Troubleshoot freeradius2 user authentication



  • Hi, I am having a hard time working out what is wrong with my configuration and I'm hoping that someone can point me in the right direction.

    I have 2 pfsense servers:
    1. firewall pfsense; WAN on 10.0.0.0/8, LAN on 192.168.0.0/16, OPT1 on 172.16.0.0/16
    2. freeradius2 pfsense; WAN on 172.16.0.0/16, no other network interfaces
    I want my firewall to be able to authenticate users using radius: end state is an OpenVPN configuration - if I can ever get this to work for me…

    I have interfaces, nas clients and users set up in freeradius2.  I have an authentication server set up on the firewall.

    When I try Diagnostics->Authentication (on the firewall) I get an error: "The following input errors were detected: Authentication failed."  I can see the UDP connection in the firewall log on the radius server, however there are no system log entries (note: I have the radius logs going to the system log).

    When I try Diagnostics->Command Prompt with the radtest command (on the firewall) I get success: "rad_recv: Access-Accept"

    This is a little baffling.  I have a hunch my problem has something to do with having the radius server connected to the OPT interface but I don't know how to get any more information into the logs to help me diagnose the problem.

    btw. I can successfully do radius authentication for my WiFi that operates from an access point connected to a subnet of 192.168.0.0/16

    Any help is greatly appreciated


  • @tyn:

    1. firewall pfsense; WAN on 10.0.0.0/8, LAN on 192.168.0.0/16, OPT1 on 172.16.0.0/16

    Hmmm… So, you have exhausted the entire RFC1918 space on your single install. WTF. No, you won't get any OpenVPN configuration to work with this. There is no space left for the OpenVPN tunnel network.



  • Stop the Radius service in your pfsense GUI and start it in debugging with radiusd -x in terminal.



  • Get to know your /24s better.  They are your friends (-:



  • @EMWEE:

    Stop the Radius service in your pfsense GUI and start it in debugging with radiusd -x in terminal.

    After starting freeradius with -xx I started getting a lot in the logs.  Unfortunately log entries only appear when using the radtest command.  Nothing seems to be logged when I try the Diagnostics->Authentication approach.

    To try and narrow this down a bit I created a new virtual and only set up freeradius on it.  It is a single interface (WAN) system and I disabled all packet filtering (System->Advanced->Firewall/NAT->Disable Firewall).  This is about as minimal a configuration as I can think of.

    Sadly, same result.  I get a result for radtest and nothing for Diagnostics->Authentication.  Perhaps this is a bug in the software…

    I did come across something a little odd though.  When I first tried the radtest command I used the server IP address and it gave me an error "Failed to find IP address for [servername]".  I was surprised since I didn't give the command the server name.  I assume it resolved the name from the IP address but couldn't then resolve the address from the name.  So I added the name to the DNS resolver and the command started working (with IP address and with server name).
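The thread's symptom (radtest from the shell gets Access-Accept, the GUI test gets nothing) usually comes down to which source IP and shared secret the server sees. The following is an added example, not code from the thread or from pfSense/FreeRADIUS: a stdlib-only Python RADIUS PAP client that builds the same Access-Request radtest sends, lets you bind it to a chosen source address (for instance the firewall's OPT1 address), and verifies the Response Authenticator. The server address, secret and user are assumed placeholders.

```python
import hashlib, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RFC 2865 codes
USER_NAME, USER_PASSWORD = 1, 2                           # RFC 2865 attribute types

def _attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length includes the 2-byte header."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: zero-pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password.ljust(max(1, -(-len(password) // 16)) * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def pap_decrypt(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the server does; with a mismatched shared secret this yields garbage, hence a Reject."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(user: str, password: str, secret: bytes, ident: int = 1):
    """Return (packet, request_authenticator) for a PAP Access-Request."""
    auth = os.urandom(16)
    attrs = _attr(USER_NAME, user.encode()) + _attr(USER_PASSWORD, pap_encrypt(password.encode(), secret, auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs, auth

def verify_response(resp: bytes, req_auth: bytes, secret: bytes):
    """Return the response code if MD5(Code+ID+Len+ReqAuth+Attrs+Secret) matches, else None."""
    if len(resp) < 20 or struct.unpack("!H", resp[2:4])[0] != len(resp):
        return None
    return resp[0] if hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest() == resp[4:20] else None

def radius_auth(server, secret, user, password, src_ip="0.0.0.0", timeout=3.0):
    """Send one Access-Request; bind src_ip to the firewall's OPT1 address to present the NAS IP the GUI uses."""
    pkt, auth = build_access_request(user, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((src_ip, 0))
        s.settimeout(timeout)
        s.sendto(pkt, (server, 1812))
        try:
            resp, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no reply (FreeRADIUS silently ignores requests from IPs not listed as NAS clients)"
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(verify_response(resp, auth, secret), "bad Response Authenticator")
```

Run `radius_auth("<server-ip>", b"<shared-secret>", "<user>", "<password>", src_ip="<OPT1-address>")` on the firewall: a timeout while the same call from the server's own subnet succeeds points at the NAS client list, and a Reject with a working radtest points at the secret configured for that NAS entry.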

