Netgate Discussion Forum

    How to configure Windows 10 -> ipsec -> freeradius/ldap -> samba4

    FisherKing

      I've spent a few days messing with this and I've gotten most of the pieces working individually, but not all together.  I'm not sure if that's because it simply isn't possible, or because I'm lacking the necessary understanding.

      Following the excellent guide (https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2), I was able to set up an IPsec VPN between a Windows 10 client and pfSense 2.3.2.  If I'm OK with authenticating against plain text passwords stored on the firewall, that's good enough.

      I then installed the freeRadius package and got it configured to authenticate against my Samba4 server via LDAP. I am able to validate this using the radtest tool and by adding a new Authentication Server under System/User Manager/Authentication server and testing with the Diagnostics / Authentication tool.

      My next step was to change the VPN / IPsec / Mobile Clients / Extended Authentication (Xauth) section to authenticate against my freeRadius authentication source, and change VPN / IPsec / Mobile Clients / Edit Phase 1 / Authentication Method from "EAP-MSChapv2" to "EAP-RADIUS".

      After restarting the IPSec service, I started FreeRADIUS (radiusd -X) from the shell so that I could monitor the auth attempt.  I configured my Windows 10 client to use Microsoft: Protected EAP (PEAP).  For testing purposes, I've disabled any certificate / server checking on the Windows client.

      Having made these changes, my Windows client will no longer authenticate.  I can see that StrongSwan is talking to the FreeRADIUS server and that none of the auth attempts being made are succeeding.

      At this point, I can't figure out if what I'm trying to do is just not possible, or if I need to change IPSec settings, or Radius settings, or Samba4 settings, or Windows client settings, or some combination of the above.  Can somebody provide insight into what I need to adjust, or how I can further diagnose things?

      Thanks.

      FreeRADIUS logs are below.

