Windows IPsec VPN authetication with Active Directory and FreeRADIUS

[Bisti]

Is it possible to authenticate Windows client machine on IPsec VPN against Active Directory?
I tried this by setting up FreeRADIUS on my OPNsense but it`s not working. What I googled is that my FreeRADIUS expects cleartext password while my Windows machine is sending NThash. It seems that for this to work, I would also need to install samaba and join my OPNsense box to AD (I don't wand to go that way). Anyone tested similar setup?

[ScottSenffner]

I am really interested to hear how this is fixed, as I need to do this myself.  I have not set it up yet, because this is my first firewall with OpnSense.  I am a complete newbie at it. I was able to get it installed this weekend and I am having problems with port forwarding. It my be a problem with the version 18.1.6? Not sure yet, just replied to someone else inquiry about that as well.

Looking forward to more learning experiences.

Scott

[Bisti]

I think that the only way to do this at the moment is to use certificate authentication. I don`t have CA set up at the moment in my AD infrastructure so I can`t test this out.

[Kofl]

Maybe it would be a solution to use Windows Radius, which uses AD to authenticate?
http://thesolving.com/server-room/configure-radius-server-windows-authenticate-cisco-vpn-users/

and then configure OPNSense to use that radius server:
https://wiki.opnsense.org/manual/how-tos/user-radius.html

[mimugmail]

You can bind to LDAP via Freeradius plugin, should work fine

[Bisti]

You can bind to LDAP via Freeradius plugin, should work fine

What do you mean by that? I have installed Freeradius plugin and bound it to my AD but it only accepts plain passwords and Windows desktops sends NT-Hash of password.
I will try to do what Kofl suggested - use Windows RADIUS server.