Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    1. Home
    2. Tags
    3. radius
    Log in to post
    • All categories
    • S

      Using RADIUS server but on which device?
      General pfSense Questions • radius authentication security vpn connection • • Stef_R

      5
      0
      Votes
      5
      Posts
      89
      Views

      S

      @nogbadthebad said in Using RADIUS server but on which device?:

      Out of interest how many access-points do you have ?

      I have a total of 5 Cisco 1700 Series access points connected to the controller

    • T

      OpenVpn with NPS , ensure client health check
      OpenVPN • openvpn client radius openvpn • • tbaror

      1
      0
      Votes
      1
      Posts
      193
      Views

      No one has replied

    • M

      OpenVPN Connect iOs client randomly disconnecting multiple times
      OpenVPN • ios open vpn radius openvpn client • • markedo

      2
      0
      Votes
      2
      Posts
      298
      Views

      K

      @markedo hi , did you have luck resolving this ?

    • J

      captive portal with radius, ACCEPTing username even if NPS has trigger a "deny" policy
      Captive Portal • radius • • jimmychoosshoes

      5
      0
      Votes
      5
      Posts
      305
      Views

      J

      Interestingly I did all my testing with a Windows 10 and Windows 11 laptop until I was happy with my captive portal. I tested at each stage:

      set up captive portal with defaults, no authentication. set up voucher roll and voucher authentication. add SSL certificate (I already use an ACME letsencrypt with pfsense so I added another URL to the SAN for the captive portal) set up radius customise the logon HTML and the "error" HTML

      I was happy that this all worked - only the "edge browser" seems to have an oddity with captive portal (force redirect sorted that and I was going to force redirect to my "company landing page" anyway, chrome and firefox have no issue sending its captive portal check plus redirecting back. Now to test with other devices:

      *Ipad worked fine.
      *Android did not. Android was convinced that it was connected - it attempted a www.gstatic.com/generate_204 which apparently (according to the device) succeeded pre authentication! There was no traffic flow though (good). However I could not get the captive portal page to trigger on an android device, it was convinced that it needed to "sign in" but then would simply say that it was connected.

      I spent quite a lot of time looking at firewall logs, device logs and trying to fathom why the android device was convinced it had a connectivity allowed and I was never shown the captive portal page, I checked everything from DNS (I use pfsense forwarder and there is only one "exception" which is a "disclaimer landing page" simple URL on a local webserver).

      In the end I found that if I "disconnected all users" then this would work. After digging it seems that if I make a change to the pfsense portal settings I need to disconnect all users for my android device to see the captive portal. Most odd.

      Android device is version 12. I have no idea what this will do to the people who have vouchers when I disconnect (radius auth will be irrelevant of course, they can re-sign in.

    • se_marc

      Issue with multi wan & high availability setup - authenticating with radius
      Routing and Multi WAN • radius outbound nat multi wan multiwan high-avail • • se_marc

      4
      0
      Votes
      4
      Posts
      626
      Views

      se_marc

      please see this post for way more information.

    • T

      Source interface for RADIUS auth traffic
      General pfSense Questions • radius carp • • TO2020

      22
      0
      Votes
      22
      Posts
      667
      Views

      T

      @stephenw10
      The AWS side will likely propagate whatever you advertise to it, because I manage both ends and that's just how the virtual private gateway works in AWS.
      I guess there might be a slight risk here, but hopefully AWS won't make a change that reject these routes.

      Of course, ideally I hope that pfSense will allow the source to be configured in a future release of the OS. As far as I know, other firewall vendors are able to do so.

      /Thomas

    • C

      802.1x / Freeradius - Zugriffskontrolle LAN
      Allgemeine Themen • 802.1x radius freeradius ethernet • • cptnftr

      4
      0
      Votes
      4
      Posts
      447
      Views

      C

      Vielen Dank @JeGr @mike69 . Wieder einiges dazu gelernt.. :)

    • S

      Duvidada do Captive portal com Radius
      Portuguese • captiveportal radius • • secesar

      1
      0
      Votes
      1
      Posts
      87
      Views

      No one has replied

    • mohkhalifa

      Windows RADIUS Server
      Captive Portal • windows server windows radius captive portal radius • • mohkhalifa

      20
      0
      Votes
      20
      Posts
      1628
      Views

      J

      Old topic but try this:

      First you need to know the vendor code for PFSENSE which I found in https://github.com/pfsense/pfsense/blob/master/src/usr/share/doc/radius/dictionary.pfsense

