    Netgate Discussion Forum

    OPENVPN on RADIUS

    OpenVPN
    • Jamerson

      Dear All,
      we are building a new infra using a RADIUS server on Active Directory.
      The situation is as follows:
      the LAN of the pfSense is 192.168.1.1; on that physical adapter we created 4 different VLANs,
      VLAN 10, 20, 30, 40,
      so the network 192.168.1.0/24 is not active on the network.
      Active Directory is on VLAN 20; from the Active Directory I can access the pfSense using each of the IPs of VLANs 20/10/30/40 and even 192.168.1.1.
      I have followed the instructions at https://doc.pfsense.org/index.php/OpenVPN_with_RADIUS_via_Active_Directory, which I've done many times, but today it does not want to authenticate a user who is a member of the group VPN users.
      Can someone please advise me how to get this fixed?
      I am out of options.

      Edit: I just created an LDAP server too, but the authentication does not reach the destination.
      I have disabled the local firewall of the domain controller, removed the antivirus, and nothing helps.
      On the LAN side 192.168.1.1 there are allow rules any to any.
      Please help.

      Thank you

      • Derelict (LAYER 8, Netgate)

        Can you authenticate using Diagnostics > Authentication?

        If not, fix that before you mess around with the VPN.

        Chattanooga, Tennessee, USA
        The pfSense Book is free of charge!
        DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • Jamerson

          @Derelict:

          Can you authenticate using Diagnostics > Authentication?

          If not, fix that before you mess around with the VPN.

          I can't get the authentication passed;
          this happened after we updated the firewall to the latest updates.
          What could block the authentication?

          • Derelict

            Incorrect configuration.

            • Jamerson

              @Derelict:

              Incorrect configuration.

              I've done this many times and it works fine;
              the only issue now is that when the domain controller is on a VLAN, the authentication does not work.

              I have LAN 1. >>>> VLAN 20
                                  >>>> VLAN 10

              The domain controller is on VLAN 10 and can't really check the authentication.
              LAN is 192.168.1.0/24
              VLAN 10 is 192.168.10.0/24

              When the Active Directory is on the LAN 1 network, the authentication does work.

              am I supposed to allow something here ?

              • Derelict

                Maybe on the domain controller to accept requests from that subnet.

                Unless you have convoluted floating rules, outbound traffic from the firewall (and the reply) will be allowed automatically.

                • Jamerson

                  @Derelict:

                  Maybe on the domain controller to accept requests from that subnet.

                  Unless you have convoluted floating rules, outbound traffic from the firewall (and the reply) will be allowed automatically.

                  From the domain controller the request is allowed from all subnets, the floating rules are empty and there are no rules.
                  Do I have to create one rule there or what?
                  I hope you can help me here.

                  • Derelict

                    What does the test say when you try the authentication in Diagnostics > Authentication?

                    How about the logs on the RADIUS server?

                    Is there a proper RADIUS client defined on the server for the source IP address from the server's perspective?

                    A packet capture (Diagnostics > Packet Capture) filtered on the RADIUS server's IP address and the RADIUS port (UDP/1812 for instance) will show you a lot.

                    Wireshark can decode it:

                    RADIUS Protocol
                        Code: Access-Request (1)
                        Packet identifier: 0xd0 (208)
                        Length: 85
                        Authenticator: 29a29b7e61aa849b6dc4bff6f38fa657
                        [The response to this request is in frame 2]
                        Attribute Value Pairs
                            AVP: l=6 t=NAS-IP-Address(4): 0.0.0.0
                            AVP: l=31 t=NAS-Identifier(32): myradiusserver.example.com
                            AVP: l=10 t=User-Name(1): derelict
                            AVP: l=18 t=User-Password(2): Encrypted

                    RADIUS Protocol
                        Code: Access-Reject (3)
                        Packet identifier: 0xd0 (208)
                        Length: 20
                        Authenticator: d99636900f29588598c6f80d0e6dd368
                        [This is a response to a request in frame 1]

                    • Jamerson
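A decoder for packets like the two shown above, added here as an example (not code from this thread or from pfSense): it parses the RADIUS header and AVPs the way Wireshark displays them and checks the Access-Reject's Response Authenticator against the shared secret, which tells you the reject came from the RADIUS server rather than some other host. The packet bytes and the secret are constructed; only the request authenticator value is taken from the capture above.

```python
"""Decode RADIUS packets as Wireshark shows them and verify a reply's Response
Authenticator (RFC 2865). Added example; packet bytes and secret are constructed."""
import hashlib
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
ATTRS = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 32: "NAS-Identifier"}

def parse_radius(pkt):
    """Return header fields plus (name, value) AVPs."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad RADIUS length field")
    avps, pos = [], 20
    while pos < length:  # each AVP is type(1) length(1) value(length-2)
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad AVP length")
        avps.append((ATTRS.get(t, str(t)), pkt[pos + 2:pos + l]))
        pos += l
    return {"code": CODES.get(code, str(code)), "id": ident, "length": length,
            "authenticator": pkt[4:20].hex(), "avps": avps}

def response_authenticator_ok(request, response, secret):
    """MD5(Code+ID+Length+RequestAuth+Attributes+Secret) must equal the reply's
    authenticator; a match proves the reply came from a holder of the secret."""
    digest = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return digest == response[4:20]

def build_request(ident, authenticator, avps):
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in avps)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + authenticator + body

def build_reject(request, secret):
    header = struct.pack("!BBH", 3, request[1], 20)  # Access-Reject, same ID, no AVPs
    return header + hashlib.md5(header + request[4:20] + secret).digest()

# Constructed sample: the request authenticator is the one from the capture above;
# the hidden User-Password is a 16-byte placeholder and the secret is made up.
SECRET = b"constructed-shared-secret"
REQUEST = build_request(0xD0, bytes.fromhex("29a29b7e61aa849b6dc4bff6f38fa657"), [
    (4, bytes(4)),                        # NAS-IP-Address 0.0.0.0
    (32, b"myradiusserver.example.com"),  # NAS-Identifier
    (1, b"derelict"),                     # User-Name
    (2, bytes(16)),                       # User-Password (hidden, placeholder)
])
REJECT = build_reject(REQUEST, SECRET)
FORGED = REJECT[:4] + bytes(16)  # a reject whose authenticator does not verify
```

Run `parse_radius` over the bytes from a Diagnostics > Packet Capture export to confirm the NAS-IP-Address the firewall actually sends, which must match the RADIUS client defined on the server.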

                      Thank you for your answer,
                      I managed to get it fixed by using the IP address of the VLAN on the authenticator in the active directory.
