OpenVPN & AD user authentication in 2.1

peterlinuxgeek

Hi All,

Can it be done is probably my first question… Seen mixed msg on diff fora and google.

Would like to setup OpenVPN to authenticate user against an MS Active Directory...
Keep in mind, I am not a AD specialist at all - but understand the basic concepts of LDAP.

Environment =
PfSense
Version 2.1-RELEASE (i386)
built on Wed Sep 11 18:16:50 EDT 2013
FreeBSD 8.3-RELEASE-p11

When using the
Diagnostics: Authentication
via the pfSense webpage
I get a hopeful result.

User: Xxxx authenticated successfully.
This user is a member of these groups:

<there are="" no="" groups="" reported,="" but="" the="" user="" is="" member="" of="" several="" in="" ad...="">Config
System: Authentication Servers

Descriptive name AD
Type LDAP

Search scope
Level: One level
Base DN:  DC=company,DC=local

Authentication containers (3)
OU=SBSUsers,OU=Users,OU=MyBusiness,DC=company,DC=local
CN=Users,DC=company,DC=local;OU=Domain Controllers,DC=company,DC=local;
OU=MyBusiness,DC=company,DC=local

Bind credentials with user OpenVPN + password (doesn't seem to work at all when using anonymous binds)

User naming attribute samAccountName
Group naming attribute cn
Group member attribute MemberOf

VPN config

Server Mode: Remote Access (User Auth)
Backend for authentication
AD
Local Database

OpenVPN log (newest to oldest) when using a AD user.
Jan 16 19:52:33 openvpn[92746]: 183.x.y.z:57610 Peer Connection Initiated with [AF_INET]183.x.y.z:57610
Jan 16 19:52:32 openvpn[92746]: 183.x.y.z:57610 TLS Auth Error: Auth Username/Password verification failed for peer
Jan 16 19:52:31 openvpn[92746]: 183.x.y.z:57610 WARNING: Failed running command (–auth-user-pass-verify): external program exited with error status: 255
Jan 16 19:52:30 openvpn: user 'Xxxx' could not authenticate.

Connection is coming from a linux based openvpn client (command line)
but that should make a difference, I hope -
If we get this going clients will be on Android phones, Mac's, Windows PCs etc.

Any idea as to why the Diagnostics: Authentication returns a successful authentication but no groups?
Do we need a group(s) to be returned?

Any ideas as to why the authentication completely fails with OpenVPN?
We don't need AD for authentication to get into pfSense itself, only for OpenVPN...

Suggestions & recent howto's would be great.

Thanks

Peter</there>

peterlinuxgeek

Small progress

Adjusted Authentication server setup so that

Level: Entire SubTree

Authentication containers (4)

CN=Users,DC=company,DC=local;
OU=SBSUsers,OU=Users,OU=MyBusiness,DC=company,DC=local;
OU=Security Groups,OU=MyBusiness,DC=company,DC=local;
OU=Users,OU=MyBusiness,DC=company,DC=local

Now
Diagnostics: Authentication

return a group (1 not all)

User: Xxxxx authenticated successfully.
This user is a member of these groups:
Mobile Users

OpenVPN authentication (from linux based laptop…)
works if user name is in local database
but NOT when trying to use a name in the AD...

Any suggestions?

Thx

Peter