OPNsense Forum

Archive => 21.1 Legacy Series => Topic started by: senseivita on March 18, 2021, 04:02:41 PM

Title: Tunneled EAP, IPsec, FreeRADIUS, et al + directory sync (LDAPS)
Post by: senseivita on March 18, 2021, 04:02:41 PM
Playing with the FreeRADIUS plugin I discovered it was accepting just about every device that would connect to the test wireless network configured with it for auth, or so I thought. As it turns out I had [absentmindedly] configured every possible setting I could use at some point, including remote MySQL database and LDAPS.

When I unchecked the LDAP boxes the devices stopped connecting to the MAC-based authenticated network. As that was sorted out a million questions replaced it though, like why isn't the FreeRADIUS plugin able to use the users synced from Active Directory (over secure LDAP)? It'd be nice to use the built-in users with the same password and just augment their profiles with just the needed settings*. I also noticed that even while making its own LDAPS connection to the servers, it would still fail to authenticate supplicants requiring the more secure methods, like the tunnel within a tunnel PEAP, TTLS, all that.

I know that this is basically because LDAP is insecure so it doesn't work with the tunneled EAPs, but by that logic, shouldn't LDAPS work? It is encrypted so nothing is in the clear at any stage. Furthermore, since the users are synced, the authentication is local anyway, therefore, it is secure.

Then there's the actual tunnels, IPsec. Is IPsec able to use the synced users for authentication or is it limited as well? It's got its own section for secrets, two actually, which already hints at No.

What packages/areas (first and/or third party) can use the local directory service fully besides the system's auth and the cert manager?

Thanks!
*: a little later I discovered this can't be done even with the manually added users anyway. :( I tried setting IP addresses, routing info, VLANs... Only VLANs work. Thankfully this works great on pfSense's FreeRADIUS (where ironically LDAP, secure or not, ain't much of a success) and I can keep that only for my MAC-based auth which is much nicer to manage in either of the two firewalls than in AD Users and Computers or AD Administrative Center or Windows Admin Center.
Title: Re: Tunneled EAP, IPsec, FreeRADIUS, et al + directory sync (LDAPS)
Post by: mimugmail on March 18, 2021, 08:58:35 PM
Why doesn't Users in Radius plugin work? I would just enable NPS role on DC and do it on Windows
Title: Re: Tunneled EAP, IPsec, FreeRADIUS, et al + directory sync (LDAPS)
Post by: Patrick M. Hausen on March 18, 2021, 09:03:54 PM
To paraphrase @mimugmail:

The RADIUS server needs access to Windows domain specific $things so you regularly run it on your Windows DC. There is a service in Windows server, formerly known as IAS (Internet Authentication Server), now NPS (Network Policy Server) that you need to add and activate via "features and ... something, I forget ;)". Then point your OPNsense at that RADIUS server.
Title: Re: Tunneled EAP, IPsec, FreeRADIUS, et al + directory sync (LDAPS)
Post by: mimugmail on March 19, 2021, 05:57:26 AM
Thx, the differences between writing on mobile and Computer :)