Thanks for pointing me in the right direction, Jim. I've gotten it working. This makes it possible to have a Windows PC authenticate over the VPN through pfSense to a Samba4 / AD controller before login using the native Windows VPN client.
The process is as follows.
You should already have Samba4 and FreeRadius installed on the same machine. Samba4 should already be joined to a domain and / or configured as an AD controller.
Validate Samba4 and give radius access
After joining the domain, test the connection using wbinfo.
wbinfo -a <username>%<password>
A successful response should show something like the following:
plaintext password authentication failed
Could not authenticate user <username>%<password> with plaintext password
challenge/response password authentication succeeded
The critical part is the "challenge/response password authentication succeeded".
The plaintext password authentication error is expected as no plain-text passwords are stored in Active Directory.
Now attempt an NTLM authentication:
ntlm_auth --request-nt-key --domain=<NETBIOS domain name> --username=<username>
You are prompted for a password, and on successful authentication, you should see this output:
NT_STATUS_OK: Success (0x0)
The radiusd user needs access to the winbindd_privileged directory.
This directory is typically found at /var/lib/samba/winbindd_privileged/.
Check to see if any group besides root has access to the directory.
ls -lh /var/lib/samba/
If root is the group as well as the owner, create a new group. If a group already exists, make note of the group name and skip the next two steps.
groupadd wbpriv
Grant access for the group to the winbindd_privileged directory.
chown :wbpriv /var/lib/samba/winbindd_privileged
Add the radiusd user to the group that has read access on the winbindd_privileged directory.
usermod -a -G wbpriv radiusd
Configuring FreeRadius
Edit the freeradius modules/mschap file. It can typically be found at /etc/freeradius/modules/mschap or /etc/raddb/modules/mschap depending on your distribution.
Make sure the following lines are uncommented.
require_encryption = yes
require_strong = yes
ntlm_auth = "/path/to/ntlm_auth …"
with_ntdomain_hack = yes
Modify the ntlm_auth line to point to the location of the ntlm_auth program you used earlier to test NTLM authentication.
ntlm_auth is often found at /usr/bin/ntlm_auth.
Add "--domain=%{%{mschap:NT-Domain}:-MYDOMAIN}" to the ntlm_auth line (replace MYDOMAIN with the correct domain) so that it finally looks something like:
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-TESTDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
Save the file.
In the freeradius sites-available/default and sites-available/inner-tunnel, ensure mschap is enabled in the authentication section.
Disable the files module in each of these files if you do not use any of the information in the users file, and if necessary, comment out any uncommented test users in the users.conf file.
In the freeradius eap.conf, change default_eap_type to peap.
Change the "ttls" section as follows to use EAP-TTLS with EAP-MSCHAPv2 as the inner method.
default_eap_type = mschapv2
copy_request_to_tunnel = yes
use_tunneled_reply = no
Create a new entry in freeradius clients.conf to allow access from pfSense.
client pfSense_IP_HERE {
secret = REPLACE_THIS_WITH_A_SHARED_SECRET_KEY_THAT_WILL_BE_KNOWN_BY_PFSENSE
shortname = pfsense_firewall
nastype = other
}
Change the default secret for the localhost client in clients.conf file.
Save the file and restart the FreeRadius service.
Validate authenticating via FreeRadius
radtest -t mschap TestUser@domain.com Users_Password localhost 0 SecretKeyForLocalHost
Should return
rad_recv: Access-Accept
Setup a new Authentication Server in pfSense.
System > User Manager > Authentication Servers
Click "Add"
Give the server a name - "test-domain-radius-mschapv2"
Type = "RADIUS"
Hostname = IP address of the radius server.
Shared Secret = THE_SHARED_SECRET_KEY_CREATED_IN_THE_FREERADIUS_CLIENTS.CONF_FILE
Services offered = Authentication
Click Save
Follow the instructions found at https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2 with the following exceptions.
Under Mobile Clients, Set User Authentication to the newly created radius authentication method.
Under Phase 1, set the Authentication Method to EAP-MSChapv2
Don't create any Client Pre-Shared keys
You should now be able to connect to the pfSense VPN using the Windows native VPN client and Samba4 / AD credentials.
Credit for various pieces of this to the following sites:
http://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HOWTO
https://www.eduroam.us/node/89
https://blog.practichem.com/configuring-freeradius-for-wpa2-enterprise-with-active-directory-integration-on-ubuntu-1404/
http://deployingradius.com/documents/configuration/active_directory.html
http://confluence.diamond.ac.uk/display/PAAUTH/Using+Active+Directory+as+authentication+source