Unable to setup EAP-TLS using FreeRADIUS on OPNSense

Started by liner03_brogans, July 13, 2023, 06:30:08 PM

Hi, I am trying to set up EAP-TLS (802.1X certificate-based authentication) on my OPNsense box. As EAP-TLS uses certificates, there should be no password. May I ask what I should type in the password box? Thank you~

I used the pfSense FreeRADIUS plugin before, and I just left it blank and it did authenticate users.

Versions OPNsense 23.1.11-amd64, FreeBSD 13.1-RELEASE-p8.

Plugin name: FreeRADIUS, FreeRADIUS plugin version 1.9.22.

screenshot link: https://imgur.com/a/Vt3AHVJ
Thanks all~

You don't need to set users; the certificate is enough, as you authenticate the device, not the user.

Thanks for your reply~ May I ask how to set a VLAN for an EAP-TLS device cert?

I think this is not possible via the GUI. If you find a guide via CLI which you can reproduce, I can have a look at implementing it.

Does this mean that it is not currently possible to configure OPNsense for EAP-TLS (802.1X certificate-based authentication)?

I'd like to try to move from pfSense to OPNsense, but the lack of device-certificate-based 802.1X EAP-TLS authentication is a show stopper for us... :-\

I wonder if there is any news concerning this feature ("how to set a VLAN for an EAP-TLS device cert") that was missing in 2023...

September 05, 2025, 10:09:49 AM #6 Last Edit: September 05, 2025, 11:00:57 AM by OPNenthu
Registering my interest also. I'll check for and open a feature request on GH.

As a user with a private CA on OPNsense and no enterprise infrastructure for MDM, I'd still like to manually deploy my CA cert and the client certificates (as PKCS#12 packages) to a small number of mobile clients and have FreeRADIUS assign the VLAN based on the client CN or OU. That will also allow me to coalesce my broadcasting SSIDs and reduce airtime significantly while still using WPA3 security. (Note: WPA3-SAE removed the option for multiple PPSKs per SSID.)

Presently, with the FreeRADIUS plugin in 25.7, we can only define Users with passwords, as for EAP-PEAP. This doesn't work for Android 11+ clients because Google disallows private CAs for PEAP. They are only allowed for EAP-TLS.

There is no GUI option presently to configure EAP-TLS VLAN assignment.
"The power of the People is greater than the people in power." - Wael Ghonim

Site 1 | N5105 | 8GB | 250GB | 4x 2.5GbE (I226-V)
Site 2 |  J4125 | 8GB | 1000GB | 4x 1GbE (I210)

September 06, 2025, 03:55:21 AM #7 Last Edit: September 06, 2025, 04:16:43 AM by OPNenthu
Quote from: mimugmail on July 14, 2023, 09:51:18 AM
I think this is not possible via the GUI. If you find a guide via CLI which you can reproduce, I can have a look at implementing it.

Hi @mimugmail, I'm currently looking at the file /usr/local/etc/raddb/sites-enabled/check-eap-tls. It looks to be already matching the cert CN, and maybe it just needs to be extended for VLAN assignment as well?

According to ChatGPT, it could be something like below. These examples match either on the CN or on the OU for department-wide VLAN assignment.

post-auth {
    # FreeRADIUS 3.x names the CN attribute TLS-Client-Cert-Common-Name;
    # there is no TLS-Client-Cert-CN in the dictionary.
    if (&TLS-Client-Cert-Common-Name == "device01") {
        update reply {
            &Tunnel-Type := VLAN
            &Tunnel-Medium-Type := IEEE-802
            &Tunnel-Private-Group-ID := "20"
        }
    }

    # There is no per-OU attribute either; the OU is matched inside the
    # OpenSSL-style subject line (/C=../O=../OU=HR/CN=..).
    if (&TLS-Client-Cert-Subject =~ /\/OU=HR(\/|$)/) {
        update reply {
            &Tunnel-Type := VLAN
            &Tunnel-Medium-Type := IEEE-802
            &Tunnel-Private-Group-ID := "30"
        }
    }
}

Here, "device01" is a short name from the certificate CN, but this can also be device01.example.org.

It says that the users file can also be used, as a second option (but not recommended):

device01
    Tunnel-Type := VLAN,
    Tunnel-Medium-Type := IEEE-802,
    Tunnel-Private-Group-ID := "20"

In that case, this snippet still needs to be in sites-enabled/default to extract the CN.

update request {
    # The 3.x attribute name is TLS-Client-Cert-Common-Name, not TLS-Client-Cert-CN.
    &User-Name := "%{TLS-Client-Cert-Common-Name}"
}

I think the users method could be harder to manage from the plugin, since the config file conflicts with the options needed for EAP-PEAP (for example Framed-Protocol = PPP), but I'm not sure. At least with this method, the only thing that would be needed in the GUI is an option to disable the password requirement when EAP-TLS is enabled.

Can you guide me on how to test this on a live system so that the config changes don't get clobbered? I have an Android 11 client and a Windows 10 laptop that I can try for now. I can also try a wired Linux client.
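For the post-auth approach discussed above, here is an added example (not from the post, from ChatGPT, or from the OPNsense plugin) of the same policy written as a complete FreeRADIUS 3.x post-auth section, scoped so it does not break PEAP password users and with a default branch that refuses a CA-signed certificate that matches no rule, so an unlisted device is not simply accepted onto the port's untagged VLAN. The VLAN numbers and the CN/OU values are assumptions, and it assumes the TLS-Client-Cert-* attributes from the verified client certificate are visible in post-auth of the server handling the EAP request.

```unlang
# sites-enabled/default, post-auth section (FreeRADIUS 3.x unlang).
# Assumption: the TLS-Client-Cert-* attributes are present here; confirm
# in `radiusd -X` output before relying on this policy.
post-auth {
    # Apply the certificate policy only when a client certificate was
    # presented (EAP-TLS). PEAP password users carry no TLS-Client-Cert-*
    # attributes, so they fall through untouched.
    if (&TLS-Client-Cert-Serial) {

        # Per-device VLAN keyed on the certificate CN (assumed values).
        if (&TLS-Client-Cert-Common-Name == "device01") {
            update reply {
                &Tunnel-Type := VLAN
                &Tunnel-Medium-Type := IEEE-802
                &Tunnel-Private-Group-Id := "20"
            }
        }
        # Department VLAN keyed on the OU. 3.x has no per-OU attribute,
        # so match inside the OpenSSL-style subject (/C=../O=../OU=HR/CN=..).
        elsif (&TLS-Client-Cert-Subject =~ /\/OU=HR(\/|$)/) {
            update reply {
                &Tunnel-Type := VLAN
                &Tunnel-Medium-Type := IEEE-802
                &Tunnel-Private-Group-Id := "30"
            }
        }
        # Any other certificate the CA signed matches no rule: refuse it
        # instead of letting the device onto the port's default VLAN.
        else {
            reject
        }
    }

    Post-Auth-Type REJECT {
        # Turn the policy reject into an EAP-Failure for the supplicant
        # (same wiring the stock default site uses for policy rejects).
        eap
        remove_reply_message_if_eap
    }
}
```

The OPNsense plugin regenerates its raddb files, so a test of this should be done against the generated config with `radiusd -X` in the foreground, watching for the TLS-Client-Cert-* lines and the Tunnel-* reply attributes.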