problems; the configuration seems correct, I followed various guides and the settings are the same. I created the authentication server on opnsense on ports 1812 and 1813, I created the CA with related server and client certificates, and in the FreeRADIUS settings I put the Ubiquiti APs and the switch among the clients. I loaded the CA and the client certificate on Windows, but when I try to connect to WiFi it asks me for the password (I activated MAC authentication on UniFi and added a user with the MAC as user and password). If I enter the credentials manually it connects and tells me that the connection is protected by a certificate (I see the certificate and it's correct), but if I choose connect via certificate it returns me to the credentials request. The strange thing that I can't understand is why in the FreeRADIUS logs I always receive Login OK even if I enter the password incorrectly. I'll post some screenshots for completeness. My need is the connection via certificate, and if the client doesn't have the certificate it moves me to a defined VLAN.

This is the log from FreeRADIUS:

Fri Jul  5 12:35:35 2024 : Auth: (3) Login OK: [a/<via Auth-Type = Accept>] (from client unifiap1 port 0 cli 04-D3-B0-85-0D-CC)
Fri Jul  5 12:35:54 2024 : Auth: (5) Login OK: [a/<via Auth-Type = Accept>] (from client unifiap1 port 0 cli 04-D3-B0-85-0D-CC)

Fri Jul  5 12:15:20 2024 : Auth: (7) Login OK: [B0-12-42-22-10-1F/B0-12-42-22-10-1F] (from client unifiap1 port 0 cli B0-12-42-22-10-1F)
Fri Jul  5 12:15:20 2024 : Auth: (9) Login OK: [laptop/<via Auth-Type = Accept>] (from client unifiap1 port 0 cli B0-12-42-22-10-1F)
Fri Jul  5 12:15:26 2024 : Auth: (14) Login OK: [laptop/<via Auth-Type = Accept>] (from client unifiap2 port 0 cli B0-12-42-22-10-1F)


Fri Jul  5 12:33:57 2024 : Auth: (1) Login OK: [wifi/<via Auth-Type = Accept>] (from client unifiap1 port 0 cli 04-43-40-45-04-4C)
Fri Jul  5 12:35:35 2024 : Auth: (3) Login OK: [a/<via Auth-Type = Accept>] (from client unifiap1 port 0 cli 04-43-40-45-04-4C)
Fri Jul  5 12:35:54 2024 : Auth: (5) Login OK: [a/<via Auth-Type = Accept>] (from client unifiap1 port 0 cli 04-43-40-45-04-4C)

In the logs in bold I used the user "wifi", which is correct, and the user "a", which is not present in FreeRADIUS, but in both cases I received Login OK.
#14
General Discussion / Re: VoIP phone
March 02, 2024, 08:30:48 PM

I was also thinking of another approach: if I connect an opnsense WAN2 interface to a router port on vlan20 (192.168.2.1) and give the VLAN of the phones behind opnsense WAN2 as its gateway, all the traffic would go out with the public IP of the ISP router's 192.168.2.1 network (I don't know if that's right).
#15
General Discussion / VoIP phone
March 02, 2024, 02:55:51 PM
Hi everyone, I'm going crazy trying to configure VoIP behind the firewall. Originally the 7 phones were connected to the Vodafone ISP router, which has the data LAN 192.168.1.1/24 and the voice LAN 192.168.2.1/24 (vlan20). Now I put opnsense on a router port with the public IP directly on the WAN; on the LAN, which is now 10.1.1.0/24, I created vlan20 10.2.1.0/24. The phones get the right IP but they don't register. I installed sipproxy, set WAN outbound and vlan20 inbound, but they still don't work. I'm sure I'm doing something wrong.