FreeRADIUS and IPsec Mobile client

[loganx1121]

Link to same post on reddit for screenshot purposes since attachments here are limited - https://www.reddit.com/r/OPNsenseFirewall/comments/zzt3mq/freeradius_and_ipsec_mobile_client/


I'm trying to use the FreeRADIUS plugin for an IPsec mobile client. Previously had the mobile client working with local accounts, but I need to do this for 400+ people so I figured why not use RADIUS?

So I have the FreeRADIUS plugin installed, which points to a windows domain controller that is sitting behind another firewall at another location. The 2 firewalls have a wireguard tunnel.

FreeRADIUS has LDAP enabled, just boring port 389 to test this out, and a client setup of 127.0.0.1. The RADIUS server in system > access > servers is also set as 127.0.0.1. When I use the tester, I see the port 389 traffic go across to the WG tunnel, and the tester shows the auth is successful.

However, when I try to do this with windows built-in VPN and connect to the IPsec mobile client on the same firewall that FreeRADIUS is running on, I get the following:

Code: [Select]

2022-12-30T23:33:11 Auth: (19) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [mo/<via Auth-Type = eap>] (from client test port 7 cli x.x.x.x[4500])

2022-12-30T23:33:11 Auth: (18) Login incorrect (mschap: FAILED: No NT-Password. Cannot perform authentication): [mo/<via Auth-Type = eap>] (from client test port 0 via TLS tunnel)

2022-12-30T23:31:26 Auth: (9) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [mo/<via Auth-Type = eap>] (from client test port 6 cli x.x.x.x[4500])

2022-12-30T23:31:26 Auth: (8) Login incorrect (mschap: FAILED: No NT-Password. Cannot perform authentication): [mo/<via Auth-Type = eap>] (from client test port 0 via TLS tunnel)

The firewall has a root CA made on OPNsense, and from that I issued 2 server certificates - 1 for the IPsec tunnel and 1 for FreeRADIUS. I read somewhere that the IPsec cert and the FreeRADIUS cert had to be the same cert to make this work, so I tried using the IPsec cert in both places but that didn't seem to help.

The client (virtual machine) that is trying to connect has the root CA installed in the "Trusted certificate authorities" in the computer certificates (not personal certificates). I did this when I was using local accounts on the firewall to connect to the IPsec mobile client connection and had it working.

I'm kind of at a loss. The tester says auth works. I see the traffic go over the tunnel. I can only assume return traffic isn't an issue since if it was I would think using the "Tester" wouldn't work either. The common name on both the IPsec cert and the RADIUS cert is the public DNS entry of the firewall.

I've tried PEAP, mschapv2, EAP-TTLS, but can't get any of those to work.  I'm hoping this is just something dumb I missed that someone can point out to me.

[Patrick M. Hausen]

For MSCHAP to work, RADIUS needs access to a clear text or NT hashed password. You cannot perform MSCHAP when authenticating with another remote entity over e.g. LDAP. It should possible to place the RADIUS server on the domain controller in form of MS IAS (Internet Authentication Server - essentially RADIUS included in Windows Server).

Other than that I am a bit out of that area of expertise for quite some years now, sorry. Your best bet is probably the freeradius-users mailing list.

What about XAUTH with plain user/password with LDAP backend and a certificate managed by your Windows CA for each user?

[loganx1121]

For MSCHAP to work, RADIUS needs access to a clear text or NT hashed password. You cannot perform MSCHAP when authenticating with another remote entity over e.g. LDAP. It should possible to place the RADIUS server on the domain controller in form of MS IAS (Internet Authentication Server - essentially RADIUS included in Windows Server).

Other than that I am a bit out of that area of expertise for quite some years now, sorry. Your best bet is probably the freeradius-users mailing list.

What about XAUTH with plain user/password with LDAP backend and a certificate managed by your Windows CA for each user?

Well it's around 500 users, so doing a certificate for each of them would be a lot of overhead that I'm trying to avoid.

So you're saying mschap won't work because the FreeRADIUS plugin can't do mschap with the domain controller?  I'm a little confused on that part.

[Patrick M. Hausen]

Yes. for MSCHAP the RADIUS server needs access to a password in clear text or NTLM hash. Only the domain controllers have that.

You can use IAS instead of FreeRADIUS, if I am not mistaken.

Or use XAUTH with username/password. You can use a fixed certificate for server and client for all users and XAUTH.