Freeradius with unifi controller auth

[manustar]

Hi everyone, I'm trying to configure radius authentication via certificate (for now on wifi and in the future on wired) but I'm encountering big problems, the configuration seems correct, I followed various guides and the settings are the same. I created the authentication server on opnsense on ports 1812 and 1813, I created the CA with related server and client certificates, in the freeradius settings I put the Ubiquiti APs and the switch between the clients. I loaded the CA and the client certificate on Windows but when I try to connect to WiFi it asks me for the password (I activated Mac authentication on Unifi and added a user with the Mac as user and password), if I enter the credentials manually it connects and it tells me that the connection is protected by a certificate (I see the certificate and it's correct), but if I type connect via certificate it returns me to the credentials request. the strange thing that I can't understand is why in the freeradius logs I always receive Login OK even if I enter the password incorrectly. I'll post some screenshots for completeness. My need is the connection via certificate and if it doesn't have the certificate it moves me to a defined vlan.

this log from freeradiu:

Fri Jul  5 12:35:35 2024 : Auth: (3) Login OK: [a/<via Auth-Type = Accept>] (from client unifiap1 port 0 cli 04-D3-B0-85-0D-CC)
Fri Jul  5 12:35:54 2024 : Auth: (5) Login OK: [a/<via Auth-Type = Accept>] (from client unifiap1 port 0 cli 04-D3-B0-85-0D-CC)

Fri Jul  5 12:15:20 2024 : Auth: (7) Login OK: [B0-12-42-22-10-1F/B0-12-42-22-10-1F] (from client unifiap1 port 0 cli B0-12-42-22-10-1F)
Fri Jul  5 12:15:20 2024 : Auth: (9) Login OK: [laptop/<via Auth-Type = Accept>] (from client unifiap1 port 0 cli B0-12-42-22-10-1F)
Fri Jul  5 12:15:26 2024 : Auth: (14) Login OK: [laptop/<via Auth-Type = Accept>] (from client unifiap2 port 0 cli B0-12-42-22-10-1F)


Fri Jul  5 12:33:57 2024 : Auth: (1) Login OK: [wifi/<via Auth-Type = Accept>] (from client unifiap1 port 0 cli 04-43-40-45-04-4C)
Fri Jul  5 12:35:35 2024 : Auth: (3) Login OK: [a/<via Auth-Type = Accept>] (from client unifiap1 port 0 cli 04-43-40-45-04-4C)
Fri Jul  5 12:35:54 2024 : Auth: (5) Login OK: [a/<via Auth-Type = Accept>] (from client unifiap1 port 0 cli 04-43-40-45-04-4C)

in the logs in bold I used the user "wifi" which is correct and the user "a" which is not present in freeradius but in both cases I received login ok

[netnut]

...but I'm encountering big problems, the configuration seems correct, I followed various guides and the settings are the same.

...the strange thing that I can't understand is why in the freeradius logs I always receive Login OK even if I enter the password incorrectly.

Based on your second statement, it's almost impossible your first statement can be true...

Configuring 802.1x for wired/wireless is one of the more advanced setups you can deploy in your LAN, multiple components (Client, AP/Switch, Radius, Router) that needs to be configured in exactly the right way... You _really_ need to understand all of them in detail to be successful.

It _looks_ like you're trying to combine 802.1x with MAC Auth, I really can't think of any valid scenario why you would want to do that. After 802.1x authentication there are different ways to restrict MAC addresses, but that should be something to look in to _after_ the basic 802.1x setup works. And because your experiencing problems in your setup, it's even more important to simply things first, and configure the different components step-by-step. So ditch all the MAC Auth stuff and concentrate on 802.1x Radius authentication first:

What are you going to use: EAP-TLS, EAP-TTLS or EAP-PEAP ?

Can you succesfully authenticate with one of the above EAP types (EAP-TLS is cert only) on your local Radius server (local test account with radtest) ?

Did you read both the FreeRadius documentation and Wiki ? Also the Radius configuration files themself provide extensive documentation. Use these resources first instead of some random "Interweb Guide".

[manustar]

...but I'm encountering big problems, the configuration seems correct, I followed various guides and the settings are the same.

...the strange thing that I can't understand is why in the freeradius logs I always receive Login OK even if I enter the password incorrectly.

What are you going to use: EAP-TLS, EAP-TTLS or EAP-PEAP ?

