Netgate Discussion Forum

Unable to authenticate using raidus+hostap

    Snailkhan, Nov 27, 2015, 7:08 PM (last edited Nov 27, 2015, 9:11 PM)

    Hi,
    I have my pfSense broadcasting 4 SSIDs.
    I want authentication for one of them to be done via FreeRADIUS installed on the same box which is broadcasting the 4 SSIDs.
    I have configured FreeRADIUS and radtest works fine.

    I have also set up one of the SSIDs to use 802.1X, but when I try to connect to it, although my Android recognizes it as RADIUS-type authentication and asks for username and password, it never goes past the connecting... phase.

    When I check the system logs I see the below:

    Nov 28 02:04:12 radiusd[29417]: Ignoring request to authentication address 192.168.11.1 port 1812 from unknown client x.x.x.x port 51828
    Nov 28 02:04:06 radiusd[29417]: Ignoring request to authentication address 192.168.11.1 port 1812 from unknown client x.x.x.x port 51828
    Nov 28 02:04:00 radiusd[29417]: Ignoring request to authentication address 192.168.11.1 port 1812 from unknown client x.x.x.x port 51828
    Nov 28 02:03:57 radiusd[29417]: Ignoring request to authentication address 192.168.11.1 port 1812 from unknown client x.x.x.x port 51828
    Nov 28 02:03:48 radiusd[29417]: Ignoring request to authentication address 192.168.11.1 port 1812 from unknown client x.x.x.x port 51828
    Nov 28 02:03:36 radiusd[29417]: Ignoring request to authentication address 192.168.11.1 port 1812 from unknown client x.x.x.x port 51828
    Nov 28 02:03:30 radiusd[29417]: Ignoring request to authentication address 192.168.11.1 port 1812 from unknown client x.x.x.x port 51828
    Nov 28 02:03:27 radiusd[29417]: Ignoring request to authentication address 192.168.11.1 port 1812 from unknown client x.x.x.x port 51828
    Nov 28 02:02:52 radiusd[29417]: Ignoring request to authentication address 192.168.11.1 port 1812 from unknown client x.x.x.x port 51828
    Nov 28 02:02:49 radiusd[29417]: Ignoring request to authentication address 192.168.11.1 port 1812 from unknown client x.x.x.x port 51828

    where x.x.x.x is my WAN IP. 192.168.11.1 is the IP of the interface which is hosting SSID 1; this is the gateway for clients of SSID 1.

    It seems that the address is first NATed, then sent to the RADIUS server?  :-[
    Relevant screenshots are attached.

    I want users connecting to SSID Clone 1 (192.168.11.0/24) to be authenticated via RADIUS.

    192.168.4.0/24 is the LAN IP subnet to which my wired PC is connected.
    192.168.4.10 is the gateway for my PC.

    However, I have no issue implementing RADIUS authentication on my DD-WRT router. I just selected WPA2 Enterprise, AES+TKIP, directed it towards my pfSense LAN interface for RADIUS authentication, gave it the shared secret, and my Android prompted for username and password and connected swiftly.

    But I do not see an option for WPA2 Enterprise in the wireless interface of pfSense.


    [2.2.5-RELEASE][admin@sed2.local]/root: radtest test test123 192.168.11.1:1812 10 ssecret
    Sending Access-Request of id 41 to 192.168.11.1 port 1812
            User-Name = "test"
            User-Password = "test123"
            NAS-IP-Address = 192.168.4.10
            NAS-Port = 10
            Message-Authenticator = 0x00000000000000000000000000000000
    rad_recv: Access-Accept packet from host 192.168.11.1 port 1812, id=41, length=20

    Attachments:
    ![wifi settnigs.PNG](/public/imported_attachments/1/wifi settnigs.PNG)
    ![freeradius users.PNG](/public/imported_attachments/1/freeradius users.PNG)
    ![freeradius nas clients.PNG](/public/imported_attachments/1/freeradius nas clients.PNG)
    ![freeradius interfaces.PNG](/public/imported_attachments/1/freeradius interfaces.PNG)
    ![ap1 settings.PNG](/public/imported_attachments/1/ap1 settings.PNG)

    Snailkhan, Nov 27, 2015, 9:15 PM (last edited Nov 29, 2015, 3:42 PM)

    I verified it.

    It seems that the address is first NATed, then sent to the RADIUS server hosted on the local pfSense?

    The address apparently is first NATed before entering FreeRADIUS. After I allowed my WAN interface in the NAS/client list I was able to authenticate devices connecting via the SSID broadcast by one of the pfSense virtual APs.

    Seems a bug  :( ? When source and destination are local addresses residing on the subnets defined on pfSense, it shouldn't NAT it.
    I am saying that NAT has happened because when I allowed the live WAN IP I got an accept response on the local IP.
    Or might it be that traffic originated from the router is sourced from the public/WAN IP? Reminds me of the router ID in OSPF.

    My DD-WRT in AP mode hanging on the LAN subnet doesn't suffer from this behavior.
    I have 5 subnets defined on pfSense. 4 are virtual APs and the fifth is the wired LAN via the second Ethernet. The first Ethernet is for the PPPoE WAN.

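    The two posts above show the failure signature ("Ignoring request ... from unknown client") and the fix the poster settled on (adding the WAN address as a NAS client). The script below is an added example, not code from the thread or from pfSense/FreeRADIUS: it parses radiusd lines of that shape, groups the rejected NAS source addresses, and renders a FreeRADIUS clients.conf stanza pinned to a single /32 for sources that fall inside the box's own internal subnets, while flagging anything outside those subnets (as the poster's WAN address was) for manual review before it is whitelisted. The log sample is constructed, with 203.0.113.7 standing in for the redacted WAN address, and the subnet list is assumed from what the posts state.

```python
"""Triage FreeRADIUS 'unknown client' log lines (added example, not from the thread)."""
import ipaddress
import re
import secrets

# Constructed sample modelled on the radiusd lines quoted in the thread;
# 203.0.113.7 stands in for the poster's redacted WAN address (x.x.x.x).
SAMPLE_LOG = """\
Nov 28 02:04:12 radiusd[29417]: Ignoring request to authentication address 192.168.11.1 port 1812 from unknown client 203.0.113.7 port 51828
Nov 28 02:04:06 radiusd[29417]: Ignoring request to authentication address 192.168.11.1 port 1812 from unknown client 203.0.113.7 port 51828
Nov 28 02:03:57 radiusd[29417]: Ignoring request to accounting address 192.168.11.1 port 1813 from unknown client 192.168.4.20 port 40001
Nov 28 02:03:48 radiusd[29417]: Login OK: [test] (from client lan port 10)
"""

# Internal subnets the poster says exist on the box (assumed list for the check).
LOCAL_SUBNETS = [ipaddress.ip_network(n) for n in ("192.168.11.0/24", "192.168.4.0/24")]

UNKNOWN_CLIENT_RE = re.compile(
    r"radiusd\[\d+\]: Ignoring request to (?P<kind>authentication|accounting) address "
    r"(?P<listen_ip>\S+) port (?P<listen_port>\d+) from unknown client "
    r"(?P<nas_ip>\S+) port \d+"
)


def unknown_clients(log_text):
    """Map each rejected NAS source IP to a hit count and the listeners it hit."""
    seen = {}
    for line in log_text.splitlines():
        m = UNKNOWN_CLIENT_RE.search(line)
        if not m:
            continue  # accepts, 'Login OK', etc. are not rejections
        entry = seen.setdefault(m["nas_ip"], {"count": 0, "listen": set()})
        entry["count"] += 1
        entry["listen"].add((m["listen_ip"], int(m["listen_port"]), m["kind"]))
    return seen


def classify(nas_ip, local_subnets=LOCAL_SUBNETS):
    """'internal' if the source lies in a known internal subnet, else 'external'."""
    addr = ipaddress.ip_address(nas_ip)
    return "internal" if any(addr in net for net in local_subnets) else "external"


def clients_conf_stanza(nas_ip, shortname, secret=None):
    """Render a FreeRADIUS clients.conf block pinned to one host (/32 or /128)."""
    addr = ipaddress.ip_address(nas_ip)
    secret = secret or secrets.token_urlsafe(24)  # one secret per NAS, never reused
    return (
        f"client {shortname} {{\n"
        f"\tipaddr = {addr}/{addr.max_prefixlen}\n"
        f"\tsecret = {secret}\n"
        f"\trequire_message_authenticator = yes\n"
        f"}}\n"
    )


def triage(log_text, local_subnets=LOCAL_SUBNETS):
    """Return (stanzas for internal sources, external sources needing review)."""
    stanzas, review = [], []
    for nas_ip, info in sorted(unknown_clients(log_text).items()):
        if classify(nas_ip, local_subnets) == "internal":
            stanzas.append(clients_conf_stanza(nas_ip, f"nas_{nas_ip.replace('.', '_')}"))
        else:
            review.append((nas_ip, info["count"], sorted(info["listen"])))
    return stanzas, review


if __name__ == "__main__":
    stanzas, review = triage(SAMPLE_LOG)
    print("".join(stanzas))
    for nas_ip, count, listeners in review:
        print(f"# REVIEW: {count} rejected request(s) from {nas_ip}, outside all local "
              f"subnets, hitting {listeners}; confirm this is your own box before whitelisting")
```

    The review branch is the point of the exercise: a rejected source outside every internal subnet is exactly what the poster saw, and whether that address really is the firewall's own WAN address (so that hostapd's RADIUS traffic is simply being sourced from it) or something else deserves a look at the actual source of the UDP packets before a client entry for a public IP goes into clients.conf.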
    Snailkhan, Nov 29, 2015, 6:03 PM

    Is the above OK, or a bug?
    I have made a video screencast. I will share it to demonstrate/reproduce the above problem (hardly a 7 minute video).
    I cannot share it here in the open because it contains live IPs, but I will upload and share it via PM.
    Just PM me and I will share it.

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.