OPNsense Forum

Archive => 19.1 Legacy Series => Topic started by: senseivita on April 27, 2019, 05:06:50 pm

Title: Local (system) users for FreeRADIUS
Post by: senseivita on April 27, 2019, 05:06:50 pm
I've been trying without luck to set up FreeRADIUS with Active Directory for a while now; apparently that'll never happen for me. LDAP for both OPNsense's FreeRADIUS and OPNsense itself is set up correctly; I tried starting in another system and learned in the documentation that LDAP is useless for the tunneled EAP types anyway.

But since the users from LDAP were imported into OPNsense itself, I'd be using local users, therefore tunneled EAP should work, right? That's what I hope for anyway. I don't know how exactly to instruct FreeRADIUS to use the system userbase; I don't think it's automatic because I can't authenticate with any of the imported accounts.

I figured maybe I need to add users into FreeRADIUS, but when I go there, within the information I'm also asked for a password to proceed. I don't know if by entering this value the previous one is going to be changed for the account in question, or if it's going to set a different password altogether, which sort of defeats the purpose of the integration.

Is it doable? Are the settings elsewhere? Thanks!
Title: Re: Local (system) users for FreeRADIUS
Post by: hbc on April 27, 2019, 05:28:36 pm
Just one short question:

Is there a special reason not to use active directory LDAP or Radius directly? Why use FreeRadius as additional layer?
Title: Re: Local (system) users for FreeRADIUS
Post by: mimugmail on April 27, 2019, 07:04:10 pm
EAP requires password encryption which doesn't work with FR and LDAP. This would need NTLM bind.
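For readers hitting the same wall: with PEAP/EAP-TTLS carrying MS-CHAPv2, the RADIUS server never receives the cleartext password, only a challenge/response, so an LDAP bind (which needs the cleartext password) cannot verify it. The LDAP module can only serve MS-CHAPv2 if it can read an NT-hash attribute, and Active Directory does not expose one over LDAP. The stock FreeRADIUS answer is to hand the challenge/response to Samba's `ntlm_auth`, which has the machine account from joining the domain and asks a DC to validate it. The fragment below is an added example in FreeRADIUS 3.x configuration syntax, not from the thread or from OPNsense's FreeRADIUS plugin; it assumes the FreeRADIUS host has been joined to the domain with winbind running, and the path `/usr/bin/ntlm_auth` and the domain name `EXAMPLE` are placeholders.

```conf
# mods-available/mschap (FreeRADIUS 3.x). Added example; binary path and
# domain name are assumptions, adjust them to your build and your realm.
mschap {
    # Forward the MS-CHAPv2 challenge and NT-Response to winbind. The DC only
    # confirms whether the response matches; the password is never sent to,
    # or stored on, the RADIUS host. --request-nt-key returns the NT key so
    # FreeRADIUS can derive the MPPE keys that WPA2-Enterprise needs.
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-EXAMPLE} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

    # Insist on encrypted, 128-bit MPPE keys; wireless clients require them.
    use_mppe = yes
    require_encryption = yes
    require_strong = yes
}

# mods-available/eap: make PEAP the default tunnel; its inner method is
# MS-CHAPv2, which the mschap module above now handles.
eap {
    default_eap_type = peap
    peap {
        tls = tls-common
        default_eap_type = mschapv2
        virtual_server = "inner-tunnel"
    }
}
```

Before touching the EAP client, check the two layers separately. First confirm winbind can validate a user on its own (`ntlm_auth --request-nt-key --domain=EXAMPLE --username=someuser` prompts for the password and should print `NT_STATUS_OK`); then run `radiusd -X` and `radtest -t mschap someuser 'password' 127.0.0.1 0 testing123` so the mschap module is exercised without TLS in the way. If the debug output shows `ntlm_auth` returning `NT_STATUS_NO_LOGON_SERVERS` or `NT_STATUS_ACCESS_DENIED`, the problem is the domain join or the RADIUS host's permission to use winbind, not the EAP configuration.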
Title: Re: Local (system) users for FreeRADIUS
Post by: senseivita on April 28, 2019, 07:54:33 pm
@hbc because, as @mimugmail pointed out, LDAP (even though the domain controllers are actually using LDAPS) doesn't work if the password's sent cleartext. This was my logic behind using the imported users; being already in the system, I'd be circumventing the sending-credentials-in-the-clear part necessary for tunneled EAP. Apparently not, plus...I think it still queries the upstream servers for updates anyway; it's in the documentation, I believe.

@mimugmail Yeah, I know. Unfortunately I just can't quite get it to work: I deployed a separate dedicated FreeRADIUS server, joined AD and got it to authenticate to AD; users can log in to the system with their AD credentials and Kerberos works flawlessly, and using the FR CLI tools for testing passes all tests. However, when it's time for FreeRADIUS to do its thing with an actual client, something fails. :( So far the only RADIUS server I've been able to get to work using the AD base is NPS itself! I'm OK with that, but it's missing some protocols and the extra attributes from the hotspot services that make it super useful; OPNsense's got those built-in.

This leaves me more confused, as there's a tiny Nextcloud instance that also uses LDAP to connect to AD; in order for it to be able to let users modify their passwords, LDAPS must be used so no cleartext credentials are flying around from server to server unprotected, pretty much the same concept as FreeRADIUS's. Just like OPNsense, Nextcloud works fine with AD through LDAPS, the actual directory, not that ADAM decoy thing. Other non-Microsoft systems work fine too, like Synology, Univention...macOS Server even "Kerberizes" services.

Anyway, thank you both for your answers. I'll keep trying. Maybe I'll have better luck on an Ubuntu-based distro or something like that. I really like the OPNsense UI though, and I had just discovered the themes too! :(
Title: Re: Local (system) users for FreeRADIUS
Post by: mimugmail on April 28, 2019, 09:31:38 pm
Quite sure the password does not get imported, so this will travel around.
Title: Re: Local (system) users for FreeRADIUS
Post by: hbc on April 28, 2019, 10:01:11 pm
> So far the only RADIUS server I've been able to get to work using the AD base is NPS itself! I'm OK with that, but it's missing some protocols and the extra attributes from the hotspot services that make it super useful; OPNsense's got those built-in.

I must admit, I do not understand your problem with LDAPS, but you definitely can add custom attributes to NPS.
Title: Re: Local (system) users for FreeRADIUS
Post by: senseivita on April 29, 2019, 03:09:33 am
@hbc, yeah, I know, that's on me. It's just zero straightforward and documentation is very hard to come by; most times you're thinking that's a hex value you should add when it's a string, or the other way around. I found this one website with the technical details of the ChilliSpot attributes, but they made no sense in an NPS environment--not to mention NPS is ambiguous AF.

I'll definitely keep trying. I'm well-rested again and I'll try to expand NPS, just after trying one more time with OPNsense's FreeRADIUS, bc there's one (and only one) Android device that refuses to connect with EAP-TLS, the cert-only way, and it finally did with OPNsense. The good news is that proxying RADIUS from NPS is very easy. That's a rather unexpected twist for a Microsoft product. :) Thanks!