Can you succesfully authenticate with one of the above EAP types (EAP-TLS is cert only) on your local Radius server (local test account with radtest) ?

on freeradius ui on opnsense i setting eap tls mode with own certificate, but when I connect to the wifi it always asks for the password, insert corret user and then tells me that the connection is protected by the certificate and seeing the certificate is the right one created on opnsense, if I enter a wrong user it doesn't tell me that the connection is protected by the certificate and asks me the user again but on the freeradiu logs I receive the same login ok
I did the test with system-->access-->testet selecting the radius server and from the freeradiu logs with any user I enter (wrong users) it gives me login ok

[manustar]

I add that with the radiusd -X command I receive this error

Failed binding to auth address * port 1812 bound to server default: Address already in use
/usr/local/etc/raddb/sites-enabled/default[4]: Error binding to port for 0.0.0.0 port 1812

this the file
root@OPNsense:~ # cat /usr/local/etc/raddb/sites-enabled/default

Code: [Select]

server default {

listen {
        type = auth
        ipaddr = *
        port = 0

        limit {
              max_connections = 16
              lifetime = 0
              idle_timeout = 30
        }
}

listen {
        ipaddr = *
        port = 0
        type = acct

        limit {
        }
}

listen {
        type = auth
        ipv6addr = ::
        port = 0

        limit {
              max_connections = 16
              lifetime = 0
              idle_timeout = 30
        }
}

listen {
        ipv6addr = ::
        port = 0
        type = acct

        limit {
        }
}

authorize {
        filter_username
        preprocess
        chap
        mschap
        digest
        suffix
        eap {
                ok = return
        }
        files
        -sql
        -ldap

        expiration
        logintime
        pap
}

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        mschap
        digest
        eap
}

preacct {
        preprocess
        acct_unique
        suffix
        files
}


accounting {
        detail
        unix
        -sql
        exec
        attr_filter.accounting_response
}

session {
}

post-auth {
        update {
                &reply: += &session-state:
        }
        -sql
        exec
        remove_reply_message_if_eap
        Post-Auth-Type REJECT {
                -sql
                attr_filter.access_reject
                eap
                remove_reply_message_if_eap
        }

        Post-Auth-Type Challenge {
        }

}

pre-proxy {
}

post-proxy {
        eap
}
}

this is result for sockstat -4 -l | grep 181
root     radiusd    51602 9  udp4   *:1812                *:*
root     radiusd    51602 10 udp4   *:1813                *:*
root     radiusd    51602 13 udp4   127.0.0.1:18120       *:*

[netnut]

I add that with the radiusd -X command I receive this error

Failed binding to auth address * port 1812 bound to server default: Address already in use
/usr/local/etc/raddb/sites-enabled/default[4]: Error binding to port for 0.0.0.0 port 1812

You can't run freeradius in debug mode (-X) when it's already running...

[manustar]

this in debug mode with user system-->access-->tester and select radius, i use a wrong credential

Code: [Select]

(0) Received Access-Request Id 134 from 127.0.0.1:40992 to 127.0.0.1:1812 length 80
(0)   User-Name = "a"
(0)   Service-Type = Login-User
(0)   Framed-Protocol = 15
(0)   NAS-Identifier = "668815a1029c8"
(0)   NAS-Port = 0
(0)   NAS-Port-Type = Ethernet
(0)   User-Password = "a"
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "a", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0) files: users: Matched entry DEFAULT at line 45
(0)     [files] = ok
(0)     [expiration] = noop
(0)     [logintime] = noop
(0) pap: WARNING: Auth-Type already set.  Not setting to PAP
(0)     [pap] = noop
(0)   } # authorize = ok
(0) Found Auth-Type = Accept
(0) Auth-Type = Accept, accepting the user
(0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(0)   post-auth {
(0)     update {
(0)       No attributes updated for RHS &session-state:
(0)     } # update = noop
(0)     [exec] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # post-auth = noop
(0) Login OK: [a/a] (from client opnsense port 0)
(0) Sent Access-Accept Id 134 from 127.0.0.1:1812 to 127.0.0.1:40992 length 42
(0)   Tunnel-Type = VLAN
(0)   Tunnel-Medium-Type = IEEE-802
(0)   Tunnel-Private-Group-Id = "20"
(0)   Framed-Protocol = PPP
(0) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 134 with timestamp +27 due to cleanup_delay was reached


[manustar]

I understood all the auths ok, it was the fallback vlan that authenticates and moves to the desired vlan, this point is ok.

[netnut]

I understood all the auths ok, it was the fallback vlan that authenticates and moves to the desired vlan, this point is ok.

That's the idea of configuring a fallback VLAN, if your auth _fails_ your 802.1x client will be "authenticated" and connected to this fallback VLAN, usually a restricted segment with a Captive Portal or access to a Sponsor Portal.

