OPNsense Forum » Archive » 21.1 Legacy Series
Topic: Tunneled EAP, IPsec, FreeRADIUS, et al + directory sync (LDAPS) (Read 1818 times)
senseivita
Tunneled EAP, IPsec, FreeRADIUS, et al + directory sync (LDAPS)
« on: March 18, 2021, 04:02:41 pm »
Playing with the FreeRADIUS plugin I discovered it was accepting just about every device that would connect to the test wireless network configured with it for auth, or so I thought. As it turns out I had [absentmindedly] configured every possible setting I could use at some point, including remote MySQL database and LDAPS.
When I unchecked the LDAP boxes the devices stopped connecting to the MAC-based authenticated network. As that was sorted out a million questions replaced it though, like why isn't the FreeRADIUS plugin able to use the users synced from Active Directory (over secure LDAP)? It'd be nice to use the built-in users with the same password and just augment their profiles with just the needed settings*. I also noticed that even while making its own LDAPS connection to the servers, it would still fail to authenticate supplicants requiring the more secure methods, like the tunnel-within-a-tunnel PEAP, TTLS, all that.
I know that this is basically because LDAP is insecure so it doesn't work with the tunneled EAPs, but by that logic, shouldn't LDAPS work? It is encrypted so nothing is in the clear at any stage. Furthermore, since the users are synced, the authentication is local anyway, therefore, it is secure.
Then there's the actual tunnels, IPsec. Is IPsec able to use the synced users for authentication or is it limited as well? It's got its own section for secrets, two actually; it already hints at "No".
What packages/areas (first and/or third party) can use the local directory service fully besides the system's auth and the cert manager?
Thanks!
*: a little later I discovered this can't be done even with the manually added users anyway.
I tried setting IP addresses, routing info, VLANs... Only VLANs work. Thankfully this works great on pfSense's FreeRADIUS (where ironically LDAP, secure or not, ain't much of a success) and I can keep that only for my MAC-based auth, which is much nicer to manage in either of the two firewalls than in AD Users and Computers or AD Administrative Center or Windows Admin Center.
I'm a bit dyslexic and it makes me forgo letters at the end of words. What gets written is written correctly though, I have good orthography in one or two languages, ironically. It's messed up, I know, I'm sorry. Just pretend you're my auto-complete.
mimugmail
Re: Tunneled EAP, IPsec, FreeRADIUS, et al + directory sync (LDAPS)
« Reply #1 on: March 18, 2021, 08:58:35 pm »
Why doesn't Users in the Radius plugin work? I would just enable the NPS role on the DC and do it on Windows.
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
Patrick M. Hausen
Re: Tunneled EAP, IPsec, FreeRADIUS, et al + directory sync (LDAPS)
« Reply #2 on: March 18, 2021, 09:03:54 pm »
To paraphrase @mimugmail:
The RADIUS server needs access to Windows domain specific $things so you regularly run it on your Windows DC. There is a service in Windows server, formerly known as IAS (Internet Authentication Server), now NPS (Network Policy Server) that you need to add and activate via "features and ... something, I forget". Then point your OPNsense at that RADIUS server.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
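The "Windows domain specific $things" in the reply above are, for PEAP, the inputs of its inner MS-CHAPv2 method. The following is an added example, not code from this thread, from OPNsense or from FreeRADIUS: it computes the NT hash and the RFC 2759 challenge hash that MS-CHAPv2 verification needs, and models three kinds of user backend as plain dicts (an assumption of this example, not a FreeRADIUS interface) to show that a bind against LDAP(S) can confirm a cleartext password (PAP, e.g. inside EAP-TTLS) but cannot produce the key material for MS-CHAPv2, which is why that job goes to NPS on a domain controller or to a domain-joined FreeRADIUS using ntlm_auth. The directory entry is constructed; the "User"/"clientPass" values are the RFC 2759 test vector. MD4 is implemented inline because hashlib's md4 sits in OpenSSL's legacy provider and is often unavailable.

```python
"""MS-CHAPv2 server-side inputs vs. what a user backend can expose (added example)."""
import hashlib
import struct

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def _md4_block(state, block):
    X = struct.unpack("<16I", block)
    a, b, c, d = state
    # (function, additive constant, X[] index order, rotation amounts) per RFC 1320
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         list(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for f, k, order, shifts in rounds:
        for i, idx in enumerate(order):
            a = _rotl((a + f(b, c, d) + X[idx] + k) & MASK, shifts[i % 4])
            a, b, c, d = d, a, b, c  # rotate registers so the next step updates old d
    return tuple((s + v) & MASK for s, v in zip(state, (a, b, c, d)))


def md4(data: bytes) -> bytes:
    state = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
    padded = data + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    padded += struct.pack("<Q", len(data) * 8)  # bit length, little-endian
    for off in range(0, len(padded), 64):
        state = _md4_block(state, padded[off:off + 64])
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NTPasswordHash: MD4 over the UTF-16LE encoding of the password."""
    return md4(password.encode("utf-16-le"))


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 ChallengeHash(): SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[:8]."""
    return hashlib.sha1(peer_challenge + auth_challenge + username.encode()).digest()[:8]


def des_keys_from_nt_hash(nthash: bytes) -> list:
    """Pad the 16-byte NT hash to 21 bytes and cut the three 7-byte DES keys that
    RFC 2759 ChallengeResponse() uses. The DES step itself is omitted (no stdlib DES);
    the point is that nothing here can be derived without the NT hash."""
    padded = nthash + b"\x00" * 5
    return [padded[i:i + 7] for i in range(0, 21, 7)]


def mschapv2_key_material(backend: dict):
    """Keys the RADIUS server can derive to recompute the NT-Response, given what its
    backend exposes. Backend kinds (modelled as dicts, an assumption of this example):
      {"cleartext": pw}   local users / Cleartext-Password: the server hashes it itself
      {"nt_hash": bytes}  a directory that returns the NT hash as an attribute
      {"bind": fn}        LDAP(S) bind: fn(password) -> bool, nothing else exposed"""
    if "cleartext" in backend:
        return des_keys_from_nt_hash(nt_hash(backend["cleartext"]))
    if "nt_hash" in backend:
        return des_keys_from_nt_hash(backend["nt_hash"])
    return None  # bind-only: there is nothing to key DES with


def pap_ok(backend: dict, password: str) -> bool:
    """PAP carries the cleartext password, so every backend kind can check it."""
    if "cleartext" in backend:
        return backend["cleartext"] == password
    if "nt_hash" in backend:
        return nt_hash(password) == backend["nt_hash"]
    return backend["bind"](password)


if __name__ == "__main__":
    directory = {"alice": "clientPass"}  # constructed entry, RFC 2759 test password
    bind_only = {"bind": lambda pw: directory["alice"] == pw}
    local_user = {"cleartext": directory["alice"]}
    print("PAP via LDAP bind:", pap_ok(bind_only, "clientPass"))
    print("MS-CHAPv2 keys via LDAP bind:", mschapv2_key_material(bind_only))
    print("MS-CHAPv2 keys via local user:", mschapv2_key_material(local_user))
    print("NT hash(clientPass):", nt_hash("clientPass").hex())
```

Run as-is: the bind-only backend passes PAP and returns None for MS-CHAPv2, while the cleartext backend yields the three DES keys. The same asymmetry is why a RADIUS server that only has an LDAP bind cannot finish PEAP/MS-CHAPv2 no matter how the LDAP transport is encrypted.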
mimugmail
Re: Tunneled EAP, IPsec, FreeRADIUS, et al + directory sync (LDAPS)
« Reply #3 on: March 19, 2021, 05:57:26 am »
Thanks, the differences between writing on mobile and computer.