Is it possible to authenticate a Windows client machine on an IPsec VPN against Active Directory?
I tried this by setting up FreeRADIUS on my OPNsense, but it's not working. What I googled is that my FreeRADIUS expects a cleartext password while my Windows machine is sending an NT hash. It seems that for this to work, I would also need to install Samba and join my OPNsense box to AD (I don't want to go that way). Has anyone tested a similar setup?
I am really interested to hear how this is fixed, as I need to do this myself. I have not set it up yet, because this is my first firewall with OPNsense. I am a complete newbie at it. I was able to get it installed this weekend, and I am having problems with port forwarding. It may be a problem with version 18.1.6???? Not sure yet; I just replied to someone else's inquiry about that as well.
Looking forward to more learning experiences.
Scott
I think that the only way to do this at the moment is to use certificate authentication. I don't have a CA set up at the moment in my AD infrastructure, so I can't test this out.
Maybe it would be a solution to use Windows RADIUS (NPS), which uses AD to authenticate?
http://thesolving.com/server-room/configure-radius-server-windows-authenticate-cisco-vpn-users/
and then configure OPNSense to use that radius server:
https://wiki.opnsense.org/manual/how-tos/user-radius.html
You can bind to LDAP via Freeradius plugin, should work fine
Quote from: mimugmail on April 28, 2018, 08:36:30 PM
You can bind to LDAP via Freeradius plugin, should work fine
What do you mean by that? I have installed the FreeRADIUS plugin and bound it to my AD, but it only accepts plain passwords, and Windows desktops send an NT hash of the password.
I will try to do what Kofl suggested: use a Windows RADIUS server.