Netgate Discussion Forum
    IKEv2 and Active Directory

    Category: IPsec
    20 Posts, 6 Posters, 14.1k Views
    ibauersachs

      I need this too and hacked around in the project. Can someone please test the patches before I submit pull requests?

      For the 2.2 release:
      https://github.com/ibauersachs/pfsense/tree/ipsec-mobile-eap-radius_2-2
      https://github.com/ibauersachs/pfsense/commit/1aa6a7685020ad179d7b612200f6edfa87b6152a

      Based on the master development branch:
      https://github.com/ibauersachs/pfsense/tree/ipsec-mobile-eap-radius
      https://github.com/ibauersachs/pfsense/commit/4a47c6f8a744c69936742e4f222d721fac51ef99

      You can "install" the files from these commits by logging in via SSH and using fetch to overwrite the local files, e.g. for 2.2:

      ```sh
      cd /etc/inc
      fetch https://github.com/ibauersachs/pfsense/raw/1aa6a7685020ad179d7b612200f6edfa87b6152a/etc/inc/ipsec.inc
      ```
      johnsonp

        Thanks so much for this ibauersachs

        I've successfully applied the patch on top of 2.2.1, and I can see the EAP-RADIUS option and pre-shared key fields. I hope to find some time later today to test if this works for us - I'll post back the results as soon as I can.

        Thanks again!
        Peter

        eri--

          This should work already in pfSense.
          An external script is executed to perform authentication by pfSense tools.

          Granted accounting is still not implemented by that.

          I will analyse the pull request as well, as noted on redmine: https://redmine.pfsense.org/issues/4614

          @ibauersachs,

          can you submit a pull request for this and sign the contributor agreement?
          Mention the redmine in your pull request.

          ibauersachs

            I couldn't get RADIUS to work with the external script and the Windows IKEv2 client. As far as I can tell this cannot work because the script relies on the cleartext username/password, which Windows doesn't provide with the MSCHAP authentication.

            Pull requests:
            Master: https://github.com/pfsense/pfsense/pull/1612
            RelEng 2.2: https://github.com/pfsense/pfsense/pull/1613

            (Those are rebased on today's commits, so the commit-links of my previous post are no longer valid)

            I've already signed the CLA.

            ltctech

              Can you add in "secondary" radius server support, not just "primary". It would be great to have redundancy in case an NPS server has to be taken down for maintenance. Thanks.

              eri--

                It normally should allow for multi selection like all other places.

                ltctech

                  @ermal:

                  It normally should allow for multi selection like all other places.

                  It allows you to select multiple radius servers in mobile clients tab. Problem is that it doesn't actually properly write strongSwan.conf then. Instead of properly populating the radius attr section with primary and secondary, it sticks their names into x-auth generic which will not work.

                  jimp (Rebel Alliance Developer, Netgate)

                    @ltctech:

                    @ermal:

                    It normally should allow for multi selection like all other places.

                    It allows you to select multiple radius servers in mobile clients tab. Problem is that it doesn't actually properly write strongSwan.conf then. Instead of properly populating the radius attr section with primary and secondary, it sticks their names into x-auth generic which will not work.

                    This should be fixed on 2.3, it didn't make 2.2.5.

                    ltctech

                      @jimp:

                      @ltctech:

                      @ermal:

                      It normally should allow for multi selection like all other places.

                      It allows you to select multiple radius servers in mobile clients tab. Problem is that it doesn't actually properly write strongSwan.conf then. Instead of properly populating the radius attr section with primary and secondary, it sticks their names into x-auth generic which will not work.

                      This should be fixed on 2.3, it didn't make 2.2.5.

                      I now see that it was fixed, the issue didn't mention the multiple server problem though:
                      https://redmine.pfsense.org/issues/5219
                      https://redmine.pfsense.org/projects/pfsense/repository/revisions/6684d5944eacf4dbd717edba9d82c30001b5bc3b/diff/src/etc/inc/vpn.inc

                      Are there any plans to support "preference" of these servers? Thanks.

                      jimp (Rebel Alliance Developer, Netgate)

                        Not currently, though if you make sure to add the one you want to prefer to the user manager servers first it would be preferred. It will go from the top down the list.

                        ltctech

                          @jimp:

                          Not currently, though if you make sure to add the one you want to prefer to the user manager servers first it would be preferred. It will go from the top down the list.

                          Didn't know that, if that's the case that's good enough.

                          ibauersachs

                            @ltctech Allowing to select multiple servers for your use case (load balancing, high availability) could be easily implemented because strongSwan can do that already. I opted against allowing multi-selection in April because in my understanding multiple defined servers would mean asking each of them in turn, which is what the xauth-generic script does. So the selection there would have been ambiguous.

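For readers following the thread, this is an added illustration (not pfSense's generated output and not code from any poster) of the strongswan.conf eap-radius `servers` section the posts refer to, with a primary and a secondary RADIUS server and strongSwan's own per-server `preference` setting, which the pfSense GUI of the time did not expose. Server names, addresses and the shared secret are placeholders.

```conf
# Added example: strongswan.conf excerpt for the eap-radius plugin with two
# RADIUS servers. Names, addresses and the secret are placeholders.
charon {
    plugins {
        eap-radius {
            # The EAP exchange (e.g. MSCHAPv2 from the Windows IKEv2 client) is
            # relayed to RADIUS, so the firewall never needs the cleartext
            # password that the xauth-generic script path would require.
            servers {
                primary {
                    address = 192.0.2.10          # placeholder RADIUS/NPS server
                    secret = CHANGE-ME-SECRET     # placeholder shared secret
                    auth_port = 1812
                    acct_port = 1813
                    # Higher value = preferred when several servers are configured.
                    preference = 10
                }
                secondary {
                    address = 192.0.2.11
                    secret = CHANGE-ME-SECRET
                    auth_port = 1812
                    acct_port = 1813
                    preference = 5
                }
            }
            # RADIUS accounting is provided by the plugin; the script-based
            # authentication discussed above does not offer it.
            accounting = yes
        }
    }
}
```

Because this file carries the RADIUS shared secrets, keep it readable by root only (pfSense generates it under /var/etc/ipsec on the firewall itself), and confirm with `ipsec statusall` or the charon log that both servers were loaded after a config reload.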