Author Topic: How to setup FreeRadius to bind to Windows AD with LDAP  (Read 8352 times)

olest
How to setup FreeRadius to bind to Windows AD with LDAP
« on: May 27, 2019, 10:47:39 am »
Hi,

How do I configure the FreeRadius plugin to authenticate against a Windows Active Directory LDAP server?

I have setup LDAP:

Protocol type: LDAP
Server: IP of the LDAP server
Bind user: empty
Bind password: empty
Base DN: dc=company,DC=local
User Filter: (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})
Group Filter: (objectClass=posixGroup)

I'm not sure what to put in User Filter and Group Filter.

Can anyone help?

mimugmail
Re: How to setup FreeRadius to bind to Windows AD with LDAP
« Reply #1 on: July 20, 2020, 03:03:06 pm »
I had this too and fixed it without using the group filter, by putting the search in the user filter:

(&(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf=CN=bli,OU=bla,OU=blub,DC=blub,DC=blub))
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/

olk2233
Re: How to setup FreeRadius to bind to Windows AD with LDAP
« Reply #2 on: August 03, 2021, 05:03:54 pm »
Hello @mimugmail

I would like to use FreeRadius 1.9.15 with LDAP against a Windows Server 2016 on OPNsense 21.1.9 for authentication.
The OPNsense is not joined to the Windows AD. Does this setup work for you?

EAP: PEAP

LDAP settings:
Protocol Type: LDAPS
Server: DNS Name of the AD server
Bind User: a valid AD user
Bind Password: valid password
Base DN: dc=company,DC=local
User Filter: (&(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf=CN=bli,OU=bla,OU=blub,DC=blub,DC=blub))
Group Filter: empty

- A test ldapsearch is working from the OPNsense
- LDAPS bind also works --> if I enter a wrong password, I get an error: Error: rlm_ldap (ldap): Bind credentials incorrect: Invalid credentials
- the error message for which I can't find a solution is:
-- Auth: (7)   Login incorrect (mschap: FAILED: No NT-Password.  Cannot perform authentication)
-- Auth: (8) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.))

- Should this setup work in general?
- Any ideas?

Thank you for any help.
Best regards
Olk
« Last Edit: August 03, 2021, 05:24:33 pm by olk2233 »

mimugmail
Re: How to setup FreeRadius to bind to Windows AD with LDAP
« Reply #3 on: August 03, 2021, 05:49:28 pm »
This doesn't work with EAP in general. There is a solution around; I need to find it again, maybe on the forums or GitHub.

olk2233
Re: How to setup FreeRadius to bind to Windows AD with LDAP
« Reply #4 on: August 05, 2021, 09:08:37 am »
Hello mimugmail
Thank you so much for the answer. I read a lot about EAP, PAP and all the other methods. I'm not sure if I understand it 100% correctly.

In my opinion, my setup would only work with EAP-TTLS/PAP, which is only secure if the certificate is validated properly.

If I try to authenticate with EAP-TTLS/PAP, I get an error message on the OPNsense/radius.log (EAP Type "TTLS" configured):
Auth: (11)   Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject)

If I try to use the EAP Type "TTLS-GTC", the RADIUS daemon doesn't start:
Error: /usr/local/etc/raddb/mods-enabled/eap[15]: No dictionary definition for default EAP method 'ttls-gtc'.

Is ttls-gtc the same as ttls/pap?

Have a good day.
Olk


unquietwiki
Re: How to setup FreeRadius to bind to Windows AD with LDAP
« Reply #5 on: January 16, 2022, 11:10:05 pm »
Hey all. As of 21.7, these appear to be the required parameters for AD user search. The answers in this post helped me sort this out; thanks!

Bind User: CN=FreeRADIUS,CN=Managed Service Accounts,DC=AD,DC=EXAMPLE,DC=ORG

Base Domain: DC=AD,DC=EXAMPLE,DC=ORG

User Search: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})

Group Search: (memberOf=CN=Users,DC=AD,DC=EXAMPLE,DC=ORG)
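The filter templates posted in this thread (the `(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})` user search in the first post and reply #5, and the `memberOf` restriction from reply #1) leave two things implicit: how the `%{...:-...}` fallback picks the stripped name when the realm module has split off a domain, and that the value spliced into the filter comes from the supplicant and must be escaped before it reaches the directory. The following Python is an added example, not code from the OPNsense plugin or from FreeRADIUS; it re-implements the two xlat forms used here plus RFC 4515 filter escaping (which rlm_ldap applies to expanded attribute values) so the resulting filter can be inspected offline. `strip_realm` is a deliberately simplified model of the suffix and ntdomain realm modules, and the known-realm list, group DN and sample user names are constructed for the example.

```python
# Added example: reconstruct the LDAP search filter FreeRADIUS would send for
# the templates posted in this thread, with the xlat fallback and the RFC 4515
# escaping made explicit. This is not the plugin's or FreeRADIUS's own code.

USER_FILTER = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
GROUP_DN = "CN=bli,OU=bla,OU=blub,DC=blub,DC=blub"   # placeholder DN from reply #1
KNOWN_REALMS = {"company.local", "AzureAD"}           # constructed for the example


def escape_filter_value(value):
    """Escape a value for splicing into an LDAP search filter (RFC 4515).

    User-Name is supplied by the supplicant; without this step a name such as
    '*)(objectClass=*' would rewrite the filter instead of matching one user.
    """
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def strip_realm(user_name, known_realms):
    """Simplified model (an assumption, not the real modules) of the FreeRADIUS
    'suffix' and 'ntdomain' realm modules: split user@REALM or REALM\\user and
    set Stripped-User-Name only when the realm is one the server knows."""
    attrs = {"User-Name": user_name}
    if "\\" in user_name:                 # ntdomain form: DOMAIN\user
        realm, user = user_name.split("\\", 1)
    elif "@" in user_name:                # suffix form: user@realm
        user, realm = user_name.rsplit("@", 1)
    else:
        return attrs
    if realm.lower() in {r.lower() for r in known_realms}:
        attrs["Stripped-User-Name"] = user
        attrs["Realm"] = realm
    return attrs


def xlat(template, attrs):
    """Expand the two xlat forms used in the thread: %{Attr} and the fallback
    %{%{A}:-%{B}} (use A if it expanded to something, otherwise B).
    Expanded attribute values are escaped; literal template text is not."""
    out, i = [], 0
    while i < len(template):
        if template.startswith("%{", i):
            value, i = _expand_block(template, i + 2, attrs)
            out.append(value)
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def _expand_block(t, i, attrs):
    """Parse from just after '%{' to the matching '}'. Returns (value, next_i)."""
    left, right = [], None
    cur = left
    while i < len(t):
        if t.startswith("%{", i):
            value, i = _expand_block(t, i + 2, attrs)
            cur.append(value)                 # already escaped, never re-parsed
        elif t[i] == "}":
            i += 1
            break
        elif right is None and t.startswith(":-", i):
            right = []
            cur = right
            i += 2
        else:
            cur.append(t[i])
            i += 1
    else:
        raise ValueError("unterminated %{ in xlat template")
    if right is None:                         # plain %{Attr}: look it up, escape it
        return escape_filter_value(attrs.get("".join(left), "")), i
    lhs = "".join(left)                       # %{lhs:-rhs}: lhs wins if non-empty
    return (lhs if lhs else "".join(right)), i


def build_user_filter(user_name, known_realms=KNOWN_REALMS, group_dn=None):
    """Filter for one Access-Request, optionally AND-ed with a memberOf test as
    in reply #1 (the group DN is server configuration, not supplicant input)."""
    flt = xlat(USER_FILTER, strip_realm(user_name, known_realms))
    if group_dn:
        flt = "(&%s(memberOf=%s))" % (flt, group_dn)
    return flt


if __name__ == "__main__":
    for name in ("olk", "olk@company.local", "AzureAD\\MyUserName",
                 "olk@other.example", "*)(objectClass=*"):
        print("%-22s -> %s" % (name, build_user_filter(name, group_dn=GROUP_DN)))
```

Two things worth checking against your own setup: a realm that the server does not know is not stripped, so the full `user@realm` string is what ends up in `sAMAccountName=` and the search silently fails; and the `memberOf` test only sees direct membership, so a user who is in the group only through a nested group will not match that filter.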

mimugmail
Re: How to setup FreeRadius to bind to Windows AD with LDAP
« Reply #6 on: January 17, 2022, 09:13:15 am »
Quote from: olk2233 on August 05, 2021, 09:08:37 am

There is a PR waiting which will allow this now.

mimugmail
Re: How to setup FreeRadius to bind to Windows AD with LDAP
« Reply #7 on: January 17, 2022, 09:13:44 am »
Quote from: unquietwiki on January 16, 2022, 11:10:05 pm

Sorry, not deep into it anymore, is there anything I need to adjust in the plugin?

unquietwiki
Re: How to setup FreeRadius to bind to Windows AD with LDAP
« Reply #8 on: January 20, 2022, 11:46:26 am »
I ran into some weird stuff tying that FreeRADIUS setup to IPsec. EAP-RADIUS doesn't seem to work with it authenticating against LDAP/AD.

https://forum.opnsense.org/index.php?topic=26429.0

leacho73
Re: How to setup FreeRadius to bind to Windows AD with LDAP
« Reply #9 on: April 25, 2022, 02:15:17 pm »
Hi All,

I was wondering if anyone got this working. I am trying to set up an always-on VPN with Windows 11 and AzureAD. I can authenticate to AzureAD using the RADIUS server via the 'tester' page within the OPNsense GUI; however, if I try to authenticate via an IPsec VPN connection using EAP-RADIUS and set Windows 11 to use the logged-in credentials, I get the following error (as seen further up this thread):

Login incorrect (mschap: FAILED: No NT-Password. Cannot perform authentication): [AzureAD\MyUserName/<via Auth-Type = eap>

Worth noting that I am using the FreeRadius plugin.

There may very well be a better way to set up an always-on VPN with OPNsense and Windows 11, but this is the only way I could think of to get it working. Can anyone advise on the above?

Thanks
Leacho
« Last Edit: April 25, 2022, 02:24:09 pm by leacho73 »
