Slides for the February 2018 pfSense Hangout video

1. RADIUS and LDAP
pfSense 2.4
February 2018 Hangout
Jim Pingle

2. About this Hangout
● Project News
● RADIUS and LDAP intro
● Areas of pfSense that support RADIUS and LDAP
●
Configuring RADIUS and LDAP servers for use by pfSense
● RADIUS and LDAP for the pfSense GUI
● RADIUS and LDAP for VPNs
● RADIUS for Captive Portal
● RADIUS for Wireless WPA2 Enterprise/802.1x
● Using Google Authenticator with the FreeRADIUS 3.x package

3. Project News
●
2.4.3 will be coming soon
– Security, bug fixes, a few new features
– Kernel PTI mitigations for Meltdown in snapshots today
● XG-7100 1U device shipping next month
– Replacing the 4860-1U and 8860-1U
– (8) 1 GbE and (2) Intel® 10 GbE interfaces
– Quad core Intel Atom C3558 CPU
– 8 GB DDR4 RAM, and is upgradeable to 24GB
– $999 ($1,998 for HA pair)
●
Netgate is now a silver member of The Linux Foundation
● Be wary of purchasing firewalls running pfSense from unaffiliated vendors
– We had a report of a user who purchased a firewall from an Amazon seller that had no affiliation with Netgate (not a partner), and
the version of pfSense shipped on the device appears to have been compromised
– If a device claims to be have pfSense pre-loaded before shipping, check to ensure it is coming from Netgate or a Netgate partner
●
No other vendors can legally pre-load pfSense in this way, and if they do, the installation should not be trusted
– Always download pfSense and install yourself from www.pfsense.org to ensure it is unmodified
●
For Netgate appliances, login to your portal account and download the factory firmware image for your device

4. RADIUS Intro
● Remote Authentication Dial-In User Service
● Provides AAA – Authentication, Authorization, and Accounting
● Often used by ISPs for DSL/dialup/etc or by companies for central authentication
● Lots of implementations: FreeRADIUS, RADIATOR, Windows Server via NPS, many more
– Also various frontends such as daloRADIUS or billing systems with RADIUS
● In addition to authentication, can send back reply info about users
● Accounting allows for tracking usage over time (e.g. X MB per day), total login time (X hours
per day), and so on
● Can be compatible with external systems for additional authentication such as Google
Authenticator/mOTP, tokens, and similar Multi-Factor implementations
● Protocol itself is not encrypted, so (ideally) run it locally or over a VPN

5. LDAP Intro
● Lightweight Directory Access Protocol
● Primarily a repository of information about users and organizations, but can be used for authentication via
LDAP BIND operations
● Can be searched to find user info (e.g. group membership)
● Commonly used not just for authentication but also for e-mail contact storage, user profile information, and
similar tasks.
● Found in systems such as OpenLDAP, Active Directory, Novell Directory Services, Apple Open Directory, and
many more
– Some distributions such as ClearOS and Turnkey Linux use OpenLDAP
● LDAP Schemas vary widely, two common variations:
– RFC 2307 (OpenLDAP default) – Group membership indicated by a list of users on a group object
– RFC 2307bis/Active Directory – Group membership indicated by a list of groups on user object
● Can use SSL to encrypt queries

6. RADIUS and LDAP on pfSense
● GUI Authentication
– LDAP and RADIUS can both be used for GUI authentication
– Groups must be present on pfSense with the same name as LDAP or RADIUS, plus desired privileges
● For longer group names or group names with spaces, set the Group’s Scope to Remote on pfSense
● VPN Authentication
– OpenVPN supports RADIUS and LDAP
●
IP address, Routes, firewall rules, and DNS servers can be passed back via RADIUS attributes
– IPsec supports RADIUS (IKEv2/EAP or xauth) and LDAP (xauth)
– PPPoE and L2TP support only RADIUS
● Captive Portal
– RADIUS Only, there is some LDAP code in testing for a future version
– Per-user bandwidth restrictions can be passed back from RADIUS
– Time/day limits and transfer total limits may also be enacted by the RADIUS server
● Wireless – 802.1x / WPA2 Enterprise
– RADIUS only
● Other services cannot be used with RADIUS or LDAP, such as SSH.

