pfSense as RADIUS server for multiple pfSense portals



  • I am trying to find an inexpensive solution to provide a solution for an office with 8 locations.  Each location will have a pfSense.  Can I use a VMware pfSense at a colocation facility to provide RADIUS auth with the 8 remote pfSense with portal?

    Would they have to do so via VPN or could they connect via public IP to the VM pfsense?

    Any feedback would be appreciated.



  • @kapara:

    I am trying to find an inexpensive solution to provide a solution for an office with 8 locations.  Each location will have a pfSense.  Can I use a VMware pfSense at a colocation facility to provide RADIUS auth with the 8 remote pfSense with portal?

    Sure, FreeRADIUS package.

    @kapara:

    Would they have to do so via VPN or could they connect via public IP to the VM pfsense?

    Either/or. Personally I'd run it over a VPN, but I know of many who just use a public IP.



  • Ok.  I am going to try.

    FreeRadius will be installed on Virtual pfSense at remote colocation.

    8 offices will point to radius at colo for auth.

    Is there a problem if one of the sites has a dynamic IP?  I noticed that the client fields request an IP to be assigned.  Is that mandatory?



  • @kapara:

    Is there a problem if one of the sites has a dynamic IP?  I noticed that the client fields request an IP to be assigned.  Is that mandatory?

    Depends on your RADIUS config; usually the IP must be static. You may need to set up an OpenVPN server at the main end and have the remote locations use an OpenVPN client into it. You don't need any routing (blank local and remote networks), just the tun IP that will be assigned when it connects. I would do that with a PKI server, with a static IP client override for each location. The book (http://pfsense.org/book) details how to do that.



  • Hi.
    So, having issues.  Not as easy as I was hoping…

    Configured Virtual pfSense.
    Left WAN rules open for testing.
    Installed Radius

    On Virtual pfSense with Radius installed.
    Added Client:
    Client IP: (My WAN on Home_pfSense)
    Shortname: MHDHOME
    Shared password: abc123
    Desc: Test

    3.
    On pfSense Firewall at Datacenter
    Add port forwarding to port TCP 1812 to pfSense Virtual WAN port 10.20.30.210 from external IP
    Add port forwarding to port TCP 80 (HTTP) to pfSense Virtual WAN port 10.20.30.210 from external IP
    Successfully connected to port 80 via public IP confirming access.

    4.
    On Home_pfSense.
    Assigned OPT1 10.20.10.1/24
    Enabled DHCP and set dns to 10.20.10.1
    Enabled Captive Portal on OPT1
    Selected radius
    Primary RADIUS server: entered public IP assigned to virtual pfSense for ports 1812 and 80.
    Entered shared password: abc123
    Created custom pages.

    When logging on I am redirected to the portal page.  After entering the username and password for the user I get:

    http://10.20.10.1:8000/

    500 - Internal Server Error

    When I look at the logs for RADIUS:

    Tue Jan  4 05:01:08 2011 : Info: Using deprecated naslist file.  Support for this will go away soon.
    Tue Jan  4 05:01:08 2011 : Info: Using deprecated naslist file.  Support for this will go away soon.
    Tue Jan  4 05:01:08 2011 : Error: There appears to be another RADIUS server running on the authentication port 1812
    Tue Jan  4 05:01:08 2011 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?
    Tue Jan  4 04:57:23 2011 : Info: Ready to process requests.
    Tue Jan  4 07:48:29 2011 : Info: Using deprecated naslist file.  Support for this will go away soon.
    Tue Jan  4 07:48:29 2011 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?
    Tue Jan  4 07:48:29 2011 : Info: Ready to process requests.
    Tue Jan  4 07:49:32 2011 : Info: Using deprecated naslist file.  Support for this will go away soon.
    Tue Jan  4 07:49:32 2011 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?
    Tue Jan  4 07:49:32 2011 : Info: Ready to process requests.
    Tue Jan  4 07:58:16 2011 : Info: Using deprecated naslist file.  Support for this will go away soon.
    Tue Jan  4 07:58:16 2011 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?
    Tue Jan  4 07:58:16 2011 : Info: Ready to process requests.
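    As an added example (not from this thread, and not pfSense or FreeRADIUS code), here is a small Python client that does what the captive portal does when a user logs in: it sends one RADIUS Access-Request with a PAP-hidden User-Password to the server and verifies the reply's Response Authenticator against the shared secret. Running it from a remote site tells you whether the colo server is reachable and whether the secret matches; it assumes the server IP, username and password you pass in, and uses PAP as the password method. RADIUS authentication is carried over UDP port 1812 (RFC 2865), so that is the port and protocol a firewall in front of the server has to pass.

```python
import hashlib, hmac, os, socket, struct

def pap_encrypt(password, secret, authenticator):
    # RFC 2865 s5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block), chained from the Request Authenticator.
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def pap_decrypt(hidden, secret, authenticator):
    # Inverse of pap_encrypt (what the server does before checking the password).
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(username, password, secret, identifier=1, authenticator=None):
    # Code 1 = Access-Request, carrying User-Name (type 1) and the hidden User-Password (type 2).
    authenticator = authenticator or os.urandom(16)
    hidden = pap_encrypt(password, secret, authenticator)
    attrs = bytes([1, 2 + len(username)]) + username + bytes([2, 2 + len(hidden)]) + hidden
    header = struct.pack("!BBH", 1, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator

def build_response(code, identifier, request_authenticator, secret, attrs=b""):
    # Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret).
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def response_is_authentic(response, request_authenticator, secret):
    # Discard replies that do not verify against our secret and request authenticator.
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def radius_login_check(server_ip, secret, username, password, port=1812):
    # One Access-Request over UDP: RADIUS authentication is UDP/1812, not TCP.
    packet, authenticator = build_access_request(username, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(3)
        sock.sendto(packet, (server_ip, port))
        reply, _ = sock.recvfrom(4096)  # raises socket.timeout if nothing answers
    if not response_is_authentic(reply, authenticator, secret):
        return "bad-authenticator"  # wrong shared secret, or a forged/mangled reply
    return "accept" if reply[0] == 2 else "reject"  # Code 2 = Access-Accept
```

    A "timeout" from the remote site with the same secret that works locally points at the port forward or firewall rule; a "bad-authenticator" means the server answered but the secrets differ.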

