FreeRADIUS + Active Directory: is it possible?

Started by piotrchm93, July 09, 2024, 02:43:41 PM

Hello community,

OPNsense 24.1.9_4-amd64
FreeBSD 13.2-RELEASE-p11
OpenSSL 3.0.14
on proxmox 8.2.4

Plugin:
os-freeradius (installed) 1.9.23

I have the following question: In normal Freeradius, I can authorize users using Microsoft Active Directory or EAP-TLS using certificates.

Is Authentication using AD also possible using OPNsense?
If so, please give me a hint on how to deal with this issue.

I have System -> Servers configured:

Desc: AD
USER DN, Containers etc.
User naming attribute: sAMAccountName,

Port value: 389,
TCP Standard,
Protocol ver: 3.


Everything works fine here; in System -> Tester I receive the following message:
User: piotr authenticated successfully.
This user is a member of these groups (...).


And now the whole problem starts in Services -> Freeradius.

Logging in using local users works. However, I cannot force it to be authorized in AD.

Enable LDAP

EAP - MSCHAPv2
Prime256v1
use own cert - no
rootCA - no
Server certificate - web ui
crl - none
tls CN - no
tls min ver 1.2

LDAP
Inner Tunnel Yes
Protocol type: LDAP
server: my Domain Controller IP
Port 389
Certificate: none
TLS start: no
Bind User and Base DN = same as system -> Servers
User filter: (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})
Group Filter: (objectClass=posixGroup)


In the log: Auth: (45) Login OK: [piotr/<via Auth-Type = Accept>] (from client UAP port 0 cli A2-DD-5F-XX-XX-XX)

but my Android devices don't connect to the network...

I have no idea what I'm doing wrong anymore.

Please give me some advice!

Kind regards :)

Piotr

Hello, did you manage to fix your issue? 

I'm not even getting an Auth: OK with my similar setup.

Instead I'm getting this "No NT-Password" error.

Auth: (14) Login incorrect (mschap: FAILED: No NT-Password. Cannot perform authentication): [exu/<via Auth-Type = eap>] (from client Unifi APs port 0 via TLS tunnel)

What settings (EAP and Phase-2) are you using on the client side to authenticate?
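The two "Auth:" lines quoted in this thread carry most of what an operator needs (whether the request came through the EAP TLS tunnel, which Auth-Type handled it, and the mschap reason text). As an added example that is not part of either post, this parser splits such lines into fields and attaches a short diagnosis; the sample log is constructed from the two lines above, and the field names are mine.

```python
import re

# Constructed sample modelled on the two log entries quoted in this thread.
SAMPLE_LOG = """\
Auth: (45) Login OK: [piotr/<via Auth-Type = Accept>] (from client UAP port 0 cli A2-DD-5F-XX-XX-XX)
Auth: (14) Login incorrect (mschap: FAILED: No NT-Password. Cannot perform authentication): [exu/<via Auth-Type = eap>] (from client Unifi APs port 0 via TLS tunnel)
"""

# One FreeRADIUS "Auth:" line: request id, outcome, optional module reason, user,
# Auth-Type, NAS name, and whether it arrived inside the EAP TLS tunnel.
AUTH_RE = re.compile(
    r"^Auth: \((?P<req>\d+)\) Login (?P<result>OK|incorrect)"
    r"(?: \((?P<reason>[^()]*)\))?: "
    r"\[(?P<user>[^/\]]+)/<via Auth-Type = (?P<auth_type>[^>]+)>\] "
    r"\(from client (?P<client>.+?) port (?P<port>\d+)"
    r"(?: cli (?P<cli>[^\s)]+))?(?P<tunnel> via TLS tunnel)?\)$"
)

def parse_auth_line(line):
    """Return a dict of fields for an Auth: line, or None if it is not one."""
    m = AUTH_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ok"] = rec["result"] == "OK"
    rec["inner_tunnel"] = rec.pop("tunnel") is not None
    return rec

def diagnose(rec):
    """Short operator-facing explanation for one parsed record."""
    reason = rec["reason"] or ""
    if "No NT-Password" in reason:
        # rlm_mschap verifies MS-CHAPv2 against an NT hash (or a cleartext
        # password); an LDAP lookup in AD does not return one, so MS-CHAPv2 must
        # be delegated to the domain (ntlm_auth) or the inner method changed.
        return "mschap has no NT hash to check; LDAP alone cannot supply it"
    if rec["ok"] and rec["auth_type"] == "Accept" and not rec["inner_tunnel"]:
        # Auth-Type Accept skips the authenticate stage; on the outer request it
        # does not by itself complete an EAP conversation for the supplicant.
        return "outer request accepted via Auth-Type Accept, not inside the EAP tunnel"
    return "authenticated" if rec["ok"] else "rejected: " + (reason or "no reason logged")

def summarize(log_text):
    """Parse every Auth: line in a log and attach a diagnosis to each."""
    out = []
    for line in log_text.splitlines():
        rec = parse_auth_line(line)
        if rec:
            rec["diagnosis"] = diagnose(rec)
            out.append(rec)
    return out
```

Run `summarize(SAMPLE_LOG)` to get one record per line; feeding it the live radius.log lets you filter on `inner_tunnel` and `reason` instead of reading the raw text.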

What about running RADIUS on your DC if you need AD integration?

https://learn.microsoft.com/en-us/windows/win32/nps/ias-radius-authentication-and-accounting

HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

I wasn't aware of this Windows server role.

I'll have a look at using this.