Testing the FreeRADIUS Package

Testing the FreeRADIUS Package on a pfSense® firewall.

Test Configuration

At a minimum, testing FreeRADIUS requires a User, an Interface, and a NAS/Client.

  • Add a User with the following configuration:

    Username: testuser

    Password: testpassword

  • Add a Client/NAS with the following configuration:

    IP Address: 127.0.0.1

    Shared Secret: testing123

  • Add an Interface with the following configuration:

    IP Address: 127.0.0.1

    Interface Type: Auth

    Port: 1812

GUI Test

The easiest way to test is by using Diagnostics > Authentication in the GUI.

First, add a RADIUS server entry to the user manager as described in Authentication Servers.

  • Navigate to System > User Manager, Authentication Servers tab

  • Fill in the settings to match the entry in FreeRADIUS:

    Descriptive Name: FreeRADIUS

    Type: RADIUS

    Hostname or IP Address: 127.0.0.1

    Shared Secret: testing123

    Services Offered: Authentication

    Authentication Port: 1812

  • Click Save

Next, perform the GUI test:

  • Navigate to Diagnostics > Authentication

  • Set Authentication Server to the RADIUS server in the user manager

  • Fill in the Username and Password

  • Click Test

If the test succeeds, the GUI prints a success message:

User testuser authenticated successfully.

The system log will also contain a message indicating a successful login:

radiusd[44793]: Login OK: [testuser/testpassword] (from client testing port 0)

If the test fails, the GUI prints a failure message:

Authentication failed.

The system log will also contain a message indicating failure:

radiusd[44793]: Login incorrect: [testser/testpassword] (from client testing port 0)

CLI Test

FreeRADIUS includes an easy-to-use command-line tool, radtest, to check whether the server is running and listening for incoming requests.

SSH to the firewall, start a shell, and type in the following command:

radtest testuser testpassword 127.0.0.1:1812 0 testing123

The following output will appear if the test succeeds:

: radtest testuser testpassword 127.0.0.1:1812 10 testing123
Sending Access-Request of id 1 to 127.0.0.1 port 1812
       User-Name = "testuser"
       User-Password = "testpassword"
       NAS-IP-Address = 192.168.0.22
       NAS-Port = 10
       Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=1, length=20

The Access-Accept portion of the output is the most relevant.

Check the system log for the following output:

radiusd[44793]: Login OK: [testuser/testpassword] (from client testing port 10)

If part of the test fails, such as an incorrect username, the test command output will look like the following:

: radtest testser testpassword 127.0.0.1:1812 10 testing123
Sending Access-Request of id 104 to 127.0.0.1 port 1812
       User-Name = "testser"
       User-Password = "testpassword"
       NAS-IP-Address = 192.168.0.22
       NAS-Port = 10
       Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=104, length=20

The Access-Reject packet indicates that the server rejected the attempt, and the system log will contain the following output:

radiusd[44793]: Login incorrect: [testser/testpassword] (from client testing port 10)
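As an added illustration of what radtest builds in the Access-Request above and what a client should check in the Access-Accept or Access-Reject that comes back (this is example code, not part of this page or of the FreeRADIUS or pfSense code), the sketch below hides the PAP password and computes the Message-Authenticator with the page's test values, then verifies the server's Response Authenticator before trusting the outcome. It assumes a fixed 16-byte request authenticator, which a real client draws at random for every request.

```python
import hashlib
import hmac
import struct

SECRET = b"testing123"  # the shared secret from the test configuration above

def pap_hide(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def pap_reveal(hidden, secret, authenticator):
    """Inverse of pap_hide: what the server does before comparing the password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def avp(kind, value):
    """One RADIUS attribute: Type, Length (including this 2-byte header), Value."""
    return struct.pack("!BB", kind, len(value) + 2) + value

def build_access_request(ident, username, password, secret, nas_ip, nas_port, authenticator):
    """Access-Request carrying the same attributes radtest prints above (authenticator is constructed)."""
    attrs = (avp(1, username) + avp(2, pap_hide(password, secret, authenticator))
             + avp(4, bytes(int(o) for o in nas_ip.split(".")))
             + avp(5, struct.pack("!I", nas_port)))
    # Message-Authenticator (RFC 2869 5.14) is first inserted as 16 zero bytes (the
    # 0x0000... radtest shows), then replaced by HMAC-MD5(secret, whole packet).
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs) + 18) + authenticator
    mac = hmac.new(secret, header + attrs + avp(80, b"\x00" * 16), hashlib.md5).digest()
    return header + attrs + avp(80, mac)

def build_response(code, ident, request_authenticator, secret):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    head = struct.pack("!BBH", code, ident, 20)
    return head + hashlib.md5(head + request_authenticator + secret).digest()

def check_response(response, request_authenticator, secret):
    """Client side: name the outcome, but only after the Response Authenticator checks out."""
    code, _, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:length] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return "forged or wrong secret"
    return {2: "Access-Accept", 3: "Access-Reject"}.get(code, "other")
```

A reply whose authenticator does not verify is reported separately from Access-Reject, since a client that only looks at the code byte would accept a spoofed Access-Accept or a reply computed with a mismatched shared secret.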