    Pfsense-Freeradius authentication to Active Directory

    General pfSense Questions
ludifrita

I am a new user and am using pfSense for the first time.

I want to implement FreeRADIUS authentication with AD. I need to assign Service-Type = Administrative-User
to Active Directory users who are members of the group NetworkAdmin, and reject the non-administrators.

pfSense-FreeRADIUS is able to authenticate every Active Directory user, so LDAP -> GENERAL CONFIGURATION - SERVER 1 is OK.
But when I configure filters for the group on LDAP -> Group Membership Options - SERVER 1, which modifies
radiusd.conf, it stops working.
I also need to modify the /etc/raddb/users file in order to tune the Service-Type.

      This is the configuration:

      radiusd.conf
      […]
                   groupname_attribute = cn
                   groupmembership_filter = "(&(cn=NetworkAdmin)(|(&(objectClass=group)(member=%{Ldap-UserDn}))(&(objectClass=top)(uniquemember=%{Ldap-UserDn}))))"
                   groupmembership_attribute = memberOf

      […]
      /etc/raddb/users

DEFAULT Ldap-Group == "NetworkAdmin"
        Service-Type := Administrative-User,
        Reply-Message = "Welcome Administrator"

DEFAULT Auth-Type := Reject
        Reply-Message = "Not allowed"

Can anyone help me get authentication working with an Active Directory group?
Thanks


ludifrita

        At the end I left the group check. Users who are added on the pfSense freeradius database are authenticated and the rest are rejected.

        Verification of users is sequential. When reaching the end of the file list the attempt is rejected:

        /usr/local/etc/raddb/users

"user1" Cleartext-Password := ""
        Service-Type := Administrative-User
"user2" Cleartext-Password := ""
        Service-Type := Administrative-User
"user2" Cleartext-Password := ""
        Service-Type := Administrative-User
DEFAULT Auth-Type := Reject

When adding new users using the pfSense menu, the last line is overwritten.
"DEFAULT Auth-Type := Reject" has to be added at the end of the file by manually editing /usr/local/etc/raddb/users.

        Hope this helps someone.

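An added example, not part of the thread: a small Python script that parses a users file in the format shown above, mimics the sequential first-match evaluation the post describes, and checks that the `DEFAULT Auth-Type := Reject` entry is still the last one (the case the GUI overwrote). The sample file, user names and passwords are constructed.

```python
import re

# Constructed sample in the shape of the users file from the post (values are made up).
SAMPLE_USERS = '''
"user1" Cleartext-Password := "s3cret1"
        Service-Type := Administrative-User
"user2" Cleartext-Password := "s3cret2"
        Service-Type := Administrative-User
DEFAULT Auth-Type := Reject
'''

# attribute, operator (:=, == or =), value (quoted or bare), optional trailing comma
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(:=|==|=)\s*("[^"]*"|[^\s,]+)\s*,?')


def parse_users(text):
    """Parse a FreeRADIUS users file into entries of name, check items and reply items.
    An entry starts at column 0 with its check items; indented lines carry reply items."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        if line[0] not in ' \t':
            name, _, rest = line.partition(' ')
            entries.append({'name': name.strip('"'),
                            'check': {k: v.strip('"') for k, _, v in ITEM_RE.findall(rest)},
                            'reply': {}})
        elif entries:
            entries[-1]['reply'].update((k, v.strip('"')) for k, _, v in ITEM_RE.findall(line))
    return entries


def evaluate(entries, username):
    """Mimic the sequential matching of the users file: the first entry whose name
    matches (or DEFAULT) wins unless it sets Fall-Through = Yes in its reply items."""
    reply = {}
    for e in entries:
        if e['name'] not in (username, 'DEFAULT'):
            continue
        reply.update(e['reply'])
        if e['check'].get('Auth-Type') == 'Reject':
            return {'result': 'reject', 'reply': reply}
        if e['reply'].get('Fall-Through', 'No').lower() != 'yes':
            return {'result': 'matched', 'reply': reply}
    return {'result': 'reject', 'reply': reply}


def default_reject_is_last(entries):
    """Verify the trailing default reject survived a rewrite of the file."""
    return bool(entries) and entries[-1]['name'] == 'DEFAULT' \
        and entries[-1]['check'].get('Auth-Type') == 'Reject'
```

Run it against a copy of the real users file after each GUI change; a missing trailing DEFAULT means unknown users fall through to whatever the rest of the configuration does instead of being rejected here.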

Nachtfalke

You can add "DEFAULT Auth-Type := Reject" with the GUI:

You just create a new entry under "Users" and put this in the correct custom-options box.

In pfSense 2.1 - when it is done and the freeradius2 package is ready for pfSense 2.1 - you will be able to easily move entries in "Users" using the GUI.
