RADIUS Authentication method
-
Hello,
I have a Netgate 1100. I have set up OpenVPN using a RADIUS authentication server. The server in question is a Windows 2025 server. When attempting to connect, it tells me that my user credentials are incorrect. However, they are not.
The Network Policy Server log gives an error of: "The user attempted to use an authentication method that is not enabled on the matching network policy."
Not really sure where to check or change the authentication method in RADIUS or the firewall, whichever.
Help?
Brent Jackson
-
-
Did you follow the doc here? https://docs.netgate.com/pfsense/en/latest/recipes/radius-windows.html
-
I followed those instructions, yes.
I did get it to work. What worked was to use a less secure authentication method on my Windows Server Network Policy. I don't understand why I needed to make a change on my Windows server to satisfy a "less secure" method of authentication to work.
This started with a hardware replacement from a failed Netgate 2100 to a Netgate 1100. And about 7 years between A and B.
I guess I am questioning the RADIUS authentication protocol that the Netgate device uses. There seems to be no location to set/verify/view that particular option and/or status of the handshake.
BD
-
Anything logged at the server end?
Which EAP types did you select?
-
said in RADIUS Authentication method:
The user attempted to use an authentication method that is not enabled on the matching network policy.
Yes. Windows NPS Log says: The user attempted to use an authentication method that is not enabled on the matching network policy.
See attached screenshot.
-
EAP-MSCHAPv2 should work without allowing less secure types. Is it set in pfSense?
-
Is EAP-MSCHAPv2 the same as MSCHAPv2?
Brent Jackson
-
Yes. I would expect it to use that if it's selected. Unless it's not top of the list in NPS maybe.
-
@bdjackson said in RADIUS Authentication method:
Is EAP-MSCHAPv2 the same as MSCHAPv2?
Brent Jackson
EDIT - sorry that was not quite correct.
Yes and no. Pure MSCHAPv2 is just sending a RADIUS packet with the MSCHAPv2 password hash directly.
EAP-MSCHAPv2 is still an open session, but the client and the RADIUS server use a protocol framework that allows many different auth methods to encapsulate the MSCHAPv2 packet, still unencrypted though.
PEAP-MSCHAPv2 = Protected Extensible Authentication Protocol = an SSL encrypted "tunnel" between the client and the RADIUS server where the password hash is transmitted within the encrypted session.
-
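The three variants described above differ in how the MSCHAPv2 exchange is carried inside the RADIUS Access-Request, and that carrier is exactly what NPS matches against the "authentication methods" list of a network policy. The following Python script is an added example written for this thread (it is not code from the posters, pfSense, or NPS): it parses the attribute TLVs of an Access-Request and reports whether the credential arrives as plain MSCHAPv2 (Microsoft Vendor-Specific MS-CHAP2-Response), as EAP-MSCHAPv2 (EAP-Message with EAP type 26), or inside PEAP (EAP type 25). The sample packets are constructed inline with zeroed authenticators and dummy response blobs; only the attribute layout follows RFC 2865, RFC 2548 and RFC 3579.

```python
import struct

# RADIUS attribute types (RFC 2865, RFC 2548, RFC 3579) and EAP type codes
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_VENDOR_SPECIFIC = 26
ATTR_EAP_MESSAGE = 79
VENDOR_MICROSOFT = 311
MS_CHAP2_RESPONSE = 25      # Microsoft vendor-type carrying the NT-Response (RFC 2548)
EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
EAP_TYPE_PEAP = 25
EAP_TYPE_MSCHAPV2 = 26
RADIUS_HEADER_LEN = 20      # code, identifier, length, 16-byte authenticator


def parse_attributes(payload):
    """Yield (type, value) for every attribute TLV following the RADIUS header."""
    pos = 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = payload[pos], payload[pos + 1]
        if attr_len < 2 or pos + attr_len > len(payload):
            raise ValueError("bad attribute length")
        yield attr_type, payload[pos + 2:pos + attr_len]
        pos += attr_len


def microsoft_vendor_type(value):
    """Return the vendor-type byte of a Microsoft VSA, or None for other vendors."""
    if len(value) < 6 or struct.unpack("!I", value[:4])[0] != VENDOR_MICROSOFT:
        return None
    return value[4]


def classify_auth_method(packet):
    """Report which authentication carrier an Access-Request uses."""
    if len(packet) < RADIUS_HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    eap_fragments, saw_mschap2, saw_user_password = [], False, False
    for attr_type, value in parse_attributes(packet[RADIUS_HEADER_LEN:]):
        if attr_type == ATTR_EAP_MESSAGE:
            eap_fragments.append(value)
        elif attr_type == ATTR_USER_PASSWORD:
            saw_user_password = True
        elif attr_type == ATTR_VENDOR_SPECIFIC and microsoft_vendor_type(value) == MS_CHAP2_RESPONSE:
            saw_mschap2 = True
    if eap_fragments:
        eap = b"".join(eap_fragments)       # EAP-Message may be split across attributes
        if len(eap) < 5 or eap[0] != EAP_CODE_RESPONSE:
            return "EAP (non-Response or truncated)"
        return {EAP_TYPE_IDENTITY: "EAP Identity (method not yet chosen)",
                EAP_TYPE_PEAP: "PEAP (inner method inside TLS tunnel)",
                EAP_TYPE_MSCHAPV2: "EAP-MSCHAPv2"}.get(eap[4], f"EAP type {eap[4]}")
    if saw_mschap2:
        return "MSCHAPv2 (plain RADIUS, no EAP)"
    if saw_user_password:
        return "PAP"
    return "unknown"


# --- constructed sample packets (not real captures) ---------------------------

def attr(attr_type, value):
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(attributes, identifier=1):
    body = b"".join(attributes)
    authenticator = b"\x00" * 16            # placeholder; a real client sends random bytes
    return struct.pack("!BBH", 1, identifier, RADIUS_HEADER_LEN + len(body)) + authenticator + body


def ms_vsa(vendor_type, data):
    return attr(ATTR_VENDOR_SPECIFIC,
                struct.pack("!I", VENDOR_MICROSOFT) + bytes([vendor_type, len(data) + 2]) + data)


def eap_response(eap_type, data, identifier=1):
    body = bytes([eap_type]) + data
    return struct.pack("!BBH", EAP_CODE_RESPONSE, identifier, 4 + len(body)) + body


PLAIN_MSCHAP2 = build_access_request([
    attr(ATTR_USER_NAME, b"alice"),
    ms_vsa(MS_CHAP2_RESPONSE, b"\x01" * 50),        # dummy 50-byte MS-CHAP2-Response blob
])
EAP_MSCHAP2 = build_access_request([
    attr(ATTR_USER_NAME, b"alice"),
    attr(ATTR_EAP_MESSAGE, eap_response(EAP_TYPE_MSCHAPV2, b"\x02" * 20)),
])
PEAP = build_access_request([
    attr(ATTR_USER_NAME, b"alice"),
    attr(ATTR_EAP_MESSAGE, eap_response(EAP_TYPE_PEAP, b"\x00\x16\x03\x01")),  # flags + TLS record start
])

if __name__ == "__main__":
    for name, pkt in [("plain", PLAIN_MSCHAP2), ("eap", EAP_MSCHAP2), ("peap", PEAP)]:
        print(name, "->", classify_auth_method(pkt))
```

Fed the raw UDP payload of a request captured between the firewall and NPS, the classifier tells you which of the three carriers the client actually sent, so the NPS policy can be checked against what is on the wire rather than against what the client UI label suggests.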
Hmm, this seems familiar....