Netgate Discussion Forum

    OpenVPN & AD user authentication in 2.1

    General pfSense Questions
    2 Posts 1 Posters 3.0k Views
    peterlinuxgeek

      Hi All,

      Can it be done? That is probably my first question… I have seen mixed messages on different fora and Google.

      Would like to setup OpenVPN to authenticate user against an MS Active Directory...
      Keep in mind, I am not an AD specialist at all - but I understand the basic concepts of LDAP.

      Environment =
      PfSense
      Version 2.1-RELEASE (i386)
      built on Wed Sep 11 18:16:50 EDT 2013
      FreeBSD 8.3-RELEASE-p11

      When using Diagnostics: Authentication via the pfSense webpage, I get a hopeful result.

      User: Xxxx authenticated successfully.
      This user is a member of these groups:

      (there are no groups reported, but the user is a member of several in AD...)

      Config
      System: Authentication Servers

      Descriptive name AD
      Type LDAP

      Search scope
      Level: One level
      Base DN:  DC=company,DC=local

      Authentication containers (3)
      OU=SBSUsers,OU=Users,OU=MyBusiness,DC=company,DC=local
      CN=Users,DC=company,DC=local;OU=Domain Controllers,DC=company,DC=local;
      OU=MyBusiness,DC=company,DC=local

      Bind credentials with user OpenVPN + password (doesn't seem to work at all when using anonymous binds)

      User naming attribute samAccountName
      Group naming attribute cn
      Group member attribute MemberOf

      VPN config

      Server Mode: Remote Access (User Auth)
      Backend for authentication
      AD
      Local Database

      OpenVPN log (newest to oldest) when using an AD user.
      Jan 16 19:52:33 openvpn[92746]: 183.x.y.z:57610 Peer Connection Initiated with [AF_INET]183.x.y.z:57610
      Jan 16 19:52:32 openvpn[92746]: 183.x.y.z:57610 TLS Auth Error: Auth Username/Password verification failed for peer
      Jan 16 19:52:31 openvpn[92746]: 183.x.y.z:57610 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 255
      Jan 16 19:52:30 openvpn: user 'Xxxx' could not authenticate.

      The connection is coming from a Linux-based OpenVPN client (command line),
      but that should make a difference, I hope -
      If we get this going, clients will be on Android phones, Macs, Windows PCs etc.

      Any idea as to why the Diagnostics: Authentication returns a successful authentication but no groups?
      Do we need a group(s) to be returned?

      Any ideas as to why the authentication completely fails with OpenVPN?
      We don't need AD for authentication to get into pfSense itself, only for OpenVPN...

      Suggestions & recent howto's would be great.

      Thanks

      Peter

      peterlinuxgeek

        Small progress

        Adjusted the Authentication server setup so that

        Level: Entire SubTree

        Authentication containers (4)

        CN=Users,DC=company,DC=local;
        OU=SBSUsers,OU=Users,OU=MyBusiness,DC=company,DC=local;
        OU=Security Groups,OU=MyBusiness,DC=company,DC=local;
        OU=Users,OU=MyBusiness,DC=company,DC=local

        Now
        Diagnostics: Authentication

        returns a group (1, not all)

        User: Xxxxx authenticated successfully.
        This user is a member of these groups:
        Mobile Users

        OpenVPN authentication (from a Linux-based laptop…)
        works if user name is in local database
        but NOT when trying to use a name in the AD...

        Any suggestions?

        Thx

        Peter

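The two posts differ in search scope (One level versus Entire SubTree) and in which containers are listed, and the number of groups reported changes between them. The following is an added example, not code from the thread or from pfSense: it models plain LDAP search-scope semantics over a constructed directory laid out like the one described in the posts. It parses DNs (including escaped commas), decides which entries a one-level or subtree search from each authentication container would return, and reduces memberOf values to bare group names via the cn RDN, which is what "Group naming attribute cn" plus "Group member attribute MemberOf" amounts to. Two assumptions are labelled in the code: that pfSense's "One level" and "Entire Subtree" correspond to the LDAP onelevel and subtree scopes, and that only groups located inside a configured container are reported, which is a hypothesis consistent with the change between the two posts and not a statement about pfSense's implementation. The user, group and container names are taken from the posts; the group "Staff, Remote" and the directory contents are constructed.

```python
# Added example, not pfSense code: LDAP search scope, DN parsing and memberOf
# handling, modelled over a constructed directory shaped like the one above.
from __future__ import annotations


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split an RFC 4514 DN into [(attr, value), ...], leftmost RDN first.
    Honours backslash escapes ('CN=Smith\\, John'); attribute names are
    lower-cased because LDAP attribute names are case-insensitive."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character: keep literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":                         # unescaped comma ends this RDN
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    return [(a.strip().lower(), v.strip())
            for a, _, v in (rdn.partition("=") for rdn in rdns)]


def in_scope(entry_dn: str, base_dn: str, scope: str) -> bool:
    """LDAP scopes (RFC 4511): 'one' = direct children of the base only, 'sub'
    = the base and everything beneath it. Assumption: pfSense's 'One level' and
    'Entire Subtree' correspond to these. AD compares DNs case-insensitively."""
    if scope not in ("one", "sub"):
        raise ValueError(f"unknown scope {scope!r}")
    entry = [(a, v.casefold()) for a, v in parse_dn(entry_dn)]
    base = [(a, v.casefold()) for a, v in parse_dn(base_dn)]
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False                          # not under this base at all
    depth = len(entry) - len(base)
    return depth == 1 if scope == "one" else True


def find_user(directory: dict, username: str, containers: list[str],
              scope: str, name_attr: str = "samaccountname") -> str | None:
    """Search each authentication container in turn for the entry whose naming
    attribute equals username; return its DN, or None if no container holds it."""
    for base in containers:
        for dn, attrs in directory.items():
            if (in_scope(dn, base, scope)
                    and attrs.get(name_attr, "").casefold() == username.casefold()):
                return dn
    return None


def group_names(member_of: list[str], containers: list[str], scope: str,
                group_attr: str = "cn") -> list[str]:
    """Reduce memberOf DNs to bare names via the group naming attribute (the
    leading RDN). Hypothesis, not pfSense's documented behaviour: only groups
    that themselves sit inside a configured container get reported."""
    names = []
    for dn in member_of:
        attr, value = parse_dn(dn)[0]
        if attr == group_attr and any(in_scope(dn, c, scope) for c in containers):
            names.append(value)
    return names


# Constructed directory (not real data). In AD, memberOf lists direct
# memberships only and the primary group (Domain Users by default) lives in
# primaryGroupID, so nested groups and the primary group never appear here.
DIRECTORY = {
    "CN=Xxxx,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=company,DC=local": {
        "samaccountname": "Xxxx",
        "memberof": [
            "CN=Mobile Users,OU=Security Groups,OU=MyBusiness,DC=company,DC=local",
            "CN=Staff\\, Remote,OU=Distribution Groups,OU=MyBusiness,DC=company,DC=local",
        ],
    },
}

# Scope and authentication containers as listed in the first and second posts.
FIRST_POST = ("one", ["OU=SBSUsers,OU=Users,OU=MyBusiness,DC=company,DC=local",
                      "CN=Users,DC=company,DC=local",
                      "OU=Domain Controllers,DC=company,DC=local",
                      "OU=MyBusiness,DC=company,DC=local"])
SECOND_POST = ("sub", ["CN=Users,DC=company,DC=local",
                       "OU=SBSUsers,OU=Users,OU=MyBusiness,DC=company,DC=local",
                       "OU=Security Groups,OU=MyBusiness,DC=company,DC=local",
                       "OU=Users,OU=MyBusiness,DC=company,DC=local"])


def diagnose(username: str, scope: str,
             containers: list[str]) -> tuple[str | None, list[str]]:
    """What Diagnostics: Authentication would show: (user DN or None, groups)."""
    dn = find_user(DIRECTORY, username, containers, scope)
    if dn is None:
        return None, []
    return dn, group_names(DIRECTORY[dn]["memberof"], containers, scope)
```

Calling `diagnose("xxxx", *FIRST_POST)` returns the user's DN with an empty group list, and `diagnose("xxxx", *SECOND_POST)` returns the same DN with `["Mobile Users"]`: the user is found under OU=SBSUsers with either scope, while "Mobile Users" only counts once OU=Security Groups is a container, and the group under OU=Distribution Groups is never reached by either list. With only OU=MyBusiness as a container and One level, the user is not found at all, since it sits three levels below. When a group is missing from memberOf regardless of scope, remember that the account's primary group is recorded in primaryGroupID rather than memberOf, and that memberOf lists direct memberships only, so groups reached through nesting do not appear.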