Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Several issues upon 2.5.0 upgrade

    Scheduled Pinned Locked Moved General pfSense Questions
    51 Posts 7 Posters 11.0k Views 9 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • B Offline
      BossaOps @maverickws
      last edited by

      @maverickws I think he means pfsense and LDAP server use mutual certificate verification for the broken setup, but only bind credentials (both over TLS) for the functional one. That's what's broken with Cloud Identity LDAP, it uses client certificates, not credentials.

      maverickwsM 1 Reply Last reply Reply Quote 0
      • maverickwsM Offline
        maverickws @BossaOps
        last edited by

        @bossaops our LDAP server doesn't verify the client certificate, I mean many services that connect to it have self-signed certificate. Either way, that wouldn't apply to a plain auth setup, and as requested above I've disabled TLS/SSL and changed the port to 389 and tested, the issues persisted.

        B L 2 Replies Last reply Reply Quote 0
        • M Offline
          mjsengineer @maverickws
          last edited by

          @maverickws I am referring to the "Client Certificate" option under the LDAP Server Settings section of the Authentication Server configuration on pfsense (ie. System -> User Manager -> Authentication Servers).

          1 Reply Last reply Reply Quote 0
          • B Offline
            BossaOps @maverickws
            last edited by

            @maverickws It would be interesting seeing what changed inside the pfsense LDAP code, though I think the issue myself and msjengineer have is actually the local (running onthe pfsense) code not dealing with the self signed certificate properly, with what you're demonstrating very possibly this isn't the only breaking change they made.

            BTW mutual certificate verification can use self signed certificates, just like you can use self signed certificates on web servers, the verifier just needs to have a CA/intermediate certificate signed by the same CA (just like the OpenVPN client certs are signed by the pfsense CA, which is self signed).

            I actually have an stunnel proxy running here locally, as I use Cloud Identity LDAP with an IDP service that doesn't support mutual certificate verification, I will try and see if I can't get auth working via that route as a test.

            1 Reply Last reply Reply Quote 0
            • L Offline
              LucSuryo @maverickws
              last edited by

              @maverickws this finally works for me
              (PART 1)

              example values
              user => netgate
              base dn => dc=forum,dc=netgate,dc=org
              user dn => uid=netgate,ou=users,dc=forum,dc=netgate,dc=org
              so note we use uid! since ldap is use to shell to linux servers too

              on the openldap server

              • create user : netgate
              • generate password for this user
              • add to group vpn (we use memberof !!)
                (home made script)

              on the pfense
              User Manager / Authentication Servers

              Authentication Servers

              • Descriptive name => myldap
              • Type => LDAP
              • Hostname or IP address =>10.10.10.10
              • Port value => 389
              • Transport => Standard TCP
              • Peer Certificate Authority => Global Root CA List
              • Client Certificate => None
              • Protocol version => 3
              • Server Timeout => 25
              • Search scope => Entire Subtree
              • Base DN => dc=forum,dc=netgate,dc=org
              • Authentication containers => ou=users,dc=forum,dc=netgate,dc=org;ou=groups,dc=forum,dc=netgate,dc=org
              • Extended query => checked
              • Query => memberOf=cn=vpn,ou=groups,dc=forum,dc=netgate,dc=org
              • Bind credentials => <your admin dn and password>
              • User naming attribute => uid
              • Group naming attribute => cn
              • Group member attribute => memberOf
              • RFC 2307 Groups => uncheck
              • Group Object Class => groupOfNames
              • rest all unchecked!

              on the pfense
              User Manager / Settings

              • Authentication Server => myldap
                click save & test
                make sure there are no error

              on the pfense
              Diagnostics / Authentication

              • Authentication Server => myldap
              • Username => netgate
              • Password => <generated password>
                make sure there is are errors
              L 1 Reply Last reply Reply Quote 1
              • P Offline
                Polle
                last edited by

                Switched to port 389 and 'Standard TCP' - then tried authentication from the diagnostics and did a packet capture, what I see is that:

                • box contacts the LDAP server and performs a bind request using the bind credentials
                • ldap returns bindresponse success
                • box performs some search request - OUs I specified and finally the user (uid) for the user that is authenticating
                • next a bind request for the user
                • ldap again returns bindresponse success
                • and finally the box issues an unbindrequest
                  with the usual load of ACKs in between

                So all that looks pretty much OK but nevertheless it returns "The following input errors were detected: Authentication failed." ....

