Messages - olk2233

#1
Hello mimugmail,

Thank you so much for the answer. I read a lot about EAP, PAP and all the other methods. I'm not sure if I understand it 100% correctly.

In my opinion, my setup would only work with EAP-TTLS/PAP, which is only secure if the certificate is validated properly.

If I try to authenticate with EAP-TTLS/PAP, I get this error message in the OPNsense radius.log (EAP Type "TTLS" configured):
Auth: (11)   Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject)

If I try to use the EAP Type "TTLS-GTC", the RADIUS daemon doesn't start:
Error: /usr/local/etc/raddb/mods-enabled/eap[15]: No dictionary definition for default EAP method 'ttls-gtc'.

Is ttls-gtc the same as ttls/pap?

Have a good day.
Olk

#2
Hello @mimugmail

I would like to use FreeRadius 1.9.15 with LDAP against a Windows Server 2016 on OPNsense 21.1.9 for authentication.
The OPNsense is not joined to the Windows AD. Does this setup work for you?

EAP: PEAP

LDAP settings:
Protocol Type: LDAPS
Server: DNS Name of the AD server
Bind User: a valid AD user
Bind Password: valid password
Base DN: dc=company,DC=local
User Filter: (&(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf=CN=bli,OU=bla,OU=blub,DC=blub,DC=blub))
Group Filter: empty

- A test ldapsearch works from the OPNsense
- LDAPS bind also works --> if I enter a wrong password, I get an error: Error: rlm_ldap (ldap): Bind credentials incorrect: Invalid credentials
- The error message for which I can't find a solution is:
-- Auth: (7)   Login incorrect (mschap: FAILED: No NT-Password.  Cannot perform authentication)
-- Auth: (8) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.))

- Should this setup work in general?
- Any ideas?

Thank you for any help.
Best regards
Olk
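As an added reference layout (not taken from the posts above, and not the OPNsense plugin's generated configuration, which the GUI writes out from its own settings): stock FreeRADIUS 3.x syntax for the situation these two posts describe, where LDAP holds no NT-Password, so MSCHAPv2 inside PEAP cannot work, but an LDAP bind with the password carried inside EAP-TTLS/PAP can. Module and section names are FreeRADIUS's own; the raddb paths and certificate file names are assumed.

```conf
# /usr/local/etc/raddb/mods-enabled/eap  (excerpt; paths assumed)
eap {
    default_eap_type = ttls          # outer method; "ttls-gtc" is not a method name
    tls-config tls-common {
        private_key_file = ${certdir}/server.pem   # this is the cert the supplicant must validate
        certificate_file = ${certdir}/server.pem   # before it sends a password inside the tunnel
        ca_file = ${cadir}/ca.pem
    }
    ttls {
        tls = tls-common
        default_eap_type = md5       # stock default; PAP inside TTLS is not an EAP method
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        virtual_server = "inner-tunnel"   # the inner PAP request is processed here
    }
    peap {
        tls = tls-common
        default_eap_type = mschapv2  # needs NT-Password, which an LDAP bind cannot supply
        virtual_server = "inner-tunnel"
    }
}

# /usr/local/etc/raddb/sites-enabled/inner-tunnel  (excerpt)
authorize {
    ldap                             # look the user up; no NT-Password comes back from AD
    if ((ok || updated) && User-Password) {
        update {
            control:Auth-Type := ldap   # TTLS/PAP: authenticate by binding as the user
        }
    }
    eap
    pap
}

authenticate {
    Auth-Type LDAP {
        ldap                         # LDAPS bind with the tunneled password
    }
    eap
    mschap                           # PEAP/MSCHAPv2 lands here and fails without NT-Password
    pap
}
```

The server side cannot enforce that the supplicant checks the certificate; that setting lives in the client's wireless profile (CA and server name), and without it TTLS/PAP exposes the password to any RADIUS server the client trusts.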

#3
21.1 Legacy Series / Re: Routed IPSec BGP Invalid
July 15, 2021, 03:00:19 PM
Hi mrwizardno2

I have a similar issue or even the same.... I tested an OPNsense setup in February 2021 with the newest OPNsense version to see if it's possible to create an IPsec tunnel to Azure with BGP for dynamic routing. All worked like a charm (with the default Azure BGP peer IP address). In phase 2 of the IPsec tunnel I used "Route-based", the local address 192.168.8.22 and the remote address 10.88.2.254 (the same as the default Azure BGP peer IP address) --> OPNsense sent the traffic to 10.88.2.254 successfully through the tunnel. Azure learned the routes from OPNsense and vice versa.

A few months later, I bought physical OPNsense hardware and built the same configuration on the newest OPNsense version 21.1.8_1-amd64. I wasn't able to reach Azure with this configuration. OPNsense didn't create a route to Azure.

I tried the configuration with a custom Azure APIPA BGP IP address: 169.254.21.89 on Azure and 169.254.21.88 on the OPNsense. I was able to ping the Azure IP 169.254.21.89 from the OPNsense. After configuring BGP, I also received the BGP routes from Azure. ICMP requests from an on-prem host to hosts within an Azure VNET found their target. But Azure does not learn the routes advertised by the OPNsense, so the way back doesn't work.

With tcpdump I saw that the OPNsense does not send any BGP advertisements to Azure. I didn't spend too much time on this setup as I could solve it easily with static routes. But it would be interesting to know if this hint helps you.

Best regards
olk