Radius Authentication
-
Hello, I am having issues with wireless client authentication via an offsite RADIUS server. This works perfectly when set up with Fortinet-to-Fortinet firewalls but does not work when using pfSense to Fortinet. It appears the RADIUS authentication is blocked at the pfSense firewall when the RADIUS server responds back to the wireless client: we can see the traffic in the log go from the pfSense firewall to the RADIUS server, then get rejected on the response back.
We have the pfSense and Fortigate rules wide open to the RADIUS server, no blocking rules at all.
Hardware: pfSense v2.2.5 / Fortinet FortiGate 240D v5.2.0
Scenario: Client joins the wireless network, the authentication request is transmitted to the offsite RADIUS server, the authentication request is sent back to the wireless client but gets blocked at the pfSense firewall.
I have attached a screenshot of the pfSense log while the wireless client is trying to authenticate to the RADIUS server.
Thank you in advance for any assistance, and please let me know if more information is required.
-
So what is being authenticated and with what? Are you using the PFS as a captive portal, or are you using an internal authentication system on the inside of the firewall? You should post a diagram of your network setup, showing all the relevant elements, where the Fortinet and where the PFS are and how they're communicating. If you can, include your firewall rules (screenshot, not text please).
-
Wireless client authenticates to the RADIUS server; the client is authenticated with the following rules:
- Client must be a domain member
- Client receives certificate from RADIUS server
We have tried to authenticate the client with and without a certificate exchange from the RADIUS server.
We removed the PFS firewall: the client is authenticated right away. We put the PFS firewall back: the client is not authenticated.
Fortinet-to-Fortinet firewall: the client authenticates.
Fortinet-to-PFS firewall: the client does not authenticate.
-
You're trying to authenticate to a RADIUS server over your WAN connection? Two things: First, your WAN rule shows any-to-any ports. You have to define a port forward on a WAN rule. It doesn't work the same way as a LAN rule, so you have to specify the RADIUS port as the target. Secondly, I don't see why you are authenticating to a RADIUS server across the internet. At best, you should prohibit access to RADIUS to only trusted hosts. Or better yet, establish a VPN between the two sites, and then the need to port forward your RADIUS traffic becomes redundant. And your setup will be far more secure.
-
So the firewalls are all transparent, because we are a school district on a government WAN and we have all public IP numbers (I know it's crazy). We aren't doing NAT. Some of our RADIUS traffic does cross the firewall, but the one that uses a certificate gets blocked.
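Since only the certificate-based exchange is dropped, one thing worth checking from the firewall side is the size of the RADIUS datagrams: a certificate exchange (EAP-TLS) is carried as several EAP-Message attributes inside one RADIUS Access-Challenge, which commonly pushes the datagram past a 1500-byte MTU so it arrives as IP fragments, and fragments are handled differently from whole packets by many firewall rule sets. The parser below is an added example, not code from this thread or from pfSense; the sample packets are constructed, and the authenticator fields are zeroed because the point is size analysis, not validation.

```python
import struct

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
EAP_MESSAGE = 79        # attribute type carrying the EAP payload (RFC 2869)
MESSAGE_AUTHENTICATOR = 80
MAX_ATTR_VALUE = 253    # 255-byte attribute minus its 2-byte type/length header
IPV4_UDP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte UDP header, no options


def parse_radius(datagram):
    """Return (code name, identifier, [(type, value), ...]) for one RADIUS UDP payload."""
    if len(datagram) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", datagram[:4])
    if not 20 <= length <= len(datagram):
        raise ValueError("length field %d inconsistent with %d-byte datagram" % (length, len(datagram)))
    attrs, pos = [], 20
    while pos < length:
        atype, alen = datagram[pos], datagram[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, datagram[pos + 2:pos + alen]))
        pos += alen
    return RADIUS_CODES.get(code, "code %d" % code), ident, attrs


def eap_payload(attrs):
    """Reassemble the EAP message from its EAP-Message attributes, in order."""
    return b"".join(value for atype, value in attrs if atype == EAP_MESSAGE)


def fragmentation_report(datagram, mtu=1500):
    """Summarise one datagram and flag whether it would be fragmented on the wire."""
    name, ident, attrs = parse_radius(datagram)
    wire_bytes = len(datagram) + IPV4_UDP_OVERHEAD
    return {"code": name, "id": ident, "eap_bytes": len(eap_payload(attrs)),
            "ip_bytes": wire_bytes, "fragments": wire_bytes > mtu}


def build_sample(code, ident, eap):
    """Constructed RADIUS packet splitting an EAP payload across EAP-Message attributes."""
    body = b""
    for i in range(0, len(eap), MAX_ATTR_VALUE):
        chunk = eap[i:i + MAX_ATTR_VALUE]
        body += bytes([EAP_MESSAGE, len(chunk) + 2]) + chunk
    body += bytes([MESSAGE_AUTHENTICATOR, 18]) + b"\x00" * 16   # placeholder, not computed
    header = struct.pack("!BBH", code, ident, 20 + len(body)) + b"\x00" * 16  # zeroed authenticator
    return header + body
```

Running `fragmentation_report(build_sample(11, 7, b"\x01" * 2000))` against a constructed 2000-byte EAP payload (roughly the size of a server certificate message) flags the datagram as fragmented, while a 100-byte payload does not.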