pfSense

Been trying to get WPA2-Enterprise with freeradius auth setup with an onboard wireless interface. The settings were right, but the interface refused to switch out of OPEN mode. After digging through the wireless config it appears that the culprit is at least partially a result of empty secondary radius server data in the hostapd conf file generated by interface_wireless_configure in interfaces.inc.

If the Secondary 802.1X Auth Server IP Address or the Secondary 802.1X Auth Server Shared Secret are empty then the resulting config at /var/etc/hostapd_<iface>.conf includes those variables, but leaves them blank. This results in the call to hostapd with that config to silently fail with an " invalid IP address '' " and "empty shared secret is not allowed".

There's a simple enough workaround to just copy and paste the primary 802.1x auth server ip and key to at least have something in those fields when the config is automagically regenerated.

The real fix would be to modify the interfaces.inc script starting around line 2562 to only output the auth_server_port and auth_server_shared_secret if the corresponding values were actually set.

Making the changes got the interface to come up properly and presented a WPA2-Enterprise username / password field to wireless clients, but I still haven't successfully managed to get the clients to authenticate.