7. RADIUS and LDAP Server Config
● Configure the authentication server to allow queries from the firewall
– Network connectivity to the server (VPN, routes, firewall rules, etc)
– Client access (NAS entry, bind user, etc)
● Add users and groups to the authentication server as needed
● Determine the parameters required for pfSense to access the server
– Varies by protocol, but would include things such as server address and
port, query credentials, and so on.

8. Configuring RADIUS Servers
●
FreeRADIUS
– Install the FreeRADIUS 3.x pfSense package, or use an external server
– Select CA/certificate on the EAP tab
– Add an Interface to FreeRADIUS to listen/bind
– Add a NAS / Clients entry for the firewall, note the shared secret
– Add Users
– Adjust any other required items on the Settings tab, Save
●
Active Directory (via NPS)
– Add Network Policy and Access Services role
– Configure NPS/NAP
– Add RADIUS client entry for the firewall, note the shared secret
– Add a Network Policy to grant access based on user attributes (e.g. users in a specific group)
– May need to ensure users have Dial-In permission set to be managed by NPS
– Add users/groups as needed

9. Configuring LDAP Servers
● OpenLDAP
– Too complex to cover here, but there are many how-to docs out there
– Be sure to add a cert for SSL support (Let’s Encrypt is great for this)
– Or use a distro such as Turnkey Linux or similar that has a frontend for it
– Web-based LDAP Frontends can be helpful for finding info and managing users
● Active Directory
– Support is already there in Windows Server by default
– Add Certificate Authority role to use SSL
– Use ADSI Edit to easily locate Base DN
● Others
– Consult OS docs for info on what, if anything, needs to be done

10. Setup pfSense for a RADIUS Server
●
System > User Manager, Authentication Servers tab, click + Add
●
Enter a Descriptive Name
●
Set Type to RADIUS
●
Select the Protocol
– Must match what is supported by the RADIUS server
– MSCHAPv2 is the best choice, but some features like OTP (Google Authenticator or mOTP) require using PAP
●
Enter the Hostname or IP address of the RADIUS server
●
Enter the Shared Secret configured for this firewall in the NAS/Client entry on the RADIUS server
● Pick the Services offered by the RADIUS server, typically either Authentication or both Authentication and Accounting
●
Unless the server ports have been changed, leave them at default values
●
If the RADIUS server is reached through a slow connection or tunnel, consider raising the timeout
– Default is 5 seconds, can be higher but may slow down access to resources while the firewall waits for a response
●
Save and visit Diagnostics > Authentication to test
●
For group membership to work:
– The RADIUS server must return the group name(s) in the Class attribute as a string, e.g. Class := "admins;VPNUsers"
– The same group names must be present on pfSense (Groups tab)

11. Setup pfSense for an LDAP Server
● If the LDAP server uses SSL, import the CA from the LDAP server under System > Cert Manager, CA tab before proceeding
● System > User Manager, Authentication Servers tab, Add +
● Enter a Descriptive Name
● Set Type to LDAP
● Enter the Hostname or IP address of the LDAP server
– If using SSL, this should be the hostname!
– Also ensure the server certificate (not imported to pfSense) contains this hostname, and that the hostname also exists in DNS
● Pick the Transport, plain TCP or SSL
– SSL is highly recommended as TCP transmits credentials in the clear!
– Use TCP to start with, so you can use a packet capture to see the results for troubleshooting in Wireshark
● Adjust the Port value if needed
●
If using SSL, set the Peer Certificate Authority to the CA imported previously
●
Pick the LDAP Protocol Version, commonly 3 but may vary depending on server
● Set the Server Timeout to a somewhat low value, if used for GUI access any timeout will delay page loads by this amount

12. pfSense LDAP Server (cont'd)
● Parameters from here on all depend on LDAP server configuration and type
● Search Scope
– Level typically should be Entire Subtree – Especially on Active Directory!
– Base DN, the lowest level distinguished name on the LDAP server for this site, e.g. DC=example,DC=com
● If unknown, check LDAP schema, GUI, ADSI Edit, etc
● Authentication Containers
– Typically set to an OU, varies by LDAP schema
– Select button will show containers from the server. BIND credentials will need to be correct for it to work.
● Extended Query
– Specifies an LDAP filter to limit search results, such as:
– memberOf=CN=VPNUsers,CN=Users,DC=example,DC=com
● Bind Credentials – May or may not be necessary
– OpenLDAP typically allows anonymous binds/searches, but depends on schema
– Active Directory typically requires a valid user to bind, may need to be a service account or Administrator, depends on
configuration of the server, check Windows server docs

