23.1.8, 23.1.9 RADIUS servers using PAP

Started by protocol6v, June 16, 2023, 05:24:21 PM

I started having a problem since 23.1.8 (that I noticed it; I believe it was working in 23.1.7), where RADIUS servers are trying to authenticate using PAP instead of MS-CHAPv2, so my IKE mobile VPNs will no longer authenticate.

I can't seem to find any documentation on forcing the authentication method like you can in pfSense for RADIUS servers. Can someone point me in the right direction here?

I've tried removing and re-adding the RADIUS servers, but they continue to all try PAP. Not sure if it matters or not, but my RADIUS servers are Windows AD NPS. Previously working, now not. Other appliances I use RADIUS on are all still working fine, but not OPN since, I believe, 23.1.8.

Please help!

opnsense-revert -r 23.1.7 freeradius3

Via CLI, does this fix it?

Thanks, but

root@firewall:~ # opnsense-revert -r 23.1.7 freeradius3
Package 'freeradius3' is not installed


Is the result. Do I need to install freeradius now for some reason?

Anybody else have any ideas here? This is a major problem for me, I use similar setups in many locations, and I now cannot upgrade any until I have a fix for this.

I'm not using the FreeRADIUS package as I am not using OPNsense as a RADIUS server, simply as a client against an Active Directory NPS RADIUS server.

Otherwise, in the meantime, is there a simple way to revert the entire release back to 23.1.7? Or is this a backup and reinstall?

Thank you for any and all assistance!

I think there was a patch added recently.
Can you revert to opnsense 23.1.7? The revert line, but with opnsense instead of freeradius3.

Are you saying I should attempt an update for a new patch, and if that doesn't help, revert?

When reverting, do I need to just revert opnsense, or the kernel as well?

Thanks!

I wouldn't try patching now as it requires a new package dependency. Wait for 23.1.10 to come out first...


Cheers,
Franco

I'll try to wait, but in the meantime, can anyone tell me how to edit the authentication "Servers" list via CLI, or what package manages these? I can't seem to find any info on how this works.

Thanks!

There's no CLI handling of server settings itself. There's also no direct way to influence the system's authentication server being used... however, the console password recovery script resets the list to local authentication in case of a lockout.

Long story short I don't think you will find what you seek. Another way is to edit the /conf/config.xml file directly.


Cheers,
Franco

Of course, you are correct. I tried adding:

<radius_protocol>MSCHAPv2</radius_protocol>

to the authserver block, taken from a pfSense config, but it seems OPN doesn't use/respect this line.

I really hope a fix is incoming for this soon!

It has been committed only 3 days ago. We need to respect the process a little here. ;)

https://github.com/opnsense/core/commit/58b1ec1ea6

The development version of tomorrow's 23.1.10 has this included (the "development" type, not "community").


Cheers,
Franco

Oh, I understand, and am very much OK with waiting as long as I know things are in the works. I'm also glad I discovered this where I did before updating other production systems!

Thanks for all your help!


That's great news! Looking forward to upgrading and getting fixed up.

Thanks!

23.1.11 with this option did indeed fix me up. Very happy camper here. Thanks for your help!