freeradius

[tja]

hi all,

1st i have to say that opnsense works very well and (comin from pf*) i like the fresh ui very much. thx for this amzing project.

unfortunatly i have massive problems with WPA2-Enterprise and opnsense 18.1.11/os-freeradius 1.7.0 on a atom D525 box.

i use it with a couple of openwrt routers as APs (which btw worked flawlessly with my previous installation of pf*). they have cloned OSes and are configured identical. the troubles are with all APs so i have ruled them out for now.

some wifi devices cant authenticate while others with the very same credentials can. some devices will work with some credentials but not with other credentials.
the devices in question are all across the landscape, android in various versions, notebooks with linux (mostly xubuntu)/OSX/win10. i can see no pattern in that regard.
my own dell xps 13 will connect with xubuntu but not with win10 whatever i try (using the same credentials).

sometimes rebooting the opnsense box will help. restarting freeradius alone did never help.

in the log (and radiusd -X, see below) i get ...

Code Select Expand

06:29:53 2018 : Auth: (207) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [[i]USER[/i]/<via Auth-Type = eap>] (from client glw3aAP0 port 0 via TLS tunnel)
or

Code Select Expand

eap_peap: ERROR: TLS Alert read:fatal:access denied
eap_peap: SSL_read Error
eap_peap: ERROR: Error in fragmentation logic
eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094419:SSL routines:ssl3_read_bytes:tlsv1 alert access denied
eap_peap: ERROR: [eaptls process] = fail
eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module failed


on the device i get authentication errors or just cannot connect messages.

i know for sure that the credentials are correct as other devices will connect with the same credentials plus i checked config.xml.

i tried to debug with the help of manual starting radiusd with the "-X" flag but even when " Log Authentication Request"/" Log Authentication Bad Password"/" Log Authentication Good Password" is checked no passwords whatsoever are to be found in the debug output - so i cant say for sure that radius got the right credentials. i guess radius is compiled with some sort of "no password output whatsoever" compile flags.

i have not enough experience with freeradius to interpret the debug output of radiusd -X further - but i see no red lines besides "mschap: ERROR: MS-CHAP2-Response is incorrect" and the subsequent "eap_peap:   ERROR: The users session was previously rejected: returning reject (again.)" or the "eap_peap: ERROR: TLS Alert read:fatal:access denied ..." sequence.

is someone out there using a compareable setup and could point me in the right direction ?

tia,tja...

[mimugmail]

Can you post a screenshot of your EAP settings please?

[tja]

hi mimugmail,

thx for looking into this, see attached image.

tia,tja...

[mimugmail]

Can you try with default EAP type MD5 and Chap?
Also I'd need the complete debug for 1 session in freeradius -X

I tested EAP with Android yesterday while writing on a ebook, so in general it should be fine.

[tja]

hi,

partial success:
epa-md5 works for one android device/credential combo which didnt work before.
other devices i tested still work (android/OSX/xubuntu).

my xps 13 in win10 wont work. still "Keine Verbindung mit diesem Netzwerk möglich" (no connection possible). attached the radiusd -X log.
baffles me that it still says it would like to use PEAP ...

tia,tja...

[mimugmail]

For Windows, add the Wifi manually, WPA2 Enterprise, choose PEAP, under advanced CHAP, set dont very certificates if not installed on client.

It's a bit confusing, had similar issues with a client some days ago, no fun with Windows.

[tja]

thx, tried that - no luck  :(

i removed the network and added it manually but i wouldnt even be asked for credentials:

Code Select Expand

(218) eap_peap: ERROR: TLS Alert read:fatal:unknown CA
(218) eap_peap: ERROR: TLS_accept: Failed in unknown state
(218) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read)
(218) eap_peap: ERROR: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
(218) eap_peap: ERROR: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
(218) eap_peap: ERROR: System call (I/O) error (-1)
(218) eap_peap: ERROR: TLS receive handshake failed during operation
(218) eap_peap: ERROR: [eaptls process] = fail
(218) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module failed

and yes, i deactivated certification checks in windows. maybe they changed something with recent updates.

side question: wouldnt it be safer to use TLS for security reasons anyway ? is TLS problematic ? would one need a none private certificate/CA for it ?

tia,tja...

[mimugmail]

you could use EAP-TLS, sure, but then you have to roll-out CA and client-certificates on all clients.
You can also try EAP-TTLS, but I'm not sure if you then have to reconfigure all existing clients.

[tja]

success:
i got it working even on win10  :)

i deleted all traces of the wifi network and its predecessors and re-added it manually with fine-combing through all extended settings.

regarding security i will have to look deeper into that. although this network is may private one it also is a testbed for some customer installations so i have to play around more to tighten this.

you and https://searchnetworking.techtarget.com/feature/Choosing-the-right-flavor-of-8021X tells me that TLS or TTLS is the way to go.

thx for helping mimugmail.

[mimugmail]

Great! Perhaps you can share your settings from Windows with others here so we have a reference? :)

[tja]

got it working via PEAP (which should be secure i guess) too.

will document this step by step and post it here tomorrow. have only german windows though ...