RADIUS vs LDAP for AD authentication for OpenVPN
-
No, I haven't tried against a specific OU. My understanding, though, is that in that case I would have to create duplicate accounts, which is not what I'm looking for. We have multiple sites, so we organize accounts based on location (like city). So if I were to use an OU I would have to either move accounts into a VPN OU or duplicate accounts.
Or I'm misunderstanding. Am I? I thought groups were CNs.
@Rob:
Okay, let me take a step back. I might be wrong about the dial-in permission. I'd taken it as a given but never actually tested.
I have not tried to use LDAP queries against a security group, but they definitely work for me against an OU (not a container, mind you). Have you tried a specific OU? E.g.: OU=VPN Users,DC=YourDomain,DC=local
-
You can use multiple DNs separated by semi-colons, so you could have one OU for each site.
-
Be that as it may, I want more granular control. I don't want everyone at a site to inherently have VPN access. I follow the mantra of only needed access. As such I want access delegated by group membership (and having their own cert too of course).
How can I get LDAP auth to query against a specific group?
@Rob:
You can use multiple DNs separated by semi-colons, so you could have one OU for each site.
-
Okay so I think I've found how to configure the LDAP authentication to check against domain groups (or a single group). I had to dig around and found this bug report ( https://redmine.pfsense.org/issues/1009 ) If you read #7 in the list the person refers to this thread ( https://forum.pfsense.org/index.php?topic=48961.0 ).
So to test I've been using Diagnostics -> Authentication. I have a test account, and tested if auth failed when in and out of the group. Auth succeeded when in the group, and failed when not in the group. Working how I want!
So how I have it is as follows.
Level: Entire Subtree (but this can probably work at one level too)
Base DN: DC=domain,DC=local
Containers: DC=domain,DC=local
Extended Query (checked): memberOf=CN=VPNgroup,OU=Groups,DC=domain,DC=local
The rest is still using the initial recommended Active Directory parameters from when I first set up the "Server" configuration.
Now to complete setup and test this for actual OpenVPN access now, wheee!
-
So with my test account I have this set up exactly how I want. If the user account is disabled, auth fails. If the user is not part of the group, auth fails. To clarify, when I try to connect with the openvpnmanager it keeps prompting for login when the account is either not a member of the group or disabled.
Now I need to test deleting/revoking the cert to make sure that works how I want. Also testing that the manager does work with a non-privileged user.
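As an added illustration (not pfSense's code and not part of any post in this thread), the following Python model shows why the group-based extended query from the configuration above works across per-site OUs, and how the two outcomes tested here (not in the group, account disabled) arise at different steps. It assumes the authenticator ANDs a username lookup with the extended query and then binds as the found user; the directory entries, OUs, passwords and the names `build_filter`, `matches_filter` and `authenticate` are constructed for the example.

```python
# Added example, not pfSense's implementation: an in-memory model of an
# LDAP-backed VPN login with the extended query
#   memberOf=CN=VPNgroup,OU=Groups,DC=domain,DC=local
# Directory contents, passwords and the search-then-bind order are assumptions.

ACCOUNTDISABLE = 0x0002  # userAccountControl bit AD sets on a disabled account
NORMAL_ACCOUNT = 0x0200

VPN_GROUP = "CN=VPNgroup,OU=Groups,DC=domain,DC=local"
STAFF_GROUP = "CN=Staff,OU=Groups,DC=domain,DC=local"
EXTENDED_QUERY = f"memberOf={VPN_GROUP}"

# Constructed directory: accounts stay in per-site OUs; VPN access is decided
# only by group membership, so nothing has to be moved or duplicated.
DIRECTORY = {
    "CN=alice,OU=Boston,DC=domain,DC=local": {
        "sAMAccountName": "alice",
        "userAccountControl": NORMAL_ACCOUNT,
        "memberOf": [VPN_GROUP, STAFF_GROUP],
        "_password": "correct horse",          # constructed, used by the bind step
    },
    "CN=bob,OU=Denver,DC=domain,DC=local": {
        "sAMAccountName": "bob",
        "userAccountControl": NORMAL_ACCOUNT,
        "memberOf": [STAFF_GROUP],             # not in VPNgroup
        "_password": "hunter2",
    },
    "CN=carol,OU=Boston,DC=domain,DC=local": {
        "sAMAccountName": "carol",
        "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE,  # disabled in AD
        "memberOf": [VPN_GROUP],
        "_password": "s3cret",
    },
}


def build_filter(username: str, extended_query: str) -> str:
    """Combine the user lookup with the extended query (assumed AND; the exact
    filter string pfSense builds is not shown in the thread)."""
    return f"(&(sAMAccountName={username})({extended_query}))"


def matches_filter(entry: dict, ldap_filter: str) -> bool:
    """Evaluate an (&(attr=value)(attr=value)...) filter against one entry.
    Multi-valued attributes such as memberOf match if any value is equal.
    Real AD compares DN-syntax values case-insensitively; this model is exact."""
    if not (ldap_filter.startswith("(&") and ldap_filter.endswith(")")):
        raise ValueError("only simple AND filters are modelled")
    inner = ldap_filter[2:-1]                      # "(a=b)(c=d)"
    for part in inner.strip("()").split(")("):     # ["a=b", "c=d"]
        attr, _, value = part.partition("=")
        present = entry.get(attr, [])
        if not isinstance(present, list):
            present = [present]
        if value not in [str(v) for v in present]:
            return False
    return True


def authenticate(username: str, password: str) -> str:
    """Return "ok" or a "denied: ..." reason.
    Step 1: search under the base DN with the combined filter; no hit means the
            user is unknown or not in VPNgroup, so the login never proceeds.
    Step 2: bind as the matched user; AD refuses the bind for a disabled
            account whatever the password, which is why a disabled account
            fails even though it still matches the memberOf filter."""
    ldap_filter = build_filter(username, EXTENDED_QUERY)
    hits = [dn for dn, e in DIRECTORY.items() if matches_filter(e, ldap_filter)]
    if not hits:
        return "denied: no entry matches filter (unknown user or not in VPNgroup)"
    entry = DIRECTORY[hits[0]]
    if entry["userAccountControl"] & ACCOUNTDISABLE:
        return "denied: bind refused, account disabled"
    if password != entry["_password"]:
        return "denied: bind refused, bad password"
    return "ok"


if __name__ == "__main__":
    for user, pw in [("alice", "correct horse"), ("bob", "hunter2"),
                     ("carol", "s3cret"), ("alice", "wrong")]:
        print(f"{user:6} -> {authenticate(user, pw)}")
```

Two caveats worth keeping in mind with this setup: AD's memberOf attribute lists direct memberships only, so a user who is in VPNgroup via a nested group will not match a plain memberOf filter (the AD-specific matching rule `memberOf:1.2.840.113556.1.4.1941:=<group DN>` is what resolves nesting), and the model's exact string comparison is stricter than AD, which matches DN values case-insensitively.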
-
The cert revocation list works quite well! Interestingly enough it seems to just appear as a connection reset from the user's perspective, there's no "access denied" equivalent. I wonder if this is intentional.
I'm good to go it seems!
-
I presume you'll need to use a security group and query against the group's DN. But I've never tried that personally.
-
I've outlined above how this is achieved.
@Rob:
I presume you'll need to use a security group and query against the group's DN. But I've never tried that personally.
-
Oh that's great - missed that. Good work.
-
By the way, for those interested, I'm trying to add fail-over for auth for OpenVPN; the thread is at: https://forum.pfsense.org/index.php?topic=73544.0
-
In case you are still trying to get RADIUS over AD, this link is the solution. I tested it and it works fine for me: https://doc.pfsense.org/index.php/OpenVPN_with_RADIUS_via_Active_Directory
-
I actually also got AD authentication working for our OpenVPN implementation. The key is using the extended query option to differentiate between OUs; apart from this there is not much to change in your AD structure.