      
      rad_recv: Access-Request packet from host 127.0.0.1 port 9312, id=231, length=140
              User-Name = "TestUser"
              NAS-Port-Type = Virtual
              Service-Type = Framed-User
              NAS-Port = 1
              NAS-Port-Id = "con1"
              NAS-IP-Address = IP_Removed
              Called-Station-Id = "IP_Removed[4500]"
              Calling-Station-Id = "IP_Removed[5205]"
              EAP-Message = 0x0200000a017065746572
              NAS-Identifier = "strongSwan"
              Message-Authenticator = 0x67b4cf3e2648f4d4310dcc5b7f35a440
      # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
      +group authorize {
      ++[preprocess] = ok
      ++[chap] = noop
      ++[mschap] = noop
      ++[digest] = noop
      [suffix] No '@' in User-Name = "TestUser", skipping NULL due to config.
      ++[suffix] = noop
      [ntdomain] No '\' in User-Name = "TestUser", skipping NULL due to config.
      ++[ntdomain] = noop
      [eap] EAP packet type response id 0 length 10
      [eap] No EAP Start, assuming it's an on-going EAP conversation
      ++[eap] = updated
      ++[files] = noop
      ++policy redundant {
      [ldap] performing user authorization for TestUser
      [ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
      [ldap]  ... expanding second conditional
      [ldap]  expand: %{User-Name} -> TestUser
      [ldap]  expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) -> (sAMAccountName=TestUser)
      [ldap]  expand: cn=users,dc=TestDomain,dc=net -> cn=users,dc=TestDomain,dc=net
        [ldap] ldap_get_conn: Checking Id: 0
        [ldap] ldap_get_conn: Got Id: 0
        [ldap] performing search in cn=users,dc=TestDomain,dc=net, with filter (sAMAccountName=TestUser)
      [ldap] looking for check items in directory...
      [ldap] looking for reply items in directory...
      WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
        [ldap] ldap_release_conn: Release Id: 0
      +++[ldap] = ok
      ++} # policy redundant = ok
      rlm_counter: Entering module authorize code
      rlm_counter: Could not find Check item value pair
      ++[daily] = noop
      rlm_counter: Entering module authorize code
      rlm_counter: Could not find Check item value pair
      ++[weekly] = noop
      rlm_counter: Entering module authorize code
      rlm_counter: Could not find Check item value pair
      ++[monthly] = noop
      rlm_counter: Entering module authorize code
      rlm_counter: Could not find Check item value pair
      ++[forever] = noop
      rlm_checkval: Item Name: Calling-Station-Id, Value: IP_Removed[5205]
      rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
      ++[checkval] = notfound
      ++[expiration] = noop
      ++[logintime] = noop
      [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
      ++[pap] = noop
      +} # group authorize = updated
      Found Auth-Type = EAP
      # Executing group from file /usr/local/etc/raddb/sites-enabled/default
      +group authenticate {
      [eap] EAP Identity
      [eap] processing type md5
      rlm_eap_md5: Issuing Challenge
      ++[eap] = handled
      +} # group authenticate = handled
      Sending Access-Challenge of id 231 to 127.0.0.1 port 9312
              EAP-Message = 0x0101001604105ae5d4baf16a7c509dab031e5459c66f
              Message-Authenticator = 0x00000000000000000000000000000000
              State = 0xeb78b47ceb79b0460627db70884014f4
      Finished request 1.
      Going to the next request
      Waking up in 4.9 seconds.
      rad_recv: Access-Request packet from host 127.0.0.1 port 9312, id=232, length=154
              User-Name = "TestUser"
              NAS-Port-Type = Virtual
              Service-Type = Framed-User
              NAS-Port = 1
              NAS-Port-Id = "con1"
              NAS-IP-Address = IP_Removed
              Called-Station-Id = "IP_Removed[4500]"
              Calling-Station-Id = "IP_Removed[5205]"
              EAP-Message = 0x020100060319
              NAS-Identifier = "strongSwan"
              State = 0xeb78b47ceb79b0460627db70884014f4
              Message-Authenticator = 0x722d1fb10f2c9da44fcb479cb0c60bd6
      # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
      +group authorize {
      ++[preprocess] = ok
      ++[chap] = noop
      ++[mschap] = noop
      ++[digest] = noop
      [suffix] No '@' in User-Name = "TestUser", skipping NULL due to config.
      ++[suffix] = noop
      [ntdomain] No '\' in User-Name = "TestUser", skipping NULL due to config.
      ++[ntdomain] = noop
      [eap] EAP packet type response id 1 length 6
      [eap] No EAP Start, assuming it's an on-going EAP conversation
