Testing the FreeRADIUS Package

Testing the FreeRADIUS Package on a firewall running pfSense® software.

Test Configuration

At a minimum, testing FreeRADIUS requires a User, an Interface, and a NAS/Client.

  • Add a User with the following configuration:

    Username: testuser
    Password: testpassword

  • Add a Client/NAS with the following configuration:

    IP Address: 127.0.0.1
    Shared Secret: testing123

  • Add an Interface with the following configuration:

    IP Address: 127.0.0.1
    Interface Type: Auth
    Port: 1812

GUI Test

The easiest way to test is by using Diagnostics > Authentication in the GUI.

First, add a RADIUS server entry to the user manager as described in Authentication Servers.

  • Navigate to System > User Manager, Authentication Servers tab

  • Fill in the settings to match the entry in FreeRADIUS:

    Descriptive Name: FreeRADIUS
    Type: RADIUS
    Hostname or IP Address: 127.0.0.1
    Shared Secret: testing123
    Services Offered: Authentication
    Authentication Port: 1812

  • Click Save

Next, perform the GUI test:

  • Navigate to Diagnostics > Authentication

  • Set Authentication Server to the RADIUS server in the user manager

  • Fill in the Username and Password

  • Click Test

If the test succeeds, the GUI prints a success message:

User testuser authenticated successfully.

The system log will also contain a message indicating a successful login:

radiusd[44793]: Login OK: [testuser/testpassword] (from client testing port 0)

If the test fails, the GUI prints a failure message:

Authentication failed.

The system log will also contain a message indicating failure:

radiusd[44793]: Login incorrect: [testser/testpassword] (from client testing port 0)

CLI Test

FreeRADIUS offers an easy-to-use command line tool to check if the server is running and listening for incoming requests.

SSH to the firewall, start a shell, and type in the following command:

radtest testuser testpassword 127.0.0.1:1812 0 testing123

The following output will appear if the test succeeds:

: radtest testuser testpassword 127.0.0.1:1812 10 testing123
Sending Access-Request of id 1 to 127.0.0.1 port 1812
       User-Name = "testuser"
       User-Password = "testpassword"
       NAS-IP-Address = 192.168.0.22
       NAS-Port = 10
       Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=1, length=20

The Access-Accept portion of the output is the most relevant.

Check the system log for the following output:

radiusd[44793]: Login OK: [testuser/testpassword] (from client testing port 10)

If a part of the test fails, such as an incorrect username, then the test command output will look like the following:

: radtest testser testpassword 127.0.0.1:1812 10 testing123
Sending Access-Request of id 104 to 127.0.0.1 port 1812
       User-Name = "testser"
       User-Password = "testpassword"
       NAS-IP-Address = 192.168.0.22
       NAS-Port = 10
       Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=104, length=20

The Access-Reject packet indicates that the server rejected the attempt, and the system log will contain the following output:

radiusd[44793]: Login incorrect: [testser/testpassword] (from client testing port 10)
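
The Login OK and Login incorrect lines shown for the GUI and CLI tests can also be summarised from the shell. The script below is an added example, not part of the pfSense documentation or the FreeRADIUS package: it reports result, user, client and port for each such line and leaves the logged password out of its output. The function names and sample lines are constructed, and it assumes the log line format shown on this page.

```shell
#!/bin/sh
# Added example: summarise radiusd login results from log lines on stdin.
# Prints RESULT<TAB>USER<TAB>CLIENT<TAB>PORT per line; the password is dropped.
radius_log_summary() {
    awk '
    /radiusd\[[0-9]+\]: Login (OK|incorrect)/ {
        result = ($0 ~ /: Login OK/) ? "OK" : "FAIL"
        s = $0
        sub(/^.*: Login (OK|incorrect)[^[]*\[/, "", s)  # strip through "["
        cut = index(s, "] (from client ")
        if (cut == 0) next                    # not the expected shape
        cred = substr(s, 1, cut - 1)          # "user/password" or "user"
        rest = substr(s, cut + 15)            # text after "] (from client "
        # Assumption: the user name ends at the first "/"; a line with no
        # "/" (no password logged) is treated as a user name only.
        slash = index(cred, "/")
        user = slash ? substr(cred, 1, slash - 1) : cred
        client = rest; sub(/ port [0-9]+.*$/, "", client)
        port = rest; sub(/^.* port /, "", port); sub(/[^0-9].*$/, "", port)
        printf "%s\t%s\t%s\t%s\n", result, user, client, port
    }'
}

# Failed attempts per user, most frequent first, as "COUNT USER".
radius_failed_by_user() {
    radius_log_summary | awk -F '\t' '$1 == "FAIL" { n[$2]++ }
        END { for (u in n) print n[u], u }' | sort -k1,1nr -k2,2
}

# Constructed sample lines in the format shown on this page.
sample_log() {
    cat <<'EOF'
radiusd[44793]: Login OK: [testuser/testpassword] (from client testing port 0)
radiusd[44793]: Login incorrect: [testser/testpassword] (from client testing port 10)
radiusd[44793]: Login incorrect: [testser/a/b] (from client testing port 10)
radiusd[44793]: Login incorrect: [otheruser] (from client testing port 10)
radiusd[44793]: Ready to process requests
EOF
}

sample_log | radius_failed_by_user
```

To use it on real data, pipe the system log into radius_log_summary or radius_failed_by_user instead of sample_log.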