Troubleshoot freeradius2 user authentication
-
Hi, I am having a hard time working out what is wrong with my configuration and I'm hoping that someone can point me in the right direction.
I have 2 pfsense servers:
1. firewall pfsense; WAN on 10.0.0.0/8, LAN on 192.168.0.0/16, OPT1 on 172.16.0.0/16
2. freeradius2 pfsense; WAN on 172.16.0.0/16, no other network interfaces
I want my firewall to be able to authenticate users using RADIUS: the end state is an OpenVPN configuration - if I can ever get this to work for me… I have interfaces, NAS clients and users set up in freeradius2. I have an authentication server set up on the firewall.
When I try Diagnostics->Authentication (on the firewall) I get an error: "The following input errors were detected: Authentication failed." I can see the UDP connection in the firewall log on the radius server, however there are no system log entries (note: I have the radius logs going to the system log).
When I try Diagnostics->Command Prompt with the radtest command (on the firewall) I get success: "rad_recv: Access-Accept"
This is a little baffling. I have a hunch my problem has something to do with having the radius server connected to the OPT interface but I don't know how to get any more information into the logs to help me diagnose the problem.
BTW, I can successfully do RADIUS authentication for my WiFi that operates from an access point connected to a subnet of 192.168.0.0/16.
Any help is greatly appreciated.
-
@tyn:
1. firewall pfsense; WAN on 10.0.0.0/8, LAN on 192.168.0.0/16, OPT1 on 172.16.0.0/16
Hmmm… So, you have exhausted the entire RFC1918 space on your single install. WTF. No, you won't get any OpenVPN configuration to work with this. There is no space left for the OpenVPN tunnel network.
-
Stop the Radius service in your pfsense GUI and start it in debugging with radiusd -x in terminal.
-
Get to know your /24s better. They are your friends (-:
-
Stop the Radius service in your pfsense GUI and start it in debugging with radiusd -x in terminal.
After starting freeradius with -xx I started getting a lot in the logs. Unfortunately log entries only appear when using the radtest command. Nothing seems to be logged when I try the Diagnostics->Authentication approach.
To try and narrow this down a bit I created a new virtual and only set up freeradius on it. It is a single interface (WAN) system and I disabled all packet filtering (System->Advanced->Firewall/NAT->Disable Firewall). This is about as minimal a configuration as I can think of.
Sadly, same result. I get a result for radtest and nothing for Diagnostics->Authentication. Perhaps this is a bug in the software…
I did come across something a little odd though. When I first tried the radtest command I used the server IP address and it gave me an error "Failed to find IP address for [servername]". I was surprised since I didn't give the command the server name. I assume it resolved the name from the IP address but couldn't then resolve the address from the name. So I added the name to the DNS resolver and the command started working (with IP address and with server name).
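As an added example, not posted by anyone in this thread and not pfSense or FreeRADIUS code: the Access-Request/Access-Accept exchange that radtest performs, built by hand per RFC 2865 so the PAP password obfuscation and the Response Authenticator can be checked offline. A reply whose authenticator does not verify under your shared secret is the signature of a secret mismatch between the NAS client entry and the firewall, which is one of the things worth ruling out when the GUI test fails while radtest passes. The secret, user name, password and NAS IP below are constructed values, not from the thread.

```python
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pap_encrypt(secret: bytes, req_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out


def pap_decrypt(secret: bytes, req_auth: bytes, encrypted: bytes) -> bytes:
    """Inverse of pap_encrypt (server side); trailing NULs are padding, not password."""
    out, prev = b"", req_auth
    for i in range(0, len(encrypted), 16):
        block = encrypted[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def attr(t: int, value: bytes) -> bytes:
    return struct.pack("!BB", t, len(value) + 2) + value  # Type, Length, Value


def build_access_request(secret, ident, username, password, nas_ip, req_auth=None):
    req_auth = req_auth or os.urandom(16)  # fresh Request Authenticator per request
    attrs = (attr(ATTR_USER_NAME, username)
             + attr(ATTR_USER_PASSWORD, pap_encrypt(secret, req_auth, password))
             + attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def response_authenticator(secret, req_auth, code, ident, attrs):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret) of the reply."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def build_response(secret, request, code, attrs=b""):
    ident, req_auth = request[1], request[4:20]
    auth = response_authenticator(secret, req_auth, code, ident, attrs)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def verify_response(secret, request, response) -> bool:
    """True only if the reply answers our ID and its authenticator was made with our secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = response_authenticator(secret, request[4:20], response[0], response[1], response[20:])
    return hmac.compare_digest(response[4:20], expected)
```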