Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
20.1 Legacy Series
»
Using [LDAP-sourced/synced] local users for FreeRADIUS server plugin
« previous
next »
Print
Pages: [
1
]
Author
Topic: Using [LDAP-sourced/synced] local users for FreeRADIUS server plugin (Read 1959 times)
senseivita
Newbie
Posts: 36
Karma: 0
Using [LDAP-sourced/synced] local users for FreeRADIUS server plugin
«
on:
April 07, 2020, 03:49:29 pm »
For a very long time I've been trying to setup FreeRADIUS for full Active Directory integration but when I always manage to get something wrong and I run back to Windows Server NPS. If it's not setting up NTLM auth –something I've never been able to do– it's some random bug that makes the exact same settings work in an OPNsese config work in one install but not on the next.
Binding FreeRADIUS to LDAP won't work because "passwords are sent on the clear" …even though the connections are made over LDAPS, i.e; ldaps://…:636/. Since OPNsense's users can be also synced with AD, I figured these could be used locally by FreeRADIUS and be augemented with the proper attributes for a given user.
Being already local, any authentication method should be available.
But again I was wrong, or at least couldn't figure out how to set it up.
The most I managed to set up has been EAP-TLS. It's a strong method so I'm more than happy to settle for a single method if that's the one. However, I can also do that on Network Policy Server; the main appeal of OPNsense+FreeRADIUS are the per-user attribute settings. The way I setup EAP-TLS, although it validates OCSP it really doesn't associate the certificate with a directory user, so no user attributes configurable; I tried adding the information manually on FreeRADIUS's Users area but it won't allow me entering the
@
symbol, necessary to write
UPN
s, used for the CN and SAN on certificates, leaving me back a square 1.
Do you have some insight you could share setting this up? Any advice/commentary is welcome.
Logged
I'm a bit dyslexic and it makes me forgo letters at the end of words. What gets written is written correctly though, I have good orthography in one or two languages, ironically. It's messed up, I know, I'm sorry. Just pretend you're my auto-complete.
mimugmail
Hero Member
Posts: 6766
Karma: 494
Re: Using [LDAP-sourced/synced] local users for FreeRADIUS server plugin
«
Reply #1 on:
July 20, 2020, 02:59:24 pm »
This will come with the next update
https://github.com/opnsense/plugins/pull/1900
Logged
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
20.1 Legacy Series
»
Using [LDAP-sourced/synced] local users for FreeRADIUS server plugin