Topic: Freeradius + Active Directory is Possible ? (Read 385 times)
piotrchm93 (Newbie, Posts: 2, Karma: 0)
« on: July 09, 2024, 02:43:41 pm »
Hello community,
OPNsense 24.1.9_4-amd64
FreeBSD 13.2-RELEASE-p11
OpenSSL 3.0.14
on proxmox 8.2.4
Plugin:
os-freeradius (installed) 1.9.23
I have the following question: In normal Freeradius, I can authorize users using Microsoft Active Directory or EAP-TLS using certificates.
Is Authentication using AD also possible using OPNsense?
If so, please give me a hint on how to deal with this issue.
I have System -> Servers configured:
Desc: AD
USER DN, Containers etc.
User naming attribute: sAMAccountName,
Port value: 389,
TCP Standard,
Protocol ver: 3.
Everything works fine here, in System - Tester I receive the following message:
User: piotr authenticated successfully.
This user is a member of these groups (...).
And now the whole problem starts in Services -> Freeradius.
Logging in using local users works. However, I cannot force it to be authorized in AD.
Enable LDAP
EAP - MSCHAPv2
Prime256v1
use own cert - no
rootCA - no
Server certificate - web ui
crl - none
tls CN - no
tls min ver 1.2
LDAP
Inner Tunnel Yes
Protocol type: LDAP
server: my Domain Controller IP
Port 389
Certificate: none
TLS start: no
Bind User and Base DN = same as system -> Servers
User filter: (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})
Group Filter: (objectClass=posixGroup)
In the log: Auth: (45) Login OK: [piotr/<via Auth-Type = Accept>] (from client UAP port 0 cli A2-DD-5F-XX-XX-XX)
but my Android devices don't connect to the network...
I have no idea what I'm doing wrong anymore.
Please give me some advice!
Kind regards
Piotr