Messages - exu

#1
I wasn't aware of this Windows server role.

I'll have a look at using this.

#2
EDIT: I decided to use the Windows Radius role as suggested here: https://forum.opnsense.org/index.php?topic=41472.msg222357#msg222357

Hello community

I'm trying to set up FreeRADIUS with the LDAP backend to Active Directory.
Radius in turn is configured on the Unifi access points.

I can authenticate without issue using a local test user. However, authenticating with any Active Directory user does not work.

I'm getting this error message:
Auth: (14) Login incorrect (mschap: FAILED: No NT-Password. Cannot perform authentication): [mfi/<via Auth-Type = eap>] (from client Unifi APs port 0 via TLS tunnel)
EAP Settings
EAP Type: MSCHAPv2
Curve: prime256v1
Own Certs: no
Root Cert: none
Server Cert: Default
CRL: none
Check TLS CN: no
TLS min. Ver: 1.2

LDAP Settings
Inner Tunnel: yes
Protocol: LDAP
Srv. Port: empty (default)
Cert: none
Start TLS: no
Bind User: <my admin CN>
Bind PW: <my pw>
Base DN: <AD DN>
User Filter:  (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})
Group Filter: empty

On the client side (Android) I tried these combinations:
PEAP + MS-CHAP v2
TTLS + MS-CHAP
TTLS + MS-CHAP v2

The one working combination I found (TTLS + PAP) is not ideal, as passwords within the TLS connection are sent in plain text.

Based on my research, the ntlm_auth utility and its supporting packages from Samba are not missing for this functionality.
https://github.com/opnsense/plugins/issues/2834
https://github.com/opnsense/plugins/issues/3126
https://ask.linuxmuster.net/t/opnsense-freeradius-fehler-ueber-eap/6074/5 (German)

Has anyone managed to include the relevant files to get FreeRADIUS fully working?

Samba does have an up to date port on FreeBSD, so it should theoretically be possible to add the files. I don't have the makefile skills required unfortunately.
https://www.freshports.org/net/samba419
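An added illustration of why the "No NT-Password" failure in this post appears (example code written for this page, not from the thread, OPNsense or FreeRADIUS): the mschap module needs the user's NT-Password, the MD4 hash of the UTF-16LE password, and can derive it when it holds a Cleartext-Password (the local test user) but not from an LDAP search against Active Directory, which never returns a password attribute. PAP inside the TTLS tunnel works because the ldap module can simply bind as the user with the cleartext the client sent. The decision logic below is a simplified model of the documented module behaviour; the sample accounts, passwords and the LDAP search/bind callbacks are constructed.

```python
import struct

MASK = 0xFFFFFFFF


def _md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Implemented inline because OpenSSL 3 treats
    MD4 as a 'legacy' algorithm, so hashlib.new('md4') is often unavailable."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    bit_len = len(data) * 8
    data += b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64)
    data += struct.pack("<Q", bit_len)

    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):  # round 1
            a = rotl((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a = rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            a = rotl((a + h(b, c, d) + x[r3_order[i]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = ((a0 + a) & MASK, (b0 + b) & MASK,
                          (c0 + c) & MASK, (d0 + d) & MASK)
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """NT-Password as the mschap module defines it: MD4 over the UTF-16LE password."""
    return _md4(password.encode("utf-16-le"))


def mschap_check(control: dict) -> str:
    """Simplified model of the mschap module's precondition: it needs
    control:NT-Password and derives one from control:Cleartext-Password
    if only that is present. Returns 'ok: ...' or the failure text from the log."""
    if "NT-Password" in control:
        return "ok: NT-Password present"
    if "Cleartext-Password" in control:
        return "ok: NT-Password derived as " + nt_hash(control["Cleartext-Password"]).hex()
    return "FAILED: No NT-Password. Cannot perform authentication"


def pap_check(username: str, password: str, ldap_bind) -> str:
    """PAP inside the TTLS tunnel: the server holds the cleartext the client
    sent, so the ldap module can authenticate by binding as that user."""
    return "ok: LDAP bind succeeded" if ldap_bind(username, password) else "FAILED: LDAP bind rejected"


# Constructed sample data: one local test user (FreeRADIUS 'users' file style)
# and one hypothetical AD account reachable only through LDAP search/bind.
LOCAL_USERS = {"testuser": {"Cleartext-Password": "local-secret"}}
AD_PASSWORDS = {"exu": "ad-secret"}  # constructed; known only inside AD


def ad_ldap_search(username: str) -> dict:
    """An LDAP search against AD returns user attributes but never a password:
    unicodePwd is not readable, so no Cleartext-Password/NT-Password is learned."""
    return {"sAMAccountName": username} if username in AD_PASSWORDS else {}


def ad_ldap_bind(username: str, password: str) -> bool:
    """Simple bind as the user; AD verifies the cleartext itself."""
    return AD_PASSWORDS.get(username) == password


def scenarios() -> dict:
    """The three situations reported in the post."""
    local = dict(LOCAL_USERS["testuser"])
    ad_control = {k: v for k, v in ad_ldap_search("exu").items()
                  if k in ("Cleartext-Password", "NT-Password")}
    return {
        "local user, EAP-MSCHAPv2": mschap_check(local),
        "AD user, EAP-MSCHAPv2": mschap_check(ad_control),
        "AD user, TTLS+PAP": pap_check("exu", "ad-secret", ad_ldap_bind),
    }


if __name__ == "__main__":
    for case, result in scenarios().items():
        print(f"{case}: {result}")
```

The real mschap module only performs the MS-CHAPv2 challenge/response verification (DES keyed from the NT hash) once this precondition holds, which is why the thread turns to Samba's ntlm_auth: with it, FreeRADIUS hands the challenge and response to a domain-joined helper that can verify them, instead of needing NT-Password in its own control list.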

#3
Hello, did you manage to fix your issue?

I'm not even getting an Auth: OK with my similar setup.

Instead I'm getting this "No NT-Password" error.

Auth: (14) Login incorrect (mschap: FAILED: No NT-Password. Cannot perform authentication): [exu/<via Auth-Type = eap>] (from client Unifi APs port 0 via TLS tunnel)

What settings (EAP and Phase-2) are you using on the client side to authenticate?