RADIUS user can't log in to webGUI



  • I'm using pfsense version 2.4.4-p3 with the freeradius3 0.15.7_6 package.

    I followed a few tutorials on setting up RADIUS for webGUI authentication, including this one:
    https://forum.netgate.com/topic/135424/solved-two-factor-authentication-for-admin-login/18

    I have not been successful in logging in with a RADIUS user even though the RADIUS user can pass the Diagnostics / Authentication test with the appropriate (admins) group membership.

    I get the following error from the pfsense console:
    pfSense php-fpm[10285]: /index.php: webConfigurator authentication error for user

    And on the webGUI I get:
    Username or Password incorrect

    When logging into the webGUI with a RADIUS user and watching radiusd -X output, I only get the webConfigurator authentication error message.

    Also, radtest gives an Access-Accept message when run on the pfsense console using the local loopback address.

    Any help is greatly appreciated.



  • Have you added the router itself as a NAS?

    Screenshot 2019-12-10 at 19.29.23.png



  • Yes, I have. Does the computer I'm using to access the webGUI need a RADIUS profile?



  • @purple

    No need to do the PC you’re trying to connect to the web gui from.



  • Can you post the output from radsniff -x? You should see something like this:

    [2.4.4-RELEASE][admin@pfsense]/root: radsniff -x
    Logging all events
    Defaulting to capture on all interfaces
    Sniffing on (igb0 pppoe0 igb1 ovpnc1 igb0.2 ovpnc2 igb0.3 ovpnc3 igb0.4 igb0.5 igb0.6 igb0.7 igb0.9 igb0.11 lo0 pflog0 igb2 igb3 igb4 igb5)
    2019-12-11 13:44:00.284515 (1) Access-Request Id 83 lo0:127.0.0.1:48339 -> 127.0.0.1:1812 +0.000
    	User-Name = "andy"
    	NAS-IP-Address = 172.16.0.1
    	Service-Type = Login-User
    	NAS-Identifier = "pfsense"
    	MS-CHAP-Challenge = 0xa32ac614148ecadb89e307a02437a142
    	MS-CHAP2-Response = 0x0101562df25e78a75af3bc4f6e950d625f750000000000000000f8c09de6c2cdaf818c228c248333eb258ab18c53cc787a41
    	Authenticator-Field = 0xbe350167349920546a5dfc401fc4e2b5
    2019-12-11 13:44:00.285487 (2) Access-Accept Id 83 lo0:127.0.0.1:48339 <- 127.0.0.1:1812 +0.000 +0.000
    	Service-Type = Administrative-User
    	Class = 0x61646d696e73
    	MS-MPPE-Encryption-Policy = Encryption-Allowed
    	MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
    	MS-CHAP2-Success = 0x01533d46423631444539313832364444413230303634443737443036303744394537303542303337413837
    	Attr-26.311.17 = 0x804d5544b47493751c6f89a0deba54ad2bb9d7fff4e028f6629b4a97a29bb9bc236e
    	Attr-26.311.16 = 0x8bc931710bfe5454b38c79f2b995734ef2f72e82859cc28e698c30e58f8ab8683ed8
    	Authenticator-Field = 0x61bb09cc4e01d003dfcf838eb451fe59
    
    Message from syslogd@pfsense at Dec 11 13:44:00 ...
    pfsense php-fpm[99209]: /index.php: Successful login for user 'andy from: 172.16.2.20 (RADIUS/Local RADIUS Database)
    2019-12-11 13:44:05.485487 (1) Cleaning up request packet ID 8
    

    Also, does the top of your virtual-server-default look like this:

    server default {
    listen {
    	type = auth
    	ipaddr = *
    	port = 1812
    }
    listen {
    	type = acct
    	ipaddr = *
    	port = 1813
    }
    listen {
    	type = auth
    	ipv6addr = *
    	port = 1812
    }
    listen {
    	type = acct
    	ipv6addr = *
    	port = 1813
    }
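
Added example, not part of the thread: a Python script that parses `radsniff -x` text like the capture in the post above, pairs each Access-Request with its reply by Id, and decodes the hex `Class` value (`0x61646d696e73` is ASCII `admins`). The sample capture is constructed, the function names are illustrative, and it assumes the webGUI takes the user's group from the `Class` attribute of the Access-Accept.

```python
import re

# Constructed sample modelled on the radsniff -x capture above (long hex attributes left out).
SAMPLE = """\
2019-12-11 13:44:00.284515 (1) Access-Request Id 83 lo0:127.0.0.1:48339 -> 127.0.0.1:1812 +0.000
\tUser-Name = "andy"
2019-12-11 13:44:00.285487 (2) Access-Accept Id 83 lo0:127.0.0.1:48339 <- 127.0.0.1:1812 +0.000 +0.000
\tService-Type = Administrative-User
\tClass = 0x61646d696e73
2019-12-11 13:45:10.100000 (3) Access-Request Id 84 lo0:127.0.0.1:48340 -> 127.0.0.1:1812 +0.000
\tUser-Name = "test"
2019-12-11 13:45:10.101000 (4) Access-Accept Id 84 lo0:127.0.0.1:48340 <- 127.0.0.1:1812 +0.000 +0.000
2019-12-11 13:46:00.000000 (5) Access-Request Id 85 lo0:127.0.0.1:48341 -> 127.0.0.1:1812 +0.000
\tUser-Name = "nobody"
"""

HEADER = re.compile(r"^\s*\S+ \S+ \(\d+\) (Access-\w+) Id (\d+) ")
ATTR = re.compile(r"^\s+([\w.-]+) = (.*)$")

def parse_packets(text):
    """Return a list of (code, id, {attr: [values]}) from radsniff -x text."""
    packets = []
    for line in text.splitlines():
        if m := HEADER.match(line):
            packets.append((m.group(1), int(m.group(2)), {}))
        elif packets and (m := ATTR.match(line)):
            packets[-1][2].setdefault(m.group(1), []).append(m.group(2).strip('"'))
    return packets

def decode_class(value):
    """Class is printed as 0x<hex>; turn it back into text."""
    raw = bytes.fromhex(value[2:]) if value.startswith("0x") else value.encode()
    return raw.decode("utf-8", "replace")

def audit(text, group="admins"):
    """Map each User-Name to 'ok', 'accepted-without-group', 'rejected' or 'no-reply'."""
    results, pending = {}, {}
    for code, pid, attrs in parse_packets(text):
        if code == "Access-Request":
            pending[pid] = attrs.get("User-Name", ["?"])[0]
            results[pending[pid]] = "no-reply"   # overwritten when a reply with this Id arrives
        elif pid in pending:
            user = pending.pop(pid)
            groups = [decode_class(v) for v in attrs.get("Class", [])]
            if code != "Access-Accept":
                results[user] = "rejected"
            else:
                results[user] = "ok" if group in groups else "accepted-without-group"
    return results
```

A user that is missing from the result entirely means no Access-Request for that login was seen on the wire at all.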
    


  • My virtual-server-default looks like what you posted.

    When I run radsniff -x and try to authenticate on the webGUI, I get:
    pfSense php-fpm[333]: /index.php: webConfigurator authentication error for user 'test' from: xx.xx.xx.xx

    It's as if the webGUI will not even try to use the RADIUS database for logins, even though I set the RADIUS server under Authentication Servers (I am using 127.0.0.1 for the Host Name there).

    I've tried this on my default setup and on a new VM with the same results.



  • @purple said in RADIUS user can't log in to webGUI:

    My virtual-server-default looks like what you posted.

    Screenshot 2019-12-11 at 17.57.13.png

    Screenshot 2019-12-11 at 17.56.59.png



  • I got it to work finally.

    I added NAS Clients, with matching Client Shortnames, for the IP address of my router and the machine I use to connect to the webGUI.

    I also forgot to set that last bit you just posted when I was testing on my fresh install VM.

    Thank you so much for your responses!



  • You're welcome ☺

