Does Diagnostics -> Authentication actually work for testing RADIUS servers?
-
In System Manager -> Users -> Authentication Servers I have defined two authentication servers: one LDAP and one RADIUS, both pointing to the same Windows 2022 domain controller managing my AD and also running NPAS.
In Diagnostics -> Authentication, I have tested the EXACT SAME user and same password (in fact, I don't change them, I am just changing the server tested), and the LDAP test passes while the RADIUS test fails.
Well, you might say I have my RADIUS server configured incorrectly... except that I have an OpenVPN server configured in VPN -> OpenVPN -> Servers that is set to use SSL/TLS + User Auth, where the Backend for authentication is the RADIUS server, and it successfully works to authenticate my incoming OpenVPN clients.
It seems that using Diagnostics -> Authentication doesn't toss any info into Status -> System Logs (or I can't find it under the Authentication tab anyway), so I have no idea how I can investigate further why the Diagnostics is failing, and whether or not I should be concerned.
-
@zippydan ssh onto your router and run radsniff -x; you should be able to debug from the output.
-
@zippydan As far as I recall the “Authentication” test only works for PAP (cleartext) authentication setups using Radius.
If your policies or needs require CHAP or anything more advanced like CHAPv2 or any kind of EAP, it won’t work because it has no “how to encrypt the test” settings.
-
@keyser If I recall correctly I am using CHAPv2 on my Windows Server RADIUS Server. It seems that including support for testing with encryption should be included...
I mean, you have to select an already defined server when running an authentication test, so pfSense has all the information it needs about what encryption is used...
-
@zippydan Yeah - well at least for Chap/Chapv2 it does. EAP not so much :-)
In Windows NPS it's a simple tickbox to enable PAP temporarily on your policy, so it should be quite fast to do a simple test.
-
@zippydan But… Your domain policy needs to allow reversible encryption (not enabled by default). So if that policy is not enabled, then it won’t work regardless of PAP or not.
-
@keyser My point is this... if pfSense can receive a connection request via the defined OpenVPN server and pass the supplied credentials through the defined pipeline for the defined RADIUS server with its defined security parameters within the defined Authentication servers, why can it not pass a manual authentication test through the same already defined pipeline?
-
@zippydan I don’t think you understand how Radius works. The exchange with Radius is done between the “authenticator” and the Radius server. The Authenticator in your setup is OpenVPN. pfSense's Radius setup knows nothing about how/what data is passed between Radius and OpenVPN, nor does it know anything about what encryption it might have.
So what you are asking would require pfSense’s “test authentication” module to have a full authenticator feature set. Not a simple task, and certainly a lot of code for no real benefit. But it would be nice if it at least had a PAP/CHAP/CHAPv2 selector box for the test, as the last two are standard hash modules where all the code is readily available and would be easy to implement.
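To make the PAP-versus-CHAP point in the two replies above concrete, here is an added example (not code from this thread, from pfSense or from Windows NPS) that builds a RADIUS Access-Request both ways, per RFC 2865, and shows what a server needs in order to check each one. The shared secret, username, password and authenticator bytes are constructed sample values. With PAP the User-Password attribute is reversibly hidden with the shared secret, so the server recovers the cleartext and compares it. With CHAP the client sends only an MD5 digest of the ident, password and challenge, so the server must hold a password it can recompute the digest from, and a tester that only knows how to encode PAP cannot produce a CHAP-Password at all. MS-CHAPv2 and EAP are different again (vendor-specific and EAP-Message attributes) and are only represented here by the "unsupported" branch.

```python
import hashlib
import hmac
import struct

# Constructed sample values for the demonstration; not taken from the thread.
SHARED_SECRET = b"example-shared-secret"
USERNAME = b"alice"
PASSWORD = b"correct horse battery staple"

# RADIUS attribute types (RFC 2865).
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_CHAP_PASSWORD = 3
ATTR_CHAP_CHALLENGE = 60
CODE_ACCESS_REQUEST = 1


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-octet blocks, XOR each block with
    MD5(secret + previous block), the first "previous block" being the
    Request Authenticator. The server can reverse this, so it sees cleartext."""
    if len(password) > 128:
        raise ValueError("RFC 2865 limits User-Password to 128 octets")
    padded = password + b"\x00" * ((-len(password)) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide; strips the null padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 s5.3 / RFC 1994: CHAP-Password = Ident || MD5(Ident || password || challenge).
    Only a digest crosses the wire; the shared secret plays no part in it."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one attribute (length covers the header)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def access_request(identifier: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) then attributes."""
    return struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def build_pap_request(username, password, secret, authenticator, identifier=1) -> bytes:
    attrs = attr(ATTR_USER_NAME, username) + attr(ATTR_USER_PASSWORD, pap_hide(password, secret, authenticator))
    return access_request(identifier, authenticator, attrs)


def build_chap_request(username, password, challenge, authenticator, ident=7, identifier=2) -> bytes:
    attrs = (attr(ATTR_USER_NAME, username)
             + attr(ATTR_CHAP_PASSWORD, chap_response(ident, password, challenge))
             + attr(ATTR_CHAP_CHALLENGE, challenge))
    return access_request(identifier, authenticator, attrs)


def parse_packet(packet: bytes):
    """Return (code, authenticator, {attr_type: value}) for a single-valued packet."""
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    authenticator = packet[4:20]
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, authenticator, attrs


def server_check(packet: bytes, secret: bytes, stored_password: bytes):
    """What a RADIUS server does with each method. Returns (accepted, method)."""
    _code, authenticator, attrs = parse_packet(packet)
    if ATTR_USER_PASSWORD in attrs:
        # PAP: undo the hiding with the shared secret, compare cleartext.
        recovered = pap_reveal(attrs[ATTR_USER_PASSWORD], secret, authenticator)
        return hmac.compare_digest(recovered, stored_password), "PAP"
    if ATTR_CHAP_PASSWORD in attrs:
        # CHAP: recompute the digest from the stored password and the challenge
        # (the challenge defaults to the Request Authenticator if attribute 60 is absent).
        challenge = attrs.get(ATTR_CHAP_CHALLENGE, authenticator)
        ident = attrs[ATTR_CHAP_PASSWORD][0]
        expected = chap_response(ident, stored_password, challenge)
        return hmac.compare_digest(attrs[ATTR_CHAP_PASSWORD], expected), "CHAP"
    # MS-CHAPv2 (vendor-specific attributes) and EAP (EAP-Message) need their own handling.
    return False, "unsupported"
```

Running the two builders against `server_check` shows the asymmetry: the PAP packet is accepted only when the server's shared secret matches (it is needed to unhide the password), while the CHAP packet is accepted only when the server holds a password it can feed into the same MD5 computation; nothing in the PAP packet can be reused to satisfy a CHAP-only policy, which is why a PAP-only test tool fails against such a policy even though the user and password are correct.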