RADIUS Authentication Servers
Remote Authentication Dial-In User Service (RADIUS) is a protocol commonly supported by a wide variety of networking equipment for user authentication, authorization, and accounting (AAA).
Servers are commonly available as well, including FreeRADIUS and Active Directory via NPS.
Though most areas on pfSense® software which support RADIUS now integrate their RADIUS settings via the user manager, a few remain which use separate settings, such as the PPPoE and L2TP servers.
Warning
Secure the link between the firewall and the RADIUS server. If the server is local, use a trusted management network. If the server is remote, communicate only over VPN tunnels.
Some RADIUS protocols transmit passwords in plain text, and though others attempt to protect the password in other ways, other aspects of the protocol are not encrypted and may contain sensitive information.
RADIUS Configuration
- Descriptive name:
The name for this RADIUS server. This name will be used to identify the server throughout the GUI.
- Protocol:
The protocol used by the firewall when performing RADIUS requests. May be one of:
- PAP:
Password Authentication Protocol. Sends passwords unencrypted, and is considered weak. It is more widely supported than other methods, and may be required by specific features (e.g. mOTP).
Warning
Due to its security deficiencies, avoid using PAP where possible.
- MD5-CHAP:
Challenge-Handshake Authentication Protocol using MD5 hashing. The RADIUS server sends a challenge value and the client responds with a hash of the challenge value and the password together. More secure than PAP as it does not transmit passwords in the clear, but both parties must know the plain text of the password.
- MS-CHAPv1:
A Microsoft variation of CHAP where neither side needs to know the plain text of the password. Though it is generally more secure, it has other known weaknesses which make it vulnerable to attack.
- MS-CHAPv2:
An updated variation of MS-CHAPv1. It is used in EAP as well as 802.1x/WPA Enterprise for wireless. However, it also has known weaknesses.
Note
Certain RADIUS features may require specific modes. For example, mOTP typically requires PAP since it reads the password in the clear to separate the PIN and OTP code. Services utilizing EAP typically use MS-CHAPv2.
- Hostname or IP address:
The address of the RADIUS server. This can be a fully qualified domain name or an IPv4 address.
Warning
The RADIUS client on the firewall does not currently support IPv6.
- Shared Secret:
The password established for this firewall on the RADIUS server software.
- Services offered:
This selector sets which services are offered by this RADIUS server.
- Authentication:
The firewall will use this RADIUS server to authenticate users.
- Accounting:
The firewall will send RADIUS start/stop accounting packet data for login sessions if supported in the area where it is used.
- Authentication and Accounting:
The server will be used for both types of actions.
- Authentication port:
Only appears if an Authentication mode is chosen. Sets the UDP port where RADIUS authentication will occur. The default RADIUS authentication port is 1812.
- Accounting port:
Only appears if an Accounting mode is chosen. Sets the UDP port where RADIUS accounting will occur. The default RADIUS accounting port is 1813.
- Authentication Timeout:
Controls how long, in seconds, the RADIUS server may take to respond to an authentication request. If left blank, the default value is 5 seconds. If an interactive two-factor authentication system is in use, increase this timeout to account for how long it will take the user to receive and enter a token, which can be 60-120 seconds or more if it must wait for an external action such as a phone call, SMS message, etc.
Note
The system will retry authentication three times before giving up, and the timeout applies to each attempt individually. Thus, authentication may take up to 3x this value to terminate if the server is unreachable.
- RADIUS NAS IP Attribute:
Sets the value the firewall will send in the RADIUS request NAS-IP-Address attribute. This value is used by the RADIUS server to identify this firewall. The server can use this value to make authentication decisions, or to denote which node users were authenticated by in accounting data.
In most cases, the NAS-IP-Address value does not matter so long as it is unique to this firewall. However, more complicated RADIUS environments may use this attribute to let the server make more informed decisions about users logging into different services. For example, if there are multiple Captive Portal instances on the firewall, multiple RADIUS server entries can be created, each using the specific interface address for a given portal. The RADIUS server could then choose to only let certain sets of users log in to each portal.
Adding a RADIUS Server
To add a new RADIUS server:
1. Add the firewall as a client on the RADIUS server
2. Navigate to System > User Manager, Authentication Servers tab
3. Click Add
4. Set the Type selector to RADIUS
5. The GUI will change the form to display RADIUS Server Settings
6. Fill in the fields as described in RADIUS Configuration
7. Click Save to create the server
8. Navigate to Diagnostics > Authentication to test the RADIUS server using a valid account.
RADIUS Groups
There are two requirements for RADIUS groups to function properly:
1. The RADIUS server must return a list of groups in the Class RADIUS reply attribute as a string.
2. The same groups must exist locally (Manage Local Groups).
Multiple groups returned by the RADIUS server in the Class attribute must be separated by a semicolon. For example, in FreeRADIUS, to return the admins and VPNUsers groups, use the following Reply-Item RADIUS Attribute:
Class := "admins;VPNUsers"
If the RADIUS server returns the group list properly for a user, and the groups exist locally, then the groups will be listed on the results when using the Diagnostics > Authentication page to test an account.
If the groups do not show up when testing, ensure the groups exist in the Group Manager with matching names and that the server is returning the Class attribute as a string, not binary.
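As an added illustration (not code from the pfSense documentation or project), the following Python parses the Class attribute out of a constructed RADIUS Access-Accept, splits it on semicolons as described above, and keeps only the groups that also exist locally; a Class value that is not a printable string is ignored, which is the "string, not binary" failure mode the text warns about. The attribute type number for Class (25) comes from RFC 2865; the sample packet and group names are constructed.

```python
import struct

RADIUS_HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
ATTR_CLASS = 25         # Class attribute type (RFC 2865)

def parse_attributes(packet: bytes):
    """Yield (type, value) pairs from the attribute section of a RADIUS packet."""
    if len(packet) < RADIUS_HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        raise ValueError("RADIUS Length field does not match packet size")
    pos = RADIUS_HEADER_LEN
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]  # one-byte Type, one-byte Length
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def class_groups(packet: bytes):
    """Group names from the Class attribute(s), split on ';' as the page describes.
    A Class value that is not printable ASCII (opaque/binary) contributes nothing."""
    groups = []
    for atype, value in parse_attributes(packet):
        if atype != ATTR_CLASS:
            continue
        try:
            text = value.decode("ascii")
        except UnicodeDecodeError:
            continue  # binary Class value: no groups, the symptom the page describes
        if not text.isprintable():
            continue
        groups.extend(g.strip() for g in text.split(";") if g.strip())
    return groups

def effective_groups(packet: bytes, local_groups):
    """Only groups that also exist locally count; unknown names are dropped."""
    local = set(local_groups)
    return [g for g in class_groups(packet) if g in local]

def build_reply(attrs):
    """Constructed Access-Accept (Code 2) with a zeroed authenticator, for offline use."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", 2, 1, RADIUS_HEADER_LEN + len(body)) + bytes(16)
    return header + body

# Constructed sample: Class := "admins;VPNUsers" plus a Reply-Message (type 18)
SAMPLE_ACCEPT = build_reply([(ATTR_CLASS, b"admins;VPNUsers"), (18, b"Welcome")])
```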