Support for RADIUS challenge
-
Hello,
We are using the Netgate XG-1537 appliance with the latest pfSense (22.05) and an MS NPS RADIUS authentication backend. We are currently trying to integrate OpenVPN with passive MFA (mOTP): the OpenVPN client connection authenticates against RADIUS, RADIUS tells pfSense to ask for MFA, but pfSense doesn't seem to translate the request back to the OpenVPN client (auth fails).
The same setup works when using active MFA (push notification). This works because the MFA chain happens outside the OpenVPN client / pfSense chain.
Our MFA provider suggested finding out whether pfSense actually supports RADIUS challenge functionality. Can anyone confirm/deny or point us to relevant documentation?
Any help is much appreciated.
Branislav
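-
Added example (not pfSense, OpenVPN, Netgate or NPS code, and no claim about what pfSense does): the RADIUS Access-Challenge round trip that the post above depends on, modelled in one process per RFC 2865. A NAS sends Access-Request; an MFA-enabled server answers Access-Challenge carrying a State attribute and a Reply-Message; only a NAS that relays the prompt and re-sends the OTP together with the echoed State gets Access-Accept. A NAS that only understands Accept/Reject sees the challenge as a failure, which is the symptom described. The shared secret, user table, OTP value and the in-memory `OtpServer` stand-in are constructed test data, and the function names are this example's own.

```python
"""RADIUS Access-Challenge round trip (RFC 2865 s.3, s.4.4, s.5.2, s.5.24).

Added example; the server below is a constructed stand-in for an MFA-enabled
RADIUS backend, not NPS, and the NAS functions are not pfSense's code.
"""
import hashlib
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24


def _pw_xor(data, secret, authenticator, encrypt):
    """RFC 2865 s.5.2: c_i = p_i XOR MD5(secret + c_(i-1)), c_0 = Request Authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        xored = bytes(a ^ b for a, b in zip(block, key))
        out += xored
        prev = xored if encrypt else block  # chaining always uses the ciphertext block
    return out


def encrypt_password(password, secret, authenticator):
    raw = password.encode()
    return _pw_xor(raw + b"\x00" * (-len(raw) % 16), secret, authenticator, True)


def decrypt_password(blob, secret, authenticator):
    return _pw_xor(blob, secret, authenticator, False).rstrip(b"\x00").decode()


def encode_attrs(attrs):
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, ln = data[i], data[i + 1]
        if ln < 2 or i + ln > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + ln]))
        i += ln
    return attrs


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 s.3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(hdr + request_auth + body + secret).digest()


class OtpServer:
    """Constructed stand-in for an MFA backend: password first, then OTP bound to State."""

    def __init__(self, secret, users):
        self.secret, self.users, self.pending = secret, users, {}

    def handle(self, pkt):
        code, ident, req_auth, attrs = parse_packet(pkt)
        a = dict(attrs)
        if code != ACCESS_REQUEST or USER_PASSWORD not in a:
            return self._reply(ACCESS_REJECT, ident, req_auth, [])
        user = a.get(USER_NAME, b"").decode()
        pw = decrypt_password(a[USER_PASSWORD], self.secret, req_auth)
        if STATE in a:  # second leg: State must match what we issued, password field carries the OTP
            ok = self.pending.pop(a[STATE], None) == (user, pw)
            return self._reply(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, [])
        if self.users.get(user, {}).get("password") != pw:
            return self._reply(ACCESS_REJECT, ident, req_auth, [])
        state = secrets.token_bytes(16)
        self.pending[state] = (user, self.users[user]["otp"])
        return self._reply(ACCESS_CHALLENGE, ident, req_auth,
                           [(STATE, state), (REPLY_MESSAGE, b"Enter OTP:")])

    def _reply(self, code, ident, req_auth, attrs):
        return build_packet(code, ident, response_authenticator(code, ident, attrs, req_auth, self.secret), attrs)


def _request(user, credential, secret, ident, state=None):
    auth = secrets.token_bytes(16)
    attrs = [(USER_NAME, user.encode()), (USER_PASSWORD, encrypt_password(credential, secret, auth))]
    if state is not None:
        attrs.append((STATE, state))  # echo State unchanged, as RFC 2865 s.5.24 requires
    return build_packet(ACCESS_REQUEST, ident, auth, attrs), auth


def _verify(reply, req_auth, secret):
    code, ident, resp_auth, attrs = parse_packet(reply)
    if resp_auth != response_authenticator(code, ident, attrs, req_auth, secret):
        raise ValueError("bad Response Authenticator: wrong shared secret or tampering")
    return code, dict(attrs)


def login_no_challenge(server, user, password, secret):
    """NAS that only knows Accept/Reject: an Access-Challenge looks like a failed login."""
    pkt, auth = _request(user, password, secret, 1)
    code, _ = _verify(server.handle(pkt), auth, secret)
    return code == ACCESS_ACCEPT


def login_with_challenge(server, user, password, otp_prompt, secret):
    """NAS that relays Reply-Message to the user and re-sends the OTP with the State."""
    pkt, auth = _request(user, password, secret, 1)
    code, a = _verify(server.handle(pkt), auth, secret)
    if code == ACCESS_CHALLENGE:
        pkt, auth = _request(user, otp_prompt(a.get(REPLY_MESSAGE, b"").decode()), secret, 2, state=a[STATE])
        code, a = _verify(server.handle(pkt), auth, secret)
    return code == ACCESS_ACCEPT
```

The two `login_*` functions are the point: with the same server and the same correct password, `login_no_challenge` returns False and `login_with_challenge` returns True, because only the second one re-sends the OTP with the State attribute echoed back. Replacing `OtpServer.handle` with a UDP send/receive to port 1812 turns the same packet builders into a quick check of whether a real backend issues Access-Challenge at all, independent of any VPN gateway in front of it.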
-
Guys, this surely isn't a state-protected secret. Alternatively, I am looking for any reasonable way to integrate pfSense/OpenVPN with YubiKeys. I need a form of passive auth to work for users that don't have push-enabled devices.
-
@branislav_341 said in Support for RADIUS challenge:
this surely isn't a state-protected secret.
Nope, as FreeRADIUS is open source.
The implementation of FreeRADIUS in pfSense doesn't 'surface' all the possible settings FreeRADIUS has to offer.
The sheer number of settings is just daunting. RADIUS, like Postfix, Apache2, nginx and BIND (named), just can't be set up using a GUI.
These programs often have thousands of settings.
A web, mail or domain name server is rather well known, but an identification and authentication server like RADIUS is far less known. Still, everybody is using them all the time without knowing it.
All this is my opinion of course. I guess you have to tackle this one the old-fashioned way:
Get to know how FreeRADIUS works.
Know how to test and debug.
Then: find out which settings can be entered where in pfSense. See /usr/local/etc/raddb/ (all the files and subfolders) for what the settings of a FreeRADIUS server actually are.
A small subset is controlled by the pfSense GUI. The rest is hard-coded during installation, but those are still just settings, ready to be changed to get what you want.
-
@branislav_341 Got pfSense OpenVPN with RADIUS+TOTP running following this: https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-ra-auth-freeradius.html
And the video of a Hangouts session with jimp on this topic.
-
Thank you guys, all your inputs are highly appreciated.