                1 Reply Last reply Reply Quote 1
                • L Offline
                  LucSuryo @LucSuryo
                  last edited by

                  @maverickws
                  (PART 2)

                  i generate a new CA with values that reflects our company
                  (example )

                  Name => My OpenVPN
                  ST=CA, OU=forum, O=The Netgate Forum , L=Lala City, CN=vpn-ca, C=US

                  next setup OpenVPN Server

                  • Server mode => Remote Access (SSL/TLS + User Auth)
                  • Backend for authentication => myladp + Database
                  • Protocal => UDP on IPv4 Only
                  • Device mode => tun - layer 3 Tunnel Mode
                  • Interface => WAN
                  • Local port => 7070 <--- we use not the default to port value
                  • Description OpenVPN Netgate Forum
                  • TLS Configuration => checked <--- TLS key will be generated after save
                  • TLS Key Usage Mode => TLS Authentication
                  • TLS keydir direction => use Default Direction
                  • Peer Certificate Authority => My OpenVPN
                  • DH Parameter Length => 2048
                  • ECDH Curve => Use Default
                  • Data Encryption NegotiationEnable Data Encryption Negotiation => checked
                  • Data Encryption Algorithm => <we use only the AES-256-x>
                  • Fallback Data Encryption Algorithm -> ES-256_CBC (256 bit key, 128 bit block)
                  • Auth digest algorithm => SHA256
                  • Hardware Crypto => <no hardware since we are on a VM>
                  • Certificate Depth : One (Client + Server)
                  • Strict User-CN Matching : checked (Enforce match)

                  next only the important ones
                  IPv4 Tunnel Network => <your choice, buy use a /24!)
                  IPv4 Local network(s) => 10.10.0.0/16
                  Concurrent connections => <we set it to 25 to match the vm, which has 2 core and 2gb memory>
                  Allow Compression => Decompress incoming, do not compress outgoing
                  Compression => Adaptive LZO Compression
                  Username as Common Name => checked Use the authenticated client username instead of the certificate common name (CN).

                  1 Reply Last reply Reply Quote 0
                  • maverickwsM Offline
                    maverickws
                    last edited by maverickws

                    @mjsengineer You mean the "Peer Certificate Authority" then I assume? I have no option called "Client Certificate", so I'm guessing that must be it.

                    @BossaOps right what I meant is we haven't add trust for any extra CA most of the times they just get the plain old default cert so I meant that wouldn't be the case here.

                    Edit: While I was typing this I was looking at @LucSuryo's reply and he also mentions that Client Certificate option. I don't see that in mine.

                    Is that what you meant @mjsengineer too?

                    Authentication Servers

                    I checked two pfSense running 2.5.0, none has that "Client Certificate" option.

                    I'm reviewing @LucSuryo's settings to see if I find something that'll fix this.

                    M 1 Reply Last reply Reply Quote 0
                    • maverickwsM Offline
                      maverickws
                      last edited by maverickws

                      My settings are a bit different from @LucSuryo's but what got it fixed was disabling the option RFC 2307 Groups:

                      I mean, fixed it in the sense that the Diagnostic > Authentication authenticates successfully. But then says:

                      This user is a member of groups: and it returns empty, not referring the group its a member of and set on the extended query.

                      Trying to login to the pfSense returns that error No page assigned to this user! Click here to logout. ...

                      M L 2 Replies Last reply Reply Quote 0
                      • M Offline
                        mjsengineer @maverickws
                        last edited by

                        @maverickws I have something different. I'm running 21.02 on a netgate SG-3100:

                        Screenshot_2021-03-05 pfsense png - pfsense pdf.png

                        B 1 Reply Last reply Reply Quote 0
                        • M Offline
                          mjsengineer @maverickws
                          last edited by

                          @maverickws When I unselect "LDAP Server uses RFC 2307 style group membership", the authentication check under the Diagnostics returns "authenticated successfully." My OpenVPN connection also authenticates successfully.

                          Seems that clears the problem.

                          P 1 Reply Last reply Reply Quote 0
                          • B Offline
                            BossaOps @mjsengineer
                            last edited by

                            @mjsengineer I can confirm it's always been there on netgate hardware, I started doing LDAP authentication after I purchased it so I don't know if it's exclusive to their hardware images.