13. pfSense LDAP Server (cont'd)
● Initial Template – OpenLDAP, Microsoft AD, Novell eDirectory
– Pre-fills the User naming, Group naming, and Group member attributes with common defaults for each style
– For OpenLDAP with RFC 2307 groups, Group member attribute should be memberUid
●
RFC 2307 Groups
– Default style lists groups on the user object (Used by Active Directory)
– RFC 2307 lists group members on group object (Used by some OpenLDAP schemas)
● Group Object Class
– Object class needed for RFC 2307 style, typically posixGroup
● UTF-8 Encoding
– Necessary if using any special characters in LDAP usernames or passwords
– Support varies by server, but should be safe to enable in most cases
● Username Alterations
– By default if someone enters user@host style naming, the @ and after is stripped. Check to preserve.
● Save and visit Diagnostics > Authentication to test
●
For group membership to work, the RADIUS server must return the group name(s) in the Class attribute as a string
AND the same group names must be present on pfSense (Groups tab)

14. RADIUS and LDAP for the GUI
● Privileges are assigned based on group membership
● Add groups on pfSense to match groups on the server
– Example: LDAP group “VPNUsers” needs a pfSense group “VPNUsers”
● Add privileges to the group(s) as desired
● Check the authentication server to be sure the groups are setup properly with users and to be seen by
pfSense:
– LDAP – Check the Schema to see if AD style group membership is needed or RFC 2307
– RADIUS – Ensure the server returns groups in Class attribute as a String, not binary
● Visit Diagnostics > Authentication, test users and ensure the groups are listed in the result
– If LDAP returns inconsistent authentication tests, use option 16 and then 11 on the console menu
● Visit System > User Manager, Settings tab, select the desired server, Save
– The Auth Refresh Time option controls how often a user’s group memberships are refreshed from the server, a low
value will mean more authentication server queries vs a high time that might not catch a change in user access

15. RADIUS and LDAP for VPNs
● For LDAP, to limit access to a specific group, use Extended Filter
– For different levels of access on different services, use multiple LDAP server entries with different filters
● On IPsec and OpenVPN, Ctrl-select multiple servers, if first fails, second is checked and so on
– No way to reorder them currently
● L2TP and PPPoE support only RADIUS and have RADIUS settings on their configuration pages, nothing
fancy
● IPsec
– RADIUS and LDAP both work for IKEv1 xauth
– Only RADIUS works with IKEv2/EAP
– VPN > IPsec, Mobile Clients tab, select the desired authentication server(s)
– For IKEv2, on Phase 1 also set Authentication Method to EAP-RADIUS
– IP Addresses can be assigned via RADIUS, leave the Virtual Address Pool blank and assign all users a Framed-IP-
Address
● OpenVPN – Next slide

16. RADIUS and LDAP for OpenVPN
●
Auth can come from LDAP or RADIUS (or both)
●
No accounting support at the moment
● For use with OpenVPN Client Export Package:
– User Auth only mode – One installer works for everyone (no certs)
– SSL/TLS + User Auth – Certs for external users must be manually added to the GUI
● No need to create local users, only certificates
●
RADIUS Reply Attributes can be used to pass back info for clients!
– Cisco-AVPair route=x.x.x.x y.y.y.y (Network/subnet address, subnet mask)
– Cisco-AVPair dns-servers=x.x.x.x y.y.y.y z.z.z.z (IP addresses separated by spaces)
– Cisco-AVPair inacl= or outacl=<permit|deny> [tcp|udp] from <any|host|net> to <any|host|net>, wildcard mask/Cisco ACL style
– Framed-IP-Address = x.x.x.x
● With topology subnet, client gets x.x.x.x, but also requires the RADIUS server to send back a Framed-Mask with subnet mask appropriate for
the tunnel network
● With topology net30, client gets x.x.x.x, server is x.x.x.x-1, be sure to align these properly for /30 networks
● Multi-Factor Auth is possible with RADIUS if the RADIUS server supports it/has a plugin/etc

