FreeRADIUS 1st setup - authentication failed. How to troubleshoot?
-
Hey all,
I've watched a video by Tom Lawrence on how to setup a Remote Access VPN and another one on how to use FreeRADIUS for authentication.
I followed the instructions meticulously.
Alas, when I come to the step on how to add users and then go to Menu / Diagnostics / Authentication, I first get a 10 sec pause while the web browser loads a new page, and then "Authentication failed".
I'm stuck as I don't know what to try next.
My system:
- I'm on an SG-1100 with the latest 21.05.02 version.
- I've set up 7 VLANs, pfBlocker and Avahi, nothing else.
- I've locked things down quite thoroughly using firewall rules.
- No custom NAT entries.
- Behind the Netgate router is a respectable (for a home user) UniFi stack containing 5 switches, 6 APs, 6 cameras, Cloud Key gen 2+.
- No VPNs as of yet, no open ports.
- FreeRADIUS version 3-0.15.7_32.
What I tried so far:
- I first installed freeRADIUS while on 21.02.1 and the installation didn't go 100% okay as there was a notification that the certificate had an issue
- I deleted all freeradius settings (but not the freeradius certificate - I think), deleted the freeradius package, deleted pfBlocker and Avahi too and upgraded the appliance to the latest version: 21.05.02
- I reinstalled pfBlocker and Avahi and checked if all was working okay which it did
- I installed the freeRADIUS package again, but now on 21.05.02 and didn't get any errors
- I set up the FreeRADIUS package again according to Tom's tutorial but no dice: Authentication failed again.
Do you have any suggestions where to start troubleshooting?
Should I delete the FreeRADIUS certificate and create a new one (how?)
Could the issue be caused by any firewall rules I should check or fix? The 10 sec pause is peculiar as in Tom's video his authentication test result is instantaneous, even when he demonstrates that authentication fails when he selects "Local Database" instead of the RadServer. So why is the authentication process taking so long on my system?
Would appreciate any help.
Pete
-
Open up the console on your router, then run radsniff -x then test.
You may see a clue from the output.
-
Another debug alternative to what @NogBadTheBad proposed:
Stop the "freeradius" in the GUI.
Go to the command line (option 8) and enter radius -X
Now you see the radius logs on the screen.
Your mission is, if you accept it, to resolve all the error messages (the red lines).
When done, Ctrl-C to terminate the debug session, and start radius in the GUI.
Note that in normal mode you can also set up radius to log, see the set up menus.
These logs can and should be consulted.
These will answer your 'troubleshoot' questions.
-
@nogbadthebad said in FreeRADIUS 1st setup - authentication failed. How to troubleshoot?:
Open up the console on your router, then run radsniff -x then test.
You may see a clue from the output.
@gertjan said
Another debug alternative to what @NogBadTheBad proposed :
Stop the "freeradius" in the GUI.
Go to the command line (option 8) and enter radius -X
These will answer your 'troubleshoot' questions.
So after a family weekend I open up my laptop and here are two presents (your replies) waiting for me to unwrap. Thanks so much guys! I am close to totally inexperienced with the console, all I did once was install a firmware update supplied to me by the Netgate engineers.
As soon as I have some time off from work I'll go and learn and I will absolutely report back here.
-
Hey guys I tried some debugging. Not much luck yet, so I thought I'd post some findings.
1. The radius server won't start
When I go to dashboard / service status the radiusd shows a red X and it shows not running. When I run it manually I see a green wheel turning for 10 seconds or so but it won't start.
When I run radiusd -X and try to start I get this:
tls-config tls-common {
  verify_depth = 0
  ca_path = "/usr/local/etc/raddb/certs"
  pem_file_type = yes
  private_key_file = "/usr/local/etc/raddb/certs/server_key.pem"
Unable to check file "/usr/local/etc/raddb/certs/server_key.pem": No such file or directory
/usr/local/etc/raddb/mods-enabled/eap[24]: Failed parsing configuration item "private_key_file"
2. When I look in the documentation I can try authenticating from the console; this is my output:
Sent Access-Request Id 17 from 0.0.0.0:61881 to 127.0.0.1:1812 length 75
  User-Name = "user2"
  User-Password = "user2"
  NAS-IP-Address = 192.168.46.1
  NAS-Port = 0
  Message-Authenticator = 0x00
  Cleartext-Password = "user2"
(0) No reply from server for ID 17 socket 3
Anyway if the service won't start then it's not much use trying to do authentication tests I suppose.
3. One very curious thing
I followed Tom's video and entered 127.0.0.1 for the NAS server address. When I verified all settings today it showed 127.0.0.2, both in the Services/Freeradius/NAS-Clients section and in the System/User manager/Authentication servers section. I am quite sure I followed Tom's settings. Why would I type 127.0.0.2 instead of 127.0.0.1 "twice"? Any clues would be wildly appreciated.
Pete
-
Shortly after testing I needed to restore the SG-1100 to the last known good working config. After restarting the device there was no internet connectivity. I had been playing around with DNS settings and even though I think I turned back my changes, internet did not come back up. I could perform DNS requests via the pfsense diagnostics / DNS lookup though. However I couldn't ping any WAN side hosts.
Anyway as I reverted to a previous backup, my freeradius settings are gone as well. All that remains is the certificate.
Can I safely remove the freeradius entries in the "CA" and "Certificates" sections?
-
Just one final thing for today: you might have missed it, but when I installed freeradius for the first time, about a week ago (in Nov 2021) my SG-1100 was still on 21.02.1. So basically I installed the latest package before upgrading to 21.05.2. Could this have caused trouble? I read now that I should upgrade the pfsense version first before upgrading packages.
If affirmative, is there anything I can do to fix it? Completely deleting the package and reinstalling (after upgrading to 21.05.2 of course) did not work.
-
@NogBadTheBad @Gertjan :
I received my spare SG-1100, set it up using the absolute basics and installed the FreeRADIUS package on that unit. Exact same issue. So the problem was the FreeRADIUS Server Certificate which was not created automatically, like in Tom's video. Right after installing the package I got the following notice:
This was exactly the same on my production SG-1100 unit. I don't understand why the SC could not be created where the CA was created just fine. I found this other post right here on the forums of another SG-1100 user running into the same issue. Could this be related to the SG-1100 specifically?
Anyway I created a Server Certificate under the FreeRADIUS CA and boom the server is running and it is authenticating.
Just one question as this is the first time I create my own certificate: The common name field cannot be left blank or I'll get an error creating the certificate:
However I didn't know what to enter there for this special FreeRADIUS use case. So I just entered a non-existent URL. Will that be adequate?
Thanks for your help!
Pete
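Both failures in this thread (the radiusd -X error about server_key.pem in the earlier post and the server certificate that was never generated in the last one) come down to a file the eap module's tls-config points at but cannot open. The pre-flight check below is an added example, not code from the thread or from the pfSense FreeRADIUS package; it assumes the eap config path is passed as its argument (on pfSense that is /usr/local/etc/raddb/mods-enabled/eap) and checks the absolute paths it references before the service is started.

```shell
#!/bin/sh
# Added example: check that every file the FreeRADIUS eap module's tls-config
# refers to exists and is readable, so "Unable to check file ...: No such file
# or directory" shows up before radiusd is started. Assumes the config file
# path is $1 (on pfSense: /usr/local/etc/raddb/mods-enabled/eap).

# Print the value of '<item> = "<path>"' from a FreeRADIUS config file
# (first match, surrounding quotes removed); print nothing if absent.
eap_tls_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"[:space:]]*\)\"\{0,1\}.*\$/\1/p" "$1" | head -n 1
}

# Report one line per TLS file item: "OK ...", "MISSING ..." or "UNRESOLVED ..."
# (FreeRADIUS ${var} references are not expanded here, so they are flagged for
# a manual look), followed by "missing=<n>". Always exits 0 (safe under set -e).
eap_tls_check() {
    cfg=$1; n=0
    for item in private_key_file certificate_file ca_file dh_file; do
        path=$(eap_tls_value "$cfg" "$item")
        [ -z "$path" ] && continue            # item not configured at all
        case $path in
            *'${'*) echo "UNRESOLVED $item $path" ;;
            *) if [ -r "$path" ]; then echo "OK $item $path"
               else echo "MISSING $item $path"; n=$((n + 1)); fi ;;
        esac
    done
    echo "missing=$n"
}

# Print only the number of missing/unreadable files (0 means safe to start).
eap_tls_missing() {
    eap_tls_check "$1" | sed -n 's/^missing=//p'
}

if [ -n "$1" ]; then eap_tls_check "$1"; fi
```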