Netgate Discussion Forum

Does Diagnostics -> Authentication actually work for testing RADIUS servers?

8 Posts 3 Posters 786 Views
    zippydan
    last edited by Mar 27, 2024, 8:12 PM

    In System Manager -> Users -> Authentication Servers I have defined two authentication servers: one LDAP and one RADIUS both pointing to the same Windows 2022 domain controller managing my AD and also running NPAS.

    In Diagnostics -> Authentication, I have tested the EXACT SAME user and same password (in fact, I don't change them, I am just changing the server tested), and the LDAP test passes while the RADIUS test fails.

    Well, you might say I have my RADIUS server configured incorrectly... except that I have an OpenVPN server configured in VPN -> OpenVPN -> Servers that is set to use SSL/TLS + User Auth, where the Backend for authentication is the RADIUS server, and it successfully works to authenticate my incoming OpenVPN clients.

    It seems that using Diagnostics -> Authentication doesn't toss any info into Status -> System Logs (or I can't find it under the Authentication tab anyway), so I have no idea how I can investigate further why the Diagnostics is failing, and whether or not I should be concerned.

      NogBadTheBad @zippydan
      last edited by Mar 28, 2024, 8:41 AM

      @zippydan SSH onto your router and run radsniff -x; you should be able to debug from the output.

      Andy

      1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

        keyser Rebel Alliance @zippydan
        last edited by Mar 28, 2024, 10:35 PM

        @zippydan As far as I recall, the “Authentication” test only works for PAP (cleartext) authentication setups using RADIUS.
        If your policies or needs require CHAP or anything more advanced like CHAPv2 or any kind of EAP, it won’t work because it has no “how to encrypt the test” settings.

        Love the no fuss of using the official appliances :-)

          zippydan @keyser
          last edited by zippydan Mar 29, 2024, 3:44 AM Mar 29, 2024, 3:24 AM

          @keyser If I recall correctly, I am using CHAPv2 on my Windows Server RADIUS server. It seems that support for testing with encryption should be included...

          I mean, you have to select an already defined server when running an authentication test, so pfSense has all the information it needs about what encryption is used...

            keyser Rebel Alliance @zippydan
            last edited by Mar 29, 2024, 8:42 AM

            @zippydan Yeah - well, at least for CHAP/CHAPv2 it does. EAP not so much :-)

            In Windows NPS it's a simple tickbox to enable PAP temporarily on your policy, so it should be quite fast to do a simple test.

              keyser Rebel Alliance @zippydan
              last edited by Mar 29, 2024, 8:43 AM

              @zippydan But… your domain policy needs to allow reversible encryption (not enabled by default). So if that policy is not enabled, it won’t work regardless of PAP or not.

                zippydan @keyser
                last edited by Mar 29, 2024, 11:02 PM

                @keyser My point is this... if pfSense can receive a connection request via the defined OpenVPN server and pass the supplied credentials through the defined pipeline for the defined RADIUS server with its defined security parameters within the defined Authentication servers, why can it not pass a manual authentication test through the same already defined pipeline?

                  keyser Rebel Alliance @zippydan
                  last edited by Mar 29, 2024, 11:15 PM

                  @zippydan I don’t think you understand how RADIUS works. The exchange with RADIUS is done between the “authenticator” and the RADIUS server. The authenticator in your setup is OpenVPN. pfSense’s RADIUS setup knows nothing about how/what data is passed between RADIUS and OpenVPN - nor does it know anything about what encryption it might have.
                  So what you are asking would require pfSense’s “test authentication” module to have a full authenticator feature set. Not a simple task, and certainly a lot of code for no real benefit. But it would be nice if it at least had a PAP/CHAP/CHAPv2 selector box for the test, as the last two are standard hash modules where all the code is readily available and would be easy to implement.

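The PAP versus CHAP distinction keyser draws in the replies above, as an added example that is not part of the thread and not pfSense code: the RFC 2865 encodings a RADIUS client puts on the wire for each method, built and checked with constructed user names, shared secrets and authenticators. It shows why a tester has to know the method (the two attributes are computed differently) and why the server needs the cleartext password in both cases; MS-CHAPv2 and EAP are different exchanges and are not covered.

```python
import hashlib
import struct

# Added example (not pfSense code): RFC 2865 PAP (5.2) and CHAP (5.3) encodings.
# A PAP client sends the password itself, obfuscated with the shared secret; a
# CHAP client sends a challenge response. MS-CHAPv2 and EAP are different
# exchanges and are not shown. Secrets and authenticators here are constructed.
ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 2, 3, 60

def pap_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Pad to a 16-byte multiple, XOR each block with MD5(secret || previous block),
    the first 'previous block' being the 16-byte Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def pap_recover(encrypted: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the RADIUS server gets the cleartext back, so it must hold a
    password it can compare cleartext against (in AD: reversible encryption)."""
    out, prev = b"", authenticator
    for i in range(0, len(encrypted), 16):
        out += bytes(c ^ k for c, k in zip(encrypted[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = encrypted[i:i + 16]
    return out.rstrip(b"\x00")

def chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password attribute: ident || MD5(ident || password || challenge)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()

def chap_verify(attr: bytes, password: bytes, challenge: bytes) -> bool:
    """The server recomputes the response, so it also needs the cleartext password."""
    return attr == chap_password(attr[0], password, challenge)

def access_request(pkt_id: int, authenticator: bytes, attrs: list) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16), then type/length/value attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, pkt_id, 20 + len(body)) + authenticator + body

def parse_attrs(packet: bytes) -> dict:
    """Return {type: value} for the attributes after the 20-byte header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return attrs
```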
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.