Topic: PFSense as WPA Enterprise Client

Mattofsweden
PFSense as WPA Enterprise Client
« on: January 06, 2012, 08:22:07 am »
Hiya.

I know this has been on topic a few years ago but it ended nowhere really:
http://forum.pfsense.org/index.php/topic,4297.0.html

I'll spare you guys the story behind the situation.

Problem is as follows:
* Workplace (a school) uses a wireless network with WPA (2?) Enterprise / RADIUS (tied to AD accounts)
* I need to connect to it on the WAN side with a Wireless card.

GUI does provide a whole bunch of options connecting to 802.1X wireless networks but I'm at a loss.

Connecting via shell works like a charm using a custom wpa_supplicant.conf looking like this:

Code:
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
ap_scan=1
network={
        ssid="FOOBAR"
        key_mgmt=WPA-EAP
        eap=PEAP
        identity="DOMAINNAME\USERNAME"
        password="My ActiveDirectory Password"
        phase1="peaplabel=0"
        phase2="auth=MSCHAPV2"
}

After a second or two I can receive my IP by

Code:
dhclient wpi0_wlan1

Is there anyone able to maybe do a few changes to the GUI to make this work GUI wise or anyone who's got an idea how I get this working by scripting it?

I need this to survive reboots, temporary auth failures, loss of DHCP lease (and to request a new one) etc.

Thanks a bunch guys!
Regards,
Mattias

IT Teacher & Networking Consultant
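
The network block in the post above sets no `ca_cert` and no server-name constraint, and without `ca_cert` wpa_supplicant does not verify the RADIUS server's certificate before running PEAP/MSCHAPV2. The script below is an added example, not code from the thread or from pfSense, that audits a wpa_supplicant.conf for that gap; the function name `audit_wpa_conf` and the finding texts are made up here, and `domain_suffix_match` is only available in later wpa_supplicant releases (`subject_match` and `altsubject_match` are the older options).

```shell
#!/bin/sh
# Added example (not from the thread): flag EAP network blocks in a
# wpa_supplicant.conf that do not pin the RADIUS server's identity.
audit_wpa_conf() {   # $1 = config path; prints one finding per line
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) ;;
        *) echo "file: group/other permission bits are set" ;;
    esac
    awk '
    function report(msg) { printf "%s: %s\n", ssid, msg }
    /^[ \t]*#/ { next }                        # comment line
    /^[ \t]*network[ \t]*=[ \t]*[{]/ {         # block start: reset state
        inblk = 1; ssid = "(no ssid)"
        eap = ca = name = clear = 0; next
    }
    inblk && /^[ \t]*[}]/ {                    # block end: evaluate
        inblk = 0
        if (!eap) next                         # PSK/open blocks are out of scope
        if (!ca)   report("no ca_cert, server certificate is not validated")
        if (!name) report("no subject_match/altsubject_match/domain_suffix_match")
        if (clear) report("cleartext password in file")
        next
    }
    inblk {
        line = $0; sub(/^[ \t]+/, "", line)
        eq = index(line, "="); if (!eq) next
        key = substr(line, 1, eq - 1); val = substr(line, eq + 1)
        if (key == "ssid") { gsub(/"/, "", val); ssid = val }
        if (key == "key_mgmt" && val ~ /EAP|IEEE8021X/) eap = 1
        if (key == "ca_cert" || key == "ca_path") ca = 1
        if (key ~ /^(subject_match|altsubject_match|domain_suffix_match)$/) name = 1
        if (key == "password" && val ~ /^"/) clear = 1
    }' "$1"
}

# Constructed sample: the network block from the first post, values unchanged.
sample=$(mktemp) && chmod 600 "$sample"
cat > "$sample" <<'EOF'
network={
        ssid="FOOBAR"
        key_mgmt=WPA-EAP
        eap=PEAP
        identity="DOMAINNAME\USERNAME"
        password="My ActiveDirectory Password"
        phase1="peaplabel=0"
        phase2="auth=MSCHAPV2"
}
EOF
audit_wpa_conf "$sample"
```

On the sample it reports all three block-level findings for FOOBAR; a block that carries `ca_cert` plus one of the name-matching options and no quoted password produces no output.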

wallabybob
Re: PFSense as WPA Enterprise Client
« Reply #1 on: January 06, 2012, 03:38:36 pm »
Quote:
Is there anyone able to maybe do a few changes to the GUI to make this work GUI wise or anyone who's got an idea how I get this working by scripting it?

What changes to the GUI do you think are required and why?


Mattofsweden
Re: PFSense as WPA Enterprise Client
« Reply #2 on: January 08, 2012, 03:56:28 pm »
Quote:
What changes to the GUI do you think are required and why?

Well, changes might be the wrong word, rather additions to the GUI. The ability to GUI wise add identity & password as well as the "phase" types. I'm yet to understand all these different wireless authentication types, but it seems that is what I need currently. Or a way around it that works until a release that might have it comes along.

Thanks

ccb056
Re: PFSense as WPA Enterprise Client
« Reply #3 on: January 08, 2012, 10:37:23 pm »
I think a good modification to the GUI would be to allow for the hiding of non-applicable options.

For example, instead of showing all the options for the wifi at once, have the user first select a mode: either AP or Client.
Then, if AP is selected, either grey out or hide all the settings that are client specific, and vice versa.

Likewise when selecting encryption.  When WPA is selected there should be no reason for WEP keys to be entered, so either hide or grey those options.

Mattofsweden
Re: PFSense as WPA Enterprise Client
« Reply #4 on: January 11, 2012, 08:06:34 am »
Nobody got any idea on how to make this work in a simple administrative manner?  :(

wallabybob
Re: PFSense as WPA Enterprise Client
« Reply #5 on: January 14, 2012, 06:21:57 am »
It looks to me that the GUI doesn't provide for configuration of a wireless client connecting to an AP which uses RADIUS authentication. In particular, there doesn't seem to be a way to input the RADIUS username (identity) and password. There doesn't seem to be a HOWTO for this type of configuration and it doesn't seem to be discussed in the pfSense book. It would probably be worth submitting a bug report on http://redmine.pfsense.org

In the meantime you could probably edit (saving a copy of the original file first) the pfSense file /etc/inc/interfaces.inc in the region of
Code:
        /* generate wpa_supplicant/hostap config if wpa is enabled */
        conf_mount_rw();

        switch ($wlcfg['mode']) {
                case 'bss':
                        if (isset($wlcfg['wpa']['enable'])) {
                                $wpa .= <<<EOD
ctrl_interface={$g['varrun_path']}/wpa_supplicant
ctrl_interface_group=0
ap_scan=1
#fast_reauth=1
network={
ssid="{$wlcfg['ssid']}"
scan_ssid=1
priority=5
key_mgmt={$wlcfg['wpa']['wpa_key_mgmt']}
psk="{$wlcfg['wpa']['passphrase']}"
pairwise={$wlcfg['wpa']['wpa_pairwise']}
group={$wlcfg['wpa']['wpa_pairwise']}
}
EOD;
to replace the section between <<<EOD and EOD with your desired contents for wpa_supplicant.conf, configure your wireless interface with mode Infrastructure and WPA enabled, save and apply and check wpa_supplicant.conf has your desired contents.

If that works it could be fragile with respect to wireless configuration changes.

Mattofsweden
Re: PFSense as WPA Enterprise Client
« Reply #6 on: April 27, 2012, 07:13:42 am »
Quote:
It looks to me that the GUI doesn't provide for configuration of a wireless client connecting to an AP which uses RADIUS authentication. In particular, there doesn't seem to be a way to input the RADIUS username (identity) and password. There doesn't seem to be a HOWTO for this type of configuration and it doesn't seem to be discussed in the pfSense book. It would probably be worth submitting a bug report on http://redmine.pfsense.org


Better late than never ;)

It works, but as you said, a bit fragile. Thank you.

Issue submitted:
http://redmine.pfsense.org/issues/2400