Troubleshoot freeradius2 user authentication

  • Hi, I am having a hard time working out what is wrong with my configuration and I'm hoping that someone can point me in the right direction.

    I have 2 pfsense servers:
    1. firewall pfsense; WAN on, LAN on, OPT1 on
    2. freeradius2 pfsense; WAN on, no other network interfaces
    I want my firewall to be able to authenticate users using radius: end state is an OpenVPN configuration - if I can ever get this to work for me…

    I have interfaces, nas clients and users setup in freeradius2.  I have an authentication server setup on the firewall.

    When I try Diagnostics->Authentication (on the firewall) I get an error: "The following input errors were detected: Authentication failed."  I can see the UDP connection in the firewall log on the radius server, however there are no system log entries (note: I have the radius logs going to the system log).

    When I try Diagnostics->Command Prompt with the radtest command (on the firewall) I get success: "rad_recv: Access-Accept"

    This is a little baffling.  I have a hunch my problem has something to do with having the radius server connected to the OPT interface but I don't know how to get any more information into the logs to help me diagnose the problem.

    btw. I can successfully do radius authentication for my WiFi that operates from an access point connected to a subnet of

    Any help is greatly appreciated

  • Banned


    1. firewall pfsense; WAN on, LAN on, OPT1 on

    Hmmm… So, you have exhausted entire RFC1918 space on your single install. WTF. No, you won't get any OpenVPN configuration work with this. There is no space left for OpenVPN tunnnel network.

  • Stop the Radius service in your pfsense GUI and start it in debugging with radiusd -x in terminal.

  • Get to know your /24s better.  They are you friends (-:

  • @EMWEE:

    Stop the Radius service in your pfsense GUI and start it in debugging with radiusd -x in terminal.

    After starting freeradius with -xx I started getting a lot in the logs.  Unfortunately log entries only appear when using the radtest command.  Nothing seems is logged when I try the Diagnostics->Authentication approach.

    To try an narrow this down a bit I created a new virtual and only setup freeradius on it.  It is a single interface (WAN) system and I disabled all packet filtering (System->Advanced->Firewall/NAT->Disable Firewall).  This is about as minimal a configuration as I can think of.

    Sadly, same result.  I get a result for radtest and nothing for Diagnostics->Authentication.  Perhaps this is a bug in the software…

    I did come across something a little odd though.  When I first tried the radtest command I used the server IP address and it gave me an error "Failed to find IP address for [servername]".  I was surprised since I didn't give the command the server name.  I assume it resolved the name from the IP address but couldn't then resolve the address from the name.  So I added the name to the DNS resovler and the command started working (with IP address and with server name).

Log in to reply