Freeradius2 and wifi controller



  • Hi

    I am trying to set up freeradius2 on a pfsense as a radius server for my wifi controller.

    Locally all works fine, I mean when using pfsense vlans

    When I try to log in through my wifi and check the logs I see this (both IPs are on the same subnet)

    radiusd[11880]: Ignoring request to authentication address IP-WAN-on-pfsense port 1812 from unknown client IP-of-my-controller port 41978

    Here is the result of the test

    $ radtest michal abc IP-WAN-on-pfsense 10 klucz
    Sending Access-Request of id 8 to 66.234.240.134 port 1812
    User-Name = "michal"
    User-Password = "abc"
    NAS-IP-Address = 192.168.1.1
    NAS-Port = 10
    Message-Authenticator = 0x00000000000000000000000000000000
    rad_recv: Access-Accept packet from host 66.234.240.134 port 1812, id=8, length=70
    WISPr-Bandwidth-Max-Up = 1536000
    WISPr-Bandwidth-Max-Down = 1024000
    WISPr-Redirection-URL = "http://www.cnn.com"

    That is what I have on my controller side



  • I think you need to enable 802.1x since your AP doesn't appear to have WPA2 Enterprise.



  • It would be interesting to see your freeradius2 configuration, at least your "NAS/Clients" configuration.

    The message "from unknown client IP-of-my-controller port 41978" looks like you haven't configured the "client IP-of-my-controller" on freeradius "NAS/Clients".
    Or a misconfigured shared secret (or a special character which is not allowed/misinterpreted).
    If you have NAT between your wifi controller and pfsense this could be a problem, too.



  • That is a test environment so I will share real info.

    Key is 100% correct, you can even try.

    There is no NAT, both are on the same subnet with public IP.

    I am listening only on 66.234.240.134 on ports 1812 and 1813

    "client IP-of-my-controller" is different than radius sitting on pfsense (using the same IP for both)

    /usr/pbi/freeradius-amd64/local/etc/raddb/clients.conf

    client "klucz" {
    ipaddr = 66.234.240.134
    proto = udp
    secret = klucz
    require_message_authenticator = no
    max_connections = 16
    shortname = klucz
    nastype = other

    login = !root

    password = someadminpass

    }



  • I am not sure if I understand you correctly.

    Is your freeradius listening on the same IP as the IP of the NAS (66.234.240.134)?
    Then to me it looks as if the NAS is on pfsense itself!? Then use the loopback IP (127.0.0.1).

    What looks a little bit strange is this from your first post:

    NAS-IP-Address = 192.168.1.1

    which is different than your public NAS IP.



  • I must have messed something up. Correct, I don't know why NAS-IP-Address = 192.168.1.1 is showing that, I can't find it in my config files. That IP is the gateway from the default pfsense LAN interface.

    What I want to achieve is authorization using WAN interface between pfsense radius plugin and wifi controller which is also in the same subnet. Everything else should be disabled.



  • Then it seems to be NAT somewhere in your network.



  • Not sure what to change, just to recap

    66.234.240.134 is my WAN address
    66.234.240.132 is my controller

    192.168.1.1 is my LAN gateway that I don't want to involve in this setup at all and it shows up as my address during the radtest

    I believe my setup should be

    client "klucz" {
      ipaddr = 66.234.240.132
      proto = udp
      secret = klucz
      require_message_authenticator = no
      max_connections = 16
      shortname = klucz
      nastype = other
      ### login = !root ###
      ### password = someadminpass ###
    }

    Currently I listen on * ports 1812 and 1813

    There is a rule on my WAN interface

    IPv4 TCP/UDP 66.234.240.132 * WAN address 1812 (RADIUS) * none   radius

    I have one user for test that works

    How can I get rid of that wrong NAS IP playing with the NAT?
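
Added example, not part of the original thread: FreeRADIUS picks the `client` entry by the source address of the incoming packet, so this sketch checks the address from an "unknown client" log line against the `ipaddr` of each block in clients.conf. The sample strings are constructed from the two client blocks and the log line posted above (secret elided); the parser is an assumption-level helper that handles only IP literals and flat client blocks.

```python
import ipaddress
import re

CLIENT_RE = re.compile(r'^\s*client\s+"?([^\s"{]+)"?\s*\{(.*?)\}', re.S | re.M)
KV_RE = re.compile(r'^\s*(\w+)\s*=\s*(\S+)', re.M)  # lines starting with '#' do not match
UNKNOWN_RE = re.compile(r'from unknown client (\S+) port \d+')

# Constructed samples: the thread's two client blocks with the secret elided,
# and its log line with the addresses posted later in the thread filled in.
BEFORE = 'client "klucz" {\n  ipaddr = 66.234.240.134\n  secret = <elided>\n}\n'
AFTER = 'client "klucz" {\n  ipaddr = 66.234.240.132\n  secret = <elided>\n}\n'
LOG = ("radiusd[11880]: Ignoring request to authentication address "
       "66.234.240.134 port 1812 from unknown client 66.234.240.132 port 41978")


def parse_clients(conf_text):
    """Return {client name: ip_network} for every client block in the text."""
    clients = {}
    for name, body in CLIENT_RE.findall(conf_text):
        kv = dict(KV_RE.findall(body))
        addr = kv.get("ipaddr", name)  # short form: client 192.0.2.0/24 { ... }
        if "/" not in addr and "netmask" in kv:
            addr = f"{addr}/{kv['netmask']}"  # ipaddr plus separate netmask key
        clients[name] = ipaddress.ip_network(addr, strict=False)
    return clients


def matching_client(clients, src_ip):
    """Name of the first client whose network contains src_ip, else None."""
    ip = ipaddress.ip_address(src_ip)
    for name, net in clients.items():
        if ip in net:
            return name
    return None


def explain(log_line, conf_text):
    """Return (rejected source IP, matching client or None) for a log line."""
    m = UNKNOWN_RE.search(log_line)
    if m is None:
        return None
    src = m.group(1)
    return src, matching_client(parse_clients(conf_text), src)


if __name__ == "__main__":
    for label, conf in (("first clients.conf", BEFORE), ("revised clients.conf", AFTER)):
        src, name = explain(LOG, conf)
        print(f"{label}: source {src} -> {name or 'no matching client'}")
```

With the first block only the server's own WAN address matches a client, which is why the controller's request is ignored; with the revised block the controller's address matches.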