
OPNsense firewall can't authenticate against radius in Azure

Medium Priority
214 Views
Last Modified: 2020-06-15
Hi,

I'm in the process of moving my radius server used for authenticating VPN clients from my local network to Azure. I've migrated the IAS settings and added the new server in System -> Servers, but when I test the authentication against the server in Azure, I get this error:

"The following input errors were detected:
Authentication failed."

I can authenticate against the local radius server.

Setup:
OPNsense firewall
v. 18.7.10_4-amd64
IP address 172.16.12.2

Radius
Windows Server 2012 R2
IP address 10.100.10.11

I can't ping 10.100.10.11 from the firewall, so it must have something to do with the communication from the local firewall to Azure and maybe a missing firewall rule, but what am I missing in the process? Should I create a new server here VPN: OpenVPN: Servers with another IPv4 Tunnel Network pointing to the 10.100.11.x network? I'm also uncertain if it has something to do with certificates.

There is no problem communicating from my local machine and servers to the network in Azure.

Thanks in advance,
Ronnie
Firewall_rules_OpenVPN.JPG
VPN_OpenVPN_Servers.JPG
Firewall_Rules_WAN.JPG

Rohit Anand, Cloud Architect
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Hi,

There is no Azure MFA server in this setup.

Regards,
Ronnie
Rohit Anand, Cloud Architect
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Hey Ronnie, thanks for your reply. Are you implementing on top of an Azure VM?
Rohit Anand, Cloud Architect
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Also check if the required inbound ports are allowed in the NSG (Network Security Group).
The server in Azure is an Azure VM if that's what you're asking.

Can you elaborate on the inbound ports and the NSG?
Rohit Anand, Cloud Architect
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Hi Ronnie, my question was to understand how you are planning to change the authentication used for VPN to Azure.

Secondly, based on your issue description, I thought the required ports might not be allowed on the Azure virtual network.

A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources.
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview

So you might need to allow certain ports for the VNet which you have deployed in Azure.
Hi Rohit,

We're using a group in AD to allow VPN access right now. I've read through the link you sent me, but can you elaborate on where and how to allow access through the required ports?

Thanks,
Ronnie
Rohit Anand, Cloud Architect
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Hi Ronnie,

Whenever you deploy any solution on an Azure virtual network, it is associated with a network subnet group which contains the security rules that allow or deny inbound and outbound traffic for those resources. Please check which subnet the site-to-site connectivity you have created is associated with, whether that subnet has an NSG, and whether all the required ports are allowed in it.

Capture42.JPG
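One way to tell a blocked UDP path (the NSG or firewall-rule case above) apart from a credential or shared-secret problem is to send a single RADIUS Access-Request and look at what comes back. The probe below is an added example, not code from the thread, OPNsense or NPS; it implements the RFC 2865 PAP password hiding and response-authenticator check, assumes the server listens on the standard UDP port 1812, and the secret and account in any call are placeholders.

```python
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RFC 2865 packet codes

def pap_transform(data, secret, authenticator, reveal=False):
    # RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block). Hiding chains on
    # the hidden block, revealing on the received block; the password is NUL-padded to 16n bytes.
    data = data if reveal else data.ljust(max(16, -(-len(data) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mixed = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + mixed, (block if reveal else mixed)
    return out.rstrip(b"\x00") if reveal else out

def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(user, password, secret, nas_ip, ident=1, authenticator=None):
    # User-Name(1), User-Password(2), NAS-IP-Address(4); the 20-byte header carries the authenticator
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(1, user.encode()) + _attr(2, pap_transform(password.encode(), secret, authenticator))
             + _attr(4, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_reply(code, ident, request_auth, secret, attrs=b""):
    # Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def reply_is_authentic(reply, request_auth, secret):
    # Fails for a forged reply or for one computed with a different shared secret
    return len(reply) >= 20 and reply[4:20] == hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()

def probe(server, secret, user, password, nas_ip, port=1812, timeout=3.0):
    # One Access-Request; the outcome separates a blocked UDP path from an authentication problem
    req = build_access_request(user, password, secret, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(req, (server, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no reply: UDP %d blocked (firewall/NSG rule) or this NAS is not a registered RADIUS client" % port
    if not reply_is_authentic(reply, req[4:20], secret) or reply[1] != req[1]:
        return "unverifiable reply: shared secret mismatch or spoofed response"
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(reply[0], "code %d" % reply[0])
```

Run from a host on the firewall side of the tunnel as `probe("10.100.10.11", b"<secret>", "<user>", "<password>", "172.16.12.2")`; a timeout points at the network path, an Access-Reject at the NPS policy or the account.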
Hi Rohit,

Thanks a lot for the update. The Azure environment has been set up by an external company. I've attached screen dumps of the settings you mention. Can you, by looking at these, tell me if they should be changed? It doesn't look like there are any subnets.

Thanks,
Ronnie
NSG.JPG
Subnets.JPG
Rohit Anand, Cloud Architect
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Hi Ronnie, what port does your OPNsense firewall use? You can add the same and, alternatively, add the below port as well:
Capture46.JPG
and associate the required subnet as well, in case you have any:
Capture47.JPG
Rohit Anand, Cloud Architect
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
And also please let me know if you want to connect live to work on the same.
Let's connect with Live tomorrow. Since I can ping from my local machine on the 172.16.2.x network but not from the firewall 172.16.12.2 then I believe it's an issue with the firewall and not in Azure, but let's look at it tomorrow. What time will be good for you? I can likely free up the time between 9 AM and 15 PM DK time.
Rohit Anand, Cloud Architect
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Hi Ronnie,

Are you in Denmark? I am in India. What does DK time mean?

When I use a converter, it looks like I can be available between 6:30 AM and 11:30 AM DK time.

However, if it is UK time, I will be available between 4:30 AM and 12:30 PM UK time.

Do let me know if I am wrong.

And also, check what the time is between 8 AM IST and 5 PM IST.
Hi Rohit,

It looks like Istanbul is one hour ahead of Copenhagen. Can we do it at 10.30 IST? That's about one hour from now. I'm available for one hour at that time.
Rohit Anand, Cloud Architect
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Hi Ronnie, I am available now also.

Is this 10:30 AM IST? If it's 10:30 AM, I am OK.
Rohit Anand, Cloud Architect
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Answered via private session. Duration 00:00:04
I'm busy for about the next 50 minutes. Can we do it then?
Rohit Anand, Cloud Architect
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Sure
I'm available now.
Rohit Anand, Cloud Architect
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
I am in the chat.
Ok. Just let me know when you're available.
Rohit Anand, Cloud Architect
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
I will connect back with you at 2:30 PM IST. Let me know if that suits you.
Is that about 4 hours and 15 minutes from now?
Rohit Anand, Cloud Architect
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
It is 14:30 IST. It will be 2 hours from now.
Ok that will be fine.
Rohit Anand, Cloud Architect
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Hey Ronnie, I am live now. Let me know if we can start the session.
In about 35 minutes
Are you free now?
Rohit Anand, Cloud Architect
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Hey Ronnie, I have joined the session. Can you please connect?

Capture53.JPG
Where can I join the session?
Rohit Anand, Cloud Architect
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Answered via private session. Duration 00:00:07
It said that you had left the session
Rohit Anand, Cloud Architect
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Yes, you went offline. Please be online to connect.
I'm online
Rohit Anand, Cloud Architect
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Answered via private session. Duration 00:00:09
Again it says that you have left the session.
Rohit Anand, Cloud Architect
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Not sure, it seems there is a problem. Same on my side.
Rohit Anand, Cloud Architect
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Can you go to my profile and request a live session with me?
Rohit Anand, Cloud Architect
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Answered via private session. Duration 00:00:04
The expert has left the session.
Rohit Anand, Cloud Architect
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Answered via private session. Duration 00:00:03
Again: "The expert has left the session."
Rohit Anand, Cloud Architect
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Hey Ronnie, please send me your email ID; I will send a Skype invite to connect.
raz@politiforbundet.dk
Rohit Anand, Cloud Architect
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Please check your email; you will receive it shortly. Join it by clicking on "Join Skype Meeting".
Hi Rohit,

The issue still isn't solved. Do you have any ideas?

Regards,
Ronnie
Rohit Anand, Cloud Architect
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Hey Ronnie,

As per the last discussion, you mentioned that you would be following the steps suggested in the URL below:
https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route-azure.html

Did you get the opportunity to work on all those steps?
Some of them were already implemented, but with some changes from the guide. However, I still couldn't get it to work.
Rohit Anand, Cloud Architect
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Let's work on this tomorrow. Do let me know if you are free anytime between 2 PM IST and 5 PM IST.
Ok. Let's work on it at 2.30 PM IST.
So when can we look at this?
Rohit Anand, Cloud Architect
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Hey Ronnie,
We tried to get connected, but it seems the time zones are not working well for both of us.

Can you tell me if 8 PM IST on Thursday works well for you?
Hi,

That will not work. I'm available between 11.30 AM and 3 PM IST.
Hi Rohit,

I didn't hear from you. How about Monday between 10 AM and 15 PM IST?
Rohit Anand, Cloud Architect
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Hey Ronnie, it seems I missed it. OK, I will work on it this coming Monday at 10 AM IST and will send you an invite.
Rohit, I didn’t hear from you Yesterday. I’m out of the office for the next three weeks, but I need to know if I can expect your help with this or not.
Rohit Anand, Cloud Architect
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Sorry, I sent you an invite. Let's connect tomorrow.
I’m sorry but did you read my comment? I’m away for the next three weeks.
Rohit Anand, Cloud Architect
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Yeah, I missed the last sentence... Yes, I can work with you on all the settings configuration. We need to check all those steps one by one.
Hi Rohit, when can we look at this?
Rohit Anand, Cloud Architect
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Sure, do let me know when we can work on this.
Wednesday 21st. How about 10 AM GMT+2?