Netgate Discussion Forum

OpenVPN w/ RADIUS Authentication via AD

alear

I've been beating my head on this one. I am using AD 2012 and have configured RADIUS to authenticate VPN users. Now on the remote end authentication works and the connection is made with no problems. Now when I connect to my 2012 server through the VPN it is successful and I can view all the shares. When I try to connect to one of my PCs it says the user has not been given permissions for this type of logon. I figured out what this meant exactly. Even though I am authenticating via AD, my PCs are seeing my connection as a guest and not the authenticated AD user through the VPN. I configured the PCs' GPO to match my server GPO (User Access Rights) since I can view the shares on the server. But it still gives me the same error. Any thoughts?

P.S. This is a domain environment that the VPN connects to. All PCs are in the domain if that matters.

      Thanks in advance!

jimp (Rebel Alliance Developer, Netgate)

Using AD for the OpenVPN login phase is not the same as logging in via the domain. The AD structure doesn't know that the VPN user connecting is actually authenticated in a way that is meaningful for the domain. All it saw was a RADIUS access request from the pfSense firewall – it doesn't have a "session" as such to associate that VPN user's traffic with a specific AD account.

        For something like that to work you'd have to run OpenVPN as a service and actually have the user login to the domain over the VPN while it's connected.

Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

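A way to see, on the Windows PC itself, which account the machine actually attributes the incoming VPN connection to (the "guest vs. authenticated AD user" question above). This is an added diagnostic, not from the thread or from Netgate: it reads the Security log for network logons (type 3) from the VPN tunnel subnet and flags guest/anonymous sessions and the "logon type not granted" failure. The VPN subnet prefix 10.8.0. is a placeholder you must replace with your tunnel network; run it elevated on the PC that refuses the connection.

```powershell
# Added example (not from the forum thread). Assumes the OpenVPN tunnel
# network is 10.8.0.0/24 (placeholder); change $VpnPrefix to match yours.
$VpnPrefix = '10.8.0.'
$Since     = (Get-Date).AddHours(-2)

# 4624 = successful logon, 4625 = failed logon. NTSTATUS 0xC000015B is
# STATUS_LOGON_TYPE_NOT_GRANTED, the "not been granted the requested
# logon type at this machine" error described in the first post.
$LogonTypeNotGranted = '0xC000015B'

$filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $Since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Flatten the EventData <Data Name="..."> nodes into a hashtable.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # Only network logons (SMB share access) arriving from the VPN subnet.
    if ($d.LogonType -ne '3' -or $d.IpAddress -notlike "$VpnPrefix*") { continue }

    $user    = "$($d.TargetDomainName)\$($d.TargetUserName)"
    $isGuest = $d.TargetUserName -in @('Guest', 'ANONYMOUS LOGON')

    [pscustomobject]@{
        Time      = $e.TimeCreated
        Result    = if ($e.Id -eq 4624) { 'success' } else { 'failure' }
        User      = $user
        Source    = $d.IpAddress
        AuthPkg   = $d.AuthenticationPackageName
        GuestLike = $isGuest
        # For failures, name the specific cause when it is the logon-type one.
        Reason    = if ($e.Id -eq 4625 -and $d.SubStatus -eq $LogonTypeNotGranted) {
                        'logon type not granted'
                    } elseif ($e.Id -eq 4625) { "substatus $($d.SubStatus)" } else { '' }
    }
}
```

If the rows show Guest or ANONYMOUS LOGON (or a 4625 with "logon type not granted") for your VPN source address, the PC never received domain credentials for that session, which is exactly the point made above: the RADIUS access request at the firewall does not create a domain logon on the workstation.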
alear

          If I configure it to use LDAP instead would it work in the manner I'm looking for?

jimp (Rebel Alliance Developer, Netgate)

            No, it still only does a simple bind request to test that the authentication succeeded.


alear

Could you point me in the right direction to do that? I'm fairly new to pfSense VPN and AD. I want AD users verified, not seen as a guest.

jimp (Rebel Alliance Developer, Netgate)

                Logging into a VPN won't log you into the domain. Two completely different tasks.


                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.