On Tue, Jun 21, 2011 at 8:51 AM, Roberto Nunnari
<roberto.nunn...@supsi.ch> wrote:
> Roberto Nunnari wrote:
>>
>> Roberto Nunnari wrote:
>>>
>>> Roberto Nunnari wrote:
>>>>
>>>> Chris Buechler wrote:
>>>>>
>>>>> On Thu, Jun 9, 2011 at 5:49 AM, Roberto Nunnari
>>>>> <roberto.nunn...@supsi.ch> wrote:
>>>>>>
>>>>>> Hi all.
>>>>>>
>>>>>> We now face a problem.. the captive portal, will need to authenticate
>>>>>> users
>>>>>> via a radius server. Unfortunately, that radius server doesn't support
>>>>>> PAP,
>>>>>> and pfSense seems to be using right that.. on the web interface I
>>>>>> didn't see
>>>>>> an option to change it..
>>>>>>
>>>>>> Is it possible to set authentication protocol to something more
>>>>>> advanced
>>>>>> than PAP.. say EAP, PEAP.. we could even accept CHAP..
>>>>>>
>>>>>
>>>>> Currently no. But you can always add that yourself, or get us to do it
>>>>> for you if you have a budget for it. It uses Auth_RADIUS, which can
>>>>> support CHAP with additional extensions. EAP and/or PEAP would require
>>>>> quite a bit more work.
>>>>
>>>>
>>>> Hi Chris.
>>>> Humm.. I'm still in the evaluation stage..
>>>>
>>>> Could you just tell me what files/libraries should I edit/use in order
>>>> to add peap or mschapv2? For sure I would give the patches back to the
>>>> pfSense project once done, but a little help would be much appreciated.
>>>
>>> humm.. files seem to be in /etc/inc/ .. at least radius.inc and auth.inc
>>> ..
>>
>> !!! there's already a function Auth_RADIUS_MSCHAPv2 in radius.inc !!!
>>
>> I'm going to try that out right away.
>>
>> Robi
>>
>>
>>>
>>> Robi
>>>
>>>
>>>>
>>>> I'm a developer and have good experience with C/C++/Java, some
>>>> experience with php and I'm now starting with python. I also have a good
>>>> working knowledge of FreeBSD and I'm the system administrator of a few
>>>> FreeBSD boxes since version 4 to version 6.4. If it is a matter of no more
>>>> than a couple of days of work, I could try to add support for peap and/or
>>>> mschapv2.
>>>>
>>>> Our radius guy told me that the only accepted protocols at present for
>>>> us are peap and mschapv2. So, I was wrong when I said that chap was an
>>>> acceptable option for us.
>>>>
>>>> To be true, I'm surprised that pfSense, in the case of radius with
>>>> captive portal, puts credentials on the network in clear text (PAP) without
>>>> a chance to choose a more secure protocol.
>>>> But I also understand that pfSense is free software, and that you guys
>>>> already have done a great amount of work and released such a wonderful
>>>> software for free!
>>>> Thank you again!
>>>>
>>>> Best regards.
>>>> Robi
>>>>
>
>
> I offer my help to add mschapv2, but I'm new to pfSense and so I don't know
> anything about current implementation and the startup scripts.
>
> In particular I'd like to know
> 1) what is covered in the current implementation regarding mschapv2
> 2) what is missing in the current implementation regarding mschapv2
> 3) is mschapv2 implementation in radius.inc complete?
> 4) should it be enough to change auth.inc to see it working as an initial
> test?

All of the RADIUS bits are handled with PHP's Auth_RADIUS; by looking
into it vs. what we have in our inc files you should be able to answer
#1-4. I don't know the answers there offhand.

> 5) where to put configuration parameters?

In config.xml the same as everything else is handled for all portions
of the system.

> 6) I believe it would be desirable to choose at least php/mschapv2 in the
> captive portal configuration in the web interface.

Yeah it would have an option for each configured RADIUS server, or
maybe just globally, to select which.

> 7) is there a developer guide?

Not really, there is quite a bit of info on devwiki.pfsense.org.
