
Topic: Windows IPsec VPN authentication with Active Directory and FreeRADIUS

Bisti

« on: April 20, 2018, 03:35:41 pm »
Is it possible to authenticate a Windows client machine on IPsec VPN against Active Directory?
I tried this by setting up FreeRADIUS on my OPNsense but it's not working. What I googled is that my FreeRADIUS expects a cleartext password while my Windows machine is sending NThash. It seems that for this to work, I would also need to install Samba and join my OPNsense box to AD (I don't want to go that way). Anyone tested a similar setup?

ScottSenffner

« Reply #1 on: April 23, 2018, 02:43:28 pm »
I am really interested to hear how this is fixed, as I need to do this myself. I have not set it up yet, because this is my first firewall with OPNsense. I am a complete newbie at it. I was able to get it installed this weekend and I am having problems with port forwarding. It may be a problem with the version 18.1.6???? Not sure yet, just replied to someone else's inquiry about that as well.

Looking forward to more learning experiences.

Scott

Bisti

« Reply #2 on: April 27, 2018, 11:08:22 pm »
I think that the only way to do this at the moment is to use certificate authentication. I don't have a CA set up at the moment in my AD infrastructure so I can't test this out.

Kofl

« Reply #3 on: April 28, 2018, 07:22:49 pm »
Maybe it would be a solution to use Windows Radius, which uses AD to authenticate?
http://thesolving.com/server-room/configure-radius-server-windows-authenticate-cisco-vpn-users/

and then configure OPNsense to use that RADIUS server:
https://wiki.opnsense.org/manual/how-tos/user-radius.html




mimugmail

« Reply #4 on: April 28, 2018, 08:36:30 pm »
You can bind to LDAP via Freeradius plugin, should work fine

Bisti

« Reply #5 on: April 28, 2018, 10:46:44 pm »
Quote from: mimugmail on April 28, 2018, 08:36:30 pm
You can bind to LDAP via Freeradius plugin, should work fine
What do you mean by that? I have installed the FreeRADIUS plugin and bound it to my AD but it only accepts plain passwords and Windows desktops send the NT-Hash of the password.
I will try to do what Kofl suggested - use a Windows RADIUS server.