[solved] Send radius configuration files from an external server.

Started by sens_ible, October 08, 2017, 08:43:38 PM

I would like to manage freeradius configuration files on my computer in the office and then send it to the OPNsense appliance. In particular I want to do the user management in the office with a nice graphical user interface.

What is the most convenient way to send a new users.conf automatically (without logging into the GUI every time) to the OPNsense appliance?

Can I use ftp to place RADIUS configuration files, e.g. users.conf files on the firewall or to read it in from there? There are only 4 hits for ftp in the documentation and none of the results seems to match.

This won't work since it will be overwritten by the template.
User management by the plugin isn't easy enough?

> User management by the plugin isn't easy enough?

It is easy, but it is very time-consuming. I would prefer a solution that can handle changes automatically and does not require me to login and use the graphical user interface.

Using ftp was just a first guess ... there might be other options.

- Is there a way to login via ssh and instruct the plugin via a command line interface?

- Maybe I can change the template (and not the config file) via ftp, ssh, curl ... ?

- If it is the plugin which causes that the config file is overwritten by the template: Is there an option to use freeradius without the plugin?

Any proposal is very much appreciated.

All freshly written plugins come with an UI and API. We make it a point to build the UI on top of that API, so you can actually automate the operation of any such plugin in any way that you deem appropriate using:

https://docs.opnsense.org/development/how-tos/api.html


Cheers,
Franco

Or you just install freeradius3 without the plugin and use cli only ...

Quote from: franco on October 09, 2017, 09:39:06 AM
All freshly written plugins come with an UI and API. We make it a point to build the UI on top of that API, so you can actually automate the operation of any such plugin in any way that you deem appropriate using:

https://docs.opnsense.org/development/how-tos/api.html

Wow, I think that is really a neat architecture. From looking at the how-to page I have got a rough idea how it works. Where would I find the documentation about a plugin's api? Or would I just go down the url IP_addr-> /api ->/core and see what comes next?

Anyway, do not get me wrong. I think the freeradius GUI is nicely done; only when you want to enter a large batch of users it may be time consuming.

October 09, 2017, 07:32:05 PM #6 Last Edit: October 09, 2017, 08:33:03 PM by sens_ible
I just tried the API example, however, no connection seems to be allowed ...
I generated the key and the secret like described in the How-To

import requests
api_key, api_secret = 'KEY_PLACEHOLDER', 'SECRET_PLACEHOLDER'  # generated in the GUI as described in the How-To
url = 'https://192.168.99.100/api/core/firmware/status'
# request data (verify=False skips certificate validation, which the How-To allows for testing)
r = requests.get(url, verify=False, auth=(api_key, api_secret))
print(r.status_code, r.text)


Is the "verify=False" option correct? I did it, because the How-To says:
> Before you can start, make sure your OPNsense has a valid SSL certificate (or choose to ignore it for testing purposes by setting verify=False), don't forget to verify that the selected user may access the firmware page.

Meanwhile I have configured a firewall rule for incoming https traffic on the WAN interface. I can see in the log files that the incoming traffic passes, however, the python script can still not set up a connection.

Which permissions do I have to set to allow access to the API? How can I see what is going wrong?

For testing verify=false is fine. Did you allow your user that has the API key to access the firmware page?

Use the network debug with your browser to see what's happening within the API, it's really easy:

curl -k -u "key":"secret" https://<yourip>/api/freeradius/user/searchUser

Send a POST via setUser and you should be able to add new users ...

With this you can add a user:

curl -XPOST -d '{"user":{"enabled":"1","username":"oink","password":"oink","description":""}}' -H "Content-Type: application/json" -k -u "key":"secret" https://<yourip>/api/freeradius/user/addUser
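A batch-provisioning script for the workflow sens_ible asked about, added here as an example; it is not code from OPNsense, from the os-freeradius plugin or from anyone in the thread. It relies only on what the posts above show (the searchUser and addUser endpoints with the {"user": {...}} JSON body) plus two things the thread does not mention, marked as assumptions in the code: that searchUser answers with a "rows" list whose entries carry a "username" field, and a service/reconfigure endpoint to apply the change. RadiusUserClient, DryRunSession, the sample CSV and the OPNSENSE_* environment variables are the example's own names.

```python
"""Batch-provision FreeRADIUS users on OPNsense through the plugin's API.

Added example for this thread, not code from OPNsense or the os-freeradius
plugin. Assumed: the endpoints and JSON shape quoted in the thread
(/api/freeradius/user/searchUser, /api/freeradius/user/addUser,
{"user": {"enabled": "1", ...}}); assumed and NOT in the thread: searchUser
returns {"rows": [{"username": ...}, ...]} and
/api/freeradius/service/reconfigure applies the new configuration.
"""
import csv
import io
import os

# Constructed sample input, as an office-side user tool might export it.
SAMPLE_CSV = """username,password,description
alice,CorrectHorseBattery,office wifi
bob,s3cret-pass,vpn
"""


def parse_users(csv_text):
    """Turn CSV text into user dicts; a row without a username is a hard error."""
    users = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = (row.get("username") or "").strip()
        if not name:
            raise ValueError("row without username: %r" % (row,))
        users.append({"username": name,
                      "password": row.get("password") or "",
                      "description": row.get("description") or ""})
    return users


def user_payload(username, password, description=""):
    """JSON body in the shape of the addUser curl example from the thread."""
    return {"user": {"enabled": "1", "username": username,
                     "password": password, "description": description}}


class _Response:
    """Minimal stand-in for a requests.Response, used by DryRunSession."""
    def __init__(self, data):
        self._data = data

    def raise_for_status(self):
        pass

    def json(self):
        return self._data


class DryRunSession:
    """Stand-in for requests.Session that records calls instead of sending them.

    Seeded with usernames the firewall is pretended to know already, so the
    sync logic can be exercised offline without any OPNsense box."""
    def __init__(self, existing=()):
        self.existing = list(existing)
        self.auth = None
        self.posts = []  # (url, json body) of every POST that would have been sent

    def get(self, url, **kwargs):
        return _Response({"rows": [{"username": u} for u in self.existing]})

    def post(self, url, json=None, **kwargs):
        self.posts.append((url, json))
        return _Response({"result": "saved"})


class RadiusUserClient:
    def __init__(self, base_url, api_key, api_secret, verify=True, session=None):
        if session is None:
            import requests  # only needed for a real connection
            session = requests.Session()
        session.auth = (api_key, api_secret)  # key/secret pair generated in the GUI
        self.session = session
        self.base_url = base_url.rstrip("/")
        # verify=True (or a CA bundle path) in production; verify=False is the
        # testing-only shortcut the How-To allows.
        self.verify = verify

    def _url(self, path):
        return "%s/api/freeradius/%s" % (self.base_url, path)

    def existing_usernames(self):
        r = self.session.get(self._url("user/searchUser"), verify=self.verify, timeout=10)
        r.raise_for_status()
        return {row["username"] for row in r.json().get("rows", [])}  # "rows" assumed

    def add_user(self, username, password, description=""):
        r = self.session.post(self._url("user/addUser"),
                              json=user_payload(username, password, description),
                              verify=self.verify, timeout=10)
        r.raise_for_status()
        return r.json()

    def reconfigure(self):
        """Apply the saved users; endpoint assumed, see module docstring."""
        r = self.session.post(self._url("service/reconfigure"), verify=self.verify, timeout=30)
        r.raise_for_status()
        return r.json()

    def sync(self, users):
        """Add every user not already present. Returns (added, skipped) name lists."""
        present = self.existing_usernames()
        added, skipped = [], []
        for u in users:
            if u["username"] in present:
                skipped.append(u["username"])
                continue
            self.add_user(**u)
            added.append(u["username"])
        return added, skipped


if __name__ == "__main__":
    # With OPNSENSE_URL/OPNSENSE_KEY/OPNSENSE_SECRET set this talks to the
    # firewall; without them it is an offline dry run against DryRunSession.
    key, secret = os.environ.get("OPNSENSE_KEY"), os.environ.get("OPNSENSE_SECRET")
    session = None if key and secret else DryRunSession(existing=["alice"])
    client = RadiusUserClient(os.environ.get("OPNSENSE_URL", "https://192.168.99.100"),
                              key or "dry", secret or "run", session=session)
    added, skipped = client.sync(parse_users(SAMPLE_CSV))
    print("added:", added, "skipped:", skipped)
    if added and session is None:
        client.reconfigure()
```

Run it with no environment variables for an offline dry run that only reports what would be sent; with OPNSENSE_URL, OPNSENSE_KEY and OPNSENSE_SECRET set it talks to the firewall with certificate verification on, so the API user needs access to the plugin's pages, just as franco notes for the firmware status page, and the searchUser pass beforehand keeps a re-run from creating duplicate accounts.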

October 10, 2017, 07:03:51 PM #10 Last Edit: October 10, 2017, 08:01:27 PM by sens_ible
Quote from: franco on October 09, 2017, 11:40:42 PM
For testing verify=false is fine. Did you allow your user that has the API key to access the firmware page?

Well, probably not. Where/how would I do it?

Meanwhile I have assigned all visible privileges to the admins group in groups:access:system, however, it does not make a difference. The connection request still times out.

October 10, 2017, 07:58:03 PM #11 Last Edit: October 10, 2017, 08:18:54 PM by sens_ible
Quote from: mimugmail on October 10, 2017, 06:13:59 AM
Use the network debug with your browser to see whats happening within the API, it's really easy:

curl -k -u "key":"secret" https://<yourip>/api/freeradius/user/searchUser

Send a POST via setUser and you should be able to add new users ...

The result of the cURL command on the command line with -v option is just:

*   Trying 192.168.99.100...
* connect to 192.168.99.100 port 443 failed: Connection timed out


How would I use cURL in firefox?

Is there a logfile in opnsense where I could find information what is going on?

I just did an NMAP scan of the firewall. Port 80 is open, however, 443 seems to be closed. Hence, no https process seems to be active. How can I activate https access?

Did you change the Port for webadmin?
Check your Firewall rules please

Quote from: mimugmail on October 10, 2017, 08:50:07 PM
Did you change the Port for webadmin?
Check your Firewall rules please

No, I did not do any port changes.
I checked the firewall rules and from the logs I can confirm that packets to port 443 actually arrive and pass the firewall.

I have now changed the Settings / Admin Access to https because I hoped that would activate port 443.
I also activated ssh access.

However, as a result I have locked myself out completely. I can neither use the serial console (output can not be read any more, does not react to any keystroke), nor ssh access (timed out) and the web access fails with:

CSRF check failed. Your form session may have expired, or you may not have cookies enabled.

Seems I have to make a fresh install/write a fresh image to the CF card before going on ...