OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: penley on November 10, 2017, 07:05:17 pm

Title: OPNsense vpn -> FreeRadius -> authenticate to AD
Post by: penley on November 10, 2017, 07:05:17 pm
We have a single FreeRadius server we want to use to consolidate user authentication with VPN, wireless, etc.
I have the wireless authenticating against AD through FreeRadius, but I cannot get it to work with the vpn.
The information I'm struggling to find is whether it works differently when using VPN; for example, do I have to configure the ldap module in FreeRadius?
I have OPNsense vpn pointed at FreeRadius, but each attempt to log in produces the error:
(0) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password is available

(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject

I've tested this using the PAP module and it works, but I'm not sure how to make it authenticate to AD instead.

The OPNsense version is 17.7 and the FreeRadius version is 3.0.


Kind regards,
penley

Title: Re: OPNsense vpn -> FreeRadius -> authenticate to AD
Post by: mimugmail on November 10, 2017, 07:10:57 pm
You need to proxy Radius to LDAP? I can have a look.
But why don't you just set up NPS/IAS on Windows?

Title: Re: OPNsense vpn -> FreeRadius -> authenticate to AD
Post by: mimugmail on November 11, 2017, 08:49:47 am
LDAP support has to be compiled in. I think we can start integrating it mid-December:

https://github.com/opnsense/tools/issues/58

Title: Re: OPNsense vpn -> FreeRadius -> authenticate to AD
Post by: franco on November 11, 2017, 11:09:37 am
I don't know. If you want to auth against AD, use the LDAP connector; if the tester works for the server, it will work for a properly configured VPN, too.