Bug #14852

closed

SSH authentication with Radius backend is not working

Added by Lev Prokofev almost 2 years ago. Updated almost 2 years ago.

Status: Not a Bug
Priority: Normal
Assignee: -
Category: Authentication
Target version: -
% Done: 0%
Release Notes: Default

Description

On an attempt to ssh using the Radius user credentials I get

"(lev@172.21.100.1) RADIUS Password:
Radius rejection" 

This user can log in to the GUI but not ssh.

Tested with FreeRadius package.
Standard config, user attributes set to

Class := "admin;ssh;" 

Logs:

Oct 7 08:10:19    sshd    51810    Invalid user lev from 172.21.100.10 port 49339
Oct 7 08:10:19    sshguard    68179    Attack from "172.21.100.10" on service SSH with danger 10.
Oct 7 08:10:19    sshd    51810    Postponed keyboard-interactive for invalid user lev from 172.21.100.10 port 49339 ssh2 [preauth]
Oct 7 08:10:23    radiusd    75454    (1) Login incorrect (Failed retrieving values required to evaluate condition): [lev] (from client pfSense port 0 cli 172.21.100.10)
Oct 7 08:10:24    sshd    51810    Postponed keyboard-interactive/pam for invalid user lev from 172.21.100.10 port 49339 ssh2 [preauth]
Oct 7 08:10:24    sshd    51810    Failed keyboard-interactive/pam for invalid user lev from 172.21.100.10 port 49339 ssh2
Oct 7 08:10:24    sshd    51810    Postponed keyboard-interactive for invalid user lev from 172.21.100.10 port 49339 ssh2 [preauth]
Oct 7 08:10:25    sshd    51810    Connection reset by invalid user lev 172.21.100.10 port 49339 [preauth]
Oct 7 08:10:25    sshguard    68179    Attack from "172.21.100.10" on service SSH with danger 2.
Oct 7 08:11:38    radiusd    75454    (2) Login OK: [lev] (from client pfSense port 0) lev

The last message (Oct 7 08:11:38) is an authentication test in the GUI (Diagnostics > Authentication).


Files

clipboard-202310070922-ixssl.png (41.3 KB) Lev Prokofev, 10/07/2023 05:22 AM
Actions #1

Updated by Lev Prokofev almost 2 years ago

Tested on

23.05.1-RELEASE (amd64)
built on Wed Jun 28 03:57:27 UTC 2023
FreeBSD 14.0-CURRENT

Actions #2

Updated by Jim Pingle almost 2 years ago

  • Status changed from New to Not a Bug

Works for me here. Make sure there is a local user with the correct privileges already on the pfSense side. It doesn't need a matching password since RADIUS handles the auth, but it needs a user account present. The need for a local account is noted in the settings at System > User Manager on the Settings tab.

The only way I get the errors you get is if there isn't a local user.
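
Added example (not part of the original ticket and not pfSense code): a small Python triage over log lines in the layout shown in the report, separating the case described in the reply above (sshd logging "Invalid user" for the login name) from a plain RADIUS rejection. Treating "Invalid user" as the marker for a missing local account is an assumption based on that reply; the alice lines and the verdict labels are constructed for illustration.

```python
import re
from collections import defaultdict

# Sample input: the lev lines are copied from the report's log excerpt;
# the alice lines are constructed to show the contrasting case.
SAMPLE_LOG = """\
Oct 7 08:10:19    sshd    51810    Invalid user lev from 172.21.100.10 port 49339
Oct 7 08:10:23    radiusd    75454    (1) Login incorrect (Failed retrieving values required to evaluate condition): [lev] (from client pfSense port 0 cli 172.21.100.10)
Oct 7 08:10:24    sshd    51810    Failed keyboard-interactive/pam for invalid user lev from 172.21.100.10 port 49339 ssh2
Oct 7 08:11:38    radiusd    75454    (2) Login OK: [lev] (from client pfSense port 0) lev
Oct 7 08:12:02    sshd    51999    Failed keyboard-interactive/pam for alice from 172.21.100.11 port 50001 ssh2
Oct 7 08:12:02    radiusd    75454    (3) Login incorrect: [alice] (from client pfSense port 0 cli 172.21.100.11)
"""

# sshd tags the login name with "Invalid user" / "invalid user" in these lines.
SSHD_INVALID = re.compile(r"\bsshd\b.*\b[Ii]nvalid user (\S+)")
SSHD_FAILED = re.compile(r"\bsshd\b.*Failed \S+ for (\S+) from")
# radiusd: "Login OK: [user]" or "Login incorrect (reason): [user]".
RADIUS = re.compile(r"\bradiusd\b.*Login (OK|incorrect)[^\[]*\[([^\]/]+)")


def triage(log_text):
    """Return {user: verdict} from sshd and radiusd lines for each login name."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        if m := SSHD_INVALID.search(line):
            seen[m.group(1)].add("sshd_invalid")
        elif m := SSHD_FAILED.search(line):
            seen[m.group(1)].add("sshd_failed")
        elif m := RADIUS.search(line):
            flag = "radius_ok" if m.group(1) == "OK" else "radius_reject"
            seen[m.group(2)].add(flag)
    verdicts = {}
    for user, flags in seen.items():
        if "sshd_invalid" in flags:
            # Takes priority: RADIUS results are secondary when sshd does not know the user.
            verdicts[user] = "no-local-account"
        elif "radius_reject" in flags:
            verdicts[user] = "radius-rejected"
        else:
            verdicts[user] = "ok"
    return verdicts


if __name__ == "__main__":
    for user, verdict in triage(SAMPLE_LOG).items():
        print(f"{user}: {verdict}")
```

A "no-local-account" verdict points at the check from the reply: confirm the user exists under System > User Manager before looking at the RADIUS side.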
