Integrating TOTP into OCSERV (FreeRADIUS + FreeIPA)
This guide provides instructions for deploying two-factor authentication (2FA/TOTP) for VPN access based on OCSERV (OpenConnect Server) in combination with FreeRADIUS and FreeIPA.
@nxadm @paulos With #FreeRADIUS you're best doing the logic internally in unlang. People think it's easier to use Perl or Python as they are the languages they understand, but it's pretty much always slower than doing it directly in FreeRADIUS and just making outgoing database calls if needed.
I've not used Radiator so I don't know for sure, but maybe it is slower internally making external calls a more attractive option.
The one thing I learned with #FreeRADIUS: minimal changes at the correct places usually work the best.
Oh, and the REST backend is actually cool. I will be using it to move the business logic. Unfortunately it will still be tightly coupled, as I need to supply the correct Radius attributes, but if I will be able to modify the business logic irrespective of the actual RADIUS server runtime, then hooray. It has been one of the pain points I've had with this - particularly when running with (please cover your eyes) Perl code.
FreeRADIUS is now the #RADIUS server with full Protocol-Error support. BTW, #FreeRADIUS runs just fine on #FreeBSD.
https://www.inkbridgenetworks.com/blog/blog-10/ietf-montreal-124-167
@mcnewton, what's your take? Will ECDSA do the job?
OpenVPN (pfSense) + SSL/TLS + 2FA telegram (freeradius + postgres + telegram bot)
This article walks through setting up an OpenVPN server on pfSense (though any other platform will do) with users connecting via SSL/TLS authentication and Telegram as the second factor (2FA).
https://habr.com/ru/articles/900304/
#vpn #openvpn #pfsense #2fa #telegrambot #freeradius #telegram
Yesterday's #RADIUS Conference 2025 was an outstanding event, thank you for allowing online participation and releasing these videos so quickly.
About #FreeRADIUS: "Every commit is built against #FreeBSD. Because it's a good operating system."
Alan DeKok [1]
1. Source: freeradius-users@ mailing list, Fri Apr 22 20:20:34 UTC 2022.
Ok HOW HARD CAN IT BE? 🤬
Currently trying to allow the #Windows machine I got from work (domain member, very much locked up, no local admin for me) in my private #wifi network (using 802.1X #authentication for #WPA with #freeradius and #PEAP using my own #samba based AD).
I don't strictly *need* it, the machine connects to my open guest wifi (mapped to a VLAN with access *only* to the internet), but it would be really nice being able to also access my local services while working at home.
What I tried:
- Just login (PEAP/MSCHAPv2), obviously. After lots of fiddling and reading logs (freeradius as well as windows events), I found some docs suggesting Windows doesn't support that any more unless you fiddle with something in HKLM, so, no dice, need something else...
- Allow EAP-TLS as well and issue a client certificate for my user, install that on windows. Doesn't work, the machine insists on using the machine cert from the machine store.
- Create a client cert with the UPN of my user in my home network in SAN ... same issue
- Create a client cert with the UPN of my *work* user in SAN ...
- Ok screw that, get freeradius to accept that stupid machine certificate: Allow the internal CA of my workplace and *only* the CN of exactly the machine certificate.
Now, it still won't work and I really don't get it, seeing stuff like:
(13) eap_tls: (TLS) TLS - recv TLS 1.3 Handshake, ClientHello
(13) eap_tls: (TLS) TLS - send TLS 1.1 Alert, fatal protocol_version
(13) eap_tls: ERROR: (TLS) TLS - Alert write:fatal:protocol version
(13) eap_tls: ERROR: (TLS) TLS - Server : Error in SSLv3 read client hello B
It makes little sense and all fiddling with TLS options so far didn't make it work. For other clients using PEAP, it just works with both TLS1.2 and TLS1.3. WTF is going on here?
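The four log lines quoted above, run through a small triage helper. This is an added example in Python, not code from the poster or from FreeRADIUS: it parses FreeRADIUS eap_tls debug records and pairs each received ClientHello with a later sent fatal protocol_version alert for the same request id, so the version the client offered and the record version of the alert can be read off side by side. It reports only what the lines show and does not diagnose the cause.

```python
import re
from typing import Optional

# Matches FreeRADIUS eap_tls debug records of the form
#   (13) eap_tls: (TLS) TLS - recv TLS 1.3 Handshake, ClientHello
#   (13) eap_tls: (TLS) TLS - send TLS 1.1 Alert, fatal protocol_version
# The "ERROR:" lines have a different shape and are deliberately skipped.
TLS_RECORD_RE = re.compile(
    r"^\((?P<req>\d+)\)\s+eap_tls:\s+\(TLS\)\s+TLS\s+-\s+"
    r"(?P<dir>recv|send)\s+TLS\s+(?P<ver>\d\.\d)\s+"
    r"(?P<kind>Handshake|Alert),\s+(?P<detail>.+)$"
)


def parse_tls_record(line: str) -> Optional[dict]:
    """Return the fields of one TLS record line, or None if it is not one."""
    m = TLS_RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["req"] = int(rec["req"])
    return rec


def find_version_alerts(lines) -> list:
    """For each request id, pair a received ClientHello with a fatal
    protocol_version alert sent afterwards; return the version seen on each."""
    last_hello = {}   # request id -> TLS version of the last ClientHello received
    findings = []
    for line in lines:
        rec = parse_tls_record(line)
        if rec is None:
            continue
        if rec["dir"] == "recv" and rec["kind"] == "Handshake" and rec["detail"] == "ClientHello":
            last_hello[rec["req"]] = rec["ver"]
        elif rec["dir"] == "send" and rec["kind"] == "Alert" and "protocol_version" in rec["detail"]:
            hello_ver = last_hello.get(rec["req"])
            if hello_ver is not None:
                findings.append({"req": rec["req"], "client_hello": hello_ver,
                                 "alert_sent_as": rec["ver"]})
    return findings


# Sample input: the lines quoted in the post above.
SAMPLE_LOG = """\
(13) eap_tls: (TLS) TLS - recv TLS 1.3 Handshake, ClientHello
(13) eap_tls: (TLS) TLS - send TLS 1.1 Alert, fatal protocol_version
(13) eap_tls: ERROR: (TLS) TLS - Alert write:fatal:protocol version
(13) eap_tls: ERROR: (TLS) TLS - Server : Error in SSLv3 read client hello B
"""

if __name__ == "__main__":
    for f in find_version_alerts(SAMPLE_LOG.splitlines()):
        print(f"request {f['req']}: client offered TLS {f['client_hello']}, "
              f"server answered with a fatal protocol_version alert "
              f"(record version TLS {f['alert_sent_as']})")
```

Feed it `radiusd -X` output filtered to `eap_tls:` lines to check whether every failing request shows the same pattern or only this one client does.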
#pfsense service toot:
Using #ACME certificates on your #freeradius for wifi authentication and things stop working after 60 days when the cert renews?
In the ACME configuration, add the following PHP command to the actions list:
require_once('/usr/local/pkg/freeradius.inc'); freeradius_eapconf_resync(true);
(Long time lingering bug in pfsense, #netgate is not willing to fix)