Author Topic: [solved] Send radius configuration files from an external server.  (Read 7836 times)

sens_ible

[solved] Send radius configuration files from an external server.
« on: October 08, 2017, 08:43:38 pm »
I would like to manage freeradius configuration files on my computer in the office and then send it to the OPNsense appliance. In particular I want to do the user management in the office with a nice graphical user interface.

What is the most convenient way to send a new users.conf automatically (without logging into the GUI every time) to the OPNsense appliance?

Can I use ftp to place RADIUS configuration files, e.g. users.conf files on the firewall or to read it in from there? There are only 4 hits for ftp in the documentation and none of the results seems to match.
« Last Edit: October 12, 2017, 06:50:08 am by sens_ible »

mimugmail

Re: Send radius configuration files from an external server.
« Reply #1 on: October 08, 2017, 08:46:03 pm »
This won't work since it will be overwritten by the template.
User management by the plugin isn't easy enough?
Twitter: mimu_muc
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/

sens_ible

Re: Send radius configuration files from an external server.
« Reply #2 on: October 09, 2017, 09:25:38 am »
> User management by the plugin isn't easy enough?

It is easy, but it is very time-consuming. I would prefer a solution that can handle changes automatically and does not require me to log in and use the graphical user interface.

Using ftp was just a first guess ... there might be other options.

- Is there a way to log in via ssh and instruct the plugin via a command line interface?

- Maybe I can change the template (and not the config file) via ftp, ssh, curl ... ?

- If it is the plugin that causes the config file to be overwritten by the template: Is there an option to use freeradius without the plugin?

Any proposal is very much appreciated.

franco

Re: Send radius configuration files from an external server.
« Reply #3 on: October 09, 2017, 09:39:06 am »
All freshly written plugins come with a UI and API. We make it a point to build the UI on top of that API, so you can actually automate the operation of any such plugin in any way that you deem appropriate using:

https://docs.opnsense.org/development/how-tos/api.html


Cheers,
Franco

mimugmail

Re: Send radius configuration files from an external server.
« Reply #4 on: October 09, 2017, 09:50:42 am »
Or you just install freeradius3 without the plugin and use cli only ...

sens_ible

Re: Send radius configuration files from an external server.
« Reply #5 on: October 09, 2017, 06:02:31 pm »
Quote from: franco on October 09, 2017, 09:39:06 am
> All freshly written plugins come with a UI and API. We make it a point to build the UI on top of that API, so you can actually automate the operation of any such plugin in any way that you deem appropriate using:
>
> https://docs.opnsense.org/development/how-tos/api.html

Wow, I think that is really a neat architecture. From looking at the how-to page I have got a rough idea how it works. Where would I find the documentation about a plugin's API? Or would I just go down the URL IP_addr-> /api ->/core and see what comes next?

Anyway, do not get me wrong. I think the freeradius GUI is nicely done; only when you want to enter a large batch of users it may be time consuming.

sens_ible

Re: Send radius configuration files from an external server.
« Reply #6 on: October 09, 2017, 07:32:05 pm »
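I just tried the API example, however, no connection seems to be allowed ...
I generated the key and the secret as described in the How-To.

Code:
import requests

# api_key and api_secret are the key and secret generated as described in the How-To
url = 'https://192.168.99.100/api/core/firmware/status'
# request data; verify=False disables TLS certificate verification
r = requests.get(url, verify=False, auth=(api_key, api_secret))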

Is the "verify=False" option correct? I did it, because the How-To says:
Quote
> Before you can start, make sure your OPNsense has a valid SSL certificate (or choose to ignore it for testing purposes by setting verify=False), don’t forget to verify that the selected user may access the firmware page.

Meanwhile I have configured a firewall rule for incoming https traffic on the WAN interface. I can see in the log files that the incoming traffic passes, however, the python script can still not set up a connection.

Which permissions do I have to set to allow access to the API? How can I see what is going wrong?
« Last Edit: October 09, 2017, 08:33:03 pm by sens_ible »

franco

Re: Send radius configuration files from an external server.
« Reply #7 on: October 09, 2017, 11:40:42 pm »
For testing verify=false is fine. Did you allow your user that has the API key to access the firmware page?

mimugmail

Re: Send radius configuration files from an external server.
« Reply #8 on: October 10, 2017, 06:13:59 am »
Use the network debug with your browser to see what's happening within the API, it's really easy:

curl -k -u "key":"secret" https://<yourip>/api/freeradius/user/searchUser

Send a POST via setUser and you should be able to add new users ...

mimugmail

Re: Send radius configuration files from an external server.
« Reply #9 on: October 10, 2017, 06:33:23 am »
With this you can add a user:

curl -XPOST -d '{"user":{"enabled":"1","username":"oink","password":"oink","description":""}}' -H "Content-Type: application/json" -k -u "key":"secret" https://<yourip>/api/freeradius/user/addUser
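Added example, not part of the original post or of the plugin's code: the addUser call from the reply above, driven from a CSV batch with Python's standard library and with TLS verification against a CA file in place of -k / verify=False. The CSV column layout, the function names and the CA file argument are assumptions; the endpoint and JSON fields are the ones in the curl command.

```python
import base64
import csv
import io
import json
import ssl
import urllib.request

API_PATH = "/api/freeradius/user/addUser"  # endpoint taken from the curl call above


def build_add_user_requests(base_url, api_key, api_secret, csv_text):
    """Turn 'username,password,description' CSV rows into one POST request each."""
    token = base64.b64encode(f"{api_key}:{api_secret}".encode()).decode()
    requests_out = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        username = (row.get("username") or "").strip()
        password = row.get("password") or ""
        if not username or not password:
            # Refuse incomplete rows instead of creating half-defined accounts.
            raise ValueError(f"row with missing username or password: {username!r}")
        body = {"user": {"enabled": "1", "username": username,
                         "password": password,
                         "description": (row.get("description") or "").strip()}}
        requests_out.append(urllib.request.Request(
            base_url.rstrip("/") + API_PATH,
            data=json.dumps(body).encode(),
            headers={"Content-Type": "application/json",
                     "Authorization": "Basic " + token},
            method="POST"))
    return requests_out


def send_all(reqs, ca_file, timeout=10):
    """Send the requests with certificate and hostname verification enabled."""
    ctx = ssl.create_default_context(cafile=ca_file)  # trust only this CA bundle
    results = []
    for req in reqs:
        with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
            results.append((resp.status, resp.read().decode()))
    return results


# Constructed sample input; real rows would come from the office user database.
SAMPLE_CSV = "username,password,description\nalice,s3cret-A,Office\nbob,s3cret-B,\n"

if __name__ == "__main__":
    # Dry run: print what would be sent, without opening a connection.
    for r in build_add_user_requests("https://192.168.99.100", "key", "secret", SAMPLE_CSV):
        print(r.get_method(), r.full_url, r.data.decode())
```

Building the requests separately from sending them allows a dry run before anything reaches the firewall, and the timeout turns an unreachable port 443 into a quick error rather than a long hang.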

sens_ible

Re: Send radius configuration files from an external server.
« Reply #10 on: October 10, 2017, 07:03:51 pm »
Quote from: franco on October 09, 2017, 11:40:42 pm
> For testing verify=false is fine. Did you allow your user that has the API key to access the firmware page?

Well, probably not. Where/how would I do it?

Meanwhile I have assigned all visible privileges to the admins group in groups:access:system, however, it does not make a difference. The connection request still times out.
« Last Edit: October 10, 2017, 08:01:27 pm by sens_ible »

sens_ible

Re: Send radius configuration files from an external server.
« Reply #11 on: October 10, 2017, 07:58:03 pm »
Quote from: mimugmail on October 10, 2017, 06:13:59 am
> Use the network debug with your browser to see what's happening within the API, it's really easy:
>
> curl -k -u "key":"secret" https://<yourip>/api/freeradius/user/searchUser
>
> Send a POST via setUser and you should be able to add new users ...

The result of the cURL command on the command line with -v option is just:

Code:
*   Trying 192.168.99.100...
* connect to 192.168.99.100 port 443 failed: Connection timed out

How would I use cURL in firefox?

Is there a logfile in opnsense where I could find information about what is going on?

I just did an NMAP scan of the firewall. Port 80 is open, however, 443 seems to be closed. Hence, no https process seems to be active. How can I activate https access?
« Last Edit: October 10, 2017, 08:18:54 pm by sens_ible »

mimugmail

Re: Send radius configuration files from an external server.
« Reply #12 on: October 10, 2017, 08:50:07 pm »
Did you change the Port for webadmin?
Check your Firewall rules please

sens_ible

Re: Send radius configuration files from an external server.
« Reply #13 on: October 11, 2017, 04:28:28 am »
Quote from: mimugmail on October 10, 2017, 08:50:07 pm
> Did you change the Port for webadmin?
> Check your Firewall rules please

No, I did not do any port changes.
I checked the firewall rules and from the logs I can confirm that packets to port 443 actually arrive and pass the firewall.

sens_ible

Re: Send radius configuration files from an external server.
« Reply #14 on: October 11, 2017, 04:39:27 am »
I have now changed the Settings / Admin Access to https because I hoped that would activate port 443.
I also activated ssh access.

However, as a result I have locked myself out completely. I can neither use the serial console (output can not be read any more, does not react to any keystroke), nor ssh access (timed out) and the web access fails with:

Code:
CSRF check failed. Your form session may have expired, or you may not have cookies enabled.

Seems I have to make a fresh install/write a fresh image to the CF card before going on ...
