Netgate Discussion Forum

    IPsec multiple Phase 2

    IPsec
    14 Posts 3 Posters 701 Views
    • 0x44 @keyser

      @keyser I understand now. I'm in the process of configuring RADIUS. Really appreciate your support!

      • 0x44

        I wasn't able to configure a static VPN pool IP assignment using the method where the IP is set in the EAP-Secret section; the IP address was assigned dynamically every time the user logged in.
        However, assigning a static IP via the RADIUS Framed-IP-Address attribute works perfectly. It's a reliable and effective way to ensure users always get the same IP.

        @keyser Thanks for help!

        • keyser @0x44

          @0x44 Yeah, the EAP-secret assignment model is flaky, as it doesn't work with Windows clients. If you are only working with a few clients, the RADIUS Framed-IP model is great, but if you have a lot of clients I can really recommend the IP-Pool group model and returning the Class attribute instead. Then you don't have to micromanage every single client, and it works spectacularly great.
          After I got Netgate to push that feature into pfSense+ it has become an entirely new and really GREAT contender for large-scale VPN deployments. I have a customer with several thousand users where we have replaced VERY costly Cisco appliances with a "cheap" 8300 appliance and no license costs, and are now using built-in OS VPN clients and EntraID 2FA authentication. They love it :-)

          Love the no fuss of using the official appliances :-)

          • SteveITS @keyser

            @keyser Can I ask where Class is? A while back we set up one with a few users, and used the "IPv4 Network Configuration" setting on the user. Not that we need to change, just curious.

            Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
            When upgrading, allow 10-15 minutes to reboot, or more depending on packages, and device or disk speed.
            Upvote 👍 helpful posts!

            • keyser @SteveITS

              @SteveITS Class is a RADIUS standard attribute you can ask the RADIUS server that authenticates the VPN user to return along with the "accept" message. If the string value of the attribute equals the IP Pool Group name you configured in pfSense, the VPN user is assigned an IP address from the specified IP pool instead of the default VPN virtual pool you have configured on the Mobile VPN setup page.


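Added example (not code from the thread, pfSense or FreeRADIUS): how a NAS-side consumer of a RADIUS Access-Accept would apply the two attributes discussed above, Framed-IP-Address for 0x44's static-IP method and Class matching an IP Pool Group name for keyser's pool model, after verifying the Response Authenticator so a spoofed or tampered reply cannot steer addressing. The shared secret, request authenticator, sample IP and pool group names are constructed placeholders.

```python
import hashlib
import socket
import struct

ACCESS_ACCEPT = 2
FRAMED_IP_ADDRESS = 8   # RFC 2865 attribute type 8: 4-byte IPv4 address
CLASS = 25              # RFC 2865 attribute type 25: opaque string echoed in accounting
NAS_ASSIGNS = {"255.255.255.255", "255.255.255.254"}  # RFC 2865: "NAS picks", not a static IP

def build_access_accept(ident, request_auth, secret, attrs):
    # Test-data builder: header, then Response Authenticator, then the attribute list.
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def verify_response_authenticator(packet, request_auth, secret):
    # RFC 2865 s3: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest() == packet[4:20]

def parse_attributes(packet):
    # Walk the (type, length, value) list that follows the fixed 20-byte header.
    attrs, pos = [], 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((atype, bytes(packet[pos + 2:pos + alen])))
        pos += alen
    return attrs

def select_address_source(packet, request_auth, secret, pool_groups):
    """Precedence as described in the thread: Framed-IP-Address -> static IP; Class equal to a
    pfSense IP Pool Group name -> that pool; otherwise the default mobile-clients virtual pool."""
    if packet[0] != ACCESS_ACCEPT or not verify_response_authenticator(packet, request_auth, secret):
        return ("reject", None)   # unauthenticated reply must never steer addressing
    attrs = parse_attributes(packet)
    for atype, value in attrs:
        if atype == FRAMED_IP_ADDRESS and len(value) == 4:
            ip = socket.inet_ntoa(value)
            if ip not in NAS_ASSIGNS:
                return ("static", ip)
    for atype, value in attrs:
        if atype == CLASS and value.decode("ascii", "replace") in pool_groups:
            return ("pool", value.decode("ascii"))
    return ("default", None)

SECRET = b"constructed-shared-secret"  # constructed placeholder, as are REQ_AUTH and the pool names
REQ_AUTH = bytes(range(16))
POOL_GROUPS = {"SalesPool", "EngineeringPool"}
STATIC_REPLY = build_access_accept(1, REQ_AUTH, SECRET, [(FRAMED_IP_ADDRESS, socket.inet_aton("10.20.0.15"))])
POOL_REPLY = build_access_accept(2, REQ_AUTH, SECRET, [(CLASS, b"SalesPool")])
```

A reply carrying Framed-IP-Address 255.255.255.254 falls through to the Class check, since RFC 2865 reserves that value to mean the NAS should choose the address.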
              • SteveITS @keyser

                @keyser Is it in the FreeRADIUS package though? I've clicked around and may be blind but am not seeing it. I did find a forum post from 2015 mentioning it though. :)


                • keyser @SteveITS

                  @SteveITS I'm 100% sure that FreeRADIUS can do it - it's very standard (for decades) RADIUS behavior. But I don't know if it's available as a GUI option in the FreeRADIUS package for pfSense. Most likely it's something you have to configure as an advanced return setting on the user object or somewhere similar. I'm sure Google can help here…
                  I use Microsoft NPS for my RADIUS needs in this case because that offers the Azure 2FA integration that requires the users to authenticate in their "Microsoft Authenticator app" on their mobile phones to establish a VPN connection.


                  • SteveITS @keyser

                    @keyser OK thanks. I will table it until needed then. I did try searching and didn't find much. It's probably just not in the package.


                    • keyser @SteveITS

                      @SteveITS It's there - it's only a question of how to use it. I have done some FreeRADIUS config previously, and I had FreeRADIUS return an Aruba hardware-specific RADIUS attribute to the access points. When I did that, all I had to do was use this field on the user object in FreeRADIUS:

                      [image: e08f3713-1639-4002-826f-032b76fa57f2-image.png]


                      • SteveITS @keyser

                        @keyser Ah. Silly me, I was looking for "class" :)


                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.