Show posts

Hi all,

I'm having issues getting groups to work via Microsoft NPS server...

Configuration:
opnsense > System > Access > Groups > Create Group VPNUsers1
opnsense > System > Access > Groups > Create Group VPNUsers2
opnsense > System > Access > Servers > RADIUS Server > sync groups ON, auto user creation ON
AD User: vpn.user1
AD Group: VPNUsers1
NPS Class = VPNUsers1 (as per docs)
AD User: vpn.user2
AD Group: VPNUsers2
NPS Class = VPNUsers2 (as per docs)

If I run the tester tool, the user is authenticated OK but the 'user is a member of these groups' is NULL, so it's not mapping
If I change the NPS class to 'CN=VPNUsers1', I get the response that the user is a member of the VPNUsers1 group and the user is created and added to the group, same for VPNUsers2, it appears the class field needs to be "CN=" to function.

So the second option seems to work in the tester, when I do it that way, accounts are created locally and added to the appropriate group. I can see the group name and the username are both created in opnsense.... lets move on...

I setup the ikev2 configuration:

VPN > IPSEC > Connections > Pools

IPPool_VPNUsers1 = 192.168.2.32/27
IPPool VPNUSers2 = 192.168.2.64/27

VPN > IPSEC > Connections > Add

Create a new connection, IKEv2, VPNUsers1 Pool
Local Auth: Public Key (I've created the CA and imported the cert etc..)
Remote Auth: EAP-RADIUS, Group VPNUsers1
Children: A-LOCAL-SUBNET

I've repeated this configuration for VPNUsers2 (entire new connection, selecting VPNUsers2 Pool in the P1 connection and changing the group to VPNUsers2 in 'Remote Auth')

So as I understand it the remote client should attempt login, be parsed and get access, however I get this:

vpn.user1 or vpn.user2
--------
2025-10-03T18:19:39Informationalcharon12[NET1] <2d217cd3-5e93-4f42-a548-2e917000500f|29> sending packet: from x.x.x.x[4500] to 101.168.52.123[4500] (80 bytes)
2025-10-03T18:19:39Informationalcharon12[ENC1] <2d217cd3-5e93-4f42-a548-2e917000500f|29> generating IKE_AUTH response 5 [ N(AUTH_FAILED) ]
2025-10-03T18:19:39Informationalcharon12[CFG1] <2d217cd3-5e93-4f42-a548-2e917000500f|29> no alternative config found
2025-10-03T18:19:39Informationalcharon12[CFG1] <2d217cd3-5e93-4f42-a548-2e917000500f|29> selected peer config '2d217cd3-5e93-4f42-a548-2e917000500f' unacceptable: non-matching authentication done
2025-10-03T18:19:39Informationalcharon12[CFG1] <2d217cd3-5e93-4f42-a548-2e917000500f|29> constraint check failed: group membership to 'VPNUsers2' required
2025-10-03T18:19:39Informationalcharon12[CFG1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> switching to peer config '2d217cd3-5e93-4f42-a548-2e917000500f'
2025-10-03T18:19:39Informationalcharon12[CFG1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> selected peer config 'df9e30a3-41ec-4811-a6b7-e4e0ae4f6697' unacceptable: non-matching authentication done
2025-10-03T18:19:39Informationalcharon12[CFG1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> constraint check failed: group membership to 'VPNUsers1' required
2025-10-03T18:19:39Informationalcharon12[IKE1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> authentication of '101.168.52.123' with EAP successful
2025-10-03T18:19:39Informationalcharon12[ENC1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> parsed IKE_AUTH request 5 [ AUTH ]
2025-10-03T18:19:39Informationalcharon12[NET1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> received packet: from 101.168.52.123[4500] to x.x.x.x[4500] (112 bytes)
2025-10-03T18:19:39Informationalcharon12[NET1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> sending packet: from x.x.x.x[4500] to 101.168.52.123[4500] (80 bytes)
2025-10-03T18:19:39Informationalcharon12[ENC1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> generating IKE_AUTH response 4 [ EAP/SUCC ]
2025-10-03T18:19:39Informationalcharon12[IKE1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> EAP method EAP_MSCHAPV2 succeeded, MSK established
2025-10-03T18:19:39Informationalcharon12[IKE1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> RADIUS authentication of 'vpn.user2' successful
2025-10-03T18:19:39Informationalcharon12[CFG1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> received group membership 'CN=VPNUsers2' from RADIUS
2025-10-03T18:19:39Informationalcharon12[CFG1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> received RADIUS Access-Accept from server 'server1'
2025-10-03T18:19:39Informationalcharon12[CFG1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> sending RADIUS Access-Request to server 'server1'
2025-10-03T18:19:39Informationalcharon12[ENC1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
2025-10-03T18:19:39Informationalcharon12[NET1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> received packet: from 101.168.52.123[4500] to x.x.x.x[4500] (80 bytes)
2025-10-03T18:19:38Informationalcharon12[NET1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> sending packet: from x.x.x.x[4500] to 101.168.52.123[4500] (128 bytes)
2025-10-03T18:19:38Informationalcharon12[ENC1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
2025-10-03T18:19:38Informationalcharon12[CFG1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> received RADIUS Access-Challenge from server 'server1'
2025-10-03T18:19:38Informationalcharon12[CFG1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> sending RADIUS Access-Request to server 'server1'
2025-10-03T18:19:38Informationalcharon12[ENC1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
2025-10-03T18:19:38Informationalcharon12[NET1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> received packet: from 101.168.52.123[4500] to x.x.x.x[4500] (144 bytes)
2025-10-03T18:19:38Informationalcharon05[NET1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> sending packet: from x.x.x.x[4500] to 101.168.52.123[4500] (112 bytes)
2025-10-03T18:19:38Informationalcharon05[ENC1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
2025-10-03T18:19:38Informationalcharon05[IKE1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> initiating EAP_MSCHAPV2 method (id 0x01)
2025-10-03T18:19:38Informationalcharon05[CFG1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> received RADIUS Access-Challenge from server 'server1'
2025-10-03T18:19:38Informationalcharon05[CFG1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> sending RADIUS Access-Request to server 'server1'
2025-10-03T18:19:38Informationalcharon05[IKE1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> received EAP identity 'vpn.user2'

So it seems that with this configuration it fails to auth the user to the group, even though the tester has established the user and the group and both are visible in the UI

I've also tried changing the Class attribute back to the VPNUsers1 on the NPS, but it still fails to match

From some additional reading there was a concept of local and remote groups in previous versions. It could be that the VPN connection cant match the group as I've created it in the GUI and it might think its local... I've tried to login to the GUI using the radius user to auto create the group as a 'remote 'group, but its a chicken and egg issue where I cant assign the web display login permission to the RADIUS user, so when I login with the RADIUS user I get an error the UI cant be displayed and its time to log off.. you need to create a local user first, assign it the permissions to the WEB UI, but it still does not create the group, probably because its auth-ing locally against the Local DB

Hoping someone can shed some clarity...

Cheers, Nick.

Messages - jointheflow

25.7 Series / Re: Group information via RADIUS seems broken

25.7 Series / Group information via RADIS seems broken