Netgate Discussion Forum

Freeradius authentication over IPSEC

pfSense Packages

abidkhanhk:

Hi, I am trying centralized Radius authentication for all my PFboxes.

Currently every box has its own freeradius installation, with its own set of users and devices.

I plan to centralize it by having 1 PFbox authenticate all users and devices, over IPsec, OpenVPN, captive portal, etc.

To test this I added an interface to the central pfbox (pfbox A), and added a NAS/device (the remote pfbox, pfbox B) which uses it for authentication.

The interface on pfbox A is set to listen on 10.0.1.1.

After adding the authentication server to pfbox B I tried the Authentication test from the Diagnostics menu, but the authentication failed.

Please advise if I need to add some sort of firewall rule on the IPsec tab, and what this rule would look like.

Thanks.

abidkhanhk:

I cannot find a log for the authentication issue on pfbox B.

I checked pfbox A's /var/log/radius.log and it doesn't show any errors.

Any idea how I can check the log on pfbox B? Thanks.

Nachtfalke:

Hi,

Sorry that I cannot help you directly with your question, but I would suggest running freeradius on both pfSense machines.
This makes you independent if your VPN or IPsec tunnel is down.

I would suggest syncing the freeradius config from pfsense-A to pfsense-B. That way you can manage all users on one box, they will be synced to your other box, and when the tunnel is down both sites can still authenticate against their local server.

With your problem:
I would try to run freeradius from the CLI with radius -X and check whether the authentication request arrives and a reply is sent back. And on pfSense box B you can do a packet capture to check whether the response arrives.

abidkhanhk:

Hi, thanks for your reply.
Syncing the ID and pass won't be a problem if they are not encrypted.
Maybe I can work out something on a Windows machine to auto download and upload the config to a separate machine.

Thanks

doktornotor:

              This won't work out of the box with IPSec for reasons documented here: Why can't I query SNMP, use syslog, NTP, or other services initiated by the firewall itself over IPsec VPN

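Added example, not from this thread and not pfSense or FreeRADIUS code. It ties together Nachtfalke's advice (check whether the request reaches the server and whether the reply makes it back) and doktornotor's point (traffic the firewall itself originates normally does not enter the IPsec tunnel, because it is sourced from an address outside the Phase 2 selector). The probe below builds a RADIUS PAP Access-Request per RFC 2865, binds its UDP socket to a chosen local address so the packet leaves with an in-tunnel source, and validates the Response Authenticator before trusting an Accept or Reject. The server address 10.0.1.1 is the one from the thread; the shared secret, the test user and the 10.0.2.1 bind address are constructed placeholders.

```python
"""Constructed RADIUS PAP probe (example code, not pfSense or FreeRADIUS code).
Builds an Access-Request per RFC 2865, sends it from a chosen source address,
and validates the Response Authenticator of whatever comes back."""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def attr(attr_type: int, value: bytes) -> bytes:
    """One TLV attribute: type, total length (including the 2-byte header), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(user, password, secret, nas_ip, ident=None, authenticator=None):
    """Return (packet, ident, request_authenticator). A fixed ident/authenticator
    may be passed so that the packet is reproducible in a test."""
    ident = os.urandom(1)[0] if ident is None else ident
    authenticator = os.urandom(16) if authenticator is None else authenticator
    attrs = (attr(ATTR_USER_NAME, user.encode())
             + attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, ident, authenticator


def verify_response(reply: bytes, request_authenticator: bytes, secret: bytes, ident: int) -> bool:
    """Response Authenticator must equal MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    A reply that fails this check is discarded instead of being read as Accept/Reject."""
    if len(reply) < 20:
        return False
    _code, rid, length = struct.unpack("!BBH", reply[:4])
    if rid != ident or length != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return expected == reply[4:20]


def make_server_reply(code: int, ident: int, request_authenticator: bytes, secret: bytes,
                      attrs: bytes = b"") -> bytes:
    """What a well-behaved server sends back; used here to exercise verify_response offline."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs


def probe(server_ip: str, secret: bytes, user: str, password: str,
          bind_ip: str, timeout: float = 3.0) -> str:
    """Send one Access-Request with the socket bound to bind_ip (e.g. the LAN address
    that sits inside the IPsec Phase 2 selector) and classify the outcome."""
    pkt, ident, req_auth = build_access_request(user, password, secret, bind_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_ip, 0))          # the source address decides whether the IPsec policy matches
        sock.settimeout(timeout)
        sock.sendto(pkt, (server_ip, 1812))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"             # nothing came back: capture on both ends to see where it stopped
    if not verify_response(reply, req_auth, secret, ident):
        return "invalid"                 # secret mismatch, or a tampered/replayed reply
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(reply[0], "other")


if __name__ == "__main__":
    # Constructed placeholders: substitute the real server, shared secret and local LAN address.
    print(probe("10.0.1.1", b"shared-secret", "testuser", "testpass", "10.0.2.1"))
```

Run it on the remote box while the central server runs in debug mode: "timeout" with no request visible on the server side means the packet never traversed the tunnel (compare a capture on the LAN-side address with one on WAN), "timeout" with the request visible but no reply means the return path is the problem, and "invalid" points at a shared-secret mismatch or something rewriting the reply. Because the socket is bound to an inside address, the probe also shows what the built-in test lacks: when a request sourced from the LAN address succeeds while the GUI test fails, the firewall's own source-address selection is the cause, and the remedy is to make the firewall originate that traffic from an address the Phase 2 covers rather than to add an IPsec-tab rule.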
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.