Topics - marin

#1
Hi,

We're trying to make a few OPNsense 20.1 boxes authenticate users against a FreeRADIUS instance with EAP. The FreeRADIUS instance is also an OPNsense 20.1 box. While server-side EAP is enabled, it seems none of our boxes are actually using it. Below is the debug output from FreeRADIUS after one of the boxes tried to authenticate. Authentication succeeded while EAP-TTLS was enabled server-side with an invalid self-signed certificate. Debug messages show that EAP was not used (search for the line "(0) eap: No EAP-Message, not doing EAP").


Ready to process requests
Threads: total/active/spare threads = 5/0/5
Waking up in 0.3 seconds.
Thread 1 got semaphore
Thread 1 handling request 0, (1 handled so far)
(0) Received Access-Request Id 31 from 192.168.1.241:23849 to 192.168.1.249:1812 length 84
(0)   User-Name = "someuser"
(0)   Service-Type = Login-User
(0)   Framed-Protocol = 15
(0)   NAS-Identifier = "5e8049ad39eb5"
(0)   NAS-Port = 0
(0)   NAS-Port-Type = Ethernet
(0)   User-Password = "SomePassword"
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "someuser", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0)     [files] = noop
rlm_ldap (ldap): Reserved connection (0)
(0) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(0) ldap:    --> (uid=someuser)
(0) ldap: Performing search in "cn=users,cn=accounts,dc=local,dc=domain,dc=tld" with filter "(uid=someuser)", scope "sub"
(0) ldap: Waiting for search result...
(0) ldap: User object found at DN "uid=someuser,cn=users,cn=accounts,dc=local,dc=domain,dc=tls"
(0) ldap: Processing user attributes
(0) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(0) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
rlm_ldap (ldap): Connecting to ldaps://ipa-00.core.local.domain.tld:636
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(0)     [ldap] = ok
(0)     if ((ok || updated) && User-Password) {
(0)     if ((ok || updated) && User-Password)  -> TRUE
(0)     if ((ok || updated) && User-Password)  {
(0)       update control {
(0)         Auth-Type := LDAP
(0)       } # update control = noop
(0)     } # if ((ok || updated) && User-Password)  = noop
(0)     [expiration] = noop
(0)     [logintime] = noop
Not doing PAP as Auth-Type is already set.
(0)     [pap] = noop
(0)   } # authorize = ok
(0) Found Auth-Type = LDAP
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0)   Auth-Type LDAP {
rlm_ldap (ldap): Reserved connection (1)
(0) ldap: Login attempt by "someuser"
(0) ldap: Using user DN from request "uid=someuser,cn=users,cn=accounts,dc=local,dc=domain,dc=tld"
(0) ldap: Waiting for bind result...
(0) ldap: Bind successful
(0) ldap: Bind as user "uid=someuser,cn=users,cn=accounts,dc=local,dc=domain,dc=tld" was successful
rlm_ldap (ldap): Released connection (1)
Need 4 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (6), 1 of 26 pending slots used
rlm_ldap (ldap): Connecting to ldaps://ipa-00.core.local.domain.tld:636
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(0)     [ldap] = ok
(0)   } # Auth-Type LDAP = ok
(0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(0)   post-auth {
(0)     update {
(0)       No attributes updated for RHS &session-state:
(0)     } # update = noop
(0)     [exec] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # post-auth = noop
(0) Login OK: [someuser] (from client dnsr-00.local.domain.tld port 0)
(0) Sent Access-Accept Id 31 from 192.168.1.249:1812 to 192.168.1.241:23849 length 0
(0) Finished request


Could someone confirm that I'm not missing something? If not, I think it would be valuable:

  • To write explicitly in the documentation that EAP will not be used for RADIUS authentication even when available on the remote server
  • To plan to add EAP support to OPNsense authentication
  • To add an option to the FreeRADIUS plugin to disable non-EAP (fallback) mechanisms when EAP is enabled

Many thanks,

Marin
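As an added example (not code from the forum post, nor OPNsense or FreeRADIUS code), the following Python classifies a request from a FreeRADIUS debug dump like the one above by the credential attributes it carries, and implements the RFC 2865 section 5.2 User-Password hiding to show what a PAP fallback actually puts on the wire: the password XORed with MD5(shared secret + Request-Authenticator), recoverable by anyone holding or guessing the shared secret. The sample debug lines, the shared secret and the Request-Authenticator are constructed for the example.

```python
"""Classify a RADIUS Access-Request from FreeRADIUS debug output and
demonstrate RFC 2865 User-Password hiding (added example, not project code)."""
import hashlib
import re

# Constructed sample in the shape of the FreeRADIUS "(n)   Attr = value" lines.
# Non-attribute lines are included to show they are ignored by the parser.
SAMPLE_PAP = """\
(0) Received Access-Request Id 31 from 192.0.2.10:23849 to 192.0.2.20:1812 length 84
(0)   User-Name = "someuser"
(0)   Service-Type = Login-User
(0)   NAS-Port-Type = Ethernet
(0)   User-Password = "SomePassword"
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0)     [preprocess] = ok
"""

# Constructed sample of what an EAP-capable supplicant sends instead.
SAMPLE_EAP = """\
(1)   User-Name = "someuser"
(1)   NAS-Port-Type = Wireless-802.11
(1)   EAP-Message = 0x0200000d01736f6d6575736572
(1)   Message-Authenticator = 0x00000000000000000000000000000000
"""

# "(n)   Name = value"; bracketed module results such as "[ldap] = ok" and
# unlang lines such as "Auth-Type := LDAP" do not match.
ATTR_RE = re.compile(r'^\(\d+\)\s+([A-Za-z0-9-]+)\s*=\s*(.*)$')


def parse_attrs(debug_text: str) -> dict:
    """Return {attribute: value} for the request attributes in a debug dump."""
    attrs = {}
    for line in debug_text.splitlines():
        m = ATTR_RE.match(line.strip())
        if m:
            attrs[m.group(1)] = m.group(2).strip().strip('"')
    return attrs


def auth_method(attrs: dict) -> str:
    """Name the credential the NAS sent; EAP wins if an EAP-Message is present."""
    if "EAP-Message" in attrs:
        return "EAP"
    if "User-Password" in attrs:
        return "PAP"
    if "CHAP-Password" in attrs:
        return "CHAP"
    if "MS-CHAP-Response" in attrs or "MS-CHAP2-Response" in attrs:
        return "MSCHAP"
    return "unknown"


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-octet blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request-Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request-Authenticator must be 16 octets")
    if len(password) > 128:
        raise ValueError("RFC 2865 limits User-Password to 128 octets")
    pad = (-len(password)) % 16
    if not password:
        pad = 16  # an empty password is still sent as one full block
    data = password + b"\x00" * pad
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(data[i:i + 16], mask))
        out += block
        prev = block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


if __name__ == "__main__":
    for name, dump in (("PAP sample", SAMPLE_PAP), ("EAP sample", SAMPLE_EAP)):
        print(name, "->", auth_method(parse_attrs(dump)))
    secret = b"s3cret"            # constructed shared secret
    ra = bytes(range(16))         # constructed Request-Authenticator
    wire = hide_password(b"SomePassword", secret, ra)
    print("on the wire:", wire.hex())
    print("recovered with the secret:", unhide_password(wire, secret, ra))
```

The first sample reproduces the post's situation: User-Password is present and EAP-Message is absent, so FreeRADIUS skips the eap module and falls through to an LDAP bind with the plaintext password. On the server side, the equivalent of the third request in the post is an unlang check in the `authorize` section that returns `reject` when `&EAP-Message` is absent; whether the OPNsense FreeRADIUS plugin exposes such an option is not confirmed by this page.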
#2
Hi,

We use OPNsense 19.1.5 on 3 different sites as OpenVPN servers for roaming clients. OpenVPN is configured to send its own IP address (first address from the OpenVPN range) as a DNS server to the clients.

This setup works correctly on one of our sites, but not on the 2 others, where OpenVPN omits the DHCP DNS option from the PUSH_REPLY command:

Tue Apr 09 12:35:51 2019 PUSH: Received control message: 'PUSH_REPLY,route 10.6.0.0 255.255.0.0,route 10.6.9.1,topology net30,ping 5,ping-restart 20,ifconfig 10.6.9.6 10.6.9.5,peer-id 0,cipher AES-256-GCM'

I have already tried removing and then re-adding the DNS options, but still no change. The server config is identical to the one running on the first site, except regarding subnets, of course, and I don't know what else to try.

Any idea?

Many thanks!

Marin.

#3
18.1 Legacy Series / Import config file from CLI
February 08, 2018, 11:03:52 AM
Hi,

We're planning to deploy several tens of OPNsense instances in our enterprise network. These instances will share common alias and rule sets.

I do not know of any reliable central management solution capable of automating the update of these sets on such a scale. AFAIK, there is no web service or API dedicated to these tasks either. This is why we need to find our own way to push the updates to our boxes.

I plan to develop a tool which would generate dynamic OPNsense XML config files from a set of parameters. The files would be valid XML config files, either full or partial (e.g. aliases only).

My issue is how to perform the actual update on the target firewalls: let's assume I have a valid config.xml file which contains the desired config state. Is there a CLI tool that can perform the update? Such a tool would allow us to ease config updates with an Ansible-like engine.

If such a tool exists, does it also support partial config files, just like the Web UI?

Thanks,

Marin.