Netgate Discussion Forum

[Solved] Radius - Access WebUI

17 Posts 8 Posters 7.1k Views
  • D
    deba
    last edited by Nov 19, 2015, 8:10 AM Nov 18, 2015, 9:43 AM

    Hello everyone,

    I am trying to configure a pfsense cluster. Clustering was simple enough, but I am stuck on giving RADIUS users access to the WebUI.

    In System> User Manager> Servers, I referenced my 2 Radius servers.
    In Diagnostics> Authentication, I select one or the other of the servers, enter my login / password -> Test
    And I have this message :

    User: a.baeza authenticated successfully.
    This user is a member of These groups:

    However, when I try to connect with the logins on the access page interface

    Username or Password Incorrect

    On the Users tab, there does not seem to be a field to say "for the password, see the Radius server"

    Oh sorry, I forgot to mention my actions in System> User Manager> Setting

    I set a session timeout of 30min (for fun ...)

    Then in Authentication Server when I put:

    • One of the servers: Save -> nothing special; Save and test ->

    The test was not performed because it is supported only for ldap based backends.

    I still test logging in with my Radius login and I get

    No page Assigned to this user! Click here to logout.

    • Local Database: Save or Save and Test -> return same as above
      I try to connect with login Radius

    Username or Password Incorrect

    My question is:
    How to create and add users with access to the WebUI based on Radius server?

    Thanks for your help.

    • A
      aqueries
      last edited by Nov 19, 2015, 5:49 AM

      What version of pfsense are you using?

      • D
        deba
        last edited by Nov 19, 2015, 7:52 AM

        I'm on 2.2.5. I found this article https://redmine.pfsense.org/issues/935 but I don't find the different files in /etc/

        • D
          deba
          last edited by Nov 19, 2015, 8:09 AM

          I found it thanks to this link.
          https://redmine.pfsense.org/projects/pfsense/repository/revisions/709c2f99f1bf99022ee8ba670cfd8025e2c71592

          the files are in /etc/inc/ and not in /etc/

          • J
            jimp Rebel Alliance Developer Netgate
            last edited by Nov 24, 2015, 5:45 PM

            Your RADIUS server needs to return the groups in the CLASS attribute as a string separated by semicolons (e.g. "admins;group2;group3")

            The same groups must exist on pfSense with identical names, and the groups must have privileges assigned to them for what they should be able to access.

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

            • M
              mcrook
              last edited by Dec 3, 2015, 12:15 AM

              I have tried this setup with my Windows NPS and have a test client to confirm that this is being passed via radius, but pfsense is still giving the "no page assigned to user" message. Please help!

              • J
                jimp Rebel Alliance Developer Netgate
                last edited by Dec 4, 2015, 3:13 AM

                But how is it being passed from RADIUS? As a string? Or encoded in some way (Octal, binary, etc)?


                • M
                  mcrook
                  last edited by Dec 5, 2015, 6:56 AM

                  As a string I believe. I can read it via the test client. I'll take a screen shot for ya.

                  • C
                    Cobham_cos
                    last edited by Feb 10, 2016, 9:55 PM

                    I see this is set as solved but what was the actual resolution?

                    I can add the class attribute (25) but the attribute value is set as OctetString, I enter my AD group in as a String value. I also have the exact same group name set up on the pfsense. When I log in, I can see I get authenticated off my Radius server but it just says no pages for this user. So it's still not getting the groups from AD it appears.

                    What do I need to change to make it work?

                    • P
                      phillipah
                      last edited by Apr 7, 2016, 5:07 AM

                      I have this same problem. I have verified that the radius server is sending class (25) as a string with the group name. Was this tested by the devs? What is the best way to debug this?

                      • P
                        phillipah
                        last edited by Apr 7, 2016, 7:07 AM Apr 7, 2016, 5:58 AM

                        After doing a packet capture, I can see that the packet actually contains 2 class 25 attribs... One with the name of the group and the other that contains accounting information.

                        After looking at https://tools.ietf.org/html/rfc4372 this seems to be a normal operation of the RADIUS server.

                        I suspect that pfSense has not taken this into account when it is looking at the attribs?... Can anyone confirm my findings?

                        • P
                          phillipah
                          last edited by Apr 7, 2016, 4:59 PM Apr 7, 2016, 7:01 AM

                          EDIT: See post by jimp below for proper fix

                          I ended up "fixing" it by switching to another attrib which is filter-id

                          I edited file:
                          /etc/inc/auth.inc

                          /*
                           * Modified radius_get_groups(): reads the group list from the
                           * Filter-Id attribute ("filter_id" key) instead of Class.
                           * $attributes must contain a "filter_id" key holding the groups
                           * separated by semicolons, and local groups with the same names
                           * must exist for the match to succeed.
                           */
                          function radius_get_groups($attributes) {
                                  $groups = array();
                                  if (!empty($attributes) && is_array($attributes) && !empty($attributes['filter_id'])) {
                                          /* Split "admins;group2;group3" into individual names */
                                          $groups = explode(";", $attributes['filter_id']);
                                          foreach ($groups as &$grp) {
                                                  $grp = trim($grp);
                                                  /* Strip an LDAP-style "ou=" prefix if the server sends one */
                                                  if (strtolower(substr($grp, 0, 3)) == "ou=") {
                                                          $grp = substr($grp, 3);
                                                  }
                                          }
                                          unset($grp); /* drop the reference left behind by foreach-by-reference */
                                  }
                                  return $groups;
                          }

                          filed bug: https://redmine.pfsense.org/issues/6086

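                          As an added illustration (example code written for this thread, not pfSense's own auth.inc or jimp's patch), the parser below walks the attribute area of a RADIUS Access-Accept, keeps every Class (25) attribute instead of only the last one, skips a non-printable Class like the accounting one phillipah saw in the capture, splits the printable value on semicolons as jimp describes, and can read Filter-Id (11) the same way as the workaround above. The packet bytes and the local group names are constructed sample data.

```python
RADIUS_FILTER_ID = 11
RADIUS_CLASS = 25

def parse_attributes(payload: bytes):
    """Split a RADIUS attribute area into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload) or payload[i + 1] < 2 or i + payload[i + 1] > len(payload):
            raise ValueError("malformed attribute at offset %d" % i)
        atype, alen = payload[i], payload[i + 1]
        attrs.append((atype, payload[i + 2:i + alen]))
        i += alen
    return attrs

def split_groups(value: bytes):
    """Decode one printable group string, split on ';' and strip any 'ou=' prefix."""
    try:
        text = value.decode("ascii")
    except UnicodeDecodeError:
        return []  # opaque value (e.g. the accounting Class of RFC 4372): ignore it
    if not text.isprintable():
        return []
    groups = []
    for grp in text.split(";"):
        grp = grp.strip()
        if grp.lower().startswith("ou="):
            grp = grp[3:]
        if grp:
            groups.append(grp)
    return groups

def radius_groups(attrs, local_groups, attr_type=RADIUS_CLASS):
    """Collect groups from every attribute of attr_type (not only the last one seen)
    and keep just the names that also exist as local groups."""
    found = []
    for atype, value in attrs:
        if atype == attr_type:
            found.extend(split_groups(value))
    return [g for g in found if g in local_groups]

def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as type, length (value + 2), value."""
    return bytes([atype, len(value) + 2]) + value

# Constructed Access-Accept attribute area (sample data, not a real capture):
# a group Class, a second non-printable Class, and a Filter-Id with the same role.
SAMPLE = (attr(RADIUS_CLASS, b"admins;group2")
          + attr(RADIUS_CLASS, b"\x8c\x01\x00\x00\xff\x10")
          + attr(RADIUS_FILTER_ID, b"ou=admins"))
LOCAL_GROUPS = {"admins", "group2", "readonly"}
```

                          Running `radius_groups(parse_attributes(SAMPLE), LOCAL_GROUPS)` yields only the groups that exist on both sides; a group named on the RADIUS side but missing locally is dropped, which is the "No page assigned to this user" situation when nothing is left.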
                          • J
                            jimp Rebel Alliance Developer Netgate
                            last edited by Apr 7, 2016, 4:40 PM

                            We do testing for this but generally against FreeRADIUS only in the majority of cases (we prefer to keep things OSS where possible), and FreeRADIUS had been working.

                            Using the System Patches package you can apply the following commit to fix issues with the processing of the Class attribute from AD and some other servers.

                            https://github.com/pfsense/pfsense/commit/461bae6b08d883d232db853a21337e688c1defee.patch

                            With that patch in place, it works for me with FreeRADIUS and AD+NPS (2012).


                            • P
                              phillipah
                              last edited by Apr 7, 2016, 4:53 PM

                              Thank you jimp! I really appreciate you coming up with a fix so quickly.

                              • Y
                                yrebrac
                                last edited by May 5, 2016, 5:36 AM

                                Just confirming that using Class attribute is an issue with some RADIUS servers, possibly due to the extra Class attribute in the Access-Accept.

                                By the way, Filter-ID is a more industry-standard way of applying a role via RADIUS so would be a better default choice.

                                One other thing - NAS-IP address is always set to 0.0.0.0 in the Access-Request. This is not great practice, can we allow the user to choose one of the PFSense IP addresses for this field. Will assist with differentiating PFSense requests from others on busy RADIUS servers.

                                Will try patch and provide feedback  :)

                                • Y
                                  yrebrac
                                  last edited by May 5, 2016, 5:51 AM

                                  Patch works  :) :) :)

                                  v2.2.6

                                  • P
                                    poma187
                                    last edited by Jun 10, 2016, 6:12 PM

                                    @yrebrac - your patch to set the NAS-IP to a different value, was that merged into the project?  I am running into a problem where the RADIUS server I am using will not accept 0.0.0.0 as the NAS-IP.  I am running the latest 2.3.1 release.  Can you post the diff?

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.