Admin Login via RADIUS using Active Directory Accounts
I have this set up on the new version 2.4.2, and the authentication diagnostic via the NPS server seems to be working; it shows this message: "User xxxxxxx authenticated successfully. This user is a member of groups:"
However, when I try to log in it shows this error message: "No page assigned to this user! Click here to logout."
I followed these step-by-step instructions - https://community.spiceworks.com/how_to/128944-pfsense-admin-logins-via-radius-using-active-directory-accounts
I even tried changing from "Class" to "Filter-Id" with the same string value, but to no avail.
I would really like to get this working to make remote management easy.
Hope someone can help out.
Anyone out there who can help out?
You have to see a group in the list from Diagnostics > Authentication or it won't work. Your problem is right there, it isn't seeing the groups.
Make sure you are passing back the group names in the Class attribute and also make sure that you have a group with identical names locally (System > User Manager, Groups tab) and that group needs privileges assigned to it that allow access.
Take a packet capture of the RADIUS traffic to the AD server, load it in Wireshark and see what it's passing back.
radsniff is quite handy too.
[2.4.2-RELEASE][admin@pfsense]/: radsniff -h
Usage: radsniff [options][stats options] -- [pcap files]
-a List all interfaces available for capture.
-c <count> Number of packets to capture.
-C Enable UDP checksum validation.
-d <directory> Set dictionary directory.
-d <raddb> Set configuration directory (defaults to /usr/local/etc/raddb).
-D <dictdir> Set main dictionary directory (defaults to /usr/local/share/freeradius).
-e <event>[,<event>] Only log requests with these event flags.
Event may be one of the following:
- received - a request or response.
- norsp - seen for a request.
- rtx - of a request that we've seen before.
- noreq - could be matched with the response.
- reused - ID too soon.
- error - decoding the packet.
-f <filter> PCAP filter (default is 'udp port <port> or <port + 1> or 3799')
-h This help message.
-i <interface> Capture packets from interface (defaults to all if supported).
-I <file> Read packets from file (overrides input of -F).
-l <attr>[,<attr>] Output packet sig and a list of attributes.
-L <attr>[,<attr>] Detect retransmissions using these attributes to link requests.
-m Don't put interface(s) into promiscuous mode.
-p <port> Filter packets by port (default is 1812).
-P <pidfile> Daemonize and write out <pidfile>.
-q Print less debugging information.
-r <filter> RADIUS attribute request filter.
-R <filter> RADIUS attribute response filter.
-s <secret> RADIUS secret.
-S Write PCAP data to stdout.
-v Show program version information.
-w <file> Write output packets to file.
-x Print more debugging information.
-W <interval> Periodically write out statistics every <interval> seconds.
-T <timeout> How many milliseconds before the request is counted as lost (defaults to 5200).
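As an added illustration of what to look for in that capture (example code, not from jimp or from pfSense itself): a small RADIUS reply parser that pulls every Class attribute out of an Access-Accept and checks the names against the local groups. It assumes each Class value is one group name compared exactly, and the packets are constructed samples.

```python
import struct

# RADIUS codes and attribute types from RFC 2865
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
ATTR_FILTER_ID, ATTR_CLASS = 11, 25

def parse_radius(packet: bytes):
    """Split a RADIUS packet into (code, identifier, [(attr_type, value_bytes), ...]).
    Layout: 1-byte code, 1-byte id, 2-byte length, 16-byte authenticator, then TLVs."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS length field does not match packet")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, attrs

def returned_groups(packet: bytes, attr_type: int = ATTR_CLASS):
    """Group names the server sent back: one per attribute of attr_type (Class by default)
    in an Access-Accept. Anything else (e.g. an Access-Reject) yields no groups."""
    code, _, attrs = parse_radius(packet)
    if code != ACCESS_ACCEPT:
        return []
    return [v.decode("utf-8", "replace") for t, v in attrs if t == attr_type]

def usable_groups(returned, local_groups):
    """Returned names that match a local group (assumed exact, case-sensitive match)."""
    return [g for g in returned if g in local_groups]

def build_reply(code: int, ident: int, *attrs):
    """Assemble a reply from (type, value) pairs; authenticator is zeroed (constructed sample)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

# Constructed samples: an Access-Accept carrying two Class attributes, and a bare Access-Reject.
SAMPLE_ACCEPT = build_reply(ACCESS_ACCEPT, 7, (ATTR_CLASS, b"ROLE_pfSense"), (ATTR_CLASS, b"ROLE_VPN"))
SAMPLE_REJECT = build_reply(ACCESS_REJECT, 8)

if __name__ == "__main__":
    local = {"ROLE_pfSense"}            # local group that exists and has privileges assigned
    got = returned_groups(SAMPLE_ACCEPT)
    print("Class attributes returned:", got)
    print("matching local groups:", usable_groups(got, local) or "none -> 'No page assigned'")
```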
@jimp, I've got the right group name in the Class attribute and also an identical local group name (System > User Manager, Groups tab) with the right privileges. I moved the policy one step up and it worked, but then it goes back to the error message "No page assigned to this user! Click here to logout."
I've captured traffic on my RADIUS server and I noticed this when my pfSense does an access request to the RADIUS server:
Attribute Value Pairs
AVP: l=6 t=NAS-IP-Address(4): 0.0.0.0
And the reply from my RADIUS server is showing attributes from the network policy below the policy created for pfSense admin access. Something else I'm missing, I believe, in my pfSense configuration.
By the way, does the group name format matter? My group name is ROLE_pfSense in my AD, and that's the same name I use for the Class attribute and the pfSense local group name.
This was sorted out. I found my issue. On my RADIUS server I was trying to use the same network policy and just add the different IP address of my pfSense in the network policy Conditions.
Removing the other IP address and adding its own network policy seems to fix that ;D 8)