The important bit is that your authentication still fails... You configured a bunch of certificates and the Radius server with "Default EAP Type" = "TLS" :

on freeradius ui on opnsense i setting eap tls mode with own certificate

As EAP-TLS is certificate only, it doesn't make much sense to try username/password authentication, that's only relevant for EAP-TTLS or EAP-PEAP. Next your NAS (AP? / Switch?) doesn't initiate EAP authentication at all, so at this stage EAP will simply never work.

this in debug mode with user system-->access-->tester and select radius, i use a wrong credential

Code: [Select]

...
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
...


You should fix your NAS config first, so it at least sends an EAP authentication message to your Radius server.

[manustar]

I saw in the debug that freeradius receives the request from the NAS (ubiqiti ap) and after authenticating with the wrong user it responds with the vlan to assign, but after a while it times out and I get unable to connect to the network. at this point the problem is the unifi ap. the thing I don't understand is that on unifi there aren't many settings on radius, I set the radius profile with the opnsense secred and ip, I enabled dynamic vlan assignment and enabled vlan fallbac. on the switch side, the ports where the APs are connected have the default of untagged and the other vlans tagged, on unifi I didn't find anything for the certificate part.

[manustar]

this is debug from freeradius

Code: [Select]

(9) Received Access-Request Id 2 from 10.0.1.7:33406 to 10.0.1.254:1812 length 229
(9)   User-Name = "aaa"
(9)   NAS-IP-Address = 10.0.1.7
(9)   NAS-Identifier = "229fc247a0b6"
(9)   Called-Station-Id = "22-9F-C2-47-A0-B6:Guest"
(9)   NAS-Port-Type = Wireless-802.11
(9)   Service-Type = Framed-User
(9)   Calling-Station-Id = "04-D3-B0-85-0D-CC"
(9)   Connect-Info = "CONNECT 0Mbps 802.11b"
(9)   Acct-Session-Id = "2BDF3CE2A430CBF0"
(9)   Acct-Multi-Session-Id = "1B3D52AEA9F908B1"
(9)   WLAN-Pairwise-Cipher = 1027076
(9)   WLAN-Group-Cipher = 1027076
(9)   WLAN-AKM-Suite = 1027073
(9)   Framed-MTU = 1400
(9)   EAP-Message = 0x02170007031915
(9)   State = 0xdcf7b0d4dce0bdb1b4e3b286b3189e07
(9)   Message-Authenticator = 0x9f9cd928685be38f5d04bbcb506e1d8a
(9) Restoring &session-state
(9)   &session-state:Framed-MTU = 994
(9) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(9)   authorize {
(9)     policy filter_username {
(9)       if (&User-Name) {
(9)       if (&User-Name)  -> TRUE
(9)       if (&User-Name)  {
(9)         if (&User-Name =~ / /) {
(9)         if (&User-Name =~ / /)  -> FALSE
(9)         if (&User-Name =~ /@[^@]*@/ ) {
(9)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(9)         if (&User-Name =~ /\.\./ ) {
(9)         if (&User-Name =~ /\.\./ )  -> FALSE
(9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(9)         if (&User-Name =~ /\.$/)  {
(9)         if (&User-Name =~ /\.$/)   -> FALSE
(9)         if (&User-Name =~ /@\./)  {
(9)         if (&User-Name =~ /@\./)   -> FALSE
(9)       } # if (&User-Name)  = notfound
(9)     } # policy filter_username = notfound
(9)     [preprocess] = ok
(9)     [chap] = noop
(9)     [mschap] = noop
(9)     [digest] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "aaa", looking up realm NULL
(9) suffix: No such realm "NULL"
(9)     [suffix] = noop
(9) eap: Peer sent EAP Response (code 2) ID 23 length 7
(9) eap: No EAP Start, assuming it's an on-going EAP conversation
(9)     [eap] = updated
(9) files: users: Matched entry DEFAULT at line 45
(9)     [files] = ok
(9)     [expiration] = noop
(9)     [logintime] = noop
(9) pap: WARNING: Auth-Type already set.  Not setting to PAP
(9)     [pap] = noop
(9)   } # authorize = updated
(9) Found Auth-Type = Accept
(9) Auth-Type = Accept, accepting the user
(9) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(9)   post-auth {
(9)     update {
(9)       &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 994
(9)     } # update = noop
(9)     [exec] = noop
(9)     policy remove_reply_message_if_eap {
(9)       if (&reply:EAP-Message && &reply:Reply-Message) {
(9)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(9)       else {
(9)         [noop] = noop
(9)       } # else = noop
(9)     } # policy remove_reply_message_if_eap = noop
(9)   } # post-auth = noop
(9) Login OK: [aaa/<via Auth-Type = Accept>] (from client unifiap1 port 0 cli 04-D3-B0-85-0D-CC)
(9) Sent Access-Accept Id 2 from 10.0.1.254:1812 to 10.0.1.7:33406 length 48
(9)   Tunnel-Type = VLAN
(9)   Tunnel-Medium-Type = IEEE-802
(9)   Tunnel-Private-Group-Id = "20"
(9)   Framed-Protocol = PPP
(9)   Framed-MTU += 994
(9) Finished request
Waking up in 4.9 seconds.
(8) Cleaning up request packet ID 1 with timestamp +1542 due to cleanup_delay was reached
(9) Cleaning up request packet ID 2 with timestamp +1542 due to cleanup_delay was reached


