[Solved] Get PfSense to send 'correct' password to Radius



  • Hello.

    I am using L2TP+Ipsec.
    I followed this guide to set up radius with google authenticator.
    http://www.supertechguy.com/help/security/freeradius-google-auth
    I got the testing to work locally on the radius machine.

    The problem is, it seems that PfSense sends some sort of "Chap" password to the radius machine.
    I want pfsense to send the password exactly as it is entered!

    This is what I get when debugging freeradius:
    rad_recv: Access-Request packet from host 192.168.1.1 port 61227, id=236, length=141
            NAS-Identifier = "pfSense.localdomain"
            NAS-Port = 0
            NAS-Port-Type = Virtual
            Service-Type = Framed-User
            Framed-Protocol = PPP
            Calling-Station-Id = "79…...."
            User-Name = "vpnuser"
            CHAP-Password = 0x0165460e3083xxxxxxxxxxxxxxxxx
            CHAP-Challenge = 0xbb1e6865afef087bd121aa2f16xxxxxxxxxxxxxx

    Why isn't the password there?

    Error:
    Tue Feb  3 15:50:34 2015 : Auth: rlm_pam: Attribute "User-Password" is required for authentication.  Cannot use "CHAP-Password".

    This is how the testing is done:
    radtest test test123696720 localhost 18120 testing123

    This is what I do when I connect:
    The bold above is the password for the user + gauth token. This is also what I enter from where I try to connect.
    How do I get PfSense to send that raw-password to the radius machine instead of the CHAP things?



  • Ok this is driving me crazy.
    I added my radius server under System->User manager > Servers
    Then I go to Diagnostics -> Authentication, and it works.
    Through this way, pfsense sends the correct authentication parameters to the radius server:

    But as soon as I enter the Radius server in the L2TP config, it sends the CHAP-crap instead. WHY?
    It says:

    When set, all users will be authenticated using the RADIUS server specified below. The local user database will not be used.

    And the local user database under the "users" tab is using "normal" user passwords.
    So why doesn't the L2TP flow send the users password to RADIUS?!

    The only thing I can think of is the "authentication type" which is CHAP, but changing that to PAP does not help.
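As an added illustration (example code, not part of this thread or of pfSense/FreeRADIUS), the following parses a RADIUS Access-Request and classifies what the NAS sent: PAP carries User-Password, which rlm_pam can hand to the PAM/OTP stack, while CHAP carries only MD5(ident || password || challenge), which the server can verify solely if it already holds the cleartext password (impossible for a per-login OTP). The sample packet, challenge and password are constructed here, not captured from the poster's setup.

```python
import hashlib
import struct

# RFC 2865 attribute type codes used in this example
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 2, 3, 60
ACCESS_REQUEST = 1


def build_access_request(avps, ident=236, authenticator=b"\x11" * 16):
    """Assemble a RADIUS Access-Request: 20-byte header, then type/len/value AVPs."""
    body = b"".join(bytes([atype, len(value) + 2]) + value for atype, value in avps)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator
    return header + body


def parse_access_request(packet):
    """Return (request_authenticator, {attr_type: value}) after checking framing."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    avps, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        avps[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return packet[4:20], avps


def auth_method(avps):
    """Classify what the NAS sent; this is the check FreeRADIUS's rlm_pam error is about."""
    if USER_PASSWORD in avps:
        return "PAP"    # secret-obfuscated cleartext: usable by rlm_pam / OTP backends
    if CHAP_PASSWORD in avps:
        return "CHAP"   # hashed response only: server must already know the cleartext
    return "unknown"


def chap_verify(authenticator, avps, cleartext_password):
    """RFC 1994 check; without a CHAP-Challenge attribute the Request Authenticator
    is the challenge (RFC 2865). Needs the cleartext, so it cannot work with OTPs."""
    value = avps[CHAP_PASSWORD]
    ident, response = value[0], value[1:]
    challenge = avps.get(CHAP_CHALLENGE, authenticator)
    return response == hashlib.md5(bytes([ident]) + cleartext_password + challenge).digest()


# Constructed sample of what an L2TP server left on CHAP would send (values made up here).
CHALLENGE = bytes(range(16))
SECRET_PW = b"test123696720"  # password followed by the OTP digits, as typed by the user
CHAP_VALUE = bytes([1]) + hashlib.md5(bytes([1]) + SECRET_PW + CHALLENGE).digest()
CHAP_REQUEST = build_access_request(
    [(USER_NAME, b"vpnuser"), (CHAP_PASSWORD, CHAP_VALUE), (CHAP_CHALLENGE, CHALLENGE)])
```

Running `auth_method` over the attributes of a captured request is a quick way to confirm, on the RADIUS side, whether the PAP setting actually took effect after the configuration change.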



  • Ok I found the issue. Due to a bug in the gui-code, the PAP-setting wasn't written to disk.
    After fixing this, everything now works.

    https://github.com/pfsense/pfsense/pull/1472

    /Basse