    PFSense RADIUS - NPS Server (Access-Reject)

    Category: OpenVPN
    1 post, 1 poster, 561 views
    AndersK (last edited by AndersK)

      I'm struggling with configuring pfSense for OpenVPN auth with my NPS (RADIUS) server (Server 2016 R2).

      I have followed the configuration in this article: https://docs.netgate.com/pfsense/en/latest/book/thirdparty/radius-authentication-with-windows-server.html

      Testing login from pfSense (Diagnostics / Authentication), I get the message "Authentication failed."

      Output from packet capture:

      14:45:49.735288 00:15:5d:f4:01:01 > 00:08:a2:11:46:18, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 172.16.255.253 (00:08:a2:11:46:18) tell 172.16.244.10, length 46
      14:45:49.735298 00:08:a2:11:46:18 > 00:15:5d:f4:01:01, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Reply 172.16.255.253 is-at 00:08:a2:11:46:18, length 28
      14:45:50.017083 00:08:a2:11:46:18 > 00:15:5d:f4:01:01, ethertype IPv4 (0x0800), length 82: (tos 0x0, ttl 64, id 41953, offset 0, flags [none], proto UDP (17), length 68)
          172.16.255.253.4492 > 172.16.244.10.53: [udp sum ok] 9633+ AAAA? 2.pfsense.pool.ntp.org. (40)
      14:45:50.093822 00:15:5d:f4:01:01 > 00:08:a2:11:46:18, ethertype IPv4 (0x0800), length 194: (tos 0x0, ttl 128, id 5217, offset 0, flags [none], proto UDP (17), length 180)
          172.16.244.10.53 > 172.16.255.253.4492: [udp sum ok] 9633 q: AAAA? 2.pfsense.pool.ntp.org. 4/0/0 2.pfsense.pool.ntp.org. AAAA 2606:4700:f1::123, 2.pfsense.pool.ntp.org. AAAA 2001:440:1880:5555::2, 2.pfsense.pool.ntp.org. AAAA 2606:4700:f1::1, 2.pfsense.pool.ntp.org. AAAA 2001:6c8:140:6d7::20 (152)
      14:45:58.662805 00:08:a2:11:46:18 > 00:15:5d:f4:01:01, ethertype IPv4 (0x0800), length 210: (tos 0x0, ttl 64, id 20811, offset 0, flags [none], proto UDP (17), length 196)
          172.16.255.253.37797 > 172.16.244.10.1812: [udp sum ok] RADIUS, length: 168
      	Access-Request (1), id: 0x59, Authenticator: 30a703608bdd8398f3e97f0c9fe76b10
      	  Service-Type Attribute (6), length: 6, Value: Login
      	    0x0000:  0000 0001
      	  User-Name Attribute (1), length: 4, Value: ak
      	    0x0000:  616b
      	  Vendor-Specific Attribute (26), length: 58, Value: Vendor: Microsoft (311)
      	    Vendor Attribute: 25, Length: 50, Value: ..?n.nl.....g.;............."..*R.\'.t0.JQT/..s..x
      	    0x0000:  0000 0137 1934 0101 3f6e eb6e 6c07 14ee
      	    0x0010:  b7b9 6701 3bf9 0d90 0000 0000 0000 0000
      	    0x0020:  1fef 2289 b82a 520b 5c27 a874 30a7 4a51
      	    0x0030:  542f e801 738f d378
      	  Vendor-Specific Attribute (26), length: 24, Value: Vendor: Microsoft (311)
      	    Vendor Attribute: 11, Length: 16, Value: .}.a...,B..(.. .
      	    0x0000:  0000 0137 0b12 c67d c961 efc1 d32c 42a9
      	    0x0010:  df28 ef0f 20eb
      	  NAS-IP-Address Attribute (4), length: 6, Value: 172.16.255.253
      	    0x0000:  ac10 fffd
      	  NAS-Identifier Attribute (32), length: 16, Value: XG-7100.xyzdomain.com
      	    0x0000:  5847 2d37 3130 302e 6968 6d2e 646b
      	  Called-Station-Id Attribute (30), length: 34, Value: 00:08:a2:11:46:18:XG-7100.xyzdomain.com
      	    0x0000:  3030 3a30 383a 6132 3a31 313a 3436 3a31
      	    0x0010:  383a 5847 2d37 3130 302e 6968 6d2e 646b
      14:45:59.992102 00:15:5d:f4:01:01 > 00:08:a2:11:46:18, ethertype IPv4 (0x0800), length 122: (tos 0x0, ttl 128, id 5218, offset 0, flags [none], proto UDP (17), length 108)
          172.16.244.10.1812 > 172.16.255.253.37797: [udp sum ok] RADIUS, length: 80
      	Access-Reject (3), id: 0x59, Authenticator: ccb233604ef84cd8fca5f741c9643982
      	  Vendor-Specific Attribute (26), length: 60, Value: Vendor: Microsoft (311)
      	    Vendor Attribute: 2, Length: 52, Value: .E=691 R=0 C=560d0000496200006c5c0000bf600000 V=3 M=
      	    0x0000:  0000 0137 0236 0145 3d36 3931 2052 3d30
      	    0x0010:  2043 3d35 3630 6430 3030 3034 3936 3230
      	    0x0020:  3030 3036 6335 6330 3030 3062 6636 3030
      	    0x0030:  3030 3020 563d 3320 4d3d
      14:45:59.992167 00:08:a2:11:46:18 > 00:15:5d:f4:01:01, ethertype IPv4 (0x0800), length 210: (tos 0x0, ttl 64, id 11393, offset 0, flags [none], proto UDP (17), length 196)
          172.16.255.253.37797 > 172.16.244.10.1812: [udp sum ok] RADIUS, length: 168
      	Access-Request (1), id: 0x59, Authenticator: 30a703608bdd8398f3e97f0c9fe76b10
      	  Service-Type Attribute (6), length: 6, Value: Login
      	    0x0000:  0000 0001
      	  User-Name Attribute (1), length: 4, Value: ak
      	    0x0000:  616b
      	  Vendor-Specific Attribute (26), length: 58, Value: Vendor: Microsoft (311)
      	    Vendor Attribute: 25, Length: 50, Value: ..?n.nl.....g.;............."..*R.\'.t0.JQT/..s..x
      	    0x0000:  0000 0137 1934 0101 3f6e eb6e 6c07 14ee
      	    0x0010:  b7b9 6701 3bf9 0d90 0000 0000 0000 0000
      	    0x0020:  1fef 2289 b82a 520b 5c27 a874 30a7 4a51
      	    0x0030:  542f e801 738f d378
      	  Vendor-Specific Attribute (26), length: 24, Value: Vendor: Microsoft (311)
      	    Vendor Attribute: 11, Length: 16, Value: .}.a...,B..(.. .
      	    0x0000:  0000 0137 0b12 c67d c961 efc1 d32c 42a9
      	    0x0010:  df28 ef0f 20eb
      	  NAS-IP-Address Attribute (4), length: 6, Value: 172.16.255.253
      	    0x0000:  ac10 fffd
      	  NAS-Identifier Attribute (32), length: 16, Value: XG-7100.xyzdomain.com
      	    0x0000:  5847 2d37 3130 302e 6968 6d2e 646b
      	  Called-Station-Id Attribute (30), length: 34, Value: 00:08:a2:11:46:18:XG-7100.xyzdomain.com
      	    0x0000:  3030 3a30 383a 6132 3a31 313a 3436 3a31
      	    0x0010:  383a 5847 2d37 3130 302e 6968 6d2e 646b
      14:46:00.081256 00:15:5d:f4:01:01 > 00:08:a2:11:46:18, ethertype IPv4 (0x0800), length 122: (tos 0x0, ttl 128, id 5219, offset 0, flags [none], proto UDP (17), length 108)
          172.16.244.10.1812 > 172.16.255.253.37797: [udp sum ok] RADIUS, length: 80
      	Access-Reject (3), id: 0x59, Authenticator: ccb233604ef84cd8fca5f741c9643982
      	  Vendor-Specific Attribute (26), length: 60, Value: Vendor: Microsoft (311)
      	    Vendor Attribute: 2, Length: 52, Value: .E=691 R=0 C=560d0000496200006c5c0000bf600000 V=3 M=
      	    0x0000:  0000 0137 0236 0145 3d36 3931 2052 3d30
      	    0x0010:  2043 3d35 3630 6430 3030 3034 3936 3230
      	    0x0020:  3030 3036 6335 6330 3030 3062 6636 3030
      	    0x0030:  3030 3020 563d 3320 4d3d
      14:46:00.081313 00:08:a2:11:46:18 > 00:15:5d:f4:01:01, ethertype IPv4 (0x0800), length 210: (tos 0x0, ttl 64, id 7079, offset 0, flags [none], proto UDP (17), length 196)
          172.16.255.253.37797 > 172.16.244.10.1812: [udp sum ok] RADIUS, length: 168
      	Access-Request (1), id: 0x59, Authenticator: 30a703608bdd8398f3e97f0c9fe76b10
      	  Service-Type Attribute (6), length: 6, Value: Login
      	    0x0000:  0000 0001
      	  User-Name Attribute (1), length: 4, Value: ak
      	    0x0000:  616b
      	  Vendor-Specific Attribute (26), length: 58, Value: Vendor: Microsoft (311)
      	    Vendor Attribute: 25, Length: 50, Value: ..?n.nl.....g.;............."..*R.\'.t0.JQT/..s..x
      	    0x0000:  0000 0137 1934 0101 3f6e eb6e 6c07 14ee
      	    0x0010:  b7b9 6701 3bf9 0d90 0000 0000 0000 0000
      	    0x0020:  1fef 2289 b82a 520b 5c27 a874 30a7 4a51
      	    0x0030:  542f e801 738f d378
      	  Vendor-Specific Attribute (26), length: 24, Value: Vendor: Microsoft (311)
      	    Vendor Attribute: 11, Length: 16, Value: .}.a...,B..(.. .
      	    0x0000:  0000 0137 0b12 c67d c961 efc1 d32c 42a9
      	    0x0010:  df28 ef0f 20eb
      	  NAS-IP-Address Attribute (4), length: 6, Value: 172.16.255.253
      	    0x0000:  ac10 fffd
      	  NAS-Identifier Attribute (32), length: 16, Value: XG-7100.xyzdomain.com
      	    0x0000:  5847 2d37 3130 302e 6968 6d2e 646b
      	  Called-Station-Id Attribute (30), length: 34, Value: 00:08:a2:11:46:18:XG-7100.xyzdomain.com
      	    0x0000:  3030 3a30 383a 6132 3a31 313a 3436 3a31
      	    0x0010:  383a 5847 2d37 3130 302e 6968 6d2e 646b
      14:46:00.141648 00:15:5d:f4:01:01 > 00:08:a2:11:46:18, ethertype IPv4 (0x0800), length 122: (tos 0x0, ttl 128, id 5220, offset 0, flags [none], proto UDP (17), length 108)
          172.16.244.10.1812 > 172.16.255.253.37797: [udp sum ok] RADIUS, length: 80
      	Access-Reject (3), id: 0x59, Authenticator: ccb233604ef84cd8fca5f741c9643982
      	  Vendor-Specific Attribute (26), length: 60, Value: Vendor: Microsoft (311)
      	    Vendor Attribute: 2, Length: 52, Value: .E=691 R=0 C=560d0000496200006c5c0000bf600000 V=3 M=
      	    0x0000:  0000 0137 0236 0145 3d36 3931 2052 3d30
      	    0x0010:  2043 3d35 3630 6430 3030 3034 3936 3230
      	    0x0020:  3030 3036 6335 6330 3030 3062 6636 3030
      	    0x0030:  3030 3020 563d 3320 4d3d
      
      

      From Wireshark on the NPS server I get the output below:

      193496	17148.315796	172.16.244.10	172.16.255.253	RADIUS	122	Access-Reject id=89
      
      Frame 193482: 210 bytes on wire (1680 bits), 210 bytes captured (1680 bits) on interface \Device\NPF_{F8C60B1C-D944-4972-9FC3-EA6F384FAD31}, id 0
          Interface id: 0 (\Device\NPF_{F8C60B1C-D944-4972-9FC3-EA6F384FAD31})
              Interface name: \Device\NPF_{F8C60B1C-D944-4972-9FC3-EA6F384FAD31}
              Interface description: LAN
          Encapsulation type: Ethernet (1)
          Arrival Time: May  1, 2020 14:45:57.457505000 Romance Daylight Time
          [Time shift for this packet: 0.000000000 seconds]
          Epoch Time: 1588337157.457505000 seconds
          [Time delta from previous captured frame: 0.007550000 seconds]
          [Time delta from previous displayed frame: 496.607875000 seconds]
          [Time since reference or first frame: 17146.989823000 seconds]
          Frame Number: 193482
          Frame Length: 210 bytes (1680 bits)
          Capture Length: 210 bytes (1680 bits)
          [Frame is marked: False]
          [Frame is ignored: False]
          [Protocols in frame: eth:ethertype:ip:udp:radius]
          [Coloring Rule Name: UDP]
          [Coloring Rule String: udp]
      
      
      Ethernet II, Src: ADIEngin_11:46:18 (00:08:a2:11:46:18), Dst: Microsof_f4:01:01 (00:15:5d:f4:01:01)
          Destination: Microsof_f4:01:01 (00:15:5d:f4:01:01)
              Address: Microsof_f4:01:01 (00:15:5d:f4:01:01)
              .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
              .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
          Source: ADIEngin_11:46:18 (00:08:a2:11:46:18)
              Address: ADIEngin_11:46:18 (00:08:a2:11:46:18)
              .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
              .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
          Type: IPv4 (0x0800)
      
      
      Internet Protocol Version 4, Src: 172.16.255.253, Dst: 172.16.244.10
          0100 .... = Version: 4
          .... 0101 = Header Length: 20 bytes (5)
          Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
              0000 00.. = Differentiated Services Codepoint: Default (0)
              .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
          Total Length: 196
          Identification: 0x514b (20811)
          Flags: 0x0000
              0... .... .... .... = Reserved bit: Not set
              .0.. .... .... .... = Don't fragment: Not set
              ..0. .... .... .... = More fragments: Not set
          Fragment offset: 0
          Time to live: 64
          Protocol: UDP (17)
          Header checksum: 0xdcb4 [validation disabled]
          [Header checksum status: Unverified]
          Source: 172.16.255.253
          Destination: 172.16.244.10
      
      
      User Datagram Protocol, Src Port: 37797, Dst Port: 1812
          Source Port: 37797
          Destination Port: 1812
          Length: 176
          Checksum: 0x5fb2 [unverified]
          [Checksum Status: Unverified]
          [Stream index: 1839]
          [Timestamps]
              [Time since first frame: 0.000000000 seconds]
              [Time since previous frame: 0.000000000 seconds]
      
      
      RADIUS Protocol
          Code: Access-Request (1)
          Packet identifier: 0x59 (89)
          Length: 168
          Authenticator: 30a703608bdd8398f3e97f0c9fe76b10
          [The response to this request is in frame 193496]
          Attribute Value Pairs
              AVP: t=Service-Type(6) l=6 val=Login(1)
                  Type: 6
                  Length: 6
                  Service-Type: Login (1)
              AVP: t=User-Name(1) l=4 val=ak
                  Type: 1
                  Length: 4
                  User-Name: ak
              AVP: t=Vendor-Specific(26) l=58 vnd=Microsoft(311)
                  Type: 26
                  Length: 58
                  Vendor ID: Microsoft (311)
                  VSA: t=MS-CHAP2-Response(25) l=52 val=01013f6eeb6e6c0714eeb7b967013bf90d90000000000000…
                      Type: 25
                      Length: 52
                      MS-CHAP2-Response: 01013f6eeb6e6c0714eeb7b967013bf90d90000000000000…
              AVP: t=Vendor-Specific(26) l=24 vnd=Microsoft(311)
                  Type: 26
                  Length: 24
                  Vendor ID: Microsoft (311)
                  VSA: t=MS-CHAP-Challenge(11) l=18 val=c67dc961efc1d32c42a9df28ef0f20eb
                      Type: 11
                      Length: 18
                      MS-CHAP-Challenge: c67dc961efc1d32c42a9df28ef0f20eb
              AVP: t=NAS-IP-Address(4) l=6 val=172.16.255.253
                  Type: 4
                  Length: 6
                  NAS-IP-Address: 172.16.255.253
              AVP: t=NAS-Identifier(32) l=16 val=XG-7100.xyzdomain.com
                  Type: 32
                  Length: 16
                  NAS-Identifier: XG-7100.xyzdomain.com
              AVP: t=Called-Station-Id(30) l=34 val=00:08:a2:11:46:18:XG-7100.xyzdomain.com
                  Type: 30
                  Length: 34
                  Called-Station-Id: 00:08:a2:11:46:18:XG-7100.xyzdomain.com
      
      
      

      I have found different posts suggesting it could be caused by NTLMv2 support; however, that has been tried with no success.
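The two things a practitioner would check first in the capture above are what the Access-Reject actually says and whether pfSense can even trust it. The reject carries a Microsoft MS-CHAP-Error VSA whose "E=691" is ERROR_AUTHENTICATION_FAILURE (RFC 2759), i.e. NPS processed the MS-CHAPv2 response and did not accept the credentials; and per RFC 2865 a NAS silently discards any reply whose Response Authenticator does not validate under its shared secret, which would also look like a failed login. The script below is an added example, not code from the original post, pfSense or NPS: it rebuilds the Access-Reject (id 0x59) from the tcpdump hex in the post (the 20-byte header from the decoded fields, the attribute bytes verbatim), decodes the MS-CHAP-Error, and checks the Response Authenticator against a candidate shared secret. SHARED_SECRET is a placeholder assumption; the real secret is not in the post.

```python
"""Decode the captured RADIUS Access-Reject and validate its Response Authenticator.

Added example, not code from the original post, pfSense or NPS. Packet bytes are
rebuilt from the tcpdump hex in the post; SHARED_SECRET is an assumed placeholder.
"""
import hashlib
import hmac
import struct

MS_VENDOR_ID = 311            # Microsoft enterprise number used in RADIUS VSAs
MS_CHAP_ERROR = 2             # vendor type of MS-CHAP-Error (RFC 2548)
SHARED_SECRET = b"replace-me"  # assumption: the RADIUS client secret configured on NPS

# "E=" codes carried in MS-CHAP-Error, from RFC 2759 section 6
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

# Access-Reject id 0x59 as pfSense received it: header rebuilt from the decoded
# fields (code 3, id 0x59, length 80, printed authenticator), AVP bytes verbatim.
REJECT = bytes.fromhex(
    "03 59 0050 ccb233604ef84cd8fca5f741c9643982"   # code, id, length, authenticator
    "1a 3c"                                          # Vendor-Specific (26), length 60
    "0000 0137 0236 0145 3d36 3931 2052 3d30"        # vendor 311, type 2, len 54, ident 1, "E=691 R=0"
    "2043 3d35 3630 6430 3030 3034 3936 3230"
    "3030 3036 6335 6330 3030 3062 6636 3030"
    "3030 3020 563d 3320 4d3d"                       # "... V=3 M="
)
# Request Authenticator of the Access-Request this reply answers (from the capture)
REQUEST_AUTH = bytes.fromhex("30a703608bdd8398f3e97f0c9fe76b10")


def parse_radius(pkt: bytes) -> dict:
    """Parse header and attributes; VSAs become (26, vendor_id, vendor_type, data)."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("RADIUS Length field inconsistent with packet")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        value = pkt[pos + 2:pos + alen]
        if atype == 26 and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vlen < 2 or 4 + vlen > len(value):
                raise ValueError("malformed VSA sub-attribute length")
            attrs.append((atype, vendor_id, vtype, value[6:4 + vlen]))
        else:
            attrs.append((atype, None, None, value))
        pos += alen
    return {"code": code, "id": ident, "authenticator": pkt[4:20], "attrs": attrs}


def decode_mschap_error(data: bytes) -> dict:
    """MS-CHAP-Error value: one Ident byte, then 'E=... R=... C=... V=... M=<msg>'."""
    ident, text = data[0], data[1:].decode("ascii")
    fields = dict(tok.split("=", 1) for tok in text.split(" ", 4))  # M= may contain spaces
    code = int(fields["E"])
    return {
        "ident": ident,
        "error_code": code,
        "error_name": MSCHAP_ERRORS.get(code, "unknown"),
        "retry_allowed": fields.get("R") == "1",
        "challenge": fields.get("C", ""),
        "version": int(fields.get("V", "0")),
        "message": fields.get("M", ""),
    }


def response_authenticator(reply: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()


def reply_is_authentic(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The NAS-side check; a mismatch means the reply is silently discarded."""
    return hmac.compare_digest(response_authenticator(reply, request_auth, secret), reply[4:20])


def build_reply(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Server side of the same computation, to show a reply that does validate."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def analyse_reject(reply: bytes, request_auth: bytes, secret: bytes) -> dict:
    """Decode the MS-CHAP-Error (if any) and report whether the reply validates."""
    parsed = parse_radius(reply)
    result = {"code": parsed["code"], "id": parsed["id"],
              "authentic": reply_is_authentic(reply, request_auth, secret), "mschap_error": None}
    for atype, vendor, vtype, data in parsed["attrs"]:
        if atype == 26 and vendor == MS_VENDOR_ID and vtype == MS_CHAP_ERROR:
            result["mschap_error"] = decode_mschap_error(data)
    return result


if __name__ == "__main__":
    r = analyse_reject(REJECT, REQUEST_AUTH, SHARED_SECRET)
    print(f"code={r['code']} id={r['id']:#x} authentic_with_secret={r['authentic']}")
    print("MS-CHAP-Error:", r["mschap_error"])
```

Run as-is, the reject decodes to MS-CHAP-Error E=691 (ERROR_AUTHENTICATION_FAILURE, R=0 so no retry), which is NPS's generic "credentials not accepted" answer; the specific reason is in the NPS denial event (Event ID 6273 in the Security log). Put the real secret into SHARED_SECRET: if reply_is_authentic() is False for a reply the server really sent, pfSense and NPS disagree on the shared secret and pfSense drops the reply without ever seeing the E=691, which is one explanation for the identical request (same id 0x59, same Request Authenticator) going out again immediately after each reject in the capture.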

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.