WOW! that was quick. Thank you very much. Best and probably the only one I have seen.
In fact, thank you for providing the idea. This topic belongs to the ones which I really enjoy making videos about: first there is demand, second I have desire. Therefore I gave it the highest level of priority :D
Another idea would be 802.1x and 802.11i with per-user VLAN assignment. Again, thanks very much. @hz777
@hz777 is this EAP-TLS?
thanks so much!! best tutorial on setting up freeradius with pfsense and my ruckus AP
Thanks a lot! Are those settings still safe with regard to the Blast-RADIUS attack? Or do we need to configure things differently (e.g. requiring the message authenticator attribute)?
best tutorial on that topic
Great video! Thanks.
Great tutorial, the only one on youtube.
I wonder if it would be possible somehow in this configuration (pfsense, unifi) to limit so that the same login could not be used at one time on another device?
This is a pretty complicated topic. It is related to ap accounting, mysql, Captiva, etc. Let me add it to my backlogs.
Thank you. Now it’s time to also authenticate wired devices; is it possible to do that with pfsense? I have read that this could be done with a proper 802.1x switch. Could you give me some advice on what I should configure in pfsense to do that? Thank you.
@arturkruszyna4741 Maybe I am wrong, but I don't think pfSense's freeradius server is limited to wifi clients. In fact, from this video you can see the way the UniFi AP is connected to freeradius: it's nothing but a wired client. I think what you want to explore is freeradius client.
much appreciated - was wondering how to get a radius profile for windows radius server to auth users on AD !!! .... thank you.
Nice, but what is the solution for Android 14?
Hi, great tutorial. I have the same UniFi setup, except I use a MikroTik router as the firewall router, and the wifi clients get DHCP addresses from the MikroTik via a VLAN configured both at the UniFi controller and the MikroTik. I was wondering how I can make this work on that.
I have not tried freeradius with MikroTik, but as far as I know MikroTik can run it without problem. However, I am not sure whether its configuration is similar to pfSense or not.
I would love to see a tutorial setting up EAP-TLS (avoiding passwords). I have been unsuccessful exporting certs to my iPhone. It still asks for username/password.
I know Apple does not like a p12 file without a password. But I tried to export a p12 file with "Export Password", and macOS does not think my password is correct, not sure why.
Great video and very useful and simple explanation.
What is the way to integrate Google SSO authentication with FreeRadius? Thank you in advance!
Sorry but I don't use google sso.
Great Tutorial!
Cool video. Thanks
You failed to specify the required encryption algorithms for use with WPA3. If you do not manually specify ECDSA 384 septr and higher than 2048 bit, clients will simply not connect (and you won’t know why). This will work fine for WPA2, but nothing else…
Edit: I decided to watch your video until the end, and that Mac connecting to the WPA3 network was a fluke (and something that should not have happened). No up-to-date devices will connect without the security I previously mentioned. Just FYI (and you may wish to try with mobile clients, for instance)…
Thank you very much. Super !!!
for client's IP, is it the IP of our Access Point? or can we use 0.0.0.0 for all?
As shown in the video, you can use subnet.
Can I import multiple users to a pfSense for FreeRadius? Or will I need to create user by user?
I didn't find any documentation that helps with this. :/
pfSense does have docs on integrating FreeRADIUS with Active Directory. If you just want to import users, you can look into the pfSense config.xml file.
Very good tutorial, my friend ;)
I just did the same thing but on Server 2022 and an NPS RADIUS server.
Connection is good for all my Windows users, but it is impossible to connect on Mac.
The certificate is not proposed at connection, and I can't even connect to the wifi (with the certificate installed manually). Any idea?
Sorry but I don't have the same setup to look into so I have no idea about the cause.
thanks
Can I use the pfSense IP for the Client IP Address? Is it safe?
Do you refer to the client IP in the pfSense config? It should be your UniFi AP's IP address in the context of this video.
If you mean the whole subnet thing (/24) is not safe, yes, you are right, but it's convenient. It's up to the admin to decide.
@hz777 Sorry, at 8:38 of the video. I have 9 APs, so can I use the pfSense IP? Or is it better to use the IP from one of my APs?
@leosdc_ In the later part of the video I did mention how to add multiple APs: you either add them individually, or add the whole subnet.
@hz777 Oh, thank you! I'll add one by one! ;)