Hello community,
OPNsense 24.1.9_4-amd64
FreeBSD 13.2-RELEASE-p11
OpenSSL 3.0.14
on proxmox 8.2.4
Plugin:
os-freeradius (installed) 1.9.23
I have the following question: In normal Freeradius, I can authorize users using Microsoft Active Directory or EAP-TLS using certificates.
Is Authentication using AD also possible using OPNsense?
If so, please give me a hint on how to deal with this issue.
I have System -> Servers configured:
Desc: AD
USER DN, Containers etc.
User naming attribute: sAMAccountName,
Port value: 389,
TCP Standard,
Protocol ver: 3.
Everything works fine here; in System -> Tester I receive the following message:
User: piotr authenticated successfully.
This user is a member of these groups (...).
And now the whole problem starts in Services -> Freeradius.
Logging in using local users works. However, I cannot force it to be authorized in AD.
Enable LDAP
EAP - MSCHAPv2
Prime256v1
use own cert - no
rootCA - no
Server certificate - web ui
crl - none
tls CN - no
tls min ver 1.2
LDAP
Inner Tunnel Yes
Protocol type: LDAP
server: my Domain Controller IP
Port 389
Certificate: none
TLS start: no
Bind User and Base DN = same as system -> Servers
User filter: (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})
Group Filter: (objectClass=posixGroup)
In the log: Auth: (45) Login OK: [piotr/<via Auth-Type = Accept>] (from client UAP port 0 cli A2-DD-5F-XX-XX-XX)
but my Android devices don't connect to the network...
I have no idea what I'm doing wrong anymore.
Please give me some advice!
Kind regards :)
Piotr
Hello, did you manage to fix your issue?
I'm not even getting an Auth: OK with my similar setup.
Instead I'm getting this "No NT-Password" error.
Auth: (14) Login incorrect (mschap: FAILED: No NT-Password. Cannot perform authentication): [exu/<via Auth-Type = eap>] (from client Unifi APs port 0 via TLS tunnel)
What settings (EAP and Phase-2) are you using on the client side to authenticate?
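Added example (not from the thread or from OPNsense/FreeRADIUS): a small parser for the two kinds of "Auth:" log lines quoted above, plus a stand-alone expansion of the user filter from the first post with RFC 4515 filter escaping. The sample log lines are constructed from the ones quoted here, and the KNOWN_REASONS text is my explanation of the "No NT-Password" failure, not a message from FreeRADIUS. The filter function is an illustration of what the xlat does, not FreeRADIUS's own code path.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the two log entries quoted in this thread, one success, one failure.
SAMPLE_LOG = """\
Auth: (45) Login OK: [piotr/<via Auth-Type = Accept>] (from client UAP port 0 cli A2-DD-5F-XX-XX-XX)
Auth: (14) Login incorrect (mschap: FAILED: No NT-Password. Cannot perform authentication): [exu/<via Auth-Type = eap>] (from client Unifi APs port 0 via TLS tunnel)
"""

# Shape of a FreeRADIUS 3 "Auth:" line: request id, outcome, optional reason,
# [user/<password or Auth-Type marker>], and the client description.
LINE_RE = re.compile(
    r"^Auth: \((?P<req>\d+)\) Login (?P<outcome>OK|incorrect)"
    r"(?: \((?P<reason>.*?)\))?: "
    r"\[(?P<user>[^/\]]*)/(?P<secret><[^>]*>|[^\]]*)\] "
    r"\(from client (?P<client>.*)\)$"
)

# Operator hints for known failure reasons (assumed explanatory text, written for this example).
KNOWN_REASONS = {
    "No NT-Password": (
        "The inner method is MSCHAPv2, which needs the user's NT hash or cleartext "
        "password. A bind-only LDAP lookup against Active Directory returns neither, "
        "so the mschap module has nothing to verify the client's response against."
    ),
}


@dataclass
class AuthEvent:
    request_id: int
    ok: bool
    user: str
    auth_type: Optional[str]   # e.g. "Accept" or "eap"
    client: str
    reason: Optional[str]      # text inside the parentheses on a failure
    hint: Optional[str]        # matching KNOWN_REASONS entry, if any


def parse_auth_line(line: str) -> Optional[AuthEvent]:
    """Parse one Auth: line; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    auth_type = re.search(r"Auth-Type = ([^>\s]+)", m.group("secret"))
    reason = m.group("reason")
    hint = next((text for key, text in KNOWN_REASONS.items()
                 if reason and key in reason), None)
    return AuthEvent(
        request_id=int(m.group("req")),
        ok=m.group("outcome") == "OK",
        user=m.group("user"),
        auth_type=auth_type.group(1) if auth_type else None,
        client=m.group("client"),
        reason=reason,
        hint=hint,
    )


def triage(log: str) -> List[AuthEvent]:
    """Parse every recognised Auth: line in a log excerpt."""
    return [ev for ev in (parse_auth_line(l) for l in log.splitlines()) if ev]


# RFC 4515 escaping for values interpolated into an LDAP search filter.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_filter_escape(value: str) -> str:
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(user_name: str, stripped_user_name: Optional[str] = None) -> str:
    """Expand (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}}) for one request.

    The xlat prefers the realm-stripped name and falls back to the raw User-Name;
    either way the value must be escaped before it lands in a filter."""
    name = stripped_user_name if stripped_user_name else user_name
    return f"(samaccountname={ldap_filter_escape(name)})"


if __name__ == "__main__":
    for ev in triage(SAMPLE_LOG):
        status = "OK" if ev.ok else f"FAILED ({ev.reason})"
        print(f"req {ev.request_id}: {ev.user} via {ev.auth_type} from {ev.client}: {status}")
        if ev.hint:
            print("  hint:", ev.hint)
    print(build_user_filter("piotr"), build_user_filter("a*b)(c"))
```

Running it against the two quoted lines prints the success for piotr and the mschap failure for exu with the hint. The practical consequence of that hint is the usual FreeRADIUS answer for PEAP-MSCHAPv2 against AD: the server needs something that can validate the NT hash (ntlm_auth through a domain-joined Samba/winbind, or a Windows NPS as Patrick suggests below), whereas an LDAP bind is enough only for inner methods that carry the cleartext password, such as EAP-TTLS/PAP.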
What about running RADIUS on your DC if you need AD integration?
https://learn.microsoft.com/en-us/windows/win32/nps/ias-radius-authentication-and-accounting
HTH,
Patrick
I wasn't aware of this Windows server role.
I'll have a look at using this.