Messages - johnstonjs

#1
19.7 Legacy Series / Re: FreeRADIUS LDAP Authentication
November 11, 2019, 01:08:00 AM
Thanks for responding so quickly!

I do not have a working config example for mschapv2, and actually am concerned that it's being inadvertently implemented (hence the demand for NT/LM password hashes).

Let me see if I can build a working instance of FreeRADIUS on another system and provide you the config.

One thing that would be very useful to add to the plugin would be in-GUI selection and feedback for the LDAP configuration page.  The System-Access-Servers configuration page for LDAP servers actually conducts a login to the server and lets the user select a Base DN.  Even better would be to let us check the validity of our User and Group Filters and show the list of users/groups available based on each filter.

My programming skills are not much to speak of, but I'm open to helping do this if you can point me to the right sections in the source.
#2
19.7 Legacy Series / FreeRADIUS LDAP Authentication
November 10, 2019, 03:08:25 AM
Has anyone had success with using LDAP authentication for FreeRADIUS?  If I create FreeRADIUS users using the OPNSense GUI, then I can successfully authenticate to an IPSec VPN and WiFi.  However, if I configure FreeRADIUS to point to my OpenLDAP server, I receive the following error:

Auth: (5) Login incorrect (mschap: FAILED: No NT/LM-Password. Cannot perform authentication): [user1]

Reviewing the configuration settings on OPNSense for FreeRADIUS, it appears that it may be configured to use MSCHAPv2 and NT or LM password hashes.  I'm exclusively using SSHA password hashes on my OpenLDAP server, so this may be the source of the problem.

Relevant contents of /usr/local/etc/raddb/mods-enabled/ldap:

...
update {
    ...
    control: LM-Password                   := 'lmPassword'
    control: NT-Password                   := 'ntPassword'
    control: LM-Password                   := 'sambaLmPassword'
    control: NT-Password                   := 'sambaNtPassword'
    control: LM-Password                   := 'dBCSPwd'
    control: Password-With-Header          += 'userPassword'
}

It doesn't seem like there's any way to change these settings in the OPNSense GUI.

My OpenLDAP configuration works for authentication with OPNSense itself in the System-Access-Servers settings.  The detailed configurations for my OpenLDAP server are described here: https://github.com/johnstonjs/easyldap

The settings within the Services-FreeRADIUS-LDAP settings are (anonymized):

Protocol Type: LDAPS
Server: ldap.example.com
Bind User: cn=radius,ou=Clients,dc=example,dc=com
Base DN: ou=People,dc=example,dc=com
User Filter: (uid=%{%{Stripped-User-Name}:-%{User-Name}})
Group Filter: (objectClass=posixGroup)

Note: ou=Clients has the necessary permissions to read the LDAP database for Bind

I've spent a significant amount of time trying to understand the User Filter, and am concerned that may also be the source of the problem.  I've tried other filters used on my other LDAP authentication clients (Gitea, Nextcloud) that are more appropriate, such as:

(&(uid=%s)(memberOf=cn=radius,ou=Lists,dc=theshire,dc=me))

Where user1 is a member of cn=radius,ou=Lists.  Unfortunately, this filter (or variations on it) doesn't seem to work for FreeRADIUS.

Auth: (1) Invalid user (ldap: Unable to create filter): [user1]
Auth: (1) Login incorrect (ldap: Unable to create filter): [user1]

I'd greatly appreciate any insights, observations, or assistance.
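An added example (not from the post or from the OPNsense plugin) that shows why the two log lines above mean different things: an {SSHA} userPassword can only be checked against a cleartext candidate, which PAP supplies and MS-CHAPv2 never does, and the "Unable to create filter" error is a filter-expansion failure. The sample password value, the scheme table and the hint texts are constructed for this example.

```python
import base64
import hashlib
import re

# Constructed sample (not from the post): an OpenLDAP userPassword in {SSHA}
# form, base64(sha1(password + salt) + salt), as FreeRADIUS reads it into
# Password-With-Header.
SALT = b"\x01\x02\x03\x04"
STORED_SSHA = "{SSHA}" + base64.b64encode(
    hashlib.sha1(b"correct horse" + SALT).digest() + SALT).decode()

# RADIUS methods each storage scheme can satisfy (example's own table). MS-CHAPv2
# needs NT-Password or the cleartext to derive it; {SSHA} only works with PAP.
SCHEME_METHODS = {"clear": {"PAP", "CHAP", "MS-CHAPv2"},
                  "nt": {"MS-CHAPv2"}, "ssha": {"PAP"}, "sha": {"PAP"}}

def parse_password_with_header(value):
    """Split '{scheme}payload'; a bare value is treated as cleartext."""
    m = re.fullmatch(r"\{(\w+)\}(.*)", value, re.S)
    return (m.group(1).lower(), m.group(2)) if m else ("clear", value)

def methods_for(value):
    return SCHEME_METHODS.get(parse_password_with_header(value)[0], set())

def verify_ssha(stored, candidate):
    """PAP-style check of an {SSHA} value: recompute sha1(candidate + salt)."""
    scheme, payload = parse_password_with_header(stored)
    if scheme != "ssha":
        return False
    raw = base64.b64decode(payload)
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
    return hashlib.sha1(candidate.encode() + salt).digest() == digest

AUTH_RE = re.compile(r"Auth: \((\d+)\) (.+?) \((\w+): (.+)\): \[(.+?)\]")
HINTS = {
    "No NT/LM-Password": "MS-CHAPv2 selected but the directory supplies only a "
                         "one-way hash; use PAP or store NT hashes",
    "Unable to create filter": "user filter could not be expanded; FreeRADIUS "
                               "uses %{User-Name}-style placeholders, not %s",
}

def explain_auth_log(line):
    """Map a FreeRADIUS 'Auth:' log line to result, module, user and a hint."""
    m = AUTH_RE.search(line)
    if not m:
        return None
    _, result, module, reason, user = m.groups()
    hint = next((h for k, h in HINTS.items() if k in reason), "unclassified")
    return {"result": result, "module": module, "user": user, "hint": hint}
```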
#3
Users in another thread identified the key Firewall entry that was causing my issue:

https://forum.opnsense.org/index.php?topic=14625.0

The fix was to have a Firewall Rule for IPSec that allows traffic to ANY.  Previously, I had separate entries for LAN and WAN.

Protocol   Source   Port   Destination   Port   Gateway   Schedule   Description
IPv4 *     *        *      *             *      *         *          Allow IPSec traffic to ANY (*)
#4
All,

Thank you for helping me resolve this!  In the post from Tubs, entry (3) was what made the difference.  I had separate firewall entries to allow IPSec traffic to LAN and WAN, and that did not work.  It seems to be absolutely essential to have an all IPv4 entry to * (all).
#5
Thanks for replying.  I'm still using OPNSense, and satisfied with everything except the IPSec functionality.  I'll open a bug report on GitHub, thank you for the link.

I've continued to try troubleshooting this, but to no avail.  As I'll note on GitHub, I'm happy to share whatever config files/logs are needed to help resolve.
#6
First, thank you for making such a fantastic firewall, keeping it updated, and enabling so many capabilities with it.

There's one function provided that I have been unable to get working as intended - IPSec Road-Warrior with Tunneled Internet Access.

I want mobile devices, including laptops, tablets, and phones, to be able to connect using IPSec VPN and have access to both the internal network [LAN] and route all internet traffic through the VPN [WAN].  So far I can get very effective access to the internal network [LAN], but depending on settings will either get non-tunneled access to the internet, or no access to the internet.

This seems to be a recurring issue, as resource [2] outlines the exact problem I'm currently having.  Unfortunately, I've attempted to implement all of the steps shown, including creation of a manual NAT rule for IPSec routing to no avail.

Following the Road-Warrior guide in resource [1], I'm able to connect to the internal network but the connection to any internet site is not routed through the VPN.  Previous forum postings [3] and [4] show similar issues, while [2] and [5] provide guidance on how to resolve.  Unfortunately, none of this is working for me.

My ipsec.conf file is configured with (obscuring actual hostname):
# This file is automatically generated. Do not edit
config setup
  uniqueids = yes

conn con1
  aggressive = no
  fragmentation = yes
  keyexchange = ikev2
  mobike = yes
  reauth = yes
  rekey = yes
  forceencaps = no
  installpolicy = yes
  type = tunnel
 
  left = %any
  right = %any
 
  leftid = my.personal.domain
  ikelifetime = 1440s
  lifetime = 1440s
  rightsourceip = 192.168.2.0/24
  ike = aes256-sha256-modp2048!
  leftauth = pubkey
  rightauth = eap-radius
  rightsendcert = never
  eap_identity = %any
  leftcert = /usr/local/etc/ipsec.d/certs/cert-1.crt
  leftsendcert = always
  leftsubnet = 0.0.0.0/0
  esp = aes256-sha256-modp2048!
  auto = add

include ipsec.opnsense.d/*.conf
Finding local domains seems to work fine.  Using Unbound DNS I have an override for the OPNSense domain name (my.personal.domain in ipsec.conf) which redirects to the local IP.  This lets me use LetsEncrypt on the OPNSense web interface.  Pointing a VPN-connected client to my.personal.domain brings up the OPNSense web interface, which is only accessible on LAN.  Unfortunately, attempting to access any other domain results in a timeout.

I've tried following the guidance in [2] and [5] below, but without success.  If anyone can help, please let me know.  I'm happy to provide additional configuration details as needed.

Thanks in advance!

Online resources used:
1: https://docs.opnsense.org/manual/how-tos/ipsec-road.html
2: https://forum.opnsense.org/index.php?topic=11340.0
3: https://forum.opnsense.org/index.php?topic=6842.0
4: https://forum.opnsense.org/index.php?topic=7341.0
5: https://forum.opnsense.org/index.php?topic=9478.0
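An added example, not the poster's files or OPNsense code, that ties this post to the firewall fix reported in posts #3 and #4: it parses a strongSwan conn block like the one above and lints the three preconditions for tunnelled Internet access that the thread turns on (leftsubnet 0.0.0.0/0, an IPsec firewall rule with destination any, and an outbound NAT rule on WAN covering the rightsourceip pool). The rule-table field names and the sample rules are this example's own assumptions.

```python
import ipaddress
import re

# Constructed input (not the poster's live files): the conn from the post cut
# down to the keys that matter, plus rule tables using the same columns as the
# forum's firewall entry. Field names are this example's own assumptions.
IPSEC_CONF = """
conn con1
  keyexchange = ikev2
  rightsourceip = 192.168.2.0/24
  leftsubnet = 0.0.0.0/0        # full tunnel: offer every destination
  rightauth = eap-radius
"""
FW_RULES_BEFORE = [{"interface": "IPsec", "source": "*", "destination": "LAN net"},
                   {"interface": "IPsec", "source": "*", "destination": "WAN net"}]
FW_RULES_AFTER = [{"interface": "IPsec", "source": "*", "destination": "*"}]
NAT_RULES = [{"interface": "WAN", "source": "192.168.2.0/24"}]

def parse_conn(text):
    """Return {conn_name: {key: value}} from a strongSwan ipsec.conf snippet."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.fullmatch(r"conn\s+(\S+)", line)
        if m:
            cur = conns.setdefault(m.group(1), {})
        elif cur is not None and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            cur[key] = val
    return conns

def _net(text):
    return ipaddress.ip_network("0.0.0.0/0" if text == "*" else text, strict=False)

def road_warrior_findings(conn, fw_rules, nat_rules):
    """Preconditions the thread identifies for tunnelled Internet access:
    leftsubnet 0.0.0.0/0, an IPsec rule to any, and WAN NAT for the pool."""
    findings = []
    if conn.get("leftsubnet") != "0.0.0.0/0":
        findings.append("leftsubnet is not 0.0.0.0/0; clients keep Internet traffic off the tunnel")
    if not any(r["interface"] == "IPsec" and r["destination"] == "*" for r in fw_rules):
        findings.append("no IPsec firewall rule with destination any (per-network rules were not enough)")
    try:
        pool = _net(conn.get("rightsourceip", ""))
    except ValueError:
        return findings + ["rightsourceip is not a CIDR pool; cannot check NAT coverage"]
    if not any(r["interface"] == "WAN" and pool.subnet_of(_net(r["source"])) for r in nat_rules):
        findings.append(f"no outbound NAT rule on WAN covering {pool}")
    return findings
```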