Author
Topic: Windows 2016 Active Directory (Read 3345 times)
shrdlu
Newbie
Posts: 5
Karma: 0
Windows 2016 Active Directory
«
on:
December 06, 2018, 07:37:28 pm »
I looked through the forums and did not see any specific topics around this question, but in the event I missed something please feel free to just send a link and say "check this out."
I have an AD Server running on Windows 2016 and was having issues getting it to be registered with OPNsense, so before I dig in here I wanted to see if Windows 2016 AD was even supported with OPNsense for LDAP and/or LDAP + OTP?
If not, not a problem, but curious if there were plans to support it, or maybe recommend some workarounds.
Thanks
bartjsmit
Hero Member
Posts: 2018
Karma: 194
Re: Windows 2016 Active Directory
«
Reply #1 on:
December 06, 2018, 09:37:53 pm »
Quote from: shrdlu on December 06, 2018, 07:37:28 pm
maybe recommend some workarounds.
RADIUS will offer AD based logins in a pretty bullet-proof way. No OTP combo though.
Bart...
shrdlu
Newbie
Posts: 5
Karma: 0
Re: Windows 2016 Active Directory
«
Reply #2 on:
December 06, 2018, 10:05:32 pm »
So, can I infer from your statement that Windows 2016 Active Directory is not supported?
Secondly, thanks for that info, and I might look in that direction of using RADIUS.
bartjsmit
Hero Member
Posts: 2018
Karma: 194
Re: Windows 2016 Active Directory
«
Reply #3 on:
December 06, 2018, 11:07:28 pm »
AD may very well be supported, but I prefer RADIUS. From a defense-in-depth perspective a directory server is right at the heart of the network, and a firewall is at the periphery. I think it is best to keep them separate and use strong encryption between them.
LDAP access to Windows domain controllers requires authentication, which means that your firewall holds account credentials, or you need to enable anonymous LDAP bind in AD. Neither option is attractive from a security perspective.
Bart...
franco
Administrator
Hero Member
Posts: 17668
Karma: 1611
Re: Windows 2016 Active Directory
«
Reply #4 on:
December 07, 2018, 07:23:51 am »
To be perfectly clear: yes, AD works with all LDAP authentication options available in OPNsense given it's correctly configured.
Cheers,
Franco