OPENVPN on RADIUS



  • Dear All,
    we are building a new infra using a RADIUS server and Active Directory.
    The situation is as follows:
    The LAN of the pfSense is 192.168.1.1; on that physical adapter we created 4 different VLANs:
    VLAN 10, 20, 30, 40,
    so the network 192.168.1.0/24 is not active on the network.
    Active Directory is on VLAN 20; from the Active Directory server I can access the pfSense using each of the IPs of VLAN 20/10/30/40 and even 192.168.1.1.
    I have followed the instructions at https://doc.pfsense.org/index.php/OpenVPN_with_RADIUS_via_Active_Directory, which I've done many times, but today it won't authenticate a user who is a member of the group VPN users.
    Can someone please advise me how to get this fixed?
    I am out of options.

    Edit: I just created an LDAP server too, but the authentication does not reach the destination.
    I have disabled the local firewall of the domain controller, removed the antivirus, and nothing helps.
    On the LAN side 192.168.1.1 there are allow rules any to any.
    Please help.

    Thank you


  • Netgate

    Can you authenticate using Diagnostics > Authentication?

    If not, fix that before you mess around with the VPN.



  • @Derelict:

    Can you authenticate using Diagnostics > Authentication?

    If not, fix that before you mess around with the VPN.

    I can't get the authentication passed;
    this happened after we updated the firewall to the latest updates.
    What could block the authentications?


  • Netgate

    Incorrect configuration.



  • @Derelict:

    Incorrect configuration.

    I've done this many times and it does work fine;
    the only issue now is that when the domain controller is on a VLAN the authentication does not work.

    I have LAN 1. >>>> VLAN 20
                        >>>> VLAN 10

    The domain controller is on VLAN 10 and can't really check the authentications.
    LAN is 192.168.1.0/24
    VLAN 10 is 192.168.10.0/24

    When the Active Directory is on the LAN 1 network the authentication does work.

    Am I supposed to allow something here?


  • Netgate

    Maybe on the domain controller to accept requests from that subnet.

    Unless you have convoluted floating rules, outbound traffic from the firewall (and the reply) will be allowed automatically.



  • @Derelict:

    Maybe on the domain controller to accept requests from that subnet.

    Unless you have convoluted floating rules, outbound traffic from the firewall (and the reply) will be allowed automatically.

    From the domain controller the request is allowed from all subnets; the floating rules are empty and there are no rules.
    Do I have to create one rule there or what?
    I hope you can help me here.


  • Netgate

    What does the test say when you try the authentication in Diagnostics > Authentication?

    How about the logs on the RADIUS server?

    Is there a proper RADIUS client defined on the server for the source IP address from the server's perspective?

    A packet capture (Diagnostics > Packet Capture) filtered on the RADIUS server's IP address and the RADIUS port (UDP/1812 for instance) will show you a lot.

    Wireshark can decode it:

    RADIUS Protocol
        Code: Access-Request (1)
        Packet identifier: 0xd0 (208)
        Length: 85
        Authenticator: 29a29b7e61aa849b6dc4bff6f38fa657
        [The response to this request is in frame 2]
        Attribute Value Pairs
            AVP: l=6 t=NAS-IP-Address(4): 0.0.0.0
            AVP: l=31 t=NAS-Identifier(32): myradiusserver.example.com
            AVP: l=10 t=User-Name(1): derelict
            AVP: l=18 t=User-Password(2): Encrypted

    RADIUS Protocol
        Code: Access-Reject (3)
        Packet identifier: 0xd0 (208)
        Length: 20
        Authenticator: d99636900f29588598c6f80d0e6dd368
        [This is a response to a request in frame 1]


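    The capture above shows what the RADIUS server receives. As an added example (not from the thread, pfSense or Netgate), the Python below builds and decodes such an Access-Request, applies the RFC 2865 User-Password hiding, and models the server side: the client entry (and its shared secret) is selected by the UDP source address of the request, not by the NAS-IP-Address attribute, so a request from an interface with no matching client entry is dropped and one with a mismatched secret ends in Access-Reject. The secret, authenticator, addresses and client table are constructed.

```python
import hashlib
import struct

# Constructed values, not from the thread: shared secret, request authenticator and
# the server's RADIUS client table, keyed by the UDP source IP of the request (the
# pfSense interface facing the server), which is what the server matches on.
SECRET = b"constructed-shared-secret"
AUTHENTICATOR = bytes.fromhex("29a29b7e61aa849b6dc4bff6f38fa657")
RADIUS_CLIENTS = {"192.168.10.1": SECRET, "192.168.20.1": b"another-constructed-secret"}
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
ATTRS = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 32: "NAS-Identifier"}

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # RFC 2865 User-Password: pad to 16-byte blocks, XOR each with MD5(secret + previous block)
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # Inverse of hide_password; with the wrong shared secret this yields garbage
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident: int, authenticator: bytes, avps: list) -> bytes:
    # Header: Code(1)=Access-Request, Identifier, Length, Authenticator; then Type/Length/Value AVPs
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in avps)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + authenticator + body

def parse_radius(packet: bytes) -> dict:
    # Decode the header and AVPs the way the Wireshark output above presents them
    code, ident, length = struct.unpack("!BBH", packet[:4])
    avps, pos = [], 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        avps.append((ATTRS.get(t, str(t)), packet[pos + 2:pos + l]))
        pos += l
    return {"code": CODES.get(code, str(code)), "id": ident, "length": length, "authenticator": packet[4:20], "avps": avps}

def server_decision(packet: bytes, source_ip: str, expected_password: bytes) -> str:
    secret = RADIUS_CLIENTS.get(source_ip)
    if secret is None:  # RFC 2865: requests from unknown clients are silently discarded
        return "discarded (no RADIUS client for %s)" % source_ip
    req = parse_radius(packet)
    pwd = reveal_password(dict(req["avps"])["User-Password"], secret, req["authenticator"])
    return "Access-Accept" if pwd == expected_password else "Access-Reject"
```

    A packet capture on the firewall shows the source address the server actually sees; that address is the one the server's RADIUS client entry has to name.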

  • Thank you for your answer,
    I managed to get it fixed by using the IP address of the VLAN on the authenticator in the Active Directory.