RADIUS captive portal running over OpenVPN
-
I have a working RADIUS server going to a freshly loaded PFSense version 2.0.1 box. If I use a public IP of the RADIUS server and set the RADIUS NAS IP attribute to the WAN interface it works fine. I can get client authentication through captive portal no problems. I have a VPN tunnel to the same network that the RADIUS server is on. So I put in the LOCAL IP of the RADIUS server into captive portal. Changing the RADIUS NAS IP attribute to LAN or WAN doesnt work. I can never get the RADIUS server to communicate to captive portal RADIUS request. I can "ping" the RADIUS server with a local IP ONLY if I set it to LAN interface. So I am assuming that captive portal wants to send the request out the WAN interface and not hit the default routing table first? Or am I missing something else?
So everything works fine unless I try and use LAN IPs to get to the RADIUS server via the OpenVPN tunnel.
Thanks in advance
-
I have no experience with configuring any RADIUS servers.
I have a working RADIUS server going to a freshly loaded PFSense version 2.0.1 box. If I use a public IP of the RADIUS server and set the RADIUS NAS IP attribute to the WAN interface it works fine.
I presume you mean you configure the RADIUS server to accept requests from the IP address of the pfSense WAN interface.
I can get client authentication through captive portal no problems. I have a VPN tunnel to the same network that the RADIUS server is on. So I put in the LOCAL IP of the RADIUS server into captive portal. Changing the RADIUS NAS IP attribute to LAN or WAN doesnt work.
I would expect you would need to change the NAS IP attribute of the RADIUS server to the IP address of the pfSense end of the OpenVPN tunnel since that will be the source IP address in the requests sent to the RADIUS server. Dependng on the server it might be necessary to restart it so it notices the change.
So I am assuming that captive portal wants to send the request out the WAN interface and not hit the default routing table first? Or am I missing something else?
You possibly just configured the incorrect NAS IP address in the RADIUS server. If the server is appropriately configured it might report access from unexpected IP address in its log.
So everything works fine unless I try and use LAN IPs to get to the RADIUS server via the OpenVPN tunnel.
Not sure what you mean by LAN IPs here.
-
Let me rephrase it. if I have to I can take screenshots from the PF GUI.
The RADIUS server itself is configured and working. It will accept RADIUS request from the WAN IP as well as the local IP of the pfsense box.
Now on the PFsense server if you go to Captive portal down to the Authentication section you put in an IP address. The working configuration is IP 75.149.xxx.xxx which is a public IP. It works fine. Now if I put in an IP of 10.10.1.2 which is the RADIUS servers local IP which is reachable via OpenVPN tunnel it does NOT work.
OpenVPN tunnel is not at fault there are no rules blocking it. I can connect on many ports, ping each other etc. The connection itself is good.
Why I think captive portal is set to use the WAN interface only is becuase if you go to PING utility in PFsense and try pinging 10.10.1.2 on the WAN interface it cant resolve. If I ping 10.10.1.2 from LAN it obviously hits openVPN and works fine. So I think it may be an interface binding issue perhaps?
If you want more info and screenshots let me know
-
Solved ;D
Ok I watched the states table. When the request goes to my radius server it is going by the VPN tunneling IP NOT the local IP of the PFsense. So the PFsense IP according to my RADIUS server is 172.16.50.90 the OpenVPN tunneling IP. Seems wierd but thats all it was.
-
Solved ;D
Ok I watched the states table. When the request goes to my radius server it is going by the VPN tunneling IP NOT the local IP of the PFsense. So the PFsense IP according to my RADIUS server is 172.16.50.90 the OpenVPN tunneling IP. Seems wierd but thats all it was.
Are you using freeradius1 or freeradius2 package on pfsense ?
If you are using freeradius2 package and you enabled logging then there should be an output in the syslog that RADIUS isn't accepting requests from client with IP A.B.X.Y.
-
Using freeradius2 I am launching it via -X so I can see all debug info. There still is a problem. So in clients.conf I have to specify not only my WAN Ip address of the PFsense server but also the tunnel IP of the PFsense box. This is because in PFsense captive portal you have to specifcy RADIUS NAS IP attribute as either WAN or LAN. Theres no way to type in a value. Thats what I got the issue narrowed down too.
-
Sorry I am using a fresh load of PFSense 2.0.1 no additional packages installed on that client end. The FREERADIUS serer I am using is a custom built CentOS 5 server with built from source FreeRADIUS2
-
I am not sure what you mean, but every NAS has an IP address. You have to enter this IP address in clients.conf.
If there is NAT between the NAS and the RADIUS server then there should be an output in radiusd -X that freeradius is not accepting packets from this IP. then just add it to clients.conffurther freeradius2 is able to listen on different interfaces for requests. you just have to configure this in a seperate "listen { }" section in radiusd.conf.
That are all general information which I am sure you all know about.
But I do not know the difference between "RADIUS NAS IP = WAN" or "RADIUS NAS IP = LAN".PS: If you find some time it would be nice if you could post a feedback if the new FreeRADIUS2 package from pfsense can help you in your environment or you could test some features :-)
-
Nachtfalke I will post some screen shots and give some feedback.
I have 2 PFsense firewalls connected via OpenVPN. PF1 has a RADIUS server behind it on a CentOS5 box. PF2 is a Captive Portal server servicing clients. On PF2 I can not choose an identifier IP other then LAN or WAN as per the captive portal configuration page. What is happening is RADIUS server is seeing PF2 request coming from OpenVPNs tunneling IPs then also the identifier IP. So in my RADIUS server clients.conf I have to specifiy the tunneling IP as well as the identifier IP.
Hope this helps a bit more. I been busy on projects I will get more feedback as I weed out issues on my end or something I may have mis configured.
-
Working with PFsense commercial support…. heres the rough fix.
If you go to FIrewall > Virtual IP and put in the OpenVPN Tunnel IP as a OTHER type it will create a placeholder. Make sure its your tunnel IP so if my tunnel network for my VPN is 172.16.50.88/30 my tunnel IP for the server is 172.16.50.90
Once that is done you can go to Captive portal down to your RADIUS NAS IP attribute and specify that virtual IP you created.
This works and test well. If you are like me and have a backup RADIUS server over a seperate OpenVPN you are out of luck. You cant have a seperate RADIUS NAS IP attribute for each RADIUS server connection. So on the secondary RADIUS server you will have to specify both your tunneling IP and RADIUS NAS IP attribute in your clients.conf for it to process correctly
Other then that test have been working well. I plan to put a larger site in production use as a final test phase within a week or so.
PFsense support was very quick and help as usual thanks again guys!
-
Thanks for your feedback. Now I know what your problem was like. Thanks for sharing this info!