A former Canadian physicist controls the authentication of 100 million daily users. Alan DeKok has single-handedly maintained FreeRADIUS since 1999; half of the world's internet connections pass through his code.
da.van.ac/un-physicien-n…
@FFmpeg This, 100%. A multi-billion dollar company can't find the time to send a patch? No reasonable person should expect a volunteer to write a patch, just to keep that company happy.
@MyNameIsMurray@beamflash The cloud RADIUS solutions haven't given a single penny or line of code to help with FreeRADIUS. While they're welcome to do more, history shows that they won't.
We're working on updated TEAP for TEAPv2. Any external help is welcome.
@beamflash@freeradius We need the people in charge of the spec to actually make it workable. We need the likes of FreeRADIUS to support it so that many of the cloud RADIUS solutions that sit atop that solution can have support. We need Microsoft to add better support. It just needs to be a thing.
I got a few small blocks of time to tinker with this FreeRADIUS setup a bit more, and I think I made a lot of progress. While I haven't moved beyond testing on-server with "radtest" and "eapol_test" at this stage, I do have this thing authenticating users from my Entra tenant.
@MyNameIsMurray@beamflash Unfortunately while the spec allows for certificate provisioning, the Microsoft client doesn't do this. Which means that any certificate provisioning has to be done outside of TEAP.
@beamflash Ahhh, what? FreeRADIUS is one of the only solutions that even supports TEAP right now, they do support both device and user configurations in a single policy, and TEAP is literally designed to use a device connection until the user certificate is generated and then re-auth.
@MyNameIsMurray The RFC standard version of TEAP doesn't cover device pass/user fail, and FreeRADIUS is a stickler for RFC compliance. There is an updated RFC in the works that allows for it.
datatracker.ietf.org/doc/draft-ietf…
@beamflash@MyNameIsMurray Huh? FreeRADIUS supports device success and no user auth, which can be used for onboarding. The TEAP protocol doesn't allow for the inner user auth to fail, but still have the outer TEAP succeed. Read the specs to see why.
@yosida95 Problems with FR usually fall into one of two issues.
1. under specified requirements. "I want to do stuff" is not an actionable requirement.
2. Not reading the debug output. "I changed a bunch of stuff and now it doesn't work". Maybe look at the debug output to see why?
@AnyunguWanyungu We don't recommend LLMs for configuring FreeRADIUS. There's not a lot of good training data for them to use, so they just make things up. A lot.
The LLM suggestions for FreeRADIUS configuration will be wrong. Most aren't even correct FR syntax!
After a solid 3 weeks of prompting and trying to get FreeRADIUS working, I was so exhausted. I had tried every suggestion.
I took a week's break. Studied Mikrotik, FreeRADIUS and the RADIUS protocol.
Guess what? It’s working.
Let’s talk LLMs.
I have for a couple of months been building a mikrotik router access control system for client X.
Pretty simple. User management. Mpesa webhook. Routers, subscriptions, payments, SMS integration.
@beamflash@freeradius@Collab_Seth And while EAP-TTLS/PAP is more readily supported for handling the type of securely tunneled user auth we need, the deal-breaker is that we need to authenticate other devices such as macOS devices, and they don't support that. Then again, maybe with NoMAD/Jamf Connect they could?
Anyone have experience with Foxpass RADIUS? I'm just so done with NPS, and so over quotes for a bajillion dollars a year for modern RADIUS solutions. Doesn't do TEAP from what I can see, but EAP-TTLS/PAP might be an interesting option. Splashtop stuff has always been good value.
@beamflash@Collab_Seth@MyNameIsMurray That works today in FreeRADIUS. We've pushed some things recently which make it easier to configure. These changes will be in 3.2.8
@freeradius@Collab_Seth@MyNameIsMurray Mist Access Assurance (their cloud RADIUS service) supports TEAP, but only machine pass/user pass, whereas what I and other schools want is machine pass/user fail for onboarding scenarios
@MyNameIsMurray@Collab_Seth At this point, pretty much everything that isn't Cisco, Microsoft, or Nokia is "FreeRADIUS under the hood". Especially various "cloud" or "product" vendors who have long marketing articles about how terrible FreeRADIUS is. :)
@freeradius@Collab_Seth Seems to be a bit of a trend, as several solutions I've seen so far have indicated that they are FreeRADIUS under the hood. Another example is Foxpass, if memory serves. I'm just not sure we want to deal with vanilla FreeRADIUS at this time, but it's on the list to look at.
FreeRADIUS DHCP server benchmarks show superior performance in real-world deployments. Maintain speed even at pool capacity, integrate with your existing DNS server, and manage MAC address tracking through one platform.
Learn more: inkbridgenetworks.com/blog/blog-10/d… #NetworkAdmin
@l0ldbl00d@Xxxxuuuuy_ If the module is useful for other people, send it over in a GitHub PR. We'll take a look at integrating it into the next release.
@Xxxxuuuuy_ Well, in short, I wrote a module for FreeRADIUS that I had long wanted to write. And in general, over this week I solved a lot of old problems that weren't urgent but had piled up. A week of peak productivity.
@Collab_Seth Sadly, we're a combination of Cisco and Aruba for Wi-Fi, so no Meraki option. This is why we gave ISE and Clearpass a look first... but there's just no budget for that. Aruba has some basic bits we can use, but it's not great without the pricey licensing.
@Collab_Seth@MyNameIsMurray TEAP has limited uses right now. Only small parts of the standard are interoperable across all vendors. We're working on RFC717-bis, and then after that TEAPv2. These updates will fix all of the issues with TEAP.
@MyNameIsMurray I haven't found any cloud RADIUS platform that supports TEAP. I don't recall your networking hardware, but if you have Meraki with advanced licensing, Meraki Access Manager may be of interest. It's supposed to be included at no additional cost when it GAs.
The RADIUS conference went very well. We have agreement from operators and implementers on how to fix long-standing issues with the protocol. radiusconference.org
@_trish_07 But there are definitely billion-dollar companies, and startups with hundreds of millions of dollars in funding who can't configure FreeRADIUS correctly. That doesn't stop them from selling services around it, though.
@_trish_07 From a business point of view, we're doing well. The companies who "scam" us by using our free product are usually addressing a set of businesses who would never buy from us.