      ++[eap] = updated
      ++[files] = noop
      ++policy redundant {
      [ldap] performing user authorization for TestUser
      [ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
      [ldap]  ... expanding second conditional
      [ldap]  expand: %{User-Name} -> TestUser
      [ldap]  expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) -> (sAMAccountName=TestUser)
      [ldap]  expand: cn=users,dc=TestDomain,dc=net -> cn=users,dc=TestDomain,dc=net
        [ldap] ldap_get_conn: Checking Id: 0
        [ldap] ldap_get_conn: Got Id: 0
        [ldap] performing search in cn=users,dc=TestDomain,dc=net, with filter (sAMAccountName=TestUser)
      [ldap] looking for check items in directory...
      [ldap] looking for reply items in directory...
      WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
        [ldap] ldap_release_conn: Release Id: 0
      +++[ldap] = ok
      ++} # policy redundant = ok
      rlm_counter: Entering module authorize code
      rlm_counter: Could not find Check item value pair
      ++[daily] = noop
      rlm_counter: Entering module authorize code
      rlm_counter: Could not find Check item value pair
      ++[weekly] = noop
      rlm_counter: Entering module authorize code
      rlm_counter: Could not find Check item value pair
      ++[monthly] = noop
      rlm_counter: Entering module authorize code
      rlm_counter: Could not find Check item value pair
      ++[forever] = noop
      rlm_checkval: Item Name: Calling-Station-Id, Value: IP_Removed[5205]
      rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
      ++[checkval] = notfound
      ++[expiration] = noop
      ++[logintime] = noop
      [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
      ++[pap] = noop
      +} # group authorize = updated
      Found Auth-Type = EAP
      # Executing group from file /usr/local/etc/raddb/sites-enabled/default
      +group authenticate {
      [eap] Request found, released from the list
      [eap] EAP NAK
      [eap] EAP-NAK asked for EAP-Type/peap
      [eap] processing type tls
      [tls] Initiate
      [tls] Start returned 1
      ++[eap] = handled
      +} # group authenticate = handled
      Sending Access-Challenge of id 232 to 127.0.0.1 port 9312
              EAP-Message = 0x010200061920
              Message-Authenticator = 0x00000000000000000000000000000000
              State = 0xeb78b47cea7aad460627db70884014f4
      Finished request 2.
      Going to the next request
      Waking up in 4.9 seconds.
      rad_recv: Access-Request packet from host 127.0.0.1 port 9312, id=233, length=330
              User-Name = "TestUser"
              NAS-Port-Type = Virtual
              Service-Type = Framed-User
              NAS-Port = 1
              NAS-Port-Id = "con1"
              NAS-IP-Address = IP_Removed
              Called-Station-Id = "IP_Removed[4500]"
              Calling-Station-Id = "IP_Removed[5205]"
              EAP-Message = 0x020200b61980000000ac16030300a7010000a3030357b4dc78407bc5ba6bbc4d071dd2496862c0382a2a98bfd51de17792084c11fe00003cc02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c01300390033009d009c003d003c0035002f000a006a0040003800320013000500040100003e000500050100000000000a0006000400170018000b00020100000d001400120401050102010403050302030202060106030023000000170000ff01000100
              NAS-Identifier = "strongSwan"
              State = 0xeb78b47cea7aad460627db70884014f4
              Message-Authenticator = 0x34580bb6d0e426bad60229ec572b92f4
      # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
      +group authorize {
      ++[preprocess] = ok
      ++[chap] = noop
      ++[mschap] = noop
      ++[digest] = noop
      [suffix] No '@' in User-Name = "TestUser", skipping NULL due to config.
      ++[suffix] = noop
      [ntdomain] No '\' in User-Name = "TestUser", skipping NULL due to config.
      ++[ntdomain] = noop
      [eap] EAP packet type response id 2 length 182
      [eap] Continuing tunnel setup.
      ++[eap] = ok
      +} # group authorize = ok
      Found Auth-Type = EAP
      # Executing group from file /usr/local/etc/raddb/sites-enabled/default
      +group authenticate {
      [eap] Request found, released from the list
      [eap] EAP/peap
      [eap] processing type peap
      [peap] processing EAP-TLS
        TLS Length 172
      [peap] Length Included
      [peap] eaptls_verify returned 11
      [peap]     (other): before/accept initialization
      [peap]     TLS_accept: before/accept initialization
      [peap] <<< Unknown TLS version [length 00a7]
      [peap]     TLS_accept: SSLv3 read client hello A
