OPNsense Forum » English Forums » Development and Code Review (Moderator: fabian) » RADIUS authentication: Thinking about
Topic: RADIUS authentication: Thinking about
msi (Newbie, Posts: 7, Karma: 1)
October 29, 2021, 04:55:01 pm
Hi
A colleague and I have mostly migrated from pfSense to OPNsense since summer, and besides some human habits that need to change a bit, the migration has been very smooth (and we definitely plan on getting a business subscription).
While migrating the remaining OpenVPN service to it, my colleague and I ran into an issue that is due to the divergence between OPNsense and pfSense: our 3 OpenVPN instances (that have different access policies) are currently authenticated against a RADIUS backend, and therein lies the issue:
Currently we are not able to clearly identify whether a RADIUS Access-Request is coming from the OpenVPN server, nor which instance it is.
On pfSense NAS-Identifier is "openVPN" while NAS-Port contains the port on which the OpenVPN server is running (i.e. 1194, 1195 etc.).
On OPNsense NAS-Port seems to always be 0 while NAS-Identifier is a random string per RADIUS server backend defined in OPNsense (as <refid></refid> in config.xml).
Technically we can move that to LDAP, but we have been quite happy with the fact that we delegated the authorization part to our FreeRADIUS servers instead of implementing this logic on the Firewall side.
Based on checking both source code repos, this differentiation in RADIUS requests was only added after the split between both projects. And that code was only added when pfSense has switched their license and has diverged quite a bit by now.
It seems that expanding some bits in
https://github.com/opnsense/core/blob/96214877bef00c196903a9ec8b4e1afac75b7a18/src/opnsense/mvc/app/library/OPNsense/Auth/Radius.php#L106
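The difference described in the post, seen from the RADIUS server's side, as an added example that is not part of the original post and not OPNsense, pfSense or FreeRADIUS code. It parses the NAS-Identifier (type 32) and NAS-Port (type 5) attributes of an Access-Request per RFC 2865; the sample packets, the instance names in `PORT_MAP` and the refid-like string are constructed assumptions.

```python
import struct

ACCESS_REQUEST = 1                                  # RFC 2865 packet code
USER_NAME, NAS_PORT, NAS_IDENTIFIER = 1, 5, 32      # RFC 2865 attribute types

def build_access_request(attrs, ident=1):
    """Build a constructed Access-Request (zero authenticator, test input only)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH16s", ACCESS_REQUEST, ident, 20 + len(body), b"\0" * 16) + body

def parse_attributes(packet):
    """Return {type: [values]} from an Access-Request, rejecting malformed lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than RADIUS header")
    code, _ident, length, _auth = struct.unpack("!BBH16s", packet[:20])
    if code != ACCESS_REQUEST or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Request")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs

def identify_instance(packet, port_map):
    """Map a request to an OpenVPN instance name, or None if it cannot be told apart."""
    attrs = parse_attributes(packet)
    nas_id = attrs.get(NAS_IDENTIFIER, [b""])[0].decode("utf-8", "replace")
    port_raw = attrs.get(NAS_PORT, [None])[0]
    nas_port = struct.unpack("!I", port_raw)[0] if port_raw and len(port_raw) == 4 else None
    if nas_id == "openVPN" and nas_port in port_map:
        return port_map[nas_port]
    return None

# Constructed sample requests mirroring the two behaviours described in the post.
PORT_MAP = {1194: "vpn-staff", 1195: "vpn-contractors"}   # hypothetical instance names
PFSENSE_STYLE = build_access_request(
    [(USER_NAME, b"alice"), (NAS_IDENTIFIER, b"openVPN"), (NAS_PORT, struct.pack("!I", 1195))])
OPNSENSE_STYLE = build_access_request(  # refid-like string below is a constructed placeholder
    [(USER_NAME, b"alice"), (NAS_IDENTIFIER, b"5f3a9c1e2b7d4"), (NAS_PORT, struct.pack("!I", 0))])

if __name__ == "__main__":
    print(identify_instance(PFSENSE_STYLE, PORT_MAP))
    print(identify_instance(OPNSENSE_STYLE, PORT_MAP))
```

With the second packet, a per-instance authorization policy on the RADIUS server has nothing to key on except the per-backend identifier string, which is the same for every OpenVPN instance using that backend.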