OpenVPN & AD user authentication in 2.1
-
Hi All,
Can it be done is probably my first question… Seen mixed msg on diff fora and google.
Would like to setup OpenVPN to authenticate user against an MS Active Directory...
Keep in mind, I am not an AD specialist at all - but understand the basic concepts of LDAP.

Environment =
PfSense
Version 2.1-RELEASE (i386)
built on Wed Sep 11 18:16:50 EDT 2013
FreeBSD 8.3-RELEASE-p11

When using the Diagnostics: Authentication via the pfSense webpage I get a hopeful result.

User: Xxxx authenticated successfully.
This user is a member of these groups: <there are no groups reported, but the user is member of several in AD...>

Config
System: Authentication Servers
Descriptive name AD
Type LDAP
Search scope
Level: One level
Base DN: DC=company,DC=local
Authentication containers (3)
OU=SBSUsers,OU=Users,OU=MyBusiness,DC=company,DC=local
CN=Users,DC=company,DC=local;OU=Domain Controllers,DC=company,DC=local;
OU=MyBusiness,DC=company,DC=local
Bind credentials with user OpenVPN + password (doesn't seem to work at all when using anonymous binds)
User naming attribute samAccountName
Group naming attribute cn
Group member attribute MemberOf

VPN config
Server Mode: Remote Access (User Auth)
Backend for authentication
AD
Local Database

OpenVPN log (newest to oldest) when using an AD user.
Jan 16 19:52:33 openvpn[92746]: 183.x.y.z:57610 Peer Connection Initiated with [AF_INET]183.x.y.z:57610
Jan 16 19:52:32 openvpn[92746]: 183.x.y.z:57610 TLS Auth Error: Auth Username/Password verification failed for peer
Jan 16 19:52:31 openvpn[92746]: 183.x.y.z:57610 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 255
Jan 16 19:52:30 openvpn: user 'Xxxx' could not authenticate.

Connection is coming from a linux based openvpn client (command line)
but that should make a difference, I hope -
If we get this going clients will be on Android phones, Mac's, Windows PCs etc.

Any idea as to why the Diagnostics: Authentication returns a successful authentication but no groups?
Do we need a group(s) to be returned?
Any ideas as to why the authentication completely fails with OpenVPN?
We don't need AD for authentication to get into pfSense itself, only for OpenVPN...
Suggestions & recent howto's would be great.
Thanks
Peter
-
Small progress
Adjusted Authentication server setup so that
Level: Entire SubTree
Authentication containers (4)
CN=Users,DC=company,DC=local;
OU=SBSUsers,OU=Users,OU=MyBusiness,DC=company,DC=local;
OU=Security Groups,OU=MyBusiness,DC=company,DC=local;
OU=Users,OU=MyBusiness,DC=company,DC=local

Now Diagnostics: Authentication returns a group (1, not all)
User: Xxxxx authenticated successfully.
This user is a member of these groups:
Mobile Users

OpenVPN authentication (from linux based laptop…)
works if user name is in local database
but NOT when trying to use a name in the AD...

Any suggestions?
Thx
Peter
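To see how the search scope (One level versus Entire SubTree) and the container lists from the two posts above decide which user and group entries a lookup can reach, here is an added Python model; it is not pfSense or OpenVPN code, the directory entries are constructed, and its rule that a group outside every container goes unreported is an assumption of the model, not something the posts establish.

```python
# Added example (not pfSense or OpenVPN code): a model of how LDAP search scope and
# the "Authentication containers" list decide which entries a search can see.
# The directory entries are constructed; only the DNs follow the post.

def parse_dn(dn):
    # Split a DN into its RDNs, normalised for comparison (no escape handling).
    return [rdn.strip().lower() for rdn in dn.split(",")]

def in_scope(entry_dn, container_dn, scope):
    # True if a search based at container_dn with this scope would return entry_dn.
    entry, base = parse_dn(entry_dn), parse_dn(container_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False                    # entry is not inside this container at all
    depth = len(entry) - len(base)      # 0 = the base itself, 1 = direct child, ...
    return {"base": depth == 0, "onelevel": depth == 1, "subtree": True}[scope]

# Constructed entries: one user in OU=SBSUsers and two groups in different OUs.
USER_DN = "CN=Xxxx,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=company,DC=local"
ENTRIES = {USER_DN: {
    "sAMAccountName": "Xxxx",
    "memberOf": ["CN=Mobile Users,OU=Security Groups,OU=MyBusiness,DC=company,DC=local",
                 "CN=VPN Users,OU=Distribution Groups,OU=MyBusiness,DC=company,DC=local"],
}}

def find_user(sam, containers, scope):
    # DN of the entry whose sAMAccountName matches and that lies in some container.
    for dn, attrs in ENTRIES.items():
        if attrs.get("sAMAccountName", "").lower() == sam.lower():
            if any(in_scope(dn, c, scope) for c in containers):
                return dn
    return None

def visible_groups(user_dn, containers, scope):
    # CNs from memberOf whose group DN is inside a container at this scope.
    # Assumption of this model: groups outside every container are not reported.
    names = []
    for gdn in ENTRIES[user_dn]["memberOf"]:
        if any(in_scope(gdn, c, scope) for c in containers):
            names.append(gdn.split(",", 1)[0].split("=", 1)[1])
    return names

# The post's first configuration (Level: One level) and the adjusted one (Entire SubTree).
FIRST = ["OU=SBSUsers,OU=Users,OU=MyBusiness,DC=company,DC=local",
         "CN=Users,DC=company,DC=local", "OU=Domain Controllers,DC=company,DC=local",
         "OU=MyBusiness,DC=company,DC=local"]
SECOND = ["CN=Users,DC=company,DC=local",
          "OU=SBSUsers,OU=Users,OU=MyBusiness,DC=company,DC=local",
          "OU=Security Groups,OU=MyBusiness,DC=company,DC=local",
          "OU=Users,OU=MyBusiness,DC=company,DC=local"]
```

With the first list and One level the constructed user is found but neither group DN sits one level below any container, so no groups come back; with the adjusted list and Entire SubTree only the group under OU=Security Groups is reachable.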