Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    [Solved] Radius - Access WebUI

    Scheduled Pinned Locked Moved webGUI
    17 Posts 8 Posters 7.1k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D
      deba
      last edited by

      Hello everyone,

      I am trying to configure a pfsense cluster, clustering was simple enough, but I hang on the giving access to the WebUI to RADIUS users.

      In System> User Manager> Servers, I referenced my 2 Radius servers.
      In Diagnostics> Authentication, I selects one or other of the servers, I indicate my login / password -> Test
      And I have this message :

      User: a.baeza authenticated successfully.
      This user is a member of These groups:

      However, when I try to connect with the logins on the access page interface

      Username or Password Incorrect

      On the Users tab, it does not seem have a field to say "for the password will see the Radius server"

      Oh sorry I forgot to bring my actions on System> User Manager>Setting

      I set a session timeout 30min (for fun …)

      Then in Authentication Server when I put:

      • One of the servers: Save -> nothing special
                                    Save and test ->

      The test Performed Because It Was not is supported only for ldap based backends.

      I still test log with my login Radius and I return

      No page Assigned to this user! Click here to logout.

      • Local Database: Save or Save and Test -> return same as above
        I try to connect with login Radius

      Username or Password Incorrect

      My question is:
      How to create and add users with access to the WebUI based on Radius server?

      Thanks for your help.

      1 Reply Last reply Reply Quote 0
      • A
        aqueries
        last edited by

        What version of pfsense are you using ?

        1 Reply Last reply Reply Quote 0
        • D
          deba
          last edited by

          I'm on 2.2.5. I find this article https://redmine.pfsense.org/issues/935 but I dont find different files in /etc/

          1 Reply Last reply Reply Quote 0
          • D
            deba
            last edited by

            I found thanks to this link.
            https://redmine.pfsense.org/projects/pfsense/repository/revisions/709c2f99f1bf99022ee8ba670cfd8025e2c71592

            the files are in /etc/inc/ and not in /etc/

            1 Reply Last reply Reply Quote 0
            • jimpJ
              jimp Rebel Alliance Developer Netgate
              last edited by

              Your RADIUS server needs to return the groups in the CLASS attribute as a string separated by semicolons (e.g. "admins;group2;group3")

              The same groups must exist on pfSense with identical names, and the groups must have privileges assigned to them for what they should be able to access.

              Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

              Need help fast? Netgate Global Support!

              Do not Chat/PM for help!

              1 Reply Last reply Reply Quote 0
              • M
                mcrook
                last edited by

                I have tried this setup with my windows nps and have a test client to confirm that this is being passed via radius, but pfsense is still giving the no page assigned to user. Please help!

                1 Reply Last reply Reply Quote 0
                • jimpJ
                  jimp Rebel Alliance Developer Netgate
                  last edited by

                  But how is it being passed from RADIUS? As a string? Or encoded in some way (Octal, binary, etc)?

                  Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                  Need help fast? Netgate Global Support!

                  Do not Chat/PM for help!

                  1 Reply Last reply Reply Quote 0
                  • M
                    mcrook
                    last edited by

                    As a string I believe. I can read it via the test client. I'll take a screen shot for ya.

                    1 Reply Last reply Reply Quote 0
                    • C
                      Cobham_cos
                      last edited by

                      I see this is set as solved but what was the actual resolution?

                      I can add the class attribute (25) but the attribute value is set as OctetString, I enter my AD group in as a String value. I also have the exact same group name set up on the pfsense. When I log in, I can see I get authenticated off my Radius server but it just says no pages for this user. So it's still not getting the groups from AD it appears.

                      What do I need to change to make it work?

                      1 Reply Last reply Reply Quote 0
                      • P
                        phillipah
                        last edited by

                        I have this same problem. I have verified that the radius server is sending class (25) as a string with the group name. Was this tested by the devs? What is the best way to debug this?

                        1 Reply Last reply Reply Quote 0
                        • P
                          phillipah
                          last edited by

                          After doing a packet capture. I can see that the packet actually contains 2 class 25 attribs… One with the name of the group and the other that contains accounting information.

                          After looking at https://tools.ietf.org/html/rfc4372 this seems to be a normal operation of the RADIUS server.

                          I suspect that pfSense has not taken this into account when it is looking at the attribs?... Can anyone confirm my findings?

                          1 Reply Last reply Reply Quote 0
                          • P
                            phillipah
                            last edited by

                            EDIT: See post by jimp below for proper fix

                            I ended up "fixing" it by switching to another attrib which is filter-id

                            I edited file:
                            /etc/inc/auth.inc

                            
                            /*
                                    $attributes must contain a "filter_id" key containing the groups and local
                                    groups must exist to match.
                            */
                            function radius_get_groups($attributes) {
                                    $groups = array();
                                    if (!empty($attributes) && is_array($attributes) && !empty($attributes['filter_id'])) {
                                            $groups = explode(";", $attributes['filter_id']);
                                            foreach ($groups as & $grp) {
                                                    $grp = trim($grp);
                                                    if (strtolower(substr($grp, 0, 3)) == "ou=") {
                                                            $grp = substr($grp, 3);
                                                    }
                                            }
                                    }
                                    return $groups;
                            }
                            
                            

                            filed bug: https://redmine.pfsense.org/issues/6086

                            1 Reply Last reply Reply Quote 0
                            • jimpJ
                              jimp Rebel Alliance Developer Netgate
                              last edited by

                              We do testing for this but generally against FreeRADIUS only in the majority of cases (we prefer to keep things OSS where possible), and FreeRADIUS had been working.

                              Using the System Patches package you can apply the following commit to fix issues with the processing of the Class attribute from AD and some other servers.

                              https://github.com/pfsense/pfsense/commit/461bae6b08d883d232db853a21337e688c1defee.patch

                              With that patch in place, it works for me with FreeRADIUS and AD+NPS (2012).

                              Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                              Need help fast? Netgate Global Support!

                              Do not Chat/PM for help!

                              1 Reply Last reply Reply Quote 0
                              • P
                                phillipah
                                last edited by

                                Thank you jimp! I really appreciate you coming up with a fix so quickly.

                                1 Reply Last reply Reply Quote 0
                                • Y
                                  yrebrac
                                  last edited by

                                  Just confirming that using Class attribute is an issue with some RADIUS servers, possibly due to the extra Class attribute in the Access-Accept.

                                  By the way, Filter-ID is a more industry-standard way of applying a role via RADIUS so would be a better default choice.

                                  One other thing - NAS-IP address is always set to 0.0.0.0 in the Access-Request. This is not great practice, can we allow the user to choose one of the PFSense IP addresses for this field. Will assist with differentiating PFSense requests from others on busy RADIUS servers.

                                  Will try patch and provide feedback  :)

                                  1 Reply Last reply Reply Quote 0
                                  • Y
                                    yrebrac
                                    last edited by

                                    Patch works  :) :) :)

                                    v2.2.6

                                    1 Reply Last reply Reply Quote 0
                                    • P
                                      poma187
                                      last edited by

                                      @yrebrac - your patch to set the NAS-IP to a different value, was that merged into the project?  I am running into a problem where the RADIUS server I am using will not accept 0.0.0.0 as the NAS-IP.  I am running the latest 2.3.1 release.  Can you post the diff?

                                      Patch works  :) :) :)

                                      v2.2.6

                                      1 Reply Last reply Reply Quote 0
                                      • First post
                                        Last post
                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.