17. RADIUS for Captive Portal
● See the Advanced Captive Portal hangout (June 2017) for lots more info
● Captive Portal only supports RADIUS at this time, but there are patches in testing to allow LDAP
– The patches move Captive Portal auth to the user manager, so LDAP support is gained naturally
● RADIUS Authentication can use PAP, CHAP-MD5, MSCHAPv1, or MSCHAPv2
– Check RADIUS server config/docs to see what it supports, MSCHAPv2 is the current recommended choice
● Enter the IP address and port for the RADIUS server
● Shared Secret is the “password” set in the RADIUS server for the firewall as a NAS/Client
● Four total RADIUS Servers permitted:
– Primary Authentication Source and its backup
– Secondary Authentication Source and its backup
– Backups are consulted if the main servers do not respond
– Secondary authentication source uses separate fields
– Can be used to effectively have two sources of auth (e.g. pre-paid cards and standard users) – all up to the
servers and what they support

18. RADIUS for Captive Portal
● RADIUS Accounting:
– If enabled, sends information about user login sessions, data transferred, time of login/logout, and so on
– Stop/start accounting only sends data on login and logout
– Stop/start (FreeRADIUS) sends session data in a way that is accepted by FreeRADIUS for time/data tracking
– Interim update sends periodic updates to the accounting server during a user session
● RADIUS Options – More here than are supported in the user manager
● Reauthentication
– Forces a new auth request every minute. If users must be disconnected for time or bandwidth usage
calculations this must be checked!
● RADIUS MAC Authentication
– Sends the MAC address as user name and “MAC Authentication Secret” as the password. Allows automatic
login by MAC address, MACs must be added to the RADIUS server as users.
● NAS IP
– IP address sent in RADIUS requests to identify this firewall (e.g. Called-Station-Id)

19. RADIUS for Captive Portal
●
Session-Timeout
– Obtain the client's allowed session time from the Session-Timeout RADIUS reply attribute.
● Type
– Controls how Called-Station-Id and Calling-Station-Id are handled
– Varies by need of RADIUS server, typically “default”
●
Accounting Style
– Inverts value of input and output for bandwidth calculations to suit some RADIUS server assumptions
●
Idle time accounting
– Includes idle time in a user’s session time when disconnecting the user for an idle timeout
●
NAS Identifier
– A name passed to the RADIUS server to identify this firewall
● MAC Address Format
– The format of the MAC address expected by the RADIUS server

20. RADIUS for Captive Portal
● Some parameters may be passed back in RADIUS Reply Attributes:
– Varies by RADIUS vendor
– WISPr-Bandwidth-Max-Up (and -Down)
● Sets up a limiter for this specific user to the given bw
– WISPr-Redirection-URL
●
Passes a string with a full URL to use for redirection
– Acct-Interim-Interval
– Session-Timeout
– Idle-Timeout
● Do not set a simultaneous use limit on users that will use Captive Portal

21. RADIUS for Wireless
●
802.1x A.K.A. WPA2 Enterprise
●
More secure than plain WPA/WPA2
– Less prone to brute forcing
– Harder to snoop
●
RADIUS only, no LDAP
●
Second RADIUS server is used if the first fails
●
Settings are placed on the wireless Interface (e.g. Interfaces > WiFi)
●
Set WPA Key Management to EAP!
●
Check Enable 802.1X Authentication
●
Enter the RADIUS server settings
●
Set client to PEAP (Or whatever mode is configured on RADIUS server)
●
Clients will login using the username/password on the RADIUS server
●
Check the Wireless log for info if access fails
●
The AP daemon (hostapd) supports dynamic VLAN assignment but we do not currently enable that or support it in the GUI – perhaps in
the future

22. Bonus: Google Authenticator
● Settings tab, enable OTP, keep the defaults
● Install the Google Authenticator application on user devices (phone, tablet, etc)
● For individual users in FreeRADIUS 3…
– Enter the Username
– Leave the Password field blank
– Check Enable One-Time Password for this user
– Change OTP Auth Method to Google-Authenticator
– Click Generate OTP Secret
● If the user is manually configuring their Google Authenticator application (not using QR Code), they will need this secret, click Show OTP Secret to
view it
– Enter a random PIN for the user
●
This PIN is prepended to the OTP generated by the app, for example, if the PIN is 1234 and the code is 888888, the user enters 1234888888 for the
password
– Leave the Time Offset as 0 unless the user is in a different time zone
– Click Generate QR Code to display a code which can be scanned by the Google Authenticator app
●
This image could be saved and given to the user, printed, etc.
●
Do not e-mail it or send it via insecure means!
● The RADIUS NAS/Client must use PAP when communicating with the RADIUS server

23. Conclusion
● Questions?
● Ideas for hangout topics? Post on forum, comment on the blog
posts, Reddit, etc