Messages - crissi

121
General Discussion / Re: FreeRadius EAP Settings Root and Server Certificate
« on: November 07, 2021, 09:52:40 am »
Hello benyamin,

Changed the settings now to TLS, with Check TLS Common Name marked. Created the new 4th Certificate with Common Name User / Device Name. Imported and trusted this Cert on the Client Device, but I still get prompted when choosing the WPA Enterprise Wifi Network.

Tried also with Common Name User and Device Name, and also without Check TLS Common Name, same result.

Thx!

122
General Discussion / Re: FreeRadius EAP Settings Root and Server Certificate
« on: November 05, 2021, 03:46:36 pm »
Oops, yes, sorry, it was not my intent to quote myself :)

Thanks for the Update! I will look into this over the weekend.

123
General Discussion / Re: FreeRadius EAP Settings Root and Server Certificate
« on: November 05, 2021, 12:15:44 pm »
Regarding the number of certificates and using this solution for Windows and Android devices, you would need to provide some more information about your use scenario(s). Also, the inclusion of Windows clients will likely be your limiting factor when making your solution homogeneous or platform-independent.

If this is for an enterprise, and you have Windows devices that are part of an Active Directory domain, you must choose a certificate-based supplicant authentication technique rather than using encrypted usernames and passwords. If you do not, the device will not be able to connect to the network prior to the user logging in and authenticating. In this use case, the device and not the user is the "client" and as the device effectively does not have a password, you must use a certificate assigned to the device instead (for authentication).


Quote
I have Windows 10 Devices, no ADS Domain. Created on my Unifi AP / WPA Enterprise Networks and on FreeRadius the AP as Client with shared secret and as IP the AP as remote Client. Authentication with the created Users / Passwords in FreeRadius works fine.

Now I try to get certificate-based authentication to work (EAP-TLS).


What Default EAP Type did you choose at Services: FreeRADIUS: EAP...?

Quote
EAP is not available to choose, I selected now PEAP, or do I need to select something different?

When you connect your Mac, I presume you get asked for username and password, yes?

Quote
Yes, still get asked for username and password. Even with the fully imported / trusted Certificate Chain

Regarding changing the GUI to say "Issuing CA Certificate", "someone" can raise it as an issue on Git. However, I would wait until any issues you are having are sorted out first.

Quote
ok, thank you.

To move the Root CA offline, you could try the technique I posted here, but I note it is NOT tested. I note Fright's comments below my post that, in his humble opinion, OPNsense really isn't built to be a CA and should not really be used for production purposes.

Quote
Would be nice to use OPNsense as a full CA for production in future …

Having said that, if you are using FreeRADIUS to manage users and clients internally, i.e. it is your user database (rather than say using a LDAP database), perhaps it has functionality to create client certificates (I don't know) in which case you might need the integrated CA.

Quote
Yes, I want to manage Users internally, but would like to use certificate-based authentication, and therefore the CA would be needed, right?

If you do decide to move the Root CA offline, perhaps you can post your outcome here, or in the other topic, or maybe even start a new topic.

Quote
I would love to see the possibility under System – Trust – Authorities where you have the Option to set CA Offline / Online

Thx!

124
Hardware and Performance / Re: Advice Conf LAGG LACP with VLANs
« on: November 04, 2021, 08:08:18 pm »
Hi pugs,

thanks a lot for your reply and your information! I definitely need Sensei / VLANs working in my network, so if I don't get the LAGG/VLAN somehow working, I will go the same route, to use 2 x 8 Port Switches to separate Server / Clients and IOT Devices. I just saw here a similar thread / issue

https://forum.opnsense.org/index.php?topic=22945.0

which was fixed via a patch, so I don't give up hope yet :)

Just waiting to get my LACP able Switch to test ...

Thx!

125
Hardware and Performance / Advice Conf LAGG LACP with VLANs
« on: November 04, 2021, 02:36:12 pm »
Hello,
I need some advice regarding LAGG Conf with VLANs. I have 6 Ports on my FW, and I currently use 1 for LAN / VLANS and 1 Port for WAN. As I have 4 free Ports (1Gbit) on my FW, and plan to buy a new switch, I was wondering if this would make sense:

- Use 1 Interface LAN just as Management Interface.
- Create 1 Lagg Group with the 4 free Interfaces and add all the VLANS to the Logical Interface. I have my Home Servers / Laptops / Mobiles / Printer / IOT etc. all in different VLANs and also use Suricata and Sensei, would this make sense performance wise?

