Troubleshoot freeradius2 user authentication

tyn

Hi, I am having a hard time working out what is wrong with my configuration and I'm hoping that someone can point me in the right direction.

I have 2 pfsense servers:
1. firewall pfsense; WAN on 10.0.0.0/8, LAN on 192.168.0.0/16, OPT1 on 172.16.0.0/16
2. freeradius2 pfsense; WAN on 172.16.0.0/16, no other network interfaces
I want my firewall to be able to authenticate users using radius: end state is an OpenVPN configuration - if I can ever get this to work for me…

I have interfaces, nas clients and users setup in freeradius2.  I have an authentication server setup on the firewall.

When I try Diagnostics->Authentication (on the firewall) I get an error: "The following input errors were detected: Authentication failed."  I can see the UDP connection in the firewall log on the radius server, however there are no system log entries (note: I have the radius logs going to the system log).

When I try Diagnostics->Command Prompt with the radtest command (on the firewall) I get success: "rad_recv: Access-Accept"

This is a little baffling.  I have a hunch my problem has something to do with having the radius server connected to the OPT interface but I don't know how to get any more information into the logs to help me diagnose the problem.

btw. I can successfully do radius authentication for my WiFi that operates from an access point connected to a subnet of 192.168.0.0/16

Any help is greatly appreciated

doktornotor

@tyn:

1. firewall pfsense; WAN on 10.0.0.0/8, LAN on 192.168.0.0/16, OPT1 on 172.16.0.0/16

Hmmm… So, you have exhausted entire RFC1918 space on your single install. WTF. No, you won't get any OpenVPN configuration work with this. There is no space left for OpenVPN tunnnel network.

EMWEE

Stop the Radius service in your pfsense GUI and start it in debugging with radiusd -x in terminal.

kejianshi

Get to know your /24s better.  They are you friends (-:

tyn

@EMWEE:

Stop the Radius service in your pfsense GUI and start it in debugging with radiusd -x in terminal.

After starting freeradius with -xx I started getting a lot in the logs.  Unfortunately log entries only appear when using the radtest command.  Nothing seems is logged when I try the Diagnostics->Authentication approach.

To try an narrow this down a bit I created a new virtual and only setup freeradius on it.  It is a single interface (WAN) system and I disabled all packet filtering (System->Advanced->Firewall/NAT->Disable Firewall).  This is about as minimal a configuration as I can think of.

Sadly, same result.  I get a result for radtest and nothing for Diagnostics->Authentication.  Perhaps this is a bug in the software…

I did come across something a little odd though.  When I first tried the radtest command I used the server IP address and it gave me an error "Failed to find IP address for [servername]".  I was surprised since I didn't give the command the server name.  I assume it resolved the name from the IP address but couldn't then resolve the address from the name.  So I added the name to the DNS resovler and the command started working (with IP address and with server name).