Netgate Discussion Forum
    Troubleshoot freeradius2 user authentication

    pfSense Packages | 5 Posts, 4 Posters, 2.1k Views

    tyn

      Hi, I am having a hard time working out what is wrong with my configuration and I'm hoping that someone can point me in the right direction.

      I have 2 pfsense servers:
      1. firewall pfsense; WAN on 10.0.0.0/8, LAN on 192.168.0.0/16, OPT1 on 172.16.0.0/16
      2. freeradius2 pfsense; WAN on 172.16.0.0/16, no other network interfaces
      I want my firewall to be able to authenticate users using radius: end state is an OpenVPN configuration - if I can ever get this to work for me…

      I have interfaces, NAS clients and users set up in freeradius2.  I have an authentication server set up on the firewall.

      When I try Diagnostics->Authentication (on the firewall) I get an error: "The following input errors were detected: Authentication failed."  I can see the UDP connection in the firewall log on the radius server, however there are no system log entries (note: I have the radius logs going to the system log).

      When I try Diagnostics->Command Prompt with the radtest command (on the firewall) I get success: "rad_recv: Access-Accept"

      This is a little baffling.  I have a hunch my problem has something to do with having the radius server connected to the OPT interface but I don't know how to get any more information into the logs to help me diagnose the problem.

      btw. I can successfully do radius authentication for my WiFi that operates from an access point connected to a subnet of 192.168.0.0/16

      Any help is greatly appreciated

      doktornotor (Banned)

        @tyn:

        1. firewall pfsense; WAN on 10.0.0.0/8, LAN on 192.168.0.0/16, OPT1 on 172.16.0.0/16

        Hmmm… So, you have exhausted the entire RFC1918 space on your single install. WTF. No, you won't get any OpenVPN configuration working with this. There is no space left for the OpenVPN tunnel network.

        EMWEE

          Stop the Radius service in your pfsense GUI and start it in debugging with radiusd -x in terminal.

          kejianshi

            Get to know your /24s better.  They are your friends (-:

            tyn

              @EMWEE:

              Stop the Radius service in your pfsense GUI and start it in debugging with radiusd -x in terminal.

              After starting freeradius with -xx I started getting a lot in the logs.  Unfortunately log entries only appear when using the radtest command.  Nothing seems to be logged when I try the Diagnostics->Authentication approach.

              To try and narrow this down a bit I created a new virtual machine and only set up freeradius on it.  It is a single interface (WAN) system and I disabled all packet filtering (System->Advanced->Firewall/NAT->Disable Firewall).  This is about as minimal a configuration as I can think of.

              Sadly, same result.  I get a result for radtest and nothing for Diagnostics->Authentication.  Perhaps this is a bug in the software…

              I did come across something a little odd though.  When I first tried the radtest command I used the server IP address and it gave me an error "Failed to find IP address for [servername]".  I was surprised since I didn't give the command the server name.  I assume it resolved the name from the IP address but couldn't then resolve the address from the name.  So I added the name to the DNS resolver and the command started working (with IP address and with server name).

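The thread contrasts a radtest run that gets "rad_recv: Access-Accept" with a GUI check that produces no reply and no log line. The following is an added example, not code from this thread, from pfSense or from FreeRADIUS: a minimal RFC 2865 PAP Access-Request/Access-Accept exchange with both sides in one process. The server side models the usual behaviour of picking the shared secret by the request's UDP source address and discarding, with no reply, anything from a source that has no configured secret; the client side verifies the Response Authenticator so a forged Access-Accept is not trusted. The shared secret, the 192.0.2.x addresses, the user and the passwords are constructed sample values.

```python
"""Added example: RADIUS PAP exchange (RFC 2865), client and server in-process.
All secrets, addresses and credentials below are constructed, not from the thread."""
import hashlib
import hmac
import secrets
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4      # attribute types used here


def attribute(atype: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute; Length covers the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attributes(packet: bytes) -> dict:
    """Return {type: value} for everything after the 20-byte RADIUS header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def xor_pap_password(secret: bytes, authenticator: bytes, data: bytes, decrypt: bool) -> bytes:
    """RFC 2865 s5.2: XOR each 16-octet block with MD5(secret + previous ciphertext block),
    the first block chained on the Request Authenticator. XOR is its own inverse."""
    if not data or len(data) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 octets")
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, mask))
        out += result
        prev = block if decrypt else result          # always chain on the ciphertext
    return out


def build_access_request(secret, ident, username, password, nas_ip, authenticator=None):
    """Client side: the packet a radtest-style tool sends (User-Name, User-Password, NAS-IP-Address)."""
    raw = password.encode()
    if len(raw) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = (raw + b"\x00" * (-len(raw) % 16)) or b"\x00" * 16
    authenticator = authenticator or secrets.token_bytes(16)   # fresh random value per request
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, xor_pap_password(secret, authenticator, padded, False))
             + attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def build_response(secret, code, ident, request_authenticator, attrs=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs


def server_handle(clients, src_ip, request, users):
    """Server side. The secret is chosen by the UDP source address; a source with no
    configured secret (an unknown NAS client) is discarded and nothing is sent back."""
    secret = clients.get(src_ip)
    if secret is None or len(request) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        return None
    req_auth, attrs = request[4:20], parse_attributes(request)
    if USER_PASSWORD not in attrs:
        return None                                  # malformed request: discard
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    clear = xor_pap_password(secret, req_auth, attrs[USER_PASSWORD], True).rstrip(b"\x00")
    ok = user in users and hmac.compare_digest(users[user].encode(), clear)
    return build_response(secret, ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth)


def verify_response(secret, request, response):
    """Client side: trust the reply only if its ID and Response Authenticator match
    the outstanding request, so a forged or replayed Access-Accept is rejected."""
    if response is None or len(response) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return code if hmac.compare_digest(expected, response[4:20]) else None


def exchange(secret, src_ip, nas_ip, username, password, clients, users):
    """Full in-process round trip; returns the verified reply code, or None if no reply."""
    request = build_access_request(secret, 7, username, password, nas_ip)
    return verify_response(secret, request, server_handle(clients, src_ip, request, users))


if __name__ == "__main__":
    SECRET = b"example-shared-secret"                # constructed sample values
    CLIENTS = {"192.0.2.10": SECRET}                 # the only NAS the server knows
    USERS = {"alice": "correct horse"}
    print(exchange(SECRET, "192.0.2.10", "192.0.2.10", "alice", "correct horse", CLIENTS, USERS))
    print(exchange(SECRET, "192.0.2.10", "192.0.2.10", "alice", "wrong", CLIENTS, USERS))
    print(exchange(SECRET, "192.0.2.99", "192.0.2.10", "alice", "correct horse", CLIENTS, USERS))
```

Run as a script it prints 2 (Access-Accept), 3 (Access-Reject) and None in that order. The third case is the one worth noticing when debugging: a request from a source address the server has no secret for produces no reply at all, so the client sees only a timeout. Sending the request over UDP/1812 to a real server is a `socket.sendto` away but is deliberately left out so the example runs offline.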
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.