Or should I Group them further like 2 LAGG Groups 2x2 Interfaces, and put in Group 1 just the Servers and in the other Group just the Clients?

One other question, can I create the LAGG on OPNsense just by unassigning the existing VLAN Interfaces, or do I have to recreate them completely new?

Thanks a Lot!

126
General Discussion / Re: FreeRadius EAP Settings Root and Server Certificate
« on: November 03, 2021, 07:00:19 pm »
Quote
Yes, it would appear so, at least on a Mac

And on Windows and Android Devices?

Quote
It really should be changed to "Issuing CA".

Yes, would be perfect.

Quote
It is usually best practice to keep the Root CA offline

If there would be a way to implement this, would be great.

Thx!




127
General Discussion / Re: FreeRadius EAP Settings Root and Server Certificate
« on: November 02, 2021, 06:53:37 pm »
My question is whether this is the correct way, to now have 3 Certificates installed on the Client? I'm also not sure yet whether under the EAP Settings Root CA the Intermediate CA or the Radius Root CA should be selected? What is the real benefit of having an intermediate CA in general?


128
General Discussion / Re: FreeRadius EAP Settings Root and Server Certificate
« on: November 02, 2021, 05:22:48 pm »
Thx, I have now imported both radius-ca and radius-intermediate-ca to the Mac key store as recommended, and trusted them. Then I connect to the Wifi Network and again also get offered the radius certificate, which I had to trust.

Afterwards I again have both CA Certs and the Server Certificate stored in the Keychain...







129
General Discussion / Re: FreeRadius EAP Settings Root and Server Certificate
« on: November 01, 2021, 05:34:20 pm »
I have now exported the radius-ca under System - Trust - Authorities and installed / trusted the CA on my Mac.

Then I connect fresh to the wifi network and get offered / installed the radius-intermediate-ca and the radius certificate.

Now I'm wondering, is this really correct, to then have radius-ca / radius-intermediate-ca and radius certificate installed on the client PC?

If the process is the same as with the webgui certificate in the documentation https://docs.opnsense.org/manual/how-tos/self-signed-chain.html the last step there is "Download the intermediate CA and install it to your browser", or am I wrong here?


130
General Discussion / Re: FreeRadius EAP Settings Root and Server Certificate
« on: November 01, 2021, 01:26:59 pm »
Thanks, so under the FreeRadius EAP Settings, do I need to choose the radius-ca there as well, or the radius-intermediate ca?

This is what's unclear for me, as I created under Trust the Radius CA, Radius Intermediate CA and Server Certificate?

131
General Discussion / Re: FreeRadius EAP Settings Root and Server Certificate
« on: November 01, 2021, 11:24:04 am »
Please see here the Certificates offered on first connect of the Client, and the Certificates installed to the Keychain afterwards


132
General Discussion / FreeRadius EAP Settings Root and Server Certificate
« on: November 01, 2021, 10:45:15 am »
Hello,

I created a new CA for Radius, analogous to the one for the webgui https://docs.opnsense.org/manual/how-tos/self-signed-chain.html

Under FreeRadius - EAP I set as Root Certificate the Radius Intermediate CA that I created; is this the correct way? Do I need to deploy the Radius Intermediate CA just to the specific Clients before connecting via Radius?

If I do not deploy the Intermediate CA and connect with a Client to Radius, I get offered / installed to the keychain:

Server Certificate
Radius Intermediate CA

and additionally the Radius CA

Shouldn't normally only the Intermediate and the Radius Server Certificate be installed?

Thx!




133
Hardware and Performance / Re: LAGG Switch 16 Port for Opnsense
« on: November 01, 2021, 10:33:54 am »
Thank You!
br

134
Hardware and Performance / Re: LAGG Switch 16 Port for Opnsense
« on: November 01, 2021, 07:08:06 am »
Thx, Cisco would be nice, but height-wise I need a flat switch. Just for me to understand: must the switches support lag proto LACP to get the aggregation to work with OPNsense?

135
Hardware and Performance / LAGG Switch 16 Port for Opnsense
« on: October 31, 2021, 03:16:36 pm »
Hello,

I'm looking for a 16 Port Switch to enable LAGG for my OPNsense. I found a cheap Netgear GS116E which can do Static LAG, not dynamic.

Does anyone else have the Netgear GS116E Plus Switch, and use it successfully for LAG with OPNsense?

Thx!
