RADIUS Authentication Servers

Remote Authentication Dial-In User Service (RADIUS) is a protocol commonly supported by a wide variety of networking equipment for user authentication, authorization, and accounting (AAA).

RADIUS server software is commonly available as well, including FreeRADIUS and Microsoft Network Policy Server (NPS), which authenticates against Active Directory.

Though most areas on pfSense® software which support RADIUS now integrate their RADIUS settings via the user manager, a few remain which use separate settings, such as the PPPoE and L2TP servers.

Warning

Secure the link between the firewall and the RADIUS server. If the server is local, use a trusted management network. If the server is remote, communicate only over VPN tunnels.

Some RADIUS authentication protocols (such as PAP) send the password protected only by a weak MD5-based obfuscation keyed on the shared secret, and though others protect the password in different ways, the rest of the RADIUS packet is not encrypted and may contain sensitive information such as usernames, NAS addresses, and accounting data.

RADIUS Configuration

Descriptive name

The name for this RADIUS server. This name will be used to identify the server throughout the GUI.

Protocol

The protocol used by the firewall when performing RADIUS requests. May be one of:

PAP

Password Authentication Protocol. The password is sent in the clear (the RADIUS client only obfuscates it using the shared secret), so it is considered weak. It is more widely supported than other methods, and may be required by specific features (e.g. mOTP).

Warning

Due to its security deficiencies, avoid using PAP where possible.

MD5-CHAP

Challenge-Handshake Authentication Protocol using MD5 hashing. The RADIUS server sends a challenge value and the client responds with an MD5 hash of the CHAP identifier, the password, and the challenge value together. More secure than PAP as it does not transmit the password itself, but the server must store the plain text password to recompute the same hash.

MS-CHAPv1

A Microsoft variation of CHAP in which the server verifies the response using a stored password hash rather than the plain text password. Though that avoids storing plain text passwords on the server, MS-CHAPv1 has other known weaknesses which make it vulnerable to attack.

MS-CHAPv2

An updated variation of MS-CHAPv1. It is used as the inner method in EAP (PEAP/EAP-MSCHAPv2), and so in 802.1X/WPA Enterprise for wireless. However, it also has known cryptographic weaknesses: an attacker who captures the challenge and response can recover the password hash offline, so it should only be used inside an encrypted tunnel.

Note

Certain RADIUS features may require specific modes. For example, mOTP typically requires PAP since the firewall must see the password in the clear to separate the PIN from the OTP code. Services utilizing EAP typically use MS-CHAPv2.
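As an added example (not code from pfSense or FreeRADIUS), the following Python shows why the warning above applies to the link between firewall and server: the User-Password hiding from RFC 2865 that a RADIUS client applies to a PAP password, which anyone holding the shared secret and a capture of the request reverses, and the MD5-CHAP response, which keeps the password off the wire but requires the server to hold it in plain text. The secret and password values are constructed for illustration.

```python
import hashlib
import hmac
import os

# Added example, not pfSense or FreeRADIUS code: the RFC 2865 (section 5.2)
# User-Password hiding that a RADIUS client applies to a PAP password, its
# reversal, and the MD5-CHAP response from RFC 1994 / RFC 2865 section 5.3.
# The secret and password values below are constructed for illustration.


def hide_pap_password(password: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """Pad the password to a multiple of 16 bytes, then XOR each block with
    MD5(shared_secret + previous block), seeded with the Request Authenticator.
    This is obfuscation keyed on the shared secret, not real encryption."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(shared_secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block  # chaining uses the ciphertext block
    return bytes(out)


def reveal_pap_password(hidden: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """Reverse of hide_pap_password. Anyone holding the shared secret and a
    capture of the Access-Request (or who can guess a weak secret offline)
    recovers the password, which is why the firewall-to-server link must be
    trusted or tunneled."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(shared_secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")  # strip the RFC padding (passwords cannot end in NUL)


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """MD5-CHAP response: MD5(ID + password + challenge). The password itself
    never crosses the wire, but the server must hold it in plain text to
    recompute the same hash."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def verify_chap(chap_id: int, stored_password: bytes, challenge: bytes, response: bytes) -> bool:
    """What the RADIUS server does with a CHAP-Password attribute."""
    return hmac.compare_digest(chap_response(chap_id, stored_password, challenge), response)


if __name__ == "__main__":
    secret = b"testing123"        # constructed; never use a guessable secret like this
    req_auth = os.urandom(16)     # a fresh Request Authenticator per request
    password = b"correct horse battery staple"
    hidden = hide_pap_password(password, secret, req_auth)
    print("hidden User-Password:", hidden.hex())
    print("recovered with secret:", reveal_pap_password(hidden, secret, req_auth))
    challenge = os.urandom(16)
    resp = chap_response(1, password, challenge)
    print("CHAP verifies:", verify_chap(1, password, challenge, resp))
```

Running the script with a wrong secret in the reveal step yields garbage rather than an error, which is exactly what an offline attacker exploits: with a captured request and a short or dictionary shared secret, candidate secrets can be tried until a printable password falls out.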

Hostname or IP address

The address of the RADIUS server. This can be a fully qualified domain name or an IPv4 address.

Warning

The RADIUS client on the firewall does not currently support IPv6.

Shared Secret

The shared secret configured for this firewall as a client on the RADIUS server. It must match exactly on both sides. Because it is the only key protecting the PAP password obfuscation and the reply authenticator, use a long random value rather than a short word.

Services offered

This selector sets which services are offered by this RADIUS server.

Authentication

The firewall will use this RADIUS server to authenticate users.

Accounting

The firewall will send RADIUS start/stop accounting packets for login sessions, if the area where the server is used supports accounting.

Authentication and Accounting

The server will be used for both types of actions.

Authentication port

Only appears if an Authentication mode is chosen. Sets the UDP port where RADIUS authentication will occur. The default RADIUS authentication port is 1812; some older servers still listen on the legacy port 1645.

Accounting port

Only appears if an Accounting mode is chosen. Sets the UDP port where RADIUS accounting will occur. The default RADIUS accounting port is 1813; some older servers still listen on the legacy port 1646.

Authentication Timeout

Controls how long, in seconds, the RADIUS server may take to respond to an authentication request. If left blank, the default value is 5 seconds. If an interactive two-factor authentication system is in use, increase this timeout to account for how long it will take the user to receive and enter a token, which can be 60-120 seconds or more if it must wait for an external action such as a phone call, SMS message, etc.

Note

The system will retry authentication three times before giving up, and the timeout applies to each attempt individually. Thus, authentication may take up to 3x this value to terminate if the server is unreachable.

RADIUS NAS IP Attribute

Sets the value the firewall will send in the RADIUS request NAS-IP-Address attribute. This value is used by the RADIUS server to identify this firewall. The server can use this value to make authentication decisions, or to denote which node users were authenticated by in accounting data.

In most cases, the NAS-IP-Address value does not matter so long as it is unique to this firewall. However, more complicated RADIUS environments may use this attribute to let the server make more informed decisions about users logging into different services. For example, if there are multiple Captive Portal instances on the firewall, multiple RADIUS server entries can be created, each using the specific interface address for a given portal. The RADIUS server could then choose to only let certain sets of users login to each portal.

Adding a RADIUS Server

To add a new RADIUS server:

  • Add the firewall as a client on the RADIUS server

  • Navigate to System > User Manager, Authentication Servers tab

  • Click Add

  • Set the Type selector to RADIUS

    The GUI will change the form to display RADIUS Server Settings

  • Fill in the fields as described in RADIUS Configuration

  • Click Save to create the server

  • Navigate to Diagnostics > Authentication to test the RADIUS server using a valid account.

RADIUS Groups

There are two requirements for RADIUS groups to function properly:

  • The RADIUS server must return a list of groups in the Class RADIUS reply attribute as a string.

  • The same groups must exist locally (Manage Local Groups)

Multiple groups returned by the RADIUS server in the Class attribute must be separated by a semicolon. For example, in FreeRADIUS, to return the admins and VPNUsers groups, use the following Reply-Item RADIUS Attribute:

Class := "admins;VPNUsers"

If the RADIUS server returns the group list properly for a user, and the groups exist locally, then the groups will be listed on the results when using the Diagnostics > Authentication page to test an account.

If the groups do not show up when testing, ensure the groups exist in the Group Manager with matching names and that the server is returning the Class attribute as a string, not binary.
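As an added example, not pfSense or FreeRADIUS code, the following Python walks through the exchange behind a Diagnostics > Authentication test: the firewall's Access-Request carrying User-Name and NAS-IP-Address, the server's Access-Accept returning Class := "admins;VPNUsers", the Response Authenticator check that ties the reply to the request and the shared secret, and the splitting of the Class string against a set of local groups. The user, group names, secret and addresses are constructed; the password hiding step is taken as already done and is not repeated here.

```python
import hashlib
import hmac
import os
import socket
import struct

# Added example, not pfSense or FreeRADIUS code: the Access-Request the
# firewall sends (with NAS-IP-Address), the Access-Accept a server returns
# with a Class reply attribute, the Response Authenticator check the client
# must perform, and how the Class string maps onto local groups.
# Packet layout and attribute numbers are from RFC 2865; the secret, user
# and group names are constructed for illustration.

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, CLASS = 1, 2, 4, 25


def attr(atype: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute (length counts the 2-byte header)."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes([atype, len(value) + 2]) + value


def parse_attrs(data: bytes) -> list:
    """Decode the attribute list that follows the 20-byte packet header."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return out


def build_access_request(ident: int, username: str, hidden_password: bytes, nas_ip: str):
    """Client side. hidden_password is User-Password after the RFC 2865 hiding
    step (not repeated here). NAS-IP-Address is the value the firewall sends to
    identify itself. The random Request Authenticator is returned as well,
    because the client needs it to check the reply."""
    req_auth = os.urandom(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hidden_password)
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs, req_auth


def build_access_accept(ident: int, req_auth: bytes, secret: bytes, groups) -> bytes:
    """Server side. Class carries the group list as a printable string with ';'
    separators. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    attrs = attr(CLASS, ";".join(groups).encode("ascii"))
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + req_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def check_response(resp: bytes, req_auth: bytes, secret: bytes, expected_ident: int):
    """Client side. Reject replies that are not for our request or that were not
    produced with our shared secret; returns (code, attributes)."""
    if len(resp) < 20:
        raise ValueError("packet too short")
    code, ident, length = struct.unpack("!BBH", resp[:4])
    if length != len(resp) or ident != expected_ident:
        raise ValueError("length or identifier mismatch")
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    if not hmac.compare_digest(expected, resp[4:20]):
        raise ValueError("bad Response Authenticator (wrong secret or tampered packet)")
    return code, parse_attrs(resp[20:])


def groups_from_class(attrs, local_groups) -> list:
    """Mirror the page's rules: Class must be a string, groups are ';' separated,
    and only names that also exist locally are granted (order kept, no duplicates)."""
    granted = []
    for atype, value in attrs:
        if atype != CLASS:
            continue
        try:
            text = value.decode("ascii")
        except UnicodeDecodeError:
            text = None
        if text is None or not text.isprintable():
            raise ValueError("Class attribute is binary, not a string: %r" % value)
        for name in (g.strip() for g in text.split(";")):
            if name and name in local_groups and name not in granted:
                granted.append(name)
    return granted


if __name__ == "__main__":
    secret = b"testing123"  # constructed; use a long random secret in practice
    req, ra = build_access_request(42, "alice", bytes(16), "192.0.2.1")
    resp = build_access_accept(42, ra, secret, ["admins", "VPNUsers", "nosuchgroup"])
    code, attrs = check_response(resp, ra, secret, 42)
    print("code", code, "groups", groups_from_class(attrs, {"admins", "VPNUsers", "operators"}))
```

The script's final line prints only admins and VPNUsers: nosuchgroup is returned by the server but dropped because it has no local counterpart, which is the same symptom as a missing group in the Group Manager. A Class value that fails the printable-string check is the "binary, not string" case described above, and a reply built with a different secret fails the Response Authenticator check before any attribute is looked at.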