OpenVPN, FreeRadius and LDAP
-
I turn to the community to seek help regarding the integration of LDAP authentication and Google Authenticator for VPN access using FreeRadius, OpenVPN, and pfSense.
Here's my current situation: I have successfully installed and tested FreeRadius, OpenVPN, and pfSense independently, and each component is functioning correctly. However, I now want to implement a more secure authentication process for users connecting to the VPN.
My goal is to allow users to connect to the VPN by providing their credentials and password from the Active Directory (LDAP), and then prompt users to enter the temporary code provided by Google Authenticator via FreeRadius. And if there is a way to get one QR code per user, it would be better.
In summary:
PF + LDAP = ok
OVPN + LDAP = ok
OVPN + PAP = ok
OVPN + (LDAP + PAP) = error
Is this even possible?
-
@Totem974-0 https://www.netgate.com/blog/freeradius-on-pfsense-for-2fa
I've accomplished 2FA using DUO which is free for 10 users.
OpenVPN user authenticates with LDAP. LDAP query gets sent to DUO proxy and then sent to LDAP server. LDAP server approves and DUO proxy will send a push notification to the user's phone. Works flawlessly. Might be a cleaner solution than sending every user a QR code.
-
It can indeed be a solution, but I need to be able to accommodate at least 20 users. Nevertheless, it's a lead worth exploring (the idea of using a proxy to access a third-party server). And if possible using Microsoft Authenticator.
Thank you for this tip.
-
I have the same question. Did you manage to get it working?
I can get it to work with local users and 2FA and I can also get it to work with LDAP users and no 2FA but not in combination.
-
@bamypamy
It's very easy to set up DUO. You set up a proxy. Have the proxy point to your LDAP. That's it. https://duo.com/docs/authproxy-reference
-
@michmoor I checked this option but I also have the problem that it is more than 10 users. I guess I need to ask for some money. ;-)
Thanks for replying.
-
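The Duo Authentication Proxy arrangement described in the replies above (pfSense/OpenVPN binds to the proxy over LDAP, the proxy forwards to the directory and then triggers the push), sketched as an `authproxy.cfg`. This is an added example, not configuration posted by anyone in the thread; every host name, DN, path and key value is a placeholder, and the option names should be checked against the authproxy reference linked above.

```ini
; authproxy.cfg - added example, all values are placeholders

[ad_client]
; Upstream directory the proxy forwards primary authentication to
host=dc01.example.internal
service_account_username=svc-duoproxy
service_account_password=REPLACE_ME
search_dn=DC=example,DC=internal
; Encrypt and verify the proxy -> domain controller leg
transport=ldaps
ssl_ca_certs_file=/etc/duoauthproxy/ad-ca.pem
ssl_verify_hostname=true
; Only members of this group may authenticate through the proxy
security_group_dn=CN=VPN-Users,OU=Groups,DC=example,DC=internal

[ldap_server_auto]
; Values from the Duo application created for this proxy
ikey=DIXXXXXXXXXXXXXXXXXX
skey=REPLACE_ME
api_host=api-XXXXXXXX.duosecurity.com
client=ad_client
; Listener that pfSense points its LDAP authentication server at
ssl_port=636
ssl_key_path=/etc/duoauthproxy/proxy.key
ssl_cert_path=/etc/duoauthproxy/proxy.pem
; Reject logins when Duo cannot be reached; "safe" would let
; password-only logins through during an outage
failmode=secure
; The first bind on each connection is pfSense's own bind account,
; which cannot answer a push, so it skips the second factor
exempt_primary_bind=true
exempt_ou_1=CN=svc-pfsense,OU=Service Accounts,DC=example,DC=internal
```

The file holds the Duo secret key and the directory service account password, so it should be readable only by the account the proxy service runs as.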