                            1 Reply Last reply Reply Quote 0
                            • L Offline
                              LucSuryo @maverickws
                              last edited by

                              @maverickws

                              yes it will not return any group unless you have setup group on pfsense
                              im trying to post PART 3, but get flagged as spam :-(

                              I had the same group in pfsense as a remote group and with the same name
                              but afterward, i t was not needed

                              in part 3 is creating the a user cert for the user and then export the client configuration : mind you i use openvpn-client-export (look in packages)

                              maverickwsM 1 Reply Last reply Reply Quote 0
                              • maverickwsM Offline
                                maverickws
                                last edited by

                                I see. I don't even want to comment this new version divergence ... %$#%# ... but I guess the issue isn't there either.

                                I just wonder how much longer is it going to take for Netgate acknowledge they f***ed up something on LDAP Auth, or provide instructions to fix it. I've had RFC 2307 Groups enabled since forever, and as far as I know Red Hat IDM is RFC 2307 compliant so I'm still trying to find out why doesn't work with it enabled.
                                Also, realising this new bug of not identifying the group the user belongs to.

                                L B 2 Replies Last reply Reply Quote 0
                                • maverickwsM Offline
                                  maverickws @LucSuryo
                                  last edited by

                                  @lucsuryo looking forward for that part 3. I have the group setup at:
                                  System > User Manager > Users > Groups

                                  Group name: the same name as the group on the LDAP server
                                  Scope: Local (it was already set like that from before)
                                  Group membership: I only see the local user.

                                  L 1 Reply Last reply Reply Quote 0
                                  • L Offline
                                    LucSuryo @maverickws
                                    last edited by LucSuryo

                                    @maverickws and @mjsengineer

                                    i use both 2.5.0 on a small box and 21.02 in AWS
                                    both had the issue, but no longer

                                    if everyone get their vpn + ldap working then there is no need for me to post PART 3 then :)

                                    the only important part of the client export is

                                    • Host Name Resolution -> other
                                    • Host Name -> use a dns resolved entry for the vpn

                                    and

                                    • Legacy Client : checked, Do not include OpenVPN 2.5 settings in the client configuration.

                                    we have some user on old tunnelblick

                                    maverickwsM 1 Reply Last reply Reply Quote 0
                                    • B Offline
                                      BossaOps @maverickws
                                      last edited by

                                      @maverickws My problem isn't related to the RFC 2307 Groups unfortunately, never had it checked :(

                                      Just saw that this recipe does state "For users of pfSense factory software version 2.4.4-RELEASE-p1 or later"

                                      https://docs.netgate.com/pfsense/en/latest/recipes/auth-google-gsuite.html

                                      1 Reply Last reply Reply Quote 0
                                      • L Offline
                                        LucSuryo @maverickws
                                        last edited by

                                        @maverickws

                                        group should be remote :) since the user is not in the local database

                                        Do you need part 3? (user cert + client export)
                                        it seem the forum guard thinks I am a spammer :-(

                                        1 Reply Last reply Reply Quote 0
                                        • maverickwsM Offline
                                          maverickws @LucSuryo
                                          last edited by maverickws

                                          @LucSuryo I guess we do have different setups hehe but at least I've gotten a little further.
                                          I'm going to review the part of that article where they mention the groups, maybe that has something to do with it. Hadn't checked there either because ... well... all was working before!

                                          P.S. I've tried to make some posts before that also got flagged for spam. Sometimes still happens, never really understood why.

                                          L 1 Reply Last reply Reply Quote 0
                                          • L Offline
                                            LucSuryo @maverickws
                                            last edited by LucSuryo

                                            @maverickws

                                            same here , everything worked just fine (been using Pfsense for 7+ years)
                                            never had this issue...

                                            and i pulled my hairs for 2 days!
                                            on the group : for us it works with our without no issue

                                            this is just simple : vpn + ldap and it got broken in 2.5.0 and 21.02...

                                            we have a commercial openvn (latest version) and zero issue
                                            the one important thing pfsense is missing a built-in 2fa like the commercial openvpn...

                                            i know i need to do some reading how to get radius + google authenticator working, but that is for an other day and other beer :-)

                                            still need part 3?

                                            B 1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.