Freeradius2 and wifi controller
-
Hi
I am trying to set up freeradius2 on a pfsense as a radius server for my wifi controller.
Locally all works fine, I mean when using pfsense vlans.
When I try to log in through my wifi and check the logs I see this (both IPs are on the same subnet):
radiusd[11880]: Ignoring request to authentication address IP-WAN-on-pfsense port 1812 from unknown client IP-of-my-controller port 41978
Here is the result of a test:
$ radtest michal abc IP-WAN-on-pfsense 10 klucz
Sending Access-Request of id 8 to 66.234.240.134 port 1812
User-Name = "michal"
User-Password = "abc"
NAS-IP-Address = 192.168.1.1
NAS-Port = 10
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 66.234.240.134 port 1812, id=8, length=70
WISPr-Bandwidth-Max-Up = 1536000
WISPr-Bandwidth-Max-Down = 1024000
WISPr-Redirection-URL = "http://www.cnn.com"
That is what I have on my controller side
-
I think you need to enable 802.1x since your AP doesn't appear to have WPA2 Enterprise.
-
It would be interesting to see your freeradius2 configuration, at least your "NAS/Clients" configuration.
The message "from unknown client IP-of-my-controller port 41978" looks like you haven't configured the "client IP-of-my-controller" on freeradius "NAS/Clients".
Or a misconfigured shared secret (or a special character which is not allowed/misinterpreted).
If you have NAT between your wifi controller and pfsense this could be a problem, too.
-
This is a test environment so I will share real info.
Key is 100% correct, you can even try.
There is no NAT, both are on the same subnet with public IP.
I am listening only on 66.234.240.134 on ports 1812 and 1813
"client IP-of-my-controller" is different than radius sitting on pfsense (using the same IP for both)
/usr/pbi/freeradius-amd64/local/etc/raddb/clients.conf
client "klucz" {
ipaddr = 66.234.240.134
proto = udp
secret = klucz
require_message_authenticator = no
max_connections = 16
shortname = klucz
nastype = other
login = !root
password = someadminpass
}
-
I am not sure if I understand you correctly.
Is your freeradius listening on the same IP as the IP of the NAS (66.234.240.134)?
Then for me it looks as if the NAS is on pfsense itself !?!? Then use the loopback IP (127.0.0.1).
What looks a little bit strange is this from your first post:
NAS-IP-Address = 192.168.1.1
which is different than your public NAS IP.
-
I must have messed up sth. Correct, I don't know why NAS-IP-Address = 192.168.1.1 is showing, I can't find that in my config files. That IP is a gateway from the default pfsense LAN interface.
What I want to achieve is authorization using WAN interface between pfsense radius plugin and wifi controller which is also in the same subnet. Everything else should be disabled.
-
Then there seems to be NAT somewhere in your network.
-
Not sure what to change, just to recap
66.234.240.134 is my WAN address
66.234.240.132 is my controller
192.168.1.1 is my LAN gateway that I don't want to involve in this setup at all and it shows up as my address during the radtest
I believe my setup should be
client "klucz" {
ipaddr = 66.234.240.132
proto = udp
secret = klucz
require_message_authenticator = no
max_connections = 16
shortname = klucz
nastype = other
### login = !root ###
### password = someadminpass ###
}
Currently I listen on * ports 1812 and 1813
There is a rule on my WAN interface
IPv4 TCP/UDP 66.234.240.132 * WAN address 1812 (RADIUS) * none radius
I have one user for test that works
How can I get rid of that wrong NAS IP playing with the NAT?
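-
An added example, not part of the thread and not FreeRADIUS code: a simplified model of the check behind the "unknown client" log message, where the packet's source address has to match the ipaddr of some client block in clients.conf. The helper names (parse_clients, match_client, unknown_sources) are hypothetical, and the config snippets and log line are constructed from the addresses posted in the thread.

```python
import ipaddress
import re

# Simplified stand-in for the lookup radiusd does on each packet: the UDP
# source address must fall inside some client's ipaddr (plus optional netmask).
CLIENT_RE = re.compile(r'client\s+"?([^\s"{]+)"?\s*\{(.*?)\}', re.S)
LOG_RE = re.compile(r"from unknown client (\S+) port \d+")

def parse_clients(text):
    """Return {client name: ip_network} for every client block in the text."""
    clients = {}
    for name, body in CLIENT_RE.findall(text):
        opts = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()   # drop comments
            if "=" in line:
                key, value = (p.strip() for p in line.split("=", 1))
                opts[key] = value
        if "ipaddr" in opts:
            addr = opts["ipaddr"]
            if "/" not in addr and "netmask" in opts:
                addr += "/" + opts["netmask"]
            clients[name] = ipaddress.ip_network(addr, strict=False)
    return clients

def match_client(clients, source_ip):
    """Name of the most specific client covering source_ip, or None."""
    src = ipaddress.ip_address(source_ip)
    hits = [(net.prefixlen, name) for name, net in clients.items() if src in net]
    return max(hits)[1] if hits else None

def unknown_sources(log_text):
    """Source addresses radiusd rejected as 'unknown client'."""
    return LOG_RE.findall(log_text)

# Constructed from the thread: first and second clients.conf attempts.
FIRST = 'client "klucz" {\nipaddr = 66.234.240.134\nsecret = klucz\n}'
SECOND = 'client "klucz" {\nipaddr = 66.234.240.132\nsecret = klucz\n### login = !root ###\n}'
# Constructed log line using the controller address given later in the thread.
LOG = ("radiusd[11880]: Ignoring request to authentication address "
       "66.234.240.134 port 1812 from unknown client 66.234.240.132 port 41978")

if __name__ == "__main__":
    for src in unknown_sources(LOG):
        for label, conf in (("first", FIRST), ("second", SECOND)):
            print(label, src, "->", match_client(parse_clients(conf), src))
```

With the first client block only the server's own address 66.234.240.134 matches, so a request arriving from the controller is dropped as unknown; the second block matches the controller's address.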