[netnut]

...on unifi I didn't find anything for the certificate part.

That's correct, the only certificate(s) that is/are relevant is the one configured on the Radius Server (server cert) which creates an encrypted authentication channel, your NAS (Switch/AP) is just passing through EAP traffic, it doesn't need a certificate.

Because you configured EAP-TLS, what you _also_ do need to configure is a certificate on the 802.1x client (client cert) to authenticate to the Radius server. Username / Password authentication with 802.1x is only possible with EAP-TTLS or EAP-PEAP, so you need to double check if your 802.1x client is also configured for EAP-TLS, has a client certificate AND a Root CA. The latter should already be ok because it looks like your server certificate (Radius Server) is trusted.

Are you really sure your 802.1x client isn't configured with EAP-PEAP

Code: [Select]

(9) Received Access-Request Id 2 from 10.0.1.7:33406 to 10.0.1.254:1812 length 229
...
(9) eap: Peer sent EAP Response (code 2) ID 23 length 7
(9) eap: No EAP Start, assuming it's an on-going EAP conversation
(9)     [eap] = updated
(9) files: users: Matched entry DEFAULT at line 45
...

At least it's doing _something_ EAP, but the authentication succeeds _because_ of the VLAN fallback setting (that's the "DEFAULT" match).

[manustar]

I'll attach some screenshots.
these are the tests for wifi on win10
1-eap--->smart or certified - can't connect
2-eap-peap-smart or certificate -- prompt the credentials and if I enter the correct credentials it works by warning me that the connection is protected by the certificate and the certificate is correct, but if I enter the wrong ones it doesn't put me on the fallback vlan
3- if I try with ttls it tells me that I need the certificate


I would like the connection to be made via certificate or password. If the machine has the certificate, authenticate you and go to vlan10, if the machine does not have the certificate but you have the credentials go to the credentials vlan, if the data is wrong go to vlan20 which would be the fallback

[netnut]

1-eap--->smart or certified - can't connect

That's the EAP type you configured on the OPNsense Radius server, so if you can't connect your (client) certificate isn't configured right.

2-eap-peap-smart or certificate -- prompt the credentials and if I enter the correct credentials it works by warning me that the connection is protected by the certificate and the certificate is correct, but if I enter the wrong ones it doesn't put me on the fallback vlan

It probably gets a Radius "REJECT" and never hits the "DEFAULT" entry with the fallback VLAN, or the specific VLAN attributes aren't copied to the inner tunnel

But you started your post with EAP-TLS, and now you're at EAP-PEAP ?!?!

3- if I try with ttls it tells me that I need the certificate

It depends on the config, EAP-TTLS can work with or without client certificates. Again, you started your post with EAP-TLS,

I would like the connection to be made via certificate or password. If the machine has the certificate, authenticate you and go to vlan10, if the machine does not have the certificate but you have the credentials go to the credentials vlan, if the data is wrong go to vlan20 which would be the fallback

Which basically forces you to use EAP-PEAP in the first place, especially when you mean by "machine" a Windows computer object.

[manustar]

But you started your post with EAP-TLS, and now you're at EAP-PEAP ?!?!

I would like the connection to be made via certificate or password. If the machine has the certificate, authenticate you and go to vlan10, if the machine does not have the certificate but you have the credentials go to the credentials vlan, if the data is wrong go to vlan20 which would be the fallback

Which basically forces you to use EAP-PEAP in the first place, especially when you mean by "machine" a Windows computer object.

I certainly made a mistake in setting both the post and the radius, I would like the clients (mostly Windows) to have that type of authentication, so at this point I have to recreate everything, including certificates.

[manustar]

i attach the eap config freeradius