Re: [pfSense Support] supported auth protocols

2011-06-21 Thread Roberto Nunnari

Roberto Nunnari wrote:

Roberto Nunnari wrote:

Roberto Nunnari wrote:

Chris Buechler wrote:

On Thu, Jun 9, 2011 at 5:49 AM, Roberto Nunnari
roberto.nunn...@supsi.ch wrote:

Hi all.

We now face a problem.. the captive portal, will need to authenticate users
via a radius server. Unfortunately, that radius server doesn't support PAP,
and pfSense seems to be using right that.. on the web interface I didn't see
an option to change it..

Is it possible to set authentication protocol to something more advanced
than PAP.. say EAP, PEAP.. we could even accept CHAP..



Currently no. But you can always add that yourself, or get us to do it
for you if you have a budget for it. It uses Auth_RADIUS, which can
support CHAP with additional extensions. EAP and/or PEAP would require
quite a bit more work.



Hi Chris.
Humm.. I'm still in the evaluation stage..

Could you just tell me what files/libraries should I edit/use in 
order to add peap or mschapv2? For sure I would give the patches back 
to the pfSense project once done, but a little help would be much 
appreciated.


humm.. files seems to be in /etc/inc/ .. at least radius.inc and 
auth.inc ..


!!! there's already a function Auth_RADIUS_MSCHAPv2 in radius.inc !!!

I'm going to try that out right away.

Robi




Robi




I'm a developer and have good experience with C/C++/Java, some 
experience with php and I'm now starting with python. I also have a 
good working knowledge of FreeBSD and I'm the system administrator of 
a few FreeBSD boxes since version 4 to version 6.4. If it is a matter 
of no more than a couple of days of work, I could try to add support 
for peap and/or mschapv2.


Our radius guy told me that the only accepted protocols at present 
for us are peap and mschapv2. So, I was wrong when I said that chap 
was an acceptable option for us.


To be true, I'm surprised that pfSense, in the case of radius with 
captive portal, puts credentials on the network in clear text (PAP) 
without a chance to choose a more secure protocol.
But I also understand that pfSense is free software, and that you 
guys already have done a great amount of work and released such a 
wonderful software for free!

Thank you again!

Best regards.
Robi




I offer my help to add mschapv2, but I'm new to pfSense and so I don't 
know anything about current implementation and the startup scripts.


In particular I'd like to know
1) what is covered in the current implementation regarding mschapv2
2) what is missing in the current implementation regarding mschapv2
3) is mschapv2 implementation in radius.inc complete?
4) should it be enough to change auth.inc to see it working as an initial test?
5) where to put configuration parameters?
6) I believe it would be desirable to choose at least php/mschapv2 in the captive portal configuration in the web interface.
7) is there a developer guide?

Best regards.
Robi


-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org
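
Added example (not part of the thread and not pfSense's radius.inc code): how a RADIUS client builds the User-Password attribute used for PAP and the CHAP-Password attribute, following RFC 2865 sections 5.2 and 5.3, to show what each protocol discussed above puts on the wire. The shared secret, password and challenge are constructed sample values.

```python
import hashlib
import os

def pap_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-octet block with MD5(secret + previous block)."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += prev
    return out

def pap_recover(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: the shared secret is enough to get the password back."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, pad))
        prev = block
    return out.rstrip(b"\x00")

def chap_password(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 5.3: CHAP Ident followed by MD5(Ident + password + challenge)."""
    ident = bytes([chap_id])
    return ident + hashlib.md5(ident + password + challenge).digest()

def chap_verify(attr: bytes, stored_password: bytes, challenge: bytes) -> bool:
    """Server side: recompute the digest from its own copy of the password."""
    return attr == chap_password(attr[0], stored_password, challenge)

if __name__ == "__main__":
    secret = b"constructed-shared-secret"   # sample value, not a real secret
    password = b"constructed-password"      # sample value
    request_auth = os.urandom(16)           # per-request random authenticator
    hidden = pap_user_password(password, secret, request_auth)
    print("PAP  User-Password:", hidden.hex())
    print("PAP  recovered    :", pap_recover(hidden, secret, request_auth))
    challenge = os.urandom(16)
    attr = chap_password(1, password, challenge)
    print("CHAP CHAP-Password:", attr.hex())
    print("CHAP verifies     :", chap_verify(attr, password, challenge))
```

With PAP the password is reversibly hidden and depends entirely on the strength of the shared secret; with CHAP only a one-way digest is sent, but the server must hold the password in a recoverable form to verify it.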



[pfSense Support] OpenVPN as WAN

2011-06-21 Thread Dominic
Hi,

I am using pfSense 1.2.3 between two sites, A & B. Site A has a static
IP and site B has a dynamic.

I have a OpenVPN connection between the two sites and would like site
A (static) to act as site B's WAN
so that all WAN traffic from site B reflects site A's static IP for all traffic.

Is this possible and if so is there perhaps a document on this?

Thanks,

Dom.




[pfSense Support] Certificate

2011-06-21 Thread Atkins, Dwane P
Is PfSense Version 1.2.3 capable of handling 2048 bit certificate?  Or does it 
need to be 1024 bit?

Dwane


Re: [pfSense Support] need reboot after changing firewall rules?

2011-06-21 Thread Chris Buechler
On Mon, Jun 20, 2011 at 11:04 AM, Roberto Nunnari
roberto.nunn...@supsi.ch wrote:
 Hi.


 Mr Router wrote:

 Just upgraded to RC 2 will check this now and update my findings

 Could you replicate the problem?
 Today I upgraded to RC3 and now the problem seems solved.


There were a couple days of RC2 snapshots that had broken
check_reload_status which prevented filter reloads, right around the
time of the original post here.




RE: [pfSense Support] Certificate

2011-06-21 Thread Atkins, Dwane P
Thank you.  That answers my question.

Dwane

From: Carlos Vicente [mailto:cjpvice...@gmail.com]
Sent: Tuesday, June 21, 2011 11:36 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Certificate

You can create 2048 bits certificates (OpenVPN), all you need is to change that 
specific line on the vars file before creating the certificates

On Tue, Jun 21, 2011 at 4:54 PM, Atkins, Dwane P atki...@uthscsa.edu wrote:
Is PfSense Version 1.2.3 capable of handling 2048 bit certificate?  Or does it 
need to be 1024 bit?

Dwane





[pfSense Support] OpenVPN

2011-06-21 Thread Erik Silva Sobral
Hi,

I need to configure a OpenVPN and I have followed a howto but it's not
working. Does anyone have a howto to send please?

cheers,

Erik


Re: [pfSense Support] OpenVPN

2011-06-21 Thread Younes EL AMRAOUI
Hi,

Can you send for me your HowTo for configuring OpenVPN please, I will do the
same in my company, and if it doesn't work I will give you a feedback.

Thanks,
Younes EL AMRAOUI,


2011/6/21 Erik Silva Sobral eriksob...@gmail.com

 Hi,

 I need to configure a OpenVPN and I have followed a howto but it's not
 working. Does anyone have a howto to send please?

 cheers,

 Erik




-- 
Younes EL AMRAOUI

*Engineering Student at ESIREM.*
*Computer Science Engineering School.*
*+33629153757*
*Dijon ,FRANCE .*


Re: [pfSense Support] OpenVPN

2011-06-21 Thread Erik Silva Sobral
I have followed this HowTo http://blog.stefcho.eu/?p=492 but I have problems
to create the users certificate.

On Tue, Jun 21, 2011 at 2:34 PM, Younes EL AMRAOUI oun...@gmail.com wrote:

 Hi,

 Can you send for me your HowTo for configuring OpenVPN please, I will do
 the same in my company, and if it doesn't work I will give you a feedback.

 Thanks,
 Younes EL AMRAOUI,



 2011/6/21 Erik Silva Sobral eriksob...@gmail.com

 Hi,

 I need to configure a OpenVPN and I have followed a howto but it's not
 working. Does anyone have a howto to send please?

 cheers,

 Erik




 --
 Younes EL AMRAOUI

 *Engineering Student at ESIREM.*
 *Computer Science Engineering School.*
 *+33629153757*
 *Dijon ,FRANCE .*






Re: [pfSense Support] OpenVPN

2011-06-21 Thread Younes EL AMRAOUI
Did you try this :

You can create 2048 bits certificates (OpenVPN), all you need is to change
that specific line on the vars file before creating the certificates

On Tue, Jun 21, 2011 at 4:54 PM, Atkins, Dwane P atki...@uthscsa.edu wrote:

  Is PfSense Version 1.2.3 capable of handling 2048 bit certificate?  Or
 does it need to be 1024 bit?


 Dwane




2011/6/21 Erik Silva Sobral eriksob...@gmail.com

 I have followed this HowTo http://blog.stefcho.eu/?p=492 but I have
 problems to create the users certificate.


 On Tue, Jun 21, 2011 at 2:34 PM, Younes EL AMRAOUI oun...@gmail.com wrote:

 Hi,

 Can you send for me your HowTo for configuring OpenVPN please, I will do
 the same in my company, and if it doesn't work I will give you a feedback.

 Thanks,
 Younes EL AMRAOUI,



 2011/6/21 Erik Silva Sobral eriksob...@gmail.com

 Hi,

 I need to configure a OpenVPN and I have followed a howto but it's not
 working. Does anyone have a howto to send please?

 cheers,

 Erik




 --
 Younes EL AMRAOUI

 *Engineering Student at ESIREM.*
 *Computer Science Engineering School.*
 *+33629153757*
 *Dijon ,FRANCE .*







-- 
Younes EL AMRAOUI

*Engineering Student at ESIREM.*
*Computer Science Engineering School.*
*+33629153757*
*Dijon ,FRANCE .*


Re: [pfSense Support] supported auth protocols

2011-06-21 Thread Chris Buechler
On Tue, Jun 21, 2011 at 8:51 AM, Roberto Nunnari
roberto.nunn...@supsi.ch wrote:
 Roberto Nunnari wrote:

 Roberto Nunnari wrote:

 Roberto Nunnari wrote:

 Chris Buechler wrote:

 On Thu, Jun 9, 2011 at 5:49 AM, Roberto Nunnari
 roberto.nunn...@supsi.ch wrote:

 Hi all.

 We now face a problem.. the captive portal, will need to authenticate
 users
 via a radius server. Unfortunately, that radius server doesn't support
 PAP,
 and pfSense seems to be using right that.. on the web interface I
 didn't see
 an option to change it..

 Is it possible to set authentication protocol to something more
 advanced
 than PAP.. say EAP, PEAP.. we could even accept CHAP..


 Currently no. But you can always add that yourself, or get us to do it
 for you if you have a budget for it. It uses Auth_RADIUS, which can
 support CHAP with additional extensions. EAP and/or PEAP would require
 quite a bit more work.


 Hi Chris.
 Humm.. I'm still in the evaluation stage..

 Could you just tell me what files/libraries should I edit/use in order
 to add peap or mschapv2? For sure I would give the patches back to the
 pfSense project once done, but a little help would be much appreciated.

 humm.. files seems to be in /etc/inc/ .. at least radius.inc and auth.inc
 ..

 !!! there's already a function Auth_RADIUS_MSCHAPv2 in radius.inc !!!

 I'm going to try that out right away.

 Robi



 Robi



 I'm a developer and have good experience with C/C++/Java, some
 experience with php and I'm now starting with python. I also have a good
 working knowledge of FreeBSD and I'm the system administrator of a few
 FreeBSD boxes since version 4 to version 6.4. If it is a matter of no more
 than a couple of days of work, I could try to add support for peap and/or
 mschapv2.

 Our radius guy told me that the only accepted protocols at present for
 us are peap and mschapv2. So, I was wrong when I said that chap was an
 acceptable option for us.

 To be true, I'm surprised that pfSense, in the case of radius with
 captive portal, puts credentials on the network in clear text (PAP) without
 a chance to choose a more secure protocol.
 But I also understand that pfSense is free software, and that you guys
 already have done a great amount of work and released such a wonderful
 software for free!
 Thank you again!

 Best regards.
 Robi



 I offer my help to add mschapv2, but I'm new to pfSense and so I don't know
 anything about current implementation and the startup scripts.

 In particular I'd like to know
 1) what is covered in the current implementation regarding mschapv2
 2) what is missing in the current implementation regarding mschapv2
 3) is mschapv2 implementation in radius.inc complete?
 4) should it be enough to change auth.inc to see it working as an initial
 test?

All of the RADIUS bits are handled with PHP's Auth_RADIUS, by looking
into it vs. what we have in our inc files you should be able to answer
#1-4. I don't know the answers there offhand.

 5) where to put configuration parameters?

In config.xml the same as everything else is handled for all portions
of the system.

 6) I believe it would be desirable to choose at least php/mschapv2 in the
 captive portal configuration in the web interface.

Yeah it would have an option for each configured RADIUS server, or
maybe just globally, to select which.

 7) is there a developer guide?

Not really, there is quite a bit of info on devwiki.pfsense.org.
