FreeRadius Interfaces
-
I didn't know what address I need to put in the FreeRadius "Interface IP Address" field.
I have three servers in DMZ. The IP Address of the NIC on pfSense corresponding to the DMZ is 192.168.103.1
The users are in the LAN and to access the server they authenticate themselves on these. The IP Address of the NIC on pfSense corresponding to the LAN is 192.168.101.1
So, in FreeRadius I have to create three clients, one for each server.
I didn't understand if in FreeRadius I need an interface on the LAN (192.168.101.1) to listen to the users' PCs or on the DMZ (192.168.103.1) to listen to the servers.
Users also connect via OpenVPN, but I don't think this should be listened to too.
-
@whitetiger-it I point mine to a virtual ip with a /32 mask.
Firewall -> Virtual IPs
-
@nogbadthebad
I didn't understand how to use them.
https://docs.netgate.com/pfsense/en/latest/firewall/virtual-ip-address-comparison.html
-
@nogbadthebad
Let's see if I understand correctly.
The switch, instead of querying the RADIUS on the firewall IP, queries a virtual (and therefore non-existent) IP that you have associated with the localhost of the firewall itself.
Good idea, but I didn't understand why.
The IP of the firewall is however known, for example because it is the Gateway of the network, there is DHCP, DNS, etc.
However, my question remains open.
Is the RADIUS interface the network on which the users are located or the one on which the servers/devices interrogated by the user are located?
From what you have posted, it seems to me that it is the second answer.
-
@whitetiger-it said in FreeRadius Interfaces:
@nogbadthebad
Let's see if I understand correctly.
The switch, instead of querying the RADIUS on the firewall IP, queries a virtual (and therefore non-existent) IP that you have associated with the localhost of the firewall itself.
Nope, it's a virtual address tied to the localhost interface. If I had bound my FreeRadius to the LAN interface IP and I had shut it down, then devices couldn't authenticate.
Good idea, but I didn't understand why.
The IP of the firewall is however known, for example because it is the Gateway of the network, there is DHCP, DNS, etc.
However, my question remains open.
Is the RADIUS interface the network on which the users are located or the one on which the servers/devices interrogated by the user are located?
From what you have posted, it seems to me that it is the second answer.
The radius interface is the IP address that Radius requests are sent to, as per "Enter the IP address (e.g. 192.168.100.1) of the listening interface. If you choose * then it means all interfaces. (Default: *)"
You can point your devices to any IP address on any pfSense interface you want if you leave the IP address as the default of *
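
The setup discussed in this thread, sketched as an added example in FreeRADIUS 3 configuration syntax (not posted by anyone in the thread; on pfSense the same values are entered through the package GUI). It assumes the three DMZ servers are the devices that send RADIUS requests, as the first post describes; the server addresses, the virtual IP and the secrets are constructed placeholders.

```conf
# --- Listening address ("Interface IP Address") ---------------------------
# Option A: bind only to the pfSense DMZ address from the first post.
# The DMZ servers send Access-Requests here; user PCs on the LAN never
# talk to this socket directly, they authenticate to the servers.
listen {
    type   = auth
    ipaddr = 192.168.103.1
    port   = 1812
}

# Option B: the package default "*", listening on every interface.
# Any pfSense address then works as the RADIUS server address, so
# firewall rules should limit UDP 1812 to the client IPs listed below.
# listen {
#     type   = auth
#     ipaddr = *
#     port   = 1812
# }

# Option C: a /32 virtual IP tied to localhost, as suggested in the
# thread (created under Firewall -> Virtual IPs). The address below is
# a constructed placeholder. It stays reachable if the LAN interface
# is shut down, provided the clients have a route to it.
# listen {
#     type   = auth
#     ipaddr = 10.255.255.1
#     port   = 1812
# }

# --- Clients (NAS): one entry per DMZ server ------------------------------
# Requests from any source address not listed here are dropped.
# Use a different secret for each client.
client dmz-server-1 {
    ipaddr = 192.168.103.11      # constructed placeholder
    secret = REPLACE-WITH-SECRET-1
}
client dmz-server-2 {
    ipaddr = 192.168.103.12      # constructed placeholder
    secret = REPLACE-WITH-SECRET-2
}
client dmz-server-3 {
    ipaddr = 192.168.103.13      # constructed placeholder
    secret = REPLACE-WITH-SECRET-3
}
```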