OPNsense Forum

English Forums => General Discussion => Topic started by: olest on May 27, 2019, 10:47:39 am

Title: How to setup FreeRadius to bind to Windows AD with LDAP
Post by: olest on May 27, 2019, 10:47:39 am
Hi,

How do I configure the FreeRadius plugin to authenticate against a Windows Active Directory LDAP server?

I have setup LDAP:

Protocol type: LDAP
Server: IP of the LDAP server
Bind user: empty
Bind password: empty
Base DN: dc=company,DC=local
User Filter: (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})
Group Filter: (objectClass=posixGroup)

I'm not sure what to put in User Filter and Group Filter.

Can anyone help?
Title: Re: How to setup FreeRadius to bind to Windows AD with LDAP
Post by: mimugmail on July 20, 2020, 03:03:06 pm
I had this too and fixed it without using the group filter and put the search in user filter:

(&(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf=CN=bli,OU=bla,OU=blub,DC=blub,DC=blub))
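The user filter above is a template that rlm_ldap expands per request: `%{%{Stripped-User-Name}:-%{User-Name}}` means "use Stripped-User-Name if a realm was stripped, otherwise the raw User-Name", and the substituted value is escaped so that filter metacharacters in a login name cannot change the query. The following is an added example of mine (not code from the thread, FreeRADIUS or the OPNsense plugin) that reproduces that expansion and escaping; the group DN `CN=vpn-users,OU=Groups,DC=example,DC=local` and the user names are constructed placeholders.

```python
"""Added example (not from the thread or from FreeRADIUS/OPNsense): expand a
rlm_ldap-style user filter template, handling the %{%{A}:-%{B}} fallback and
RFC 4515 escaping of the substituted value.  Group DN and names are constructed."""
import re
from typing import Optional

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# One pass over the template: either the fallback form %{%{A}:-%{B}} or a plain %{A}.
# A single pass matters: a substituted value is never re-scanned for %{...}.
_XLAT = re.compile(
    r"%\{%\{(?P<primary>[A-Za-z0-9-]+)\}:-%\{(?P<alt>[A-Za-z0-9-]+)\}\}"
    r"|%\{(?P<plain>[A-Za-z0-9-]+)\}"
)

# Same shape as mimugmail's filter above; the group DN is a placeholder.
USER_FILTER = ("(&(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
               "(memberOf=CN=vpn-users,OU=Groups,DC=example,DC=local))")


def escape_filter_value(value: str) -> str:
    """Escape a value so it can only ever be matched literally inside a filter."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def expand(template: str, attrs: dict) -> str:
    """Substitute request attributes into a filter template, escaping each value."""
    def lookup(name: str) -> str:
        value = attrs.get(name)
        return escape_filter_value(value) if value else ""

    def substitute(m: "re.Match") -> str:
        if m.group("plain"):
            return lookup(m.group("plain"))
        # Fallback form: primary attribute if set and non-empty, else the alternative.
        if attrs.get(m.group("primary")):
            return lookup(m.group("primary"))
        return lookup(m.group("alt"))

    return _XLAT.sub(substitute, template)


def build_user_filter(user_name: str, stripped_user_name: Optional[str] = None,
                      template: str = USER_FILTER) -> str:
    """The filter rlm_ldap would send for this request's User-Name / Stripped-User-Name."""
    attrs = {"User-Name": user_name, "Stripped-User-Name": stripped_user_name}
    return expand(template, attrs)


def is_balanced(filter_str: str) -> bool:
    """After escaping, every remaining '(' / ')' belongs to the filter structure."""
    depth = 0
    for ch in filter_str:
        depth += {"(": 1, ")": -1}.get(ch, 0)
        if depth < 0:
            return False
    return depth == 0


if __name__ == "__main__":
    # Stripped-User-Name is set when a realm was stripped from User-Name.
    print(build_user_filter("alice@example.local", "alice"))
    # Metacharacters in a login name are escaped, not parsed as filter syntax.
    print(build_user_filter("smith*)(cn=*"))
```

Two facts worth keeping in mind when writing these filters against AD: `memberOf` lists direct group memberships only, so users who are in `bli` only through a nested group will not match, and the `(objectClass=posixGroup)` group filter from the opening post matches nothing in a stock AD, where group objects carry `objectClass=group`.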
Title: Re: How to setup FreeRadius to bind to Windows AD with LDAP
Post by: olk2233 on August 03, 2021, 05:03:54 pm
Hello @mimugmail

I would like to use FreeRadius 1.9.15 with LDAP against a Windows Server 2016 on OPNsense 21.1.9 for authentication.
The OPNsense is not joined to the Windows AD. Does this setup work for you?

EAP: PEAP

LDAP settings:
Protocol Type: LDAPS
Server: DNS Name of the AD server
Bind User: a valid AD user
Bind Password: valid password
Base DN: dc=company,DC=local
User Filter: (&(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf=CN=bli,OU=bla,OU=blub,DC=blub,DC=blub))
Group Filter: empty

- A test ldapsearch is working from the OPNsense
- LDAPS bind also works --> if I enter a wrong password, I get an error: Error: rlm_ldap (ldap): Bind credentials incorrect: Invalid credentials
- the error message for which I can't find a solution is:
-- Auth: (7)   Login incorrect (mschap: FAILED: No NT-Password.  Cannot perform authentication)
-- Auth: (8) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.))

- Should this setup work in general?
- Any ideas?

Thank you for any help.
Best regards
Olk
Title: Re: How to setup FreeRadius to bind to Windows AD with LDAP
Post by: mimugmail on August 03, 2021, 05:49:28 pm
This doesn't work with EAP in general. There is a solution around; I need to find it again, maybe in the forums or on GitHub.
Title: Re: How to setup FreeRadius to bind to Windows AD with LDAP
Post by: olk2233 on August 05, 2021, 09:08:37 am
Hello mimugmail,
Thank you so much for the answer. I read a lot about EAP, PAP and all other methods. I'm not sure if I understand it 100% correctly.

In my opinion, my setup would only work with EAP-TTLS/PAP, which is only secure if the certificate is validated properly.

If I try to authenticate with EAP-TTLS/PAP, I get an error message on the OPNsense/radius.log (EAP Type "TTLS" configured):
Auth: (11)   Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject)

If I try to use the EAP Type "TTLS-GTC", the RADIUS daemon doesn't start:
Error: /usr/local/etc/raddb/mods-enabled/eap[15]: No dictionary definition for default EAP method 'ttls-gtc'.

Is ttls-gtc the same as ttls/pap?

Have a good day.
Olk
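The two posts above quote five distinct radius.log messages, and each points at a different stage of the EAP/LDAP flow. As an added example of mine (not code from the thread, FreeRADIUS or the OPNsense plugin), here is a small triage parser that pulls the request number and failing module out of such lines and maps each message to its cause. The sample lines are copied from the posts above; the causes are general FreeRADIUS behaviour, and the `radiusd -X` hint is the standard debug flag, not something the thread mentions.

```python
"""Added example (not from the thread or from FreeRADIUS/OPNsense): parse the
radius.log lines quoted in this thread and classify the failure each one reports.
Sample lines are taken from the posts above; the cause text is mine."""
import re

# Lines as quoted in the thread (the "-- " list prefix removed).
SAMPLE_LOG = [
    "Auth: (7)   Login incorrect (mschap: FAILED: No NT-Password.  Cannot perform authentication)",
    "Auth: (8) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.))",
    "Auth: (11)   Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject)",
    "Error: /usr/local/etc/raddb/mods-enabled/eap[15]: No dictionary definition for default EAP method 'ttls-gtc'.",
    "Error: rlm_ldap (ldap): Bind credentials incorrect: Invalid credentials",
]

# "<level>: (<request>) <message>"; the request number is only present on Auth lines.
_LINE = re.compile(r"^(?P<level>Auth|Error|Info|Warning): (?:\((?P<req>\d+)\)\s+)?(?P<msg>.*)$")
# "Login incorrect (<module>: <reason>)"; the module prefix is optional.
_REJECT = re.compile(r"^Login incorrect \((?:(?P<module>[a-z_]+): )?(?P<reason>.*)\)$")

# (substring to look for, category, cause / what to check)
RULES = [
    ("No NT-Password", "method-mismatch",
     "mschap needs the user's NT hash (or a helper that validates the challenge); "
     "an LDAP bind only checks a cleartext password, so an MSCHAPv2 inner method "
     "cannot be served from AD over LDAP alone"),
    ("previously rejected", "follow-on",
     "not a new failure: an earlier request in the same EAP conversation was rejected; "
     "look at the lower request number"),
    ("No Auth-Type found", "no-authenticator",
     "no module claimed the (inner) request, so nothing performed the LDAP bind; "
     "the virtual server handling the tunnelled request needs an Auth-Type set for it"),
    ("No dictionary definition for default EAP method", "bad-config",
     "the configured default EAP method is not a method name FreeRADIUS knows "
     "(TTLS is the outer method; PAP or GTC is chosen as the inner method)"),
    ("Bind credentials incorrect", "bind-rejected",
     "the directory rejected the bind password; the LDAPS connection itself works"),
]


def parse_line(line: str):
    """Return a dict with level/request/module/reason, or None for a non-matching line."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    entry = {
        "level": m["level"],
        "request": int(m["req"]) if m["req"] else None,
        "message": m["msg"],
        "module": None,
        "reason": m["msg"],
    }
    r = _REJECT.match(m["msg"])
    if r:
        entry["module"] = r["module"]
        entry["reason"] = r["reason"]
    return entry


def classify(entry: dict):
    """Map a parsed entry to (category, cause) using the first matching rule."""
    for needle, category, cause in RULES:
        if needle in entry["reason"]:
            return category, cause
    return "unknown", "no rule matched; read the full debug output (radiusd -X)"


def triage(lines):
    """Parse and classify every recognised line, preserving log order."""
    rows = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        category, cause = classify(entry)
        rows.append({"request": entry["request"], "module": entry["module"],
                     "category": category, "cause": cause})
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(f"req={row['request']!s:>4} module={row['module']!s:<9} "
              f"{row['category']:<17} {row['cause']}")
```

On olk2233's last question: FreeRADIUS's eap module has no method called `ttls-gtc`, which is exactly what the `No dictionary definition` error says. TTLS is the outer (tunnel) method; whether the inner exchange is PAP, GTC or MSCHAPv2 is decided inside the tunnel, and the mschap failure above shows why only a cleartext-password inner method can be verified with a plain LDAP bind.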

Title: Re: How to setup FreeRadius to bind to Windows AD with LDAP
Post by: unquietwiki on January 16, 2022, 11:10:05 pm
Hey all. As of 21.7, these appear to be the required parameters for AD user search. The answers in this post helped me sort this out; thanks!

Code:
Bind User: CN=FreeRADIUS,CN=Managed Service Accounts,DC=AD,DC=EXAMPLE,DC=ORG

Base Domain: DC=AD,DC=EXAMPLE,DC=ORG

User Search: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})

Group Search: (memberOf=CN=Users,DC=AD,DC=EXAMPLE,DC=ORG)
Title: Re: How to setup FreeRadius to bind to Windows AD with LDAP
Post by: mimugmail on January 17, 2022, 09:13:15 am
Quote from: olk2233 on August 05, 2021, 09:08:37 am
> Hello mimugmail,
> Thank you so much for the answer. I read a lot about EAP, PAP and all other methods. I'm not sure if I understand it 100% correctly.
>
> In my opinion, my setup would only work with EAP-TTLS/PAP, which is only secure if the certificate is validated properly.
>
> If I try to authenticate with EAP-TTLS/PAP, I get an error message on the OPNsense/radius.log (EAP Type "TTLS" configured):
> Auth: (11)   Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject)
>
> If I try to use the EAP Type "TTLS-GTC", the RADIUS daemon doesn't start:
> Error: /usr/local/etc/raddb/mods-enabled/eap[15]: No dictionary definition for default EAP method 'ttls-gtc'.
>
> Is ttls-gtc the same as ttls/pap?
>
> Have a good day.
> Olk

There is a PR waiting which will allow this now.
Title: Re: How to setup FreeRadius to bind to Windows AD with LDAP
Post by: mimugmail on January 17, 2022, 09:13:44 am
Quote from: unquietwiki on January 16, 2022, 11:10:05 pm
> Hey all. As of 21.7, these appear to be the required parameters for AD user search. The answers in this post helped me sort this out; thanks!
>
> Code:
> Bind User: CN=FreeRADIUS,CN=Managed Service Accounts,DC=AD,DC=EXAMPLE,DC=ORG
>
> Base Domain: DC=AD,DC=EXAMPLE,DC=ORG
>
> User Search: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})
>
> Group Search: (memberOf=CN=Users,DC=AD,DC=EXAMPLE,DC=ORG)

Sorry, I'm not deep into it anymore; is there anything I need to adjust in the plugin?
Title: Re: How to setup FreeRadius to bind to Windows AD with LDAP
Post by: unquietwiki on January 20, 2022, 11:46:26 am
I ran into some weird stuff with tying that FreeRADIUS setup to IPsec. EAP-RADIUS doesn't seem to work with it authenticating against LDAP/AD.

https://forum.opnsense.org/index.php?topic=26429.0
Title: Re: How to setup FreeRadius to bind to Windows AD with LDAP
Post by: leacho73 on April 25, 2022, 02:15:17 pm
Hi All,

I was wondering if anyone got this working. I am trying to set up an always-on VPN with Windows 11 and AzureAD. I can authenticate to AzureAD using the RADIUS server via the 'tester' page within the OpnSense GUI; however, if I try to authenticate via an IPSEC VPN connection using EAP-RADIUS and then set Windows 11 to use the logged-in credentials, I get the following error (as seen further up this thread):

Login incorrect (mschap: FAILED: No NT-Password. Cannot perform authentication): [AzureAD\MyUserName/<via Auth-Type = eap>

Worth noting: I am using the FreeRadius plugin.

There may very well be a better way to set up an always-on VPN with OpnSense and Windows 11, but this is the only way I could think of getting it working. Can anyone advise on the above?

Thanks
Leacho