OpenVPN with RADIUS via Active Directory Authentication failed



  • Hello - I'm new to pfSense and trying to get OpenVPN with RADIUS via Active Directory to work.

    I had pfSense v2.3.x and we just upgraded to 2.4.0 yesterday. That upgrade did not help the issue. I have a Windows Server 2016 Active Directory Domain Controller server with the NPS (RADIUS) role installed.

    I followed this guide to the letter.

    https://doc.pfsense.org/index.php/OpenVPN_with_RADIUS_via_Active_Directory

FYI - I got the OpenVPN Local Database VPN working initially. Now I'm trying with RADIUS.

    After going to Diagnostics –> Authentication I change auth server to RADIUS and type user/pass. I get an Authentication failed error.

    After doing that, I get an event log on the DC. Event ID: 6273. Authentication Details reason code: 49. Reason: The RADIUS request did not match any configured connection request policy (CRP).

    After a bunch of googling, someone recommended I change the shared secret to something a little smaller. It's currently a 3 letter word.

    Someone else mentioned that you have to make sure you have a policy added in NPS (RADIUS) which I did when following the above guide.

    I'm not sure where to go from here to troubleshoot.

    Any ideas? Thank you!


  • Rebel Alliance Developer Netgate

    What else is in your NPS profile for the firewall as a client? Or in the policies themselves?

    Maybe the NAS ID or some other property sent by the firewall has changed and no longer matches what NPS expects.



  • It seems like a pretty basic setup and profile. Attached is a screenshot of its settings. One condition based on a Windows security group and then the settings. For the Authentication Method, I have even checked all boxes to allow all methods.

    ![nps profile.JPG](/public/imported_attachments/1/nps profile.JPG)


  • Rebel Alliance Developer Netgate

    Does the NPS log show you the IP address that the firewall used to send the RADIUS request?
    What does the NPS config look like for the firewall under NPS Clients?



  • Here are the NPS Logs from my last two entries. One check from router A and one from router B.

    "DC(Radius)","IAS",10/19/2017,09:07:31,1,"username",,,,,,"RouterA.localdomain","0.0.0.0",,0,"10.10.x.x","pfSense VPN Router A",,,,,,,,,0,"311 1 10.10.x.x10/17/2017 15:50:52 39",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
    "DC(Radius)","IAS",10/19/2017,09:07:31,3,,,,,,,,,,0,"10.10.x.x","pfSense VPN Router A",,,,,,,,,49,"311 1 10.10.x.x 10/17/2017 15:50:52 39",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
    "DC(Radius)","IAS",10/19/2017,09:08:26,1,"username",,,,,,"RouterB.localdomain","0.0.0.0",,0,"10.10.x.x","pfSense VPN Router B",,,,,,,,,0,"311 1 10.10.x.x 10/17/2017 15:50:52 40",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
    "DC(Radius)","IAS",10/19/2017,09:08:26,3,,,,,,,,,,0,"10.10.x.x","pfSense VPN Router B",,,,,,,,,49,"311 1 10.10.x.x 10/17/2017 15:50:52 40",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

    Attached are the RADIUS clients. IPs in the logs match the IPs for the clients.

    ![RADIUS Clients.JPG](/public/imported_attachments/1/RADIUS Clients.JPG)



  • Something I'm looking at…

    The event viewer error I'm getting is:

    The RADIUS request did not match any configured connection request policy (CRP).

    Looking more closely at the NPS options, the instructions had me set up a "Network Policies" policy but not a "Connection Request Policies" policy. Since this error is mentioning that the RADIUS request didn't find a matching CRP, I'm thinking that the instructions I followed may have been from Server 2008 or older? Maybe the CRP didn't exist when it was created?

    I'm new to RADIUS setup as well so I don't know.

    But it's starting to make sense why it's not working. There is no CRP policy.

    Last night, I created a CRP policy and then I started getting a different reason code: 70 - The network access method used by the access client to connect to the network does not match the value of the NAS-Port-Type attribute that is configured in the constraints of the matching network policy.

    I didn't touch anything between last night and this morning and now I'm getting the old reason code 49 again.

    Perhaps I'm on to something?

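As an added example (not code from this thread, from pfSense or from Microsoft), here is a small Python parser for NPS log lines in the IAS format posted above: it pairs each Access-Reject with the Access-Request logged by the same RADIUS client at the same timestamp, shows whether the request carried a NAS-Port-Type at all, and translates reason codes 49 and 70 as quoted in this thread. Column offsets follow Microsoft's documented IAS field order, and the sample lines are constructed in the layout of the posted log.

```python
import csv
from io import StringIO

# 0-based column offsets in Microsoft's IAS log format (only those used here):
# date, time, packet type, User-Name, NAS-Identifier, Client-IP-Address,
# Client-Friendly-Name, NAS-Port-Type and Reason-Code.
COLS = {"date": 2, "time": 3, "pkt": 4, "user": 5, "nas_id": 11, "client_ip": 15,
        "client": 16, "nas_port_type": 19, "reason": 25}

# Reason codes quoted in the thread; any other code is reported as unknown.
REASON_CODES = {"49": "no matching connection request policy (CRP)",
                "70": "NAS-Port-Type does not match network policy constraints"}

# Constructed sample in the posted layout: two Access-Request/Access-Reject pairs.
SAMPLE_LOG = '''\
"DC(Radius)","IAS",10/19/2017,09:07:31,1,"username",,,,,,"RouterA.localdomain","0.0.0.0",,0,"10.10.x.x","pfSense VPN Router A",,,,,,,,,0,"311 1 10.10.x.x 10/17/2017 15:50:52 39"
"DC(Radius)","IAS",10/19/2017,09:07:31,3,,,,,,,,,,0,"10.10.x.x","pfSense VPN Router A",,,,,,,,,49,"311 1 10.10.x.x 10/17/2017 15:50:52 39"
"DC(Radius)","IAS",10/19/2017,09:08:26,1,"username",,,,,,"RouterB.localdomain","0.0.0.0",,0,"10.10.x.x","pfSense VPN Router B",,,,,,,,,0,"311 1 10.10.x.x 10/17/2017 15:50:52 40"
"DC(Radius)","IAS",10/19/2017,09:08:26,3,,,,,,,,,,0,"10.10.x.x","pfSense VPN Router B",,,,,,,,,70,"311 1 10.10.x.x 10/17/2017 15:50:52 40"
'''

def parse_ias(text):
    """One dict per IAS line; lines too short to carry a Reason-Code are skipped."""
    rows = [row for row in csv.reader(StringIO(text)) if len(row) > COLS["reason"]]
    return [{name: row[i] for name, i in COLS.items()} for row in rows]

def rejected_requests(text):
    """Pair each Access-Reject (packet type 3) with the Access-Request (type 1) from
    the same NPS client at the same timestamp, because the reject row carries no
    User-Name or NAS-Identifier, and translate the Reason-Code."""
    pending, out = {}, []
    for r in parse_ias(text):
        key = (r["client"], r["date"], r["time"])
        if r["pkt"] == "1":
            pending[key] = r
        elif r["pkt"] == "3":
            req = pending.pop(key, {})
            out.append({"client": r["client"], "client_ip": r["client_ip"],
                        "user": req.get("user", "?"), "nas_id": req.get("nas_id", "?"),
                        # an empty NAS-Port-Type column means the client never sent it
                        "nas_port_type": req.get("nas_port_type") or "(not sent)",
                        "reason": r["reason"],
                        "meaning": REASON_CODES.get(r["reason"], "unknown reason code")})
    return out

if __name__ == "__main__":
    for rej in rejected_requests(SAMPLE_LOG):
        print(f'{rej["client"]} ({rej["client_ip"]}) user={rej["user"]} '
              f'NAS-Port-Type={rej["nas_port_type"]}: {rej["reason"]} = {rej["meaning"]}')
```

Point it at an exported NPS log file (or the lines pasted above) to see, per rejected request, which client sent it and whether the NAS-Port-Type the network policy constrains was present at all.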
