OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: michaelsage on January 29, 2018, 10:16:58 am

Title: OPNSense - OpenVPN, LDAP & DUO
Post by: michaelsage on January 29, 2018, 10:16:58 am
Hi,

I have recently moved across to OPNSense from pfSense. It's a bit of a learning curve, but so far everything is going ok. I do, however, have a bit of an odd issue.

I am using DUO for 2FA on my OpenVPN setup; this works by proxying the LDAP connection through a DUO proxy authenticator. What is supposed to happen is the OPNSense box makes the LDAP call to the DUO box, which then checks the username / password combo and then pushes authentication to the user's mobile device.

What happens at the moment is OPNSense makes the initial LDAP connection (i.e. the proxy connection), then the user is authenticated; the DUO proxy doesn't appear to get passed anything else, and the user is logged in using just their username / password and certificate.

I am at a bit of a loss as to where to start; I have raised an issue on the DUO community support too.

It looks like OPNSense LDAP is making some kind of tunnel through the proxy to the LDAP server. Does this make any sense?

Any pointers?
Title: Re: OPNSense - OpenVPN, LDAP & DUO
Post by: michaelsage on January 29, 2018, 09:23:32 pm
I fixed this with a bit of help from DUO.

Firstly, in the LDAP connection make sure you are using the DN rather than domain\user. Then in your DUO proxy config you need to add the following lines:

[ldap_server_auto]
...
exempt_primary_bind=false
exempt_ou_1=DN of service account

Hope this helps someone!
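As an added example (not from the thread or from Duo/OPNsense), here is a small audit of the [ldap_server_auto] section of an authproxy.cfg that flags the two conditions the reply above fixes: exempt_primary_bind left at its default, and the OPNsense bind identity given as DOMAIN\user instead of a DN. The sample config fragments and the service-account DN are constructed for the example.

```python
import configparser

# Constructed sample authproxy.cfg fragments (not from the thread): the
# default, which lets the first bind through without a Duo push, and the
# corrected section with the service account exempted by DN instead.
SAMPLE_WEAK = """
[ldap_server_auto]
client=ad_client
port=389
"""

SAMPLE_FIXED = """
[ldap_server_auto]
client=ad_client
port=389
exempt_primary_bind=false
exempt_ou_1=CN=svc-opnsense,OU=Service Accounts,DC=example,DC=com
"""


def looks_like_dn(value):
    # A DN is attribute=value components separated by commas (CN=...,DC=...);
    # DOMAIN\user is the form the reply says not to use in the OPNsense bind.
    return "=" in value and "\\" not in value


def audit_ldap_server_auto(cfg_text, bind_identity):
    """Return a list of findings for [ldap_server_auto]; empty means OK.
    bind_identity is the identity OPNsense binds with (the service account)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    if not parser.has_section("ldap_server_auto"):
        return ["no [ldap_server_auto] section"]
    sec = parser["ldap_server_auto"]
    findings = []
    # Default is true: the first bind the proxy sees skips Duo entirely, which
    # is how a user bind can end up authenticated on password alone.
    if sec.get("exempt_primary_bind", "true").strip().lower() != "false":
        findings.append("exempt_primary_bind is not false: first bind skips 2FA")
    # With the primary-bind exemption off, the service account must be
    # exempted explicitly or its own bind would be challenged too.
    exempt = [v for k, v in sec.items() if k.startswith("exempt_ou_")]
    if not exempt:
        findings.append("no exempt_ou_N entry for the service account")
    elif bind_identity not in exempt:
        findings.append("bind identity is not listed in any exempt_ou_N")
    if not looks_like_dn(bind_identity):
        findings.append("bind identity is not a DN (use CN=...,DC=..., not DOMAIN\\user)")
    return findings
```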