Tunneled EAP, IPsec, FreeRADIUS, et al + directory sync (LDAPS)

Started by senseivita, March 18, 2021, 04:02:41 PM

Playing with the FreeRADIUS plugin I discovered it was accepting just about every device that would connect to the test wireless network configured with it for auth, or so I thought. As it turns out I had [absentmindedly] configured every possible setting I could use at some point, including remote MySQL database and LDAPS.

When I unchecked the LDAP boxes the devices stopped connecting to the MAC-based authenticated network. As that was sorted out, a million questions replaced it though, like why isn't the FreeRADIUS plugin able to use the users synced from Active Directory (over secure LDAP)? It'd be nice to use the built-in users with the same password and just augment their profiles with the needed settings*. I also noticed that even while making its own LDAPS connection to the servers, it would still fail to authenticate supplicants requiring the more secure methods, like the tunnel-within-a-tunnel PEAP, TTLS, all that.

I know that this is basically because LDAP is insecure so it doesn't work with the tunneled EAPs, but by that logic, shouldn't LDAPS work? It is encrypted, so nothing is in the clear at any stage. Furthermore, since the users are synced, the authentication is local anyway; therefore, it is secure.

Then there's the actual tunnels, IPsec. Is IPsec able to use the synced users for authentication, or is it limited as well? It's got its own section for secrets, two actually, which already hints at "no".

What packages/areas (first and/or third party) can use the local directory service fully besides the system's auth and the cert manager?

Thanks!



*: a little later I discovered this can't be done even with the manually added users anyway. :( I tried setting IP addresses, routing info, VLANs... Only VLANs work. Thankfully this works great on pfSense's FreeRADIUS (where ironically LDAP, secure or not, ain't much of a success) and I can keep that only for my MAC-based auth, which is much nicer to manage in either of the two firewalls than in AD Users and Computers or AD Administrative Center or Windows Admin Center.
I'm a bit dyslexic and it makes me forgo letters at the end of words. What gets written is written correctly though; I have good orthography in one or two languages, ironically. It's messed up, I know, I'm sorry. Just pretend you're my auto-complete. :)

Why doesn't Users in Radius plugin work? I would just enable NPS role on DC and do it on Windows

To paraphrase @mimugmail:

The RADIUS server needs access to Windows domain specific $things so you regularly run it on your Windows DC. There is a service in Windows server, formerly known as IAS (Internet Authentication Server), now NPS (Network Policy Server) that you need to add and activate via "features and ... something, I forget ;)". Then point your OPNsense at that RADIUS server.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
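The two steps the reply above leaves unnamed (adding the NPS role and registering the firewall as a RADIUS client) can be done from an elevated PowerShell prompt on the domain controller. This is an added example, not code from the thread or from Deciso/OPNsense; the client name, the firewall address 192.0.2.1 and the shared secret are placeholders to replace with your own values.

```powershell
# Added example: install the Network Policy and Access Services role (NPS, formerly IAS)
# on a domain controller and register an OPNsense box as a RADIUS client.
# Run in an elevated PowerShell session on Windows Server.

# 1. Install the role. "NPAS" is the feature name for Network Policy and Access Services.
Install-WindowsFeature -Name NPAS -IncludeManagementTools

# 2. Register the firewall as a RADIUS client. Values below are placeholders (assumption):
#    use the OPNsense interface address that will source RADIUS requests and a long,
#    random shared secret that you also enter in the OPNsense RADIUS server settings.
$clientName   = 'OPNsense-fw'          # placeholder name
$clientAddr   = '192.0.2.1'            # placeholder: documentation address, not a real host
$sharedSecret = Read-Host -Prompt 'RADIUS shared secret' -AsSecureString
$plainSecret  = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
    [Runtime.InteropServices.Marshal]::SecureStringToBSTR($sharedSecret))

New-NpsRadiusClient -Name $clientName -Address $clientAddr -SharedSecret $plainSecret

# 3. Confirm the client is registered before pointing OPNsense at this server (UDP 1812/1813).
Get-NpsRadiusClient | Where-Object Name -eq $clientName | Format-List Name, Address, Enabled
```

The network policy itself (which group may authenticate, which EAP types such as PEAP-MSCHAPv2 are allowed, and the server certificate used for the TLS tunnel) is still configured in the NPS console after this; the snippet only gets the role installed and the firewall trusted as a client, and the secret is prompted for rather than stored in the script so it does not end up in a history file.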