    RADIUS user can't log in to webGUI

    • P
      purple last edited by purple

      I'm using pfsense version 2.4.4-p3 with the freeradius3 0.15.7_6 package.

      I followed a few tutorials on setting up RADIUS for webGUI authentication, including this one:
      https://forum.netgate.com/topic/135424/solved-two-factor-authentication-for-admin-login/18

      I have not been successful in logging in with a RADIUS user even though the RADIUS user can pass the Diagnostics / Authentication test with the appropriate (admins) group membership.

      I get the following error from the pfsense console:
      pfSense php-fpm[10285]: /index.php: webConfigurator authentication error for user

      And on the webGUI I get:
      Username or Password incorrect

      When logging into the webGUI with a RADIUS user and watching radiusd -X output, I only get the webConfigurator authentication error message.

      Also, radtest gives an Access-Accept message when run on the pfsense console using the local loopback address.

      Any help is greatly appreciated.

      • NogBadTheBad
        NogBadTheBad last edited by NogBadTheBad

        Have you added the router itself as a NAS?

        Screenshot 2019-12-10 at 19.29.23.png

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

        • P
          purple last edited by

          Yes, I have. Does the computer I'm using to access the webGUI need a RADIUS profile?

          • NogBadTheBad
            NogBadTheBad @purple last edited by

            @purple

            No need to do the PC you’re trying to connect to the web gui from.

            Andy

            1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

            • NogBadTheBad
              NogBadTheBad last edited by NogBadTheBad

              Can you post the output from radsniff -x? You should see something like this:

              [2.4.4-RELEASE][admin@pfsense]/root: radsniff -x
              Logging all events
              Defaulting to capture on all interfaces
              Sniffing on (igb0 pppoe0 igb1 ovpnc1 igb0.2 ovpnc2 igb0.3 ovpnc3 igb0.4 igb0.5 igb0.6 igb0.7 igb0.9 igb0.11 lo0 pflog0 igb2 igb3 igb4 igb5)
              2019-12-11 13:44:00.284515 (1) Access-Request Id 83 lo0:127.0.0.1:48339 -> 127.0.0.1:1812 +0.000
              	User-Name = "andy"
              	NAS-IP-Address = 172.16.0.1
              	Service-Type = Login-User
              	NAS-Identifier = "pfsense"
              	MS-CHAP-Challenge = 0xa32ac614148ecadb89e307a02437a142
              	MS-CHAP2-Response = 0x0101562df25e78a75af3bc4f6e950d625f750000000000000000f8c09de6c2cdaf818c228c248333eb258ab18c53cc787a41
              	Authenticator-Field = 0xbe350167349920546a5dfc401fc4e2b5
              2019-12-11 13:44:00.285487 (2) Access-Accept Id 83 lo0:127.0.0.1:48339 <- 127.0.0.1:1812 +0.000 +0.000
              	Service-Type = Administrative-User
              	Class = 0x61646d696e73
              	MS-MPPE-Encryption-Policy = Encryption-Allowed
              	MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
              	MS-CHAP2-Success = 0x01533d46423631444539313832364444413230303634443737443036303744394537303542303337413837
              	Attr-26.311.17 = 0x804d5544b47493751c6f89a0deba54ad2bb9d7fff4e028f6629b4a97a29bb9bc236e
              	Attr-26.311.16 = 0x8bc931710bfe5454b38c79f2b995734ef2f72e82859cc28e698c30e58f8ab8683ed8
              	Authenticator-Field = 0x61bb09cc4e01d003dfcf838eb451fe59
              
              Message from syslogd@pfsense at Dec 11 13:44:00 ...
              pfsense php-fpm[99209]: /index.php: Successful login for user 'andy from: 172.16.2.20 (RADIUS/Local RADIUS Database)
              2019-12-11 13:44:05.485487 (1) Cleaning up request packet ID 8
              

              Also, does the top of your virtual-server-default look like this?

              server default {
              listen {
              	type = auth
              	ipaddr = *
              	port = 1812
              }
              listen {
              	type = acct
              	ipaddr = *
              	port = 1813
              }
              listen {
              	type = auth
              	ipv6addr = *
              	port = 1812
              }
              listen {
              	type = acct
              	ipv6addr = *
              	port = 1813
              }
              

              Andy

              1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22
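
Added example, not part of the original posts: a small Python parser for `radsniff -x` text in the layout shown above. It pairs each Access-Request with its reply by Id and checks whether the Access-Accept carries the expected group in Class (0x61646d696e73 decodes to "admins"). The sample capture is constructed, treating Class as the group name is an assumption based on the capture above, and the function names and verdict labels are illustrative.

```python
import re

# Constructed sample in radsniff -x layout, modelled on the capture above.
SAMPLE = """\
2019-12-11 13:44:00.284515 (1) Access-Request Id 83 lo0:127.0.0.1:48339 -> 127.0.0.1:1812 +0.000
\tUser-Name = "andy"
2019-12-11 13:44:00.285487 (2) Access-Accept Id 83 lo0:127.0.0.1:48339 <- 127.0.0.1:1812 +0.000 +0.000
\tClass = 0x61646d696e73
2019-12-11 13:45:10.000100 (3) Access-Request Id 84 lo0:127.0.0.1:48340 -> 127.0.0.1:1812 +0.000
\tUser-Name = "test"
2019-12-11 13:45:10.000900 (4) Access-Reject Id 84 lo0:127.0.0.1:48340 <- 127.0.0.1:1812 +0.000 +0.000
2019-12-11 13:46:20.000100 (5) Access-Request Id 85 lo0:127.0.0.1:48341 -> 127.0.0.1:1812 +0.000
\tUser-Name = "guest"
2019-12-11 13:46:20.000900 (6) Access-Accept Id 85 lo0:127.0.0.1:48341 <- 127.0.0.1:1812 +0.000 +0.000
"""

HEADER = re.compile(r"^\S+ \S+ \(\d+\) (Access-\w+) Id (\d+) ")
ATTR = re.compile(r"^\s+([\w.-]+) = (.+)$")

def parse_packets(text):
    """Split radsniff -x text into dicts holding code, id and attributes."""
    packets = []
    for line in text.splitlines():
        head, attr = HEADER.match(line), ATTR.match(line)
        if head:
            packets.append({"code": head.group(1), "id": int(head.group(2)), "attrs": {}})
        elif attr and packets:
            packets[-1]["attrs"][attr.group(1)] = attr.group(2).strip('"')
    return packets

def decode_class(value):
    """radsniff prints Class as 0x-prefixed hex; return it as text."""
    raw = bytes.fromhex(value[2:]) if value.startswith("0x") else value.encode()
    return raw.decode("utf-8", errors="replace")

def audit(text, required_group="admins"):
    """Pair each Access-Request with its reply by Id and return {user: verdict}."""
    pending, verdicts = {}, {}
    for pkt in parse_packets(text):
        if pkt["code"] == "Access-Request":
            user = pending[pkt["id"]] = pkt["attrs"].get("User-Name", "?")
            verdicts[user] = "no-reply"
        elif pkt["id"] in pending:
            user = pending.pop(pkt["id"])
            group = decode_class(pkt["attrs"].get("Class", ""))
            verdicts[user] = pkt["code"]  # e.g. Access-Reject, kept as seen
            if pkt["code"] == "Access-Accept":
                verdicts[user] = "group-ok" if group == required_group else "group-missing"
    return verdicts
```

A login attempt that produces no entry at all means no Access-Request was captured for it, so the request never reached the RADIUS server on the sniffed interfaces.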

              • P
                purple last edited by

                My virtual-server-default looks like what you posted.

                When I run radsniff -x and try to authenticate on the webGUI, I get:
                pfSense php-fpm[333]: /index.php: webConfigurator authentication error for user 'test' from: xx.xx.xx.xx

                It's as if the webGUI will not even try to use the RADIUS database for logins, even though I set the RADIUS server under Authentication Servers (I am using 127.0.0.1 for the Host Name there).

                I've tried this on my default setup and on a new VM with the same results.

                • NogBadTheBad
                  NogBadTheBad last edited by

                  @purple said in RADIUS user can't log in to webGUI:

                  My virtual-server-default looks like what you posted.

                  Screenshot 2019-12-11 at 17.57.13.png

                  Screenshot 2019-12-11 at 17.56.59.png

                  Andy

                  1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                  • P
                    purple last edited by

                    I got it to work finally.

                    I added NAS Clients, with matching Client Shortnames, for the IP address of my router and the machine I use to connect to the webGUI.

                    I also forgot to set that last bit you just posted when I was testing on my fresh install VM.

                    Thank you so much for your responses!

                    • NogBadTheBad
                      NogBadTheBad last edited by

                      You're welcome ☺

                      Andy

                      1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22
