RADIUS authentication to WebGUI



  • I'm interested in pfSense authenticating users against radius when they attempt to access the web gui for administering rules, etc. I've spent some time looking into this, but…

    It doesn't appear that lighttpd supports PAM, so that may be the end of the story.

    I would appreciate any ideas on how to accomplish this, or confirmation that this is not reasonably do-able.

    Running 2.0-BETA3.

    Thanks!
    Brett



  • Just delete

    139    if ($auth_server['type'] == 'radius')
    140        continue;

    on the /system_usermanager_settings.php page and it should work AFAIK.



  • Thank you for your response. The change you suggested did allow me to select my radius server for authentication rather than local files.

    However, I receive this error, after entering a username/password on the login screen for the web gui:

    "Fatal error: Class 'Auth_RADIUS_PAP' not found in /etc/inc/auth.inc on line 937"

    Simply returning the /system_usermanager_settings.php file to the original does not return authentication against local files, so I'm sort of stuck on authenticating against radius, which is erroring out.

    I will do some research, but would appreciate all insight on getting radius authentication to work and/or getting back to allowing for local authentication.

    Thanks,
    Brett



  • Just try latest snapshot and report if it works or not.



  • OK. Same result using pfSense-2.0-BETA3-20100727-0812.

    I am able to select my server called 'radius' within User Manager > Settings, but when I attempt to login to the web gui I get the following message:

    "Fatal error: Class 'Auth_RADIUS_PAP' not found in /etc/inc/auth.inc on line 976"

    Testing to my radius server from Diagnostics > Authentication indicates that the actual configuration of my radius client/server is OK.

    Thanks,
    Brett



  • Thought installing 'pear-Auth_RADIUS' might help, but this failed with a lot of messages like this:

    PHP Warning:  PHP Startup: radius: Unable to initialize module
    Module compiled with module API=20060613
    PHP    compiled with module API=20090626
    These options need to match
    in Unknown on line 0
    ….
    Notice: Undefined index: config_vars in Role.php on line 49
    ....
    Warning: Invalid argument supplied for foreach() in PEAR/Command.php on line 259
    ....

    Appears this messed with PHP in general. The pfSense CLI menu seems broken now.....

    Might make sense to someone familiar with PHP (not me. yet!).



  • No, you do not need that.
    Can you try the latest snapshot again?



  • Thanks! Looks like release 20100728-2234 is closer to working. I no longer need to go into that php file and delete the lines, and the response to logging in does not error out any more.

    However, it doesn't appear that pfSense is actually going out to my radius server to authenticate. It uses 'local database' even though I have selected 'radius' (my radius server) as the authentication server (user manager > settings > authentication server).

    As part of having radius authentication, it would also be beneficial to fall back to local database if radius was not available.

    Brett



  • Well, then it's failing your radius attempt and falling back to radius automatically.



  • Here are a couple of things that I've done that lead me to believe that something is going wrong with web gui access authentication:

    (1) When I go to Diagnostics > Authentication and run a test against radius, the response says that everything is OK with radius; the username and password are validated. The 'Save and Test' from the 'server' tab within User Manager, seems a bit off because it indicates it is trying to connect to an LDAP server even though I am trying to 'Save and Test' my radius server at the authentication server. So, I just 'Save' the setting and don't 'Save and Test'.

    (2) If I create a user account on pfSense, called john, give it a password (local database) and do the same on radius except give john a different password, the only way to successfully login through the web gui is to provide the password in the local database; giving the password stored in radius does not work.

    I appreciate your help.

    Brett



  • I never tested that case, but it would authenticate through the radius user first (this is what the code does, at least), and the allowed pages and other features might be taken from the local user.
    Though, as I said, I never tested such a situation.
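    The order described in the post above (try the RADIUS server first, fall back to the local database if it rejects or is unreachable) as an added, self-contained example. This is not pfSense's auth.inc or the PEAR Auth_RADIUS code the thread mentions; it encodes the User-Password attribute the way RFC 2865 section 5.2 specifies, but the server is an in-memory stand-in (FakeRadiusServer), the shared secret and user records are constructed fixtures, and local_entry/authenticate are hypothetical names chosen for this example.

```python
"""Added example (not pfSense code): RFC 2865 PAP Access-Request encoding plus a
RADIUS-first, local-database-fallback check, runnable offline."""
import hashlib
import hmac
import secrets
import struct

CODE_ACCESS_REQUEST, CODE_ACCESS_ACCEPT, CODE_ACCESS_REJECT = 1, 2, 3  # RFC 2865 codes
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2                              # RFC 2865 attributes


def pap_encode_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous block), seeded by the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("PAP password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def pap_decode_password(encoded, secret, authenticator):
    """Server side of the same transform; strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        block = encoded[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(a ^ b for a, b in zip(block, key)), block
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, password, secret):
    """Minimal Access-Request carrying User-Name and User-Password."""
    authenticator = secrets.token_bytes(16)
    enc = pap_encode_password(password, secret, authenticator)
    attrs = (struct.pack("!BB", ATTR_USER_NAME, 2 + len(username)) + username
             + struct.pack("!BB", ATTR_USER_PASSWORD, 2 + len(enc)) + enc)
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(packet):
    """Parse header and TLV attributes, rejecting inconsistent lengths."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return code, ident, packet[4:20], attrs


class FakeRadiusServer:
    """Constructed in-memory stand-in for a RADIUS server (no network)."""
    def __init__(self, secret, users, reachable=True):
        self.secret, self.users, self.reachable = secret, users, reachable

    def handle(self, packet):
        if not self.reachable:
            raise ConnectionError("RADIUS timeout")   # what a dead server looks like
        code, _, authenticator, attrs = parse_packet(packet)
        if code != CODE_ACCESS_REQUEST:
            return CODE_ACCESS_REJECT
        plain = pap_decode_password(attrs[ATTR_USER_PASSWORD], self.secret, authenticator)
        expected = self.users.get(attrs[ATTR_USER_NAME])
        ok = expected is not None and hmac.compare_digest(plain, expected)
        return CODE_ACCESS_ACCEPT if ok else CODE_ACCESS_REJECT


def local_entry(password, salt=None):
    """Hashed local-database record (assumed format, not pfSense's own)."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


def authenticate(username, password, radius, local_db):
    """RADIUS first; local database only if RADIUS rejects or is unreachable.
    Returns the backend that accepted the credentials, or None."""
    try:
        if radius.handle(build_access_request(1, username, password, radius.secret)) == CODE_ACCESS_ACCEPT:
            return "radius"
    except ConnectionError:
        pass                                   # unreachable: fall through to local
    rec = local_db.get(username)
    if rec is not None:
        salt, digest = rec
        if hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", password, salt, 100_000), digest):
            return "local"
    return None


# Constructed fixture mirroring test (2) in the thread: john exists in both
# backends with different passwords; the shared secret is made up.
SECRET = b"testing123"
RADIUS = FakeRadiusServer(SECRET, {b"john": b"radius-pw", b"alice": b"alice-pw"})
LOCAL_DB = {b"john": local_entry(b"local-pw")}
```

    With this ordering, a user present in both backends is accepted with either password, which is what the fallback implies; a wrong password is rejected by RADIUS and then by the local hash, and a down RADIUS server silently falls through to the local database. Note that the client only learns Accept or Reject, so a misconfigured shared secret and a genuinely wrong password look the same from the webGUI side, which is why the Diagnostics test against the server is worth running separately.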



  • Yes, that is the way I was expecting it to work; radius first. However, from that test I mentioned in the previous posting, it appears that this feature is not working. It seems that radius authentication is not being attempted for web gui authentication.

    Regards,
    Brett



  • I just verified that radius authentication to the web gui is working. It is also falling back to local database if radius authentication fails.

    Thanks very much ermal, for your support on this!
    Brett

