Archive > 20.1 Legacy Series

Using [LDAP-sourced/synced] local users for FreeRADIUS server plugin


senseivita:
For a very long time I've been trying to set up FreeRADIUS for full Active Directory integration, but I always manage to get something wrong and run back to Windows Server NPS. If it's not setting up NTLM auth –something I've never been able to do– it's some random bug that makes the exact same settings in an OPNsense config work in one install but not on the next.

Binding FreeRADIUS to LDAP won't work because "passwords are sent in the clear" …even though the connections are made over LDAPS, i.e. ldaps://…:636/. Since OPNsense's users can also be synced with AD, I figured these could be used locally by FreeRADIUS and be augmented with the proper attributes for a given user. Being already local, any authentication method should be available. But again I was wrong, or at least couldn't figure out how to set it up.

The most I managed to set up has been EAP-TLS. It's a strong method, so I'm more than happy to settle for a single method if that's the one. However, I can also do that on Network Policy Server; the main appeal of OPNsense+FreeRADIUS is the per-user attribute settings. The way I set up EAP-TLS, although it validates OCSP, it really doesn't associate the certificate with a directory user, so no user attributes are configurable; I tried adding the information manually in FreeRADIUS's Users area, but it won't allow me to enter the @ symbol, necessary to write UPNs, which are used for the CN and SAN on the certificates, leaving me back at square one.

Do you have some insight you could share setting this up? Any advice/commentary is welcome. :)

mimugmail:
This will come with the next update https://github.com/opnsense/plugins/pull/1900
