20.1 Legacy Series / FreeRADIUS automatic configuration build
« on: August 10, 2020, 07:22:28 pm »
TLDR; how do I add a default matching rule that won't be overwritten when the GUI adds a new manual user?
Long story short, slightly longer:
I'm on OPNsense 20.1.9-amd64 with modern UniFi APs and FreeRadius plugin to offer very basic RADIUS auth setup, plus Cisco 3560 switches with VLANs tagged on my PoE WiFi switchports to use multiple VLANs on the same AP / SSID. I migrated back from a UniFi USG Pro and I couldn't be happier. Here's my WiFi connection flow:
- User WiFi devices connect with the WPA-PSK password
- then offer $MACADDRESS / $MACADDRESS as user / pass
- clients (my APs) are configured in the "clients section" of FreeRADIUS to use its auth
- a user is matched from the config (as entered in the GUI), mapped to their defined VLAN
- OR (via my manual entry), a DEFAULT user rule matches anyone else with the correct WiFi PSK and maps to a default VLAN with restrictions
I'm managing known users in the GUI, but I need this default rule in the `users` file too, /usr/local/etc/raddb/users, symlinked from /usr/local/etc/raddb/mods-config/files/authorize:
Code:
DEFAULT Auth-Type := Accept
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-Id = 123,
	Framed-Protocol = PPP
When inserted manually (and I restart FreeRADIUS using the arrow "refresh" button at the top of the GUI), this gives the desired result... but gets overwritten when the GUI adds a new specific user (and I click APPLY to add that user).
Is it possible to use the GUI and still include a static rule such as this one? If so, where? I can't determine how the `users` file is actually being built. The `hints` file has some similar rules to the defaults at the bottom of `users`, but adding this to `hints` doesn't make it show up in the `users` file.
I'm looking to accomplish any of these:
- Understand the way the file is constructed when the "APPLY" button is clicked in the GUI and add my DEFAULT rule into a template that will put it in place
- Understand where the back-end users are parsed if it's possible to add this in that format as a default rule to be added at the time of build (the config file contains user/pass of each client, but doesn't appear to contain the verbiage to regenerate my default rule)
- Or... I might need to find another iteration of RADIUS that I should be using if this isn't possible. This is my first rodeo with RADIUS, so I just need to know if the OPNsense plugin is limited, where another version would make this easy
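One way to keep the catch-all in place regardless of how the plugin rebuilds `users`, as an added example (not the plugin's own code): a Python 3 helper that re-appends the DEFAULT entry from the post as the last entry of the file, leaving the GUI-generated users, the stock DEFAULT entries and comments untouched, and that lists any users the `files` module would never reach because they sit after the catch-all (without `Fall-Through`, the first matching entry wins). The sample MAC user and VLAN 10 below are constructed; how and when the helper is run after APPLY is not something the post shows.

```python
# Constructed catch-all entry from the post: accept any remaining client, VLAN 123.
CATCH_ALL = [
    "DEFAULT Auth-Type := Accept",
    "\tTunnel-Type = VLAN,",
    "\tTunnel-Medium-Type = IEEE-802,",
    "\tTunnel-Private-Group-Id = 123,",
    "\tFramed-Protocol = PPP",
]

def parse_entries(text):
    """Split a FreeRADIUS users file into [name, lines] entries.
    An unindented line starts an entry; indented lines are its reply items.
    Comments and blank lines stay attached to the preceding entry (or to a
    nameless preamble entry) so a rewrite loses nothing."""
    entries = []
    for line in text.splitlines():
        if line and line[0] not in " \t#":
            entries.append([line.split()[0], [line]])
        elif entries:
            entries[-1][1].append(line)
        else:
            entries.append(["", [line]])
    return entries

def _norm(lines):
    """Whitespace-insensitive view of an entry, without comments/blank lines."""
    return [" ".join(ln.split()) for ln in lines
            if ln.strip() and not ln.lstrip().startswith("#")]

def is_catch_all(entry):
    return _norm(entry[1]) == _norm(CATCH_ALL)

def shadowed_users(text):
    """Names of entries placed after the catch-all; the files module stops at the
    first match when no Fall-Through is set, so these never get their own VLAN."""
    names, seen = [], False
    for name, lines in parse_entries(text):
        if seen and name:
            names.append(name)
        if is_catch_all((name, lines)):
            seen = True
    return names

def ensure_catch_all(text):
    """Return the users file with the catch-all present exactly once, as the last
    entry. Everything else is kept verbatim; running it twice changes nothing."""
    kept = [e for e in parse_entries(text) if not is_catch_all(e)]
    body = "\n".join(ln for _, lines in kept for ln in lines).rstrip("\n")
    return body + "\n\n" + "\n".join(CATCH_ALL) + "\n"

# Constructed sample of what the GUI writes (a MAC user on VLAN 10), path from the post.
SAMPLE = ('# constructed sample of /usr/local/etc/raddb/users\n'
          'aa:bb:cc:dd:ee:01 Cleartext-Password := "aa:bb:cc:dd:ee:01"\n'
          '\tTunnel-Type = VLAN,\n\tTunnel-Medium-Type = IEEE-802,\n'
          '\tTunnel-Private-Group-Id = 10\n')
```

Writing the result back over `/usr/local/etc/raddb/users` and restarting FreeRADIUS is the remaining step; `shadowed_users()` on the written file should return an empty list.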