      [peap] >>> Unknown TLS version [length 0039]
      [peap]     TLS_accept: SSLv3 write server hello A
      [peap] >>> Unknown TLS version [length 08d0]
      [peap]     TLS_accept: SSLv3 write certificate A
      [peap] >>> Unknown TLS version [length 014d]
      [peap]     TLS_accept: SSLv3 write key exchange A
      [peap] >>> Unknown TLS version [length 0004]
      [peap]     TLS_accept: SSLv3 write server done A
      [peap]     TLS_accept: SSLv3 flush data
      [peap]     TLS_accept: Need to read more data: SSLv3 read client certificate A
      [peap]     TLS_accept: Need to read more data: SSLv3 read client certificate A
      In SSL Handshake Phase
      In SSL Accept mode
      [peap] eaptls_process returned 13
      [peap] EAPTLS_HANDLED
      ++[eap] = handled
      +} # group authenticate = handled
      Sending Access-Challenge of id 233 to 127.0.0.1 port 9312
              EAP-Message = 0x29a0278625687474703a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e63726c300d06092a864886f70d01010b05000382010100303e3eb4de9a6f0c492db62dfab6e18a675dc7704328e96ae538da7c3eed3c3f9781055dcb81ffdd3260a249e345a7f7f7e2eaa463aced976f51f6052a87a1db994b44d0707e71290e2748dbe502ed9db68e18fdf249c97d9647b86cab3e7646970f3b17e5c5e4512c4c62b173859238b0a1808b7f52183d701c43403efb0d8484c6e5a6f081996ac31b28fd8862c97c8beedbcf3241140c1ab03cdfe90f4ddbb8186f258dea0808c1dc1035035452c093981f2bb271d0188cf0d565c2f693
              EAP-Message = 0xe0a3e05f8b413f52ce9ffba2
              Message-Authenticator = 0x00000000000000000000000000000000
              State = 0xeb78b47ce97bad460627db70884014f4
      Finished request 3.
      Going to the next request
      Waking up in 4.9 seconds.
      rad_recv: Access-Request packet from host 127.0.0.1 port 9312, id=234, length=154
              User-Name = "TestUser"
              NAS-Port-Type = Virtual
              Service-Type = Framed-User
              NAS-Port = 1
              NAS-Port-Id = "con1"
              NAS-IP-Address = IP_Removed
              Called-Station-Id = "IP_Removed[4500]"
              Calling-Station-Id = "IP_Removed[5205]"
              EAP-Message = 0x020300061900
              NAS-Identifier = "strongSwan"
              State = 0xeb78b47ce97bad460627db70884014f4
              Message-Authenticator = 0x7be72d92ae0aebeab57a4e51a66d7705
      # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
      +group authorize {
      ++[preprocess] = ok
      ++[chap] = noop
      ++[mschap] = noop
      ++[digest] = noop
      [suffix] No '@' in User-Name = "TestUser", skipping NULL due to config.
      ++[suffix] = noop
      [ntdomain] No '\' in User-Name = "TestUser", skipping NULL due to config.
      ++[ntdomain] = noop
      [eap] EAP packet type response id 3 length 6
      [eap] Continuing tunnel setup.
      ++[eap] = ok
      +} # group authorize = ok
      Found Auth-Type = EAP
      # Executing group from file /usr/local/etc/raddb/sites-enabled/default
      +group authenticate {
      [eap] Request found, released from the list
      [eap] EAP/peap
      [eap] processing type peap
      [peap] processing EAP-TLS
      [peap] Received TLS ACK
      [peap] ACK handshake fragment handler
      [peap] eaptls_verify returned 1
      [peap] eaptls_process returned 13
      [peap] EAPTLS_HANDLED
      ++[eap] = handled
      +} # group authenticate = handled
      Sending Access-Challenge of id 234 to 127.0.0.1 port 9312
              EAP-Message = 0x170d3136303831323232353131325a170d3137303831323232353131325a308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d3126302406035504030c1d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100be3bb728409915dbd51039e0f3db0b8f733a97ab215977671b95e113475b77a909e579946abcb214
              EAP-Message = 0x2e6578616d706c65
              Message-Authenticator = 0x00000000000000000000000000000000
              State = 0xeb78b47ce87cad460627db70884014f4
      Finished request 4.
      Going to the next request
      Waking up in 4.9 seconds.
      rad_recv: Access-Request packet from host 127.0.0.1 port 9312, id=235, length=154
              User-Name = "TestUser"
              NAS-Port-Type = Virtual
              Service-Type = Framed-User
              NAS-Port = 1
              NAS-Port-Id = "con1"
              NAS-IP-Address = IP_Removed
              Called-Station-Id = "IP_Removed[4500]"
              Calling-Station-Id = "IP_Removed[5205]"
              EAP-Message = 0x020400061900
              NAS-Identifier = "strongSwan"
              State = 0xeb78b47ce87cad460627db70884014f4
              Message-Authenticator = 0x8898dca0e4c57984409c6552f4df211c
      # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