      VENDOR pfSense 13644 BEGIN-VENDOR pfSense ATTRIBUTE pfSense-Bandwidth-Max-Up 1 integer ATTRIBUTE pfSense-Bandwidth-Max-Down 2 integer ATTRIBUTE pfSense-Max-Total-Octets 3 integer END-VENDOR pfSense

      Now you can go to your network policy in NPS for the captive portal. Go to:
      SETTINGS, VENDOR SPECIFIC, ADD, "custom", "Vendor specific/Radius standard", ADD,ADD:

      Enter Vendor Code = 13644 Yes it conforms configure Attribute -> 1 for pfSense-Bandwidth-Max-Up with decimal and you bandwidth

      repeat for 2 = pfSense-Bandwidth-Max-Down

      Untested but this should work in theory.

    • mohkhalifa

      Integration of freeRADIUS with MS Active Directory
      pfSense Packages • captive portal freeradius radius bandwidth • • mohkhalifa

      1
      0
      Votes
      1
      Posts
      201
      Views

      No one has replied

    • D

      FreeRadius / EAP-TLS: Client certificate cannot be found
      General pfSense Questions • radius eap-tls certificate • • DaveU

      26
      0
      Votes
      26
      Posts
      2797
      Views

      D

      After playing around for a little while I made an interesting discovery that I have not been able to find an explanation to...

      FreeRadius EAP Settings has a check box "Check Client Certificate CN" ("When enabled, the Common Name of the client certificate must match the username set in 'FreeRADIUS > Users'").

      When using a certificate to authenticate, it seems to me that the certificate CN would NOT be checked against the Users database. Regardless of the users I have added, I always get error messages like below when I have that check box checked:

      Nov 30 17:33:15 radiusd 1388 tls: Certificate CN (K14) does not match specified value (host/K14)! Nov 30 17:33:15 radiusd 1388 tls: TLS_accept: Error in error Nov 30 17:33:15 radiusd 1388 (4) Login incorrect (Failed retrieving values required to evaluate condition): [host/K14/<via Auth-Type = eap>] (from client SW21 port 2 cli xx-xx-xx-xx-xx-xx) host/K14 -

      So far I have not been able to figure how to effectively enable the client cert. CN check.

      I wonder if this is also some stupid beginner's mistake, or is this something else?

      And where does this "host/" prefix come from? At least it seems to be independent of the 802.1X authentication mode in the client (User vs. computer authentication)...

      When the check box is not checked, authentication with the certificate succeeds without any problems.

      FWIW, Radius debug log reveals:

      (2) files: users: Matched entry host/K14 at line 2 (2) [files] = ok

      ...so it seems that it indeed performs the check against user database where I have an entry "host/K14".

    • K

      pfSense 2.4.4-p3 Unable to retrieve package information
      Installation and Upgrades • package manager installation squidguard radius • • kenj05

      1
      0
      Votes
      1
      Posts
      218
      Views

      No one has replied

    • ?

      FreeRADIUS3: Starting up too late for IPSEC?
      pfSense Packages • radius freeradius ipsec • • A Former User

      1
      0
      Votes
      1
      Posts
      235
      Views

      No one has replied

    • E

      pfsense / openvpn / radius / sbs 2011 - integration
      OpenVPN • pfsense firewal openvpn problem radius authentication • • eidolontubes

      4
      0
      Votes
      4
      Posts
      549
      Views

      E

      In case this will help any one else, I've figured this out....

      Here is a link on how to find the logs for NPS...

      https://social.technet.microsoft.com/Forums/windows/en-US/45aa3000-c32b-483b-8d6e-565b56b163fc/how-to-check-the-nps-logs-in-the-event-viewer?forum=winserverNAP

      Basically there are text file logs in c:\Windows\System32\LogFiles\In* , or you can check in Event Viewer under Diagnostics -> Event Viewer -> Custom Views -> Server Roles -> Network Policy.

      In my case, the problem users were set to "Deny Access" under the "Dial In" tab of the user properties in AD Users & Computers. Setting to Allow Access fixed it up.

      If you don't see the "Dial In" tab, this may be of help :

      https://support.microsoft.com/en-ca/help/975448/the-dial-in-tab-is-not-available-in-the-active-directory-users-and-com

      For me, I had to be on the server to get that tab, not accessing Active Directory Users and Computers on another PC.

      Hope this will help someone else.

      Thanks, Derelict for pointing me in the right direction!