Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    CP authentication against freeradius fails - password encryption problem?

    Scheduled Pinned Locked Moved Captive Portal
    3 Posts 2 Posters 8.0k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • F
      factorx
      last edited by

      Hi,

      I've got a pfsense 1.0.1 box running that I want to use as Captive Portal for a WLAN subnet. Also I have a Freeradius 1.1.6 on an external network that I want to use as authentication server for the portal.
      We're using this freeradius for 802.1x EAP-TTLS and Cisco-VPN so it works just fine, at least for those appliances.
      The usernames and passwords that are to be checked by freeradius/CP are stored in LDAP in plaintext.

      So I set up the Captive Portal to use that remote radius server, entered the secret, but if I try to authenticate in that network via CP with 100% correct user credentials, the authentication process fails.

      The freeradius log says:

      Auth: Login incorrect (rlm_ldap: Bind as user failed): [my_username] (from client pfsensebox port 1 cli 00:17:f2:xx:yy:zz)

      As I said, the same username/password works fine with all other radius clients, so I'm wondering what's wrong in this case. So I guess freeradius expects another encryption, respectively another password authentication protocol. Maybe my freeradius is misconfigured…

      What can I do?

      Here is an excerpt from my radiusd.conf

      
modules {

        pap {
                encryption_scheme = crypt
        }

        chap {
                authtype = CHAP
        }

        pam {
                pam_auth = radiusd
        }

        $INCLUDE ${confdir}/eap.conf

        mschap {
                authtype = MS-CHAP
                use_mppe = yes
                require_encryption = yes
        }

        ldap {
                server = "myldapserver.de"
                basedn = "mydn"
                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                start_tls = no
                access_attr = "uid"
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 5
                password_attribute = userPassword
                timeout = 4
                timelimit = 3
                net_timeout = 1
        }

authorize {
        auth_log
        chap
        mschap
        suffix
        eap
        ldap
        files
        daily
        pap
}

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        Auth-Type LDAP {
                ldap
        }
        eap
}
      1 Reply Last reply Reply Quote 0
      • F
        factorx
        last edited by

        I just made a dump of the debugging output from radiusd -x and marked the probably relevant lines.
        Note that "?+@¬ÇÀcV?Ð?^w_?Ý" is actually not my password but it's what freeradius expects it to be since the CP sends something like that.

        rad_recv: Access-Request packet from host 111.222.333.444:56974, id=231, length=131
                NAS-IP-Address = 111.222.333.444
                NAS-Identifier = "pfsense.local"
                User-Name = "my_username"
                User-Password = "\022+@\254\307\300cV\003\320\031^w_\025\335"
                Service-Type = Login-User
                NAS-Port-Type = Ethernet
                NAS-Port = 1
                Framed-IP-Address = 192.168.23.200
                Called-Station-Id = "00:01:02:xx:yy:zz"
                Calling-Station-Id = "00:17:f2:xx:yy:zz"
        rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
        rlm_ldap: - authorize
        rlm_ldap: performing user authorization for my_username
        rlm_ldap: ldap_get_conn: Checking Id: 0
        rlm_ldap: ldap_get_conn: Got Id: 0
        rlm_ldap: (re)connect to ldapserver.mydomain.de:389, authentication 0
        rlm_ldap: bind as / to ldapserver.mydomain.de:389
        rlm_ldap: waiting for bind result …
        rlm_ldap: Bind was successful
        rlm_ldap: checking if remote access for my_username is allowed by uid
        rlm_ldap: looking for check items in directory...
        rlm_ldap: Adding uid as User-Name, value my_username & op=21
        rlm_ldap: looking for reply items in directory...
        rlm_ldap: Setting Auth-Type = ldap
        rlm_ldap: user my_username authorized to use remote access
        rlm_ldap: ldap_release_conn: Release Id: 0
        rlm_ldap: - authenticate
        rlm_ldap: login attempt by "my_username" with password "?+@¬ÇÀcV?Ð?^w_?Ý"
        rlm_ldap: user DN: uid=my_username,ou=People,...
        rlm_ldap: (re)connect to ldapserver.mydomain.de:389, authentication 1
        rlm_ldap: bind as uid=my_username,ou=People,…/?+@¬ÇÀcV?Ð?^w_?Ý to ldapserver.mydomain.de:389
        rlm_ldap: waiting for bind result ...
        rlm_ldap: Bind failed with invalid credentials
        Login incorrect (rlm_ldap: Bind as user failed): [my_username] (from client pfsensebox port 1 cli 00:17:f2:xx:yy:zz)
        rad_recv: Access-Request packet from host 111.222.333.444:56974, id=231, length=131
        Sending Access-Reject of id 231 to 111.222.333.444 port 56974

        1 Reply Last reply Reply Quote 0
        • P
          pierotr
          last edited by

          I have the same problem. I have a freeradius Server which authenticates users from Active Directory using  EAP-TLS authentication. I want configure pfSense captive portal to authenticate against Freeradius server but user authentication fails.
          I think  the  problem is that captive portal misses EAP-TLS authentication.
          Is there any configuration ?

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.