Netgate Discussion Forum

[Solved] Get PfSense to send 'correct' password to Radius

General pfSense Questions
    basse
    last edited by Feb 5, 2015, 11:08 AM Feb 3, 2015, 3:10 PM

    Hello.

    I am using L2TP+Ipsec.
    I followed this guide to set up radius with google authenticator.
    http://www.supertechguy.com/help/security/freeradius-google-auth
    I got the testing to work locally on the radius machine.

    The problem is, it seems that PfSense sends some sort of "Chap" password to the radius machine.
    I want pfsense to send the password exactly as it is entered!

    This is what I get when debugging freeradius:
    rad_recv: Access-Request packet from host 192.168.1.1 port 61227, id=236, length=141
            NAS-Identifier = "pfSense.localdomain"
            NAS-Port = 0
            NAS-Port-Type = Virtual
            Service-Type = Framed-User
            Framed-Protocol = PPP
            Calling-Station-Id = "79…...."
            User-Name = "vpnuser"
            CHAP-Password = 0x0165460e3083xxxxxxxxxxxxxxxxx
            CHAP-Challenge = 0xbb1e6865afef087bd121aa2f16xxxxxxxxxxxxxx

    Why isn't the password there?

    Error:
    Tue Feb  3 15:50:34 2015 : Auth: rlm_pam: Attribute "User-Password" is required for authentication.  Cannot use "CHAP-Password".

    This is how the testing is done:
    radtest test test123696720 localhost 18120 testing123

    This is what I do when I connect:
    The bold above is the password for the user + gauth token. This is also what I enter from where I try to connect.
    How do I get PfSense to send that raw-password to the radius machine instead of the CHAP things?

      basse
      last edited by Feb 5, 2015, 11:08 AM Feb 4, 2015, 12:14 PM

      Ok this is driving me crazy.
      I added my radius server under System -> User Manager -> Servers
      Then I go to Diagnostics -> Authentication, and it works.
      Thru this way, pfsense sends the correct authentication parameters to the radius server:

      But as soon as I enter the Radius server in the L2TP config, it sends the CHAP-crap instead. WHY?
      It says:

      When set, all users will be authenticated using the RADIUS server specified below. The local user database will not be used.

      And the local user database under the "users" tab is using "normal" user passwords.
      So why doesn't the L2TP flow send the user's password to RADIUS?!

      The only thing I can think of is the "authentication type" which is CHAP, but changing that to PAP does not help.

        basse
        last edited by Feb 5, 2015, 11:07 AM

        Ok I found the issue. Due to a bug in the gui-code, the PAP-setting wasn't written to disk.
        After fixing this, everything now works.

        https://github.com/pfsense/pfsense/pull/1472

        /Basse
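
Why the Access-Request in the first post carries nothing rlm_pam can use, as an added example that is not part of the original thread: with PAP the RADIUS server undoes the User-Password hiding with the shared secret (RFC 2865), while CHAP-Password is only an MD5 digest that can be checked against a password the server already knows. The password and secret are the radtest values from the first post; the authenticator and challenge bytes are constructed.

```python
import hashlib
import hmac

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: hide User-Password using the shared secret."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def pap_recover(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the RADIUS server does: undo the hiding and get the typed password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")

def chap_password(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 section 5.3: ident octet + MD5(ident + password + challenge)."""
    ident = bytes([chap_id])
    return ident + hashlib.md5(ident + password + challenge).digest()

def chap_verify(attr: bytes, challenge: bytes, known_password: bytes) -> bool:
    """Only possible when the server already holds the cleartext password."""
    expected = chap_password(attr[0], known_password, challenge)
    return hmac.compare_digest(attr, expected)

# Values from the radtest line in the first post.
PASSWORD = b"test123696720"   # user password + one-time token
SECRET = b"testing123"
# Constructed sample bytes (a real NAS uses random values per request).
AUTHENTICATOR = bytes(range(16))
CHALLENGE = bytes(range(16, 32))

if __name__ == "__main__":
    hidden = pap_hide(PASSWORD, SECRET, AUTHENTICATOR)
    print("PAP  server recovers:", pap_recover(hidden, SECRET, AUTHENTICATOR))
    attr = chap_password(1, PASSWORD, CHALLENGE)
    print("CHAP server receives:", attr.hex(), "(digest only)")
    print("CHAP verifiable with known password:", chap_verify(attr, CHALLENGE, PASSWORD))
```

A PAM backend that checks a password plus a time-based token needs the recovered string itself, which matches the rlm_pam error in the first post about requiring User-Password.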
