Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Freeradius authentication - multiple instances (OVPN & wifi)

    Scheduled Pinned Locked Moved pfSense Packages
    7 Posts 2 Posters 1.7k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      MarianHlusek
      last edited by

      Good afternoon,

      I am exploring the possibilities for FreeRADIUS implementation to authenticate OVPN users as well as wifi devices.
      Currently I use the FreeRADIUS for OVPN authentication and the interface is set on 127.0.0.1. Everything works fine.
      Additionally I am planning to implement the the FreeRADIUS authentication for my wifi APs. I suppose in that case the interface IP address cannot be 127.0.0.1 as this cannot be reached by the APs, right?
      I imagine I could run 2 FreeRADIUS servers on the same pfsense instance. One of them would authenticate the OVPN access, as done until now. The other one would authenticate devices connected to internal wifi via EAP-TLS.
      However when browsing the pfsense interface, I am finding just one general settings (e.g. FreeRADIUS -> EAP -> Certificates for TLS
      Not sure if my conclusions are right, but does that mean I can run just one FreeRADIUS server on one pfsense machine? I can't combine google OTP (OVPN) and EAP-TLS (wifi)?
      Is there any way how I could achieve running this concurrently, please?
      Thanks a lot.

      1 Reply Last reply Reply Quote 0
      • M
        MarianHlusek
        last edited by

        Hi All,

        anyone any good advice that could point me to the right direction?

        Thanks a lot!

        1 Reply Last reply Reply Quote 0
        • M
          MarianHlusek
          last edited by

          Hi there,
          does anyone have any other suggestion how could I solve this? Namely if I am using FreeRADIUS as OVPN authentication, what other solution could I use to solve the wifi authentication?
          Thanks.

          NogBadTheBadN 1 Reply Last reply Reply Quote 0
          • NogBadTheBadN
            NogBadTheBad @MarianHlusek
            last edited by NogBadTheBad

            @marianhlusek

            You can use the same instance for both, I bind to * in the Freeradius setup.

            I auth my IPsec VPN users with an additional check-item of the NAS-Identifier, that way people with a Freeradius IPsec login can't use it for the WiFi.

            NAS-Identifier == strongSwan

            Do a radsniff -x and see if you can see two distinct items to check against.

            Wi-Fi:-
            
            2021-05-03 21:02:26.157681 (23) Accounting-Request Id 75 igb0:172.16.1.11:43489 -> 172.16.0.1:1813 +9.665
            	User-Name = "andyk"
            	NAS-IP-Address = 172.16.1.11
            	Service-Type = Framed-User
            	Framed-IP-Address = 172.16.2.40
            	Class = 0x61646d696e73
            	Called-Station-Id = "92-2A-A8-98-9D-8C:L-Space RADIUS"
            	Calling-Station-Id = "40-9C-28-A2-E0-7E"
            	NAS-Identifier = "922aa8989d8c"
            	NAS-Port-Type = Wireless-802.11
            	Acct-Status-Type = Start
            	Acct-Delay-Time = 0
            	Acct-Session-Id = "703ABEA9DEAE0FE5"
            	Acct-Authentic = RADIUS
            	Acct-Multi-Session-Id = "C87635AFF234D368"
            	Event-Timestamp = "May  3 2021 21:02:26 BST"
            	Connect-Info = "CONNECT 0Mbps 802.11b"
            	WLAN-Pairwise-Cipher = 1027076
            	WLAN-Group-Cipher = 1027076
            	WLAN-AKM-Suite = 1027073
            	Authenticator-Field = 0xe586aa1ee22ca628977a554028cac278
            
            VPN:-
            	
            2021-05-03 21:05:29.503569 (11) Accounting-Request Id 2 lo0:127.0.0.1:38961 -> 127.0.0.1:1813 +2.353
            	User-Name = "andyk-iphone"
            	NAS-IP-Address = xx.xx.xx.xx
            	NAS-Port = 23
            	Service-Type = Framed-User
            	Framed-IP-Address = 172.16.8.1
            	Called-Station-Id = "xx.xx.xx.xx [4500]"
            	Calling-Station-Id = "82.132.185.76[24639]"
            	NAS-Identifier = "strongSwan"
            	NAS-Port-Type = Virtual
            	Acct-Status-Type = Stop
            	Acct-Input-Octets = 500
            	Acct-Output-Octets = 1368
            	Acct-Session-Id = "1619107685-23"
            	Acct-Session-Time = 3
            	Acct-Input-Packets = 7
            	Acct-Output-Packets = 7
            	Acct-Terminate-Cause = User-Request
            	NAS-Port-Id = "con-mobile"
            	Authenticator-Field = 0x2018ca67b8e56b3c97ae382c43ac3275
            

            Screenshot 2021-05-03 at 21.12.47.png

            Andy

            1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

            M 1 Reply Last reply Reply Quote 0
            • M
              MarianHlusek @NogBadTheBad
              last edited by

              @nogbadthebad
              May I ask you to elaborate on this a bit more, please? Is there any "howto" that could help me to set this up?
              If I get it right this part "I bind to * in the Freeradius setup" means, you have in Freeradius->NAS/Clients in the part Client IP Address and asterisk instead an IP address, am I right?
              How then I further setup the authentication? Just entering NAS-Identifier == strongSwan into "Additional RADIUS Attributes (CHECK-ITEM)? Or do I have to setup something else/additional as well?
              Does this work together with google one time password?
              Btw. if I do radsniff -x now, it says:

              radsniff: Failed opening pcap handle (stdin): truncated dump file; tried to read 4 file header bytes, only got 0
              Logging all events
              

              Thank you.

              NogBadTheBadN 1 Reply Last reply Reply Quote 0
              • NogBadTheBadN
                NogBadTheBad @MarianHlusek
                last edited by NogBadTheBad

                @marianhlusek said in Freeradius authentication - multiple instances (OVPN & wifi):

                radsniff: Failed opening pcap handle (stdin): truncated dump file

                Are you running radsniff from the pfsense web page or after a ssh to your router, it needs to be done via ssh and then try and connect via OVPN.

                The users with andyk-device have NAS-Identifier == strongSwan as a check item, andyk doesn't, this means if they tried to connect via WiFI using andyk-device it would fail.

                Screenshot 2021-05-04 at 21.56.44.png

                The NAS-Identifier is the application or device thats doing the radius request, in my case its the IPsec VPN server or the the MAC address of my Ubiquity access point.

                Screenshot 2021-05-04 at 22.05.08.png

                Screenshot 2021-05-04 at 22.06.16.png

                Your best bet would to be have a look here:-

                https://freeradius.org/

                https://freeradius.org/rfc/attributes.html/

                https://wiki.freeradius.org/config/Operators

                Not sure about OTP as I don't use it, but isn't the OTP setting per user, maybe create two accounts per user, one for wifi and the other for VPN.

                Andy

                1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                M 1 Reply Last reply Reply Quote 0
                • M
                  MarianHlusek @NogBadTheBad
                  last edited by

                  @nogbadthebad
                  Cool, looks interesting. Thank you. I'll try.
                  Yes, the Google OTP is per user, so it looks like I'll have to create every user twice (not huge effort).

                  1 Reply Last reply Reply Quote 0
                  • First post
                    Last post
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.