Testing the FreeRADIUS Package

Testing the FreeRADIUS Package on a firewall running pfSense® software.

Test Configuration

At a minimum, testing FreeRADIUS requires a User, an Interface, and a NAS/Client.

  • Add a User with the following configuration:

    Username: testuser

    Password: testpassword

  • Add a Client/NAS with the following configuration:

    IP Address: 127.0.0.1

    Shared Secret: testing123

  • Add an Interface with the following configuration:

    IP Address: 127.0.0.1

    Interface Type: Auth

    Port: 1812

GUI Test

The easiest way to test is by using Diagnostics > Authentication in the GUI.

First, add a RADIUS server entry to the user manager as described in Authentication Servers.

  • Navigate to System > User Manager, Authentication Servers tab

  • Fill in the settings to match the entry in FreeRADIUS:

    Descriptive Name: FreeRADIUS

    Type: RADIUS

    Hostname or IP Address: 127.0.0.1

    Shared Secret: testing123

    Services Offered: Authentication

    Authentication Port: 1812

  • Click Save

Next, perform the GUI test:

  • Navigate to Diagnostics > Authentication

  • Set Authentication Server to the RADIUS server in the user manager

  • Fill in the Username and Password

  • Click Test

If the test succeeds, the GUI prints a success message:

User testuser authenticated successfully.

The system log will also contain a message indicating a successful login:

radiusd[44793]: Login OK: [testuser/testpassword] (from client testing port 0)

If the test fails, the GUI prints a failure message:

Authentication failed.

The system log will also contain a message indicating failure:

radiusd[44793]: Login incorrect: [testser/testpassword] (from client testing port 0)

CLI Test

FreeRADIUS offers an easy-to-use command line tool, radtest, to check whether the server is running and listening for incoming requests.

SSH to the firewall, start a shell, and type in the following command:

radtest testuser testpassword 127.0.0.1:1812 0 testing123

The following output will appear if the test succeeds. The sample run below passed 10 as the NAS port number rather than 0:

: radtest testuser testpassword 127.0.0.1:1812 10 testing123
Sending Access-Request of id 1 to 127.0.0.1 port 1812
       User-Name = "testuser"
       User-Password = "testpassword"
       NAS-IP-Address = 192.168.0.22
       NAS-Port = 10
       Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=1, length=20

The Access-Accept portion of the output is the most relevant.

Check the system log for the following output:

radiusd[44793]: Login OK: [testuser/testpassword] (from client testing port 10)

If a part of the test fails, such as incorrect username, then the test command output will look like the following:

: radtest testser testpassword 127.0.0.1:1812 10 testing123
Sending Access-Request of id 104 to 127.0.0.1 port 1812
       User-Name = "testser"
       User-Password = "testpassword"
       NAS-IP-Address = 192.168.0.22
       NAS-Port = 10
       Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=104, length=20

The Access-Reject packet indicates that the server rejected the attempt, and the system log will contain the following output:

radiusd[44793]: Login incorrect: [testser/testpassword] (from client testing port 10)
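
The radiusd log lines in both tests include the submitted password. The following Python code is an added example, not part of the original documentation or the FreeRADIUS package: it parses lines in that format, tallies results per client, and redacts the password before a line is forwarded elsewhere. The function names are hypothetical, and the password-less `[user]` form is an assumption about how the line looks when password logging is disabled.

```python
import re
from collections import Counter

# Format of the radiusd lines shown on this page:
#   radiusd[PID]: Login OK: [user/password] (from client NAME port N)
# Assumption: when password logging is off, the bracket holds only the user.
# A "/" inside a username makes the split ambiguous; the first "/" is used.
AUTH_RE = re.compile(
    r"radiusd\[\d+\]: (?P<result>Login OK|Login incorrect): "
    r"\[(?P<cred>.*)\] \(from client (?P<client>.+?) port (?P<port>\d+)"
)

def parse_line(line):
    """Return a dict for a radiusd auth line, or None for anything else."""
    m = AUTH_RE.search(line)
    if not m:
        return None
    user, sep, password = m["cred"].partition("/")
    return {
        "ok": m["result"] == "Login OK",
        "user": user,
        "password": password if sep else None,
        "client": m["client"],
        "port": int(m["port"]),
    }

def redact(line):
    """Replace a logged password with a marker before the line is forwarded."""
    m = AUTH_RE.search(line)
    if not m or "/" not in m["cred"]:
        return line
    start, end = m.span("cred")
    return line[:start] + m["cred"].partition("/")[0] + "/<redacted>" + line[end:]

def summarize(lines):
    """Count results per client and list users whose password was logged."""
    counts, exposed = Counter(), set()
    for rec in filter(None, map(parse_line, lines)):
        counts[(rec["client"], "ok" if rec["ok"] else "fail")] += 1
        if rec["password"] is not None:
            exposed.add(rec["user"])
    return counts, sorted(exposed)

# Constructed sample: the first two lines match this page, the rest are made up.
SAMPLE = [
    "radiusd[44793]: Login OK: [testuser/testpassword] (from client testing port 0)",
    "radiusd[44793]: Login incorrect: [testser/testpassword] (from client testing port 10)",
    "radiusd[44793]: Login incorrect: [testuser] (from client testing port 10)",
    "radiusd[44793]: Ready to process requests",
]
```

A non-empty second value from `summarize(SAMPLE)` means passwords are being written to the system log for those users.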