Hi Christian and Fabricio,

Thanks for your hints. I followed (most of) them, and now IAS answers the RADIUS requests correctly. (The RADIUS auth log on pfSense shows login and logout activity correctly; the IAS event log shows successful/unsuccessful RADIUS requests.)

BUT: now I struggle with the CP login page and the redirection to the browser home page after successful authentication! --> see my forum post http://forum.pfsense.org/index.php/topic,4562.0.html

EVEN if the logins are judged OK, the user is dropped back to the CP login page 1 second later (and only for a split second shows the 'Redirecting to <browser homepage>...' page). The logout pop-up box is still there, and for pfSense (according to syslog) the user is still deemed logged in. When logging on again, it shows the concurrent-login log message. Clicking the logout pop-up window produces the logout log entry.

There seems to be no way I can keep the CP login page from disappearing!

Thanks for helping me!

Regards,
Markus Strickler

-----Original Message-----
From: Fabricio Ferreira [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 25 April 2007 21:13
To: support@pfsense.com
Subject: RES: [pfSense Support] RE: Using pfsense together with Microsoft IAS
Importance: High

Hi Markus and Christian,

I had the same problems weeks ago... (including the same error messages). I just configured the pfSense CAPTIVE PORTAL and SQUID to authenticate at IAS (Windows 2003). After a painful check-up, I found that... it was the IAS POLICY that was wrong. Both captive portal and SQUID send authentication information to IAS in PAP format with no encryption at all :( So I just changed some features at the IAS POLICY and it worked!

Things to check at Microsoft IAS:

1. At IAS -> RADIUS CLIENT: be sure that you have the pfSense IP address here!
2. At IAS, after creating the pfSense address, enter its properties and check if the CLIENT VENDOR is set to use RADIUS STANDARD. I'm supposing that your shared key is OK, as you said...
3. At IAS, REMOTE ACCESS POLICY, check at the AUTHENTICATION TAB if Unencrypted authentication is lit.
4. At IAS, at the ENCRYPTION TAB, check if NO ENCRYPTION is lit.

Well, I hope it can help you guys...

Sincerely,
Hugs.
Fabrício Guzzy.

|||| Fabrício Ferreira |||| IT and Digital Security Specialist. MCP* - Microsoft Certified Professional
ConnectCom - São Paulo - Brasil
Tel: (011) 5095-1234 Cel: (011) 9937-6605
E-mail: [EMAIL PROTECTED]

-----Original Message-----
From: Christian Veith [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 25 April 2007 15:40
To: support@pfsense.com
Subject: Re: [pfSense Support] RE: Using pfsense together with Microsoft IAS

Hi Markus,

it's a long time ago that I wrote that tutorial, but maybe I could help you. Could you verify some things?

1. Are there any checked values except PAP in the "New Remote Access Profile Policy Wizard / Edit Profile" dialog box?
2. Is the user allowed to do RAS dial-in (in the user preferences)?
3. Could you post some of the event log entries from the Windows server and the syslogs from pfSense?
4. Are you using Active Directory in Native 2003 mode or in Mixed mode with pre-2000 domain controllers?
5. Have you registered the IAS in Active Directory?

Kind regards
Christian Veith

Strickler, Markus wrote:
>
> Hello,
>
> We just configured pfSense as a RADIUS client for a Microsoft IAS
> (Windows 2003), in order to provide a hotspot-like WLAN
> environment.
>
> On the matching IAS access profile, we specified PAP as authentication
> type, and confirmed several times that the shared secret is right.
>
> Authentication requests are passed on to IAS alright - but IAS event
> ID 2, reason code 16 (unknown username / password) is logged all the
> time, even if the user/password combinations are 100% correct.
>
> The usernames are recognized - no matter whether entered as
> <username>, <domain>\<username> or <username>@<domain> - and the
> policy is matched, but the credentials are judged incorrect by IAS.
>
> What am I missing here? Do I have to flag the Message Authenticator
> for RADIUS?
>
> I followed the tutorial on
> http://pfsense.loquefaltaba.com/tutorials/cp_config/radius_win2k3.htm
> precisely, but can't find any hints on authentication/encryption...
>
> Thank you for your help,
>
> Best regards,
> Markus Strickler
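The PAP exchange the thread is about (captive portal to IAS: User-Password hidden per RFC 2865, plus the Message-Authenticator attribute Markus asks about), as an added Python example that is not from the thread, from pfSense or from IAS; the shared secret, user name and NAS address are constructed placeholders.

```python
import hashlib
import hmac
import os
import socket
import struct

NAS_IP = "192.0.2.10"  # constructed placeholder for the pfSense (RADIUS client) address

def _pap_xor(data: bytes, secret: bytes, authenticator: bytes, hide: bool) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    out, prev = b"", authenticator  # first 'previous block' is the Request Authenticator
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        block = bytes(a ^ b for a, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        out += block
        prev = block if hide else chunk  # ciphertext feeds the next block either way
    return out

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    padded = password.ljust(-(-len(password) // 16) * 16 or 16, b"\x00")  # NUL-pad to 16n, min 16
    return _pap_xor(padded, secret, authenticator, hide=True)

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    return _pap_xor(hidden, secret, authenticator, hide=False).rstrip(b"\x00")  # strip padding

def attr(code: int, value: bytes) -> bytes:
    return struct.pack("!BB", code, len(value) + 2) + value  # Type, Length, Value

def build_access_request(user: str, pw: str, secret: bytes, ident: int = 1, authenticator=None) -> bytes:
    authenticator = authenticator or os.urandom(16)  # 16-byte random Request Authenticator
    attrs = (attr(1, user.encode()) + attr(2, hide_password(pw.encode(), secret, authenticator))
             + attr(4, socket.inet_aton(NAS_IP)))  # User-Name, User-Password (PAP), NAS-IP-Address
    # Message-Authenticator (RFC 2869 5.14): HMAC-MD5 over the whole packet with its value zeroed
    body = attrs + attr(80, b"\x00" * 16)
    header = struct.pack("!BBH", 1, ident, 20 + len(body)) + authenticator  # Code 1 = Access-Request
    return header + attrs + attr(80, hmac.new(secret, header + body, hashlib.md5).digest())

def parse_attrs(packet: bytes) -> dict:
    attrs, pos = {}, 20  # attributes follow the 20-byte header
    while pos < len(packet):
        code, length = packet[pos], packet[pos + 1]
        attrs[code] = packet[pos + 2:pos + length]
        pos += length
    return attrs

def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server-side check: recompute the HMAC with the Message-Authenticator value zeroed."""
    mac = parse_attrs(packet).get(80)
    if mac is None or len(mac) != 16:
        return False
    zeroed = packet.replace(attr(80, mac), attr(80, b"\x00" * 16), 1)
    return hmac.compare_digest(mac, hmac.new(secret, zeroed, hashlib.md5).digest())
```

A wrong shared secret raises no error at the RADIUS layer: the server simply reveals a garbled password and reports bad credentials, which is why the secret and the unencrypted-authentication policy setting are the first things to check. Only the Message-Authenticator attribute lets the server tell a mismatched secret from a wrong password.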