Freeradius authentication over IPSEC



  • Hi, I am trying centralized Radius Authentication for all my PFboxes,

    currently every box has its own freeradius installation, with its own set of Users and Devices,

    I plan to centralize it by having 1 PFbox authenticate all users and devices, over ipsec, openvpn and captive portal etc.

    to test this i added an interface to the central pfbox (pfbox A), and added an NAS/ Devices (remote pfbox) (pfbox B)  which uses it for authentication

    The interface on Pfbox A is set to listen on 10.0.1.1

    After adding the authentication server to Pfbox B i tried the Authentication test from Diagnostics menu but the authentication failed.

    Please advise if i need to add some sort of firewall rule on the IPSEC Tab? and what will this rule look like.

    Thanks.



  • i cannot find a log for authentication issue on the pfbox B,

    Checked the Pfbox A's /var/log/radius.log and it doesnt show any errors.

    any Idea how i can check the log on pfbox B? thanks



  • Hi,

    sorry that I cannot help you directly with your question. But I would suggest to run freeradius on both pfsense machines.
    This makes you independent if your VPN or IPsec tunnel is down.

    I would suggesto to sync the freeradius config from pfsense-A to pfsense-B. So you can manage all users on one box but they will be synced to your other box but when the tunnel is down both sites can authenticate against their local server.

    With your problem:
    I would try to run freeradius from CLI with radius -X and check if the authentication request arrives and will be sent back. And on pfsense box-B you can do a packet capture to check if the response arrives.



  • Hi thanks for your reply,
    Syncing the I'd and pass won't be a problem if they are not encrypted.
    Maybe I can work out something on a windows machine to auto download and upload the config to a  separate machine.

    Thabks


  • Banned

    This won't work out of the box with IPSec for reasons documented here: Why can't I query SNMP, use syslog, NTP, or other services initiated by the firewall itself over IPsec VPN


Log in to reply