RADIUS user can't log in to webGUI
-
I'm using pfsense version 2.4.4-p3 with the freeradius3 0.15.7_6 package.
I followed a few tutorials on setting up RADIUS for webGUI authentication, including this one:
https://forum.netgate.com/topic/135424/solved-two-factor-authentication-for-admin-login/18
I have not been successful in logging in with a RADIUS user even though the RADIUS user can pass the Diagnostics / Authentication test with the appropriate (admins) group membership.
I get the following error from the pfsense console:
pfSense php-fpm[10285]: /index.php: webConfigurator authentication error for user
And on the webGUI I get:
Username or Password incorrect
When logging into the webGUI with a RADIUS user and watching radiusd -X output, I only get the webConfigurator authentication error message.
Also, radtest gives an Access-Accept message when run on the pfsense console using the local loopback address.
Any help is greatly appreciated.
-
Have you added the router itself as a NAS?
-
Yes, I have. Does the computer I'm using to access the webGUI need a RADIUS profile?
-
No need to do the PC you’re trying to connect to the web gui from.
-
Can you post the output from radsniff -x? You should see something like this:-
[2.4.4-RELEASE][admin@pfsense]/root: radsniff -x
Logging all events
Defaulting to capture on all interfaces
Sniffing on (igb0 pppoe0 igb1 ovpnc1 igb0.2 ovpnc2 igb0.3 ovpnc3 igb0.4 igb0.5 igb0.6 igb0.7 igb0.9 igb0.11 lo0 pflog0 igb2 igb3 igb4 igb5)
2019-12-11 13:44:00.284515 (1) Access-Request Id 83 lo0:127.0.0.1:48339 -> 127.0.0.1:1812 +0.000
    User-Name = "andy"
    NAS-IP-Address = 172.16.0.1
    Service-Type = Login-User
    NAS-Identifier = "pfsense"
    MS-CHAP-Challenge = 0xa32ac614148ecadb89e307a02437a142
    MS-CHAP2-Response = 0x0101562df25e78a75af3bc4f6e950d625f750000000000000000f8c09de6c2cdaf818c228c248333eb258ab18c53cc787a41
    Authenticator-Field = 0xbe350167349920546a5dfc401fc4e2b5
2019-12-11 13:44:00.285487 (2) Access-Accept Id 83 lo0:127.0.0.1:48339 <- 127.0.0.1:1812 +0.000 +0.000
    Service-Type = Administrative-User
    Class = 0x61646d696e73
    MS-MPPE-Encryption-Policy = Encryption-Allowed
    MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
    MS-CHAP2-Success = 0x01533d46423631444539313832364444413230303634443737443036303744394537303542303337413837
    Attr-26.311.17 = 0x804d5544b47493751c6f89a0deba54ad2bb9d7fff4e028f6629b4a97a29bb9bc236e
    Attr-26.311.16 = 0x8bc931710bfe5454b38c79f2b995734ef2f72e82859cc28e698c30e58f8ab8683ed8
    Authenticator-Field = 0x61bb09cc4e01d003dfcf838eb451fe59
Message from syslogd@pfsense at Dec 11 13:44:00 ...
pfsense php-fpm[99209]: /index.php: Successful login for user 'andy from: 172.16.2.20 (RADIUS/Local RADIUS Database)
2019-12-11 13:44:05.485487 (1) Cleaning up request packet ID 8
Also does the top of your virtual-server-default look like this:-
server default {
listen {
    type = auth
    ipaddr = *
    port = 1812
}
listen {
    type = acct
    ipaddr = *
    port = 1813
}
listen {
    type = auth
    ipv6addr = *
    port = 1812
}
listen {
    type = acct
    ipv6addr = *
    port = 1813
}
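To read a capture like the one above, this added example (not part of the original post) parses radsniff -x text, pairs each Access-Request with its reply by Id, and decodes the hex Class attribute, which is where pfSense takes RADIUS group names from. The sample input is constructed in the format shown above, and the function names are hypothetical.

```python
import re

# Constructed sample, trimmed to the radsniff -x layout shown in the post above.
SAMPLE = """\
2019-12-11 13:44:00.284515 (1) Access-Request Id 83 lo0:127.0.0.1:48339 -> 127.0.0.1:1812 +0.000
\tUser-Name = "andy"
\tNAS-IP-Address = 172.16.0.1
\tService-Type = Login-User
2019-12-11 13:44:00.285487 (2) Access-Accept Id 83 lo0:127.0.0.1:48339 <- 127.0.0.1:1812 +0.000 +0.000
\tService-Type = Administrative-User
\tClass = 0x61646d696e73
"""

HEADER = re.compile(r"\((\d+)\) (Access-\w+) Id (\d+) \S+ (->|<-) ")
ATTR = re.compile(r"^\s+([\w.-]+) = (.+)$")

def parse_radsniff(text):
    """Return a list of packets ({'code', 'id', 'attrs'}) from radsniff -x text."""
    packets = []
    for line in text.splitlines():
        h = HEADER.search(line)
        if h:
            packets.append({"code": h.group(2), "id": int(h.group(3)), "attrs": {}})
            continue
        a = ATTR.match(line)  # indented "Name = value" lines belong to the last packet
        if a and packets:
            packets[-1]["attrs"][a.group(1)] = a.group(2).strip().strip('"')
    return packets

def decode_class(value):
    """radsniff prints Class as 0x<hex>; decode it to the string it carries."""
    return bytes.fromhex(value[2:]).decode("utf-8", "replace") if value.startswith("0x") else value

def login_report(text, wanted_group="admins"):
    """Pair each request with its reply by Id and report the group the server returned."""
    users, report = {}, []
    for p in parse_radsniff(text):
        if p["code"] == "Access-Request":
            users[p["id"]] = p["attrs"].get("User-Name")
        else:
            group = decode_class(p["attrs"].get("Class", ""))
            report.append({"user": users.get(p["id"]), "result": p["code"],
                           "group": group, "group_ok": group == wanted_group})
    return report

if __name__ == "__main__":
    for row in login_report(SAMPLE):
        print(row)
```

If the report stays empty while the webGUI login fails, no request reached the RADIUS server at all, which matches the symptom described in this thread.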
-
My virtual-server-default looks like what you posted.
When I run radsniff -x and try to authenticate on the webGUI, I get:
pfSense php-fpm[333]: /index.php: webConfigurator authentication error for user 'test' from: xx.xx.xx.xx
It's as if the webGUI will not even try to use the RADIUS database for logins, even though I set the RADIUS server under Authentication Servers (I am using 127.0.0.1 for the Host Name there).
I've tried this on my default setup and on a new VM with the same results.
-
@purple said in RADIUS user can't log in to webGUI:
My virtual-server-default looks like what you posted.
-
I got it to work finally.
I added NAS Clients, with matching Client Shortnames, for the IP address of my router and the machine I use to connect to the webGUI.
I also forgot to set that last bit you just posted when I was testing on my fresh install VM.
Thank you so much for your responses!
-
You're welcome