Netgate Discussion Forum

    CP authentication against freeradius fails - password encryption problem?

    factorx wrote:

      Hi,

      I've got a pfsense 1.0.1 box running that I want to use as Captive Portal for a WLAN subnet. Also I have a Freeradius 1.1.6 on an external network that I want to use as authentication server for the portal.
      We're using this freeradius for 802.1x EAP-TTLS and Cisco-VPN so it works just fine, at least for those appliances.
      The usernames and passwords that are to be checked by freeradius/CP are stored in LDAP in plaintext.

      So I set up the Captive Portal to use that remote radius server, entered the secret, but if I try to authenticate in that network via CP with 100% correct user credentials, the authentication process fails.

      The freeradius log says:

      Auth: Login incorrect (rlm_ldap: Bind as user failed): [my_username] (from client pfsensebox port 1 cli 00:17:f2:xx:yy:zz)
      

      As I said, the same username/password works fine with all other radius clients, so I'm wondering what's wrong in this case. So I guess freeradius expects another encryption, or rather another password authentication protocol. Maybe my freeradius is misconfigured…

      What can I do?

      Here is an excerpt from my radiusd.conf

      modules {
              pap {
                      encryption_scheme = crypt
              }

              chap {
                      authtype = CHAP
              }

              pam {
                      pam_auth = radiusd
              }

              $INCLUDE ${confdir}/eap.conf

              mschap {
                      authtype = MS-CHAP
                      use_mppe = yes
                      require_encryption = yes
              }

              ldap {
                      server = "myldapserver.de"
                      basedn = "mydn"
                      filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                      start_tls = no
                      access_attr = "uid"
                      dictionary_mapping = ${raddbdir}/ldap.attrmap
                      ldap_connections_number = 5
                      password_attribute = userPassword
                      timeout = 4
                      timelimit = 3
                      net_timeout = 1
              }
      }       # closing brace of the modules section (other modules omitted from this excerpt)

      authorize {
              auth_log
              chap
              mschap
              suffix
              eap
              ldap
              files
              daily
              pap
      }

      authenticate {
              Auth-Type PAP {
                      pap
              }
              Auth-Type CHAP {
                      chap
              }
              Auth-Type MS-CHAP {
                      mschap
              }
              Auth-Type LDAP {
                      ldap
              }
              eap
      }

      factorx wrote:

        I just made a dump of the debugging output from radiusd -x and marked the probably relevant lines.
        Note that "?+@¬ÇÀcV?Ð?^w_?Ý" is actually not my password but it's what freeradius expects it to be since the CP sends something like that.

        rad_recv: Access-Request packet from host 111.222.333.444:56974, id=231, length=131
                NAS-IP-Address = 111.222.333.444
                NAS-Identifier = "pfsense.local"
                User-Name = "my_username"
                User-Password = "\022+@\254\307\300cV\003\320\031^w_\025\335"
                Service-Type = Login-User
                NAS-Port-Type = Ethernet
                NAS-Port = 1
                Framed-IP-Address = 192.168.23.200
                Called-Station-Id = "00:01:02:xx:yy:zz"
                Calling-Station-Id = "00:17:f2:xx:yy:zz"
        rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
        rlm_ldap: - authorize
        rlm_ldap: performing user authorization for my_username
        rlm_ldap: ldap_get_conn: Checking Id: 0
        rlm_ldap: ldap_get_conn: Got Id: 0
        rlm_ldap: (re)connect to ldapserver.mydomain.de:389, authentication 0
        rlm_ldap: bind as / to ldapserver.mydomain.de:389
        rlm_ldap: waiting for bind result …
        rlm_ldap: Bind was successful
        rlm_ldap: checking if remote access for my_username is allowed by uid
        rlm_ldap: looking for check items in directory...
        rlm_ldap: Adding uid as User-Name, value my_username & op=21
        rlm_ldap: looking for reply items in directory...
        rlm_ldap: Setting Auth-Type = ldap
        rlm_ldap: user my_username authorized to use remote access
        rlm_ldap: ldap_release_conn: Release Id: 0
        rlm_ldap: - authenticate
        rlm_ldap: login attempt by "my_username" with password "?+@¬ÇÀcV?Ð?^w_?Ý"
        rlm_ldap: user DN: uid=my_username,ou=People,...
        rlm_ldap: (re)connect to ldapserver.mydomain.de:389, authentication 1
        rlm_ldap: bind as uid=my_username,ou=People,…/?+@¬ÇÀcV?Ð?^w_?Ý to ldapserver.mydomain.de:389
        rlm_ldap: waiting for bind result ...
        rlm_ldap: Bind failed with invalid credentials

        Login incorrect (rlm_ldap: Bind as user failed): [my_username] (from client pfsensebox port 1 cli 00:17:f2:xx:yy:zz)
        rad_recv: Access-Request packet from host 111.222.333.444:56974, id=231, length=131
        Sending Access-Reject of id 231 to 111.222.333.444 port 56974

        pierotr wrote:
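The User-Password attribute in the dump above is not a hash: a RADIUS client hides the PAP password with MD5 keyed by the shared secret (RFC 2865 section 5.2) and the server reverses it with its own copy of the secret. There is no integrity check on that step, so when the two secrets differ the server silently recovers a 16-byte multiple of pseudo-random bytes and hands that to rlm_ldap, which is the shape of the value in the log; the client entry for the pfSense box in clients.conf is therefore worth comparing against the secret entered in the Captive Portal page. The following example is added here and is not code from the thread or from FreeRADIUS; the password, secrets and Request Authenticator are constructed values.

```python
import hashlib
BLOCK = 16  # RFC 2865 hides User-Password in 16-byte blocks

def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a PAP password as the NAS does (RFC 2865 section 5.2): each 16-byte block
    of the zero-padded password is XORed with MD5(secret + previous block), where the
    first "previous block" is the packet's 16-byte Request Authenticator."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    hidden, prev = bytearray(), authenticator
    for i in range(0, len(padded), BLOCK):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], key))
        hidden += prev
    return bytes(hidden)

def recover_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Undo the hiding as the server does. There is no integrity check: with a
    different shared secret this still returns data, but it is pseudo-random bytes."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    plain, prev = bytearray(), authenticator
    for i in range(0, len(hidden), BLOCK):
        key = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(hidden[i:i + BLOCK], key))
        prev = hidden[i:i + BLOCK]
    return bytes(plain).rstrip(b"\x00")

def escape_like_freeradius(data: bytes) -> str:
    """Approximate the debug rendering seen in the thread: printable ASCII as is,
    other bytes as three-digit octal escapes such as \\022."""
    return "".join(chr(b) if 0x20 <= b < 0x7F and b not in (0x22, 0x5C)
                   else f"\\{b:03o}" for b in data)

def demo(password=b"correct-horse", nas_secret=b"right-secret", server_secret=b"wrong-secret"):
    """Constructed scenario: the NAS hides with one secret, the server recovers with another."""
    authenticator = bytes(range(BLOCK))  # constructed, fixed so the run is reproducible
    on_the_wire = hide_user_password(password, nas_secret, authenticator)
    matched = recover_user_password(on_the_wire, nas_secret, authenticator)
    mismatched = recover_user_password(on_the_wire, server_secret, authenticator)
    return matched, mismatched

if __name__ == "__main__":
    ok, garbage = demo()
    print("secrets match  ->", escape_like_freeradius(ok))
    print("secrets differ ->", escape_like_freeradius(garbage))
```

Run it and compare the second line with the `User-Password = "\022+@..."` line in the dump: a readable value there means the secrets match and the problem is elsewhere (for example the LDAP bind itself).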

          I have the same problem. I have a freeradius server which authenticates users from Active Directory using EAP-TLS authentication. I want to configure pfSense captive portal to authenticate against the Freeradius server but user authentication fails.
          I think the problem is that captive portal misses EAP-TLS authentication.
          Is there any configuration?