      +group authorize {
      ++[preprocess] = ok
      ++[chap] = noop
      ++[mschap] = noop
      ++[digest] = noop
      [suffix] No '@' in User-Name = "TestUser", skipping NULL due to config.
      ++[suffix] = noop
      [ntdomain] No '\' in User-Name = "TestUser", skipping NULL due to config.
      ++[ntdomain] = noop
      [eap] EAP packet type response id 4 length 6
      [eap] Continuing tunnel setup.
      ++[eap] = ok
      +} # group authorize = ok
      Found Auth-Type = EAP
      # Executing group from file /usr/local/etc/raddb/sites-enabled/default
      +group authenticate {
      [eap] Request found, released from the list
      [eap] EAP/peap
      [eap] processing type peap
      [peap] processing EAP-TLS
      [peap] Received TLS ACK
      [peap] ACK handshake fragment handler
      [peap] eaptls_verify returned 1
      [peap] eaptls_process returned 13
      [peap] EAPTLS_HANDLED
      ++[eap] = handled
      +} # group authenticate = handled
      Sending Access-Challenge of id 235 to 127.0.0.1 port 9312
              EAP-Message = 0x0105028819002e636f6d2f6578616d706c655f63612e63726c300d06092a864886f70d01010505000382010100b9fba2ddae79919edc86cfd1f7464421b4563bb851098b29a6382676d6195db3f3a93e53dfe558e54cfc3eba56ea625752c300ffa2c4573b7277c2676a2c7a8a136eccab50eba408e174bef608b48034aba0ffca52074097418ff271ea5cb5c66afe4a1d3e60e8910f47895e95783891cad3a3656bba1c891877866bb548ce79c4cea486227eb7af32422fbb76087f74ee98d6b171d7c54fcaf386a8035db6bbebe91b4115416f04245a07f3165c2b300c0146cb532ad12d7e5c4707e04d60aae3cba9ebce56df3bf67b48fa72445c8c
              EAP-Message = 0x56b2b2fdca71dc3f4c6bd4bd089e64fb355e9020de05a8b426be2428c4be148813ae9139bc2d54077c1d3e6b778a866a945a9bb77db30dd8ce201459dc5c61a0b1b26a40cea4f169609e8949fc53e43ffebbdbf0206581cc80165ccff36be9756dc1f7aa20caaa1906221eb3f79155afc1635b29c10093d22af50fa8db71b15f6ddd4ac7b416030300040e000000
              Message-Authenticator = 0x00000000000000000000000000000000
              State = 0xeb78b47cef7dad460627db70884014f4
      Finished request 5.
      Going to the next request
      Waking up in 4.9 seconds.
      rad_recv: Access-Request packet from host 127.0.0.1 port 9312, id=236, length=284
              User-Name = "TestUser"
              NAS-Port-Type = Virtual
              Service-Type = Framed-User
              NAS-Port = 1
              NAS-Port-Id = "con1"
              NAS-IP-Address = IP_Removed
              Called-Station-Id = "IP_Removed[4500]"
              Calling-Station-Id = "IP_Removed[5205]"
              EAP-Message = 0x0205008819800000007e16030300461000004241047757fb960bf7f99812200263aa2780883aca69ac5fcb73d9f376ef076b2c9e0a8466e42a44ef655b6a73a05d4e375972bd3f6804eb7e2df30a697fb91d6d6ad814030300010116030300280000000000000000964c30df5cecb1bb27ca583b050b22fbd67ffb96e65441fac7b6f60b256c6cde
              NAS-Identifier = "strongSwan"
              State = 0xeb78b47cef7dad460627db70884014f4
              Message-Authenticator = 0x58484ef7b4767608c12b685c356dbeb5
      # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
      +group authorize {
      ++[preprocess] = ok
      ++[chap] = noop
      ++[mschap] = noop
      ++[digest] = noop
      [suffix] No '@' in User-Name = "TestUser", skipping NULL due to config.
      ++[suffix] = noop
      [ntdomain] No '\' in User-Name = "TestUser", skipping NULL due to config.
      ++[ntdomain] = noop
      [eap] EAP packet type response id 5 length 136
      [eap] Continuing tunnel setup.
      ++[eap] = ok
      +} # group authorize = ok
      Found Auth-Type = EAP
      # Executing group from file /usr/local/etc/raddb/sites-enabled/default
      +group authenticate {
      [eap] Request found, released from the list
      [eap] EAP/peap
      [eap] processing type peap
      [peap] processing EAP-TLS
        TLS Length 126
      [peap] Length Included
      [peap] eaptls_verify returned 11
      [peap] <<< Unknown TLS version [length 0046]
      [peap]     TLS_accept: SSLv3 read client key exchange A
      [peap]     TLS_accept: SSLv3 read certificate verify A
      [peap] <<< Unknown TLS version [length 0001]
      [peap] <<< Unknown TLS version [length 0010]
      [peap]     TLS_accept: SSLv3 read finished A
      [peap] >>> Unknown TLS version [length 0001]
      [peap]     TLS_accept: SSLv3 write change cipher spec A
      [peap] >>> Unknown TLS version [length 0010]
      [peap]     TLS_accept: SSLv3 write finished A
      [peap]     TLS_accept: SSLv3 flush data
      [peap]     (other): SSL negotiation finished successfully
      SSL Connection Established
      [peap] eaptls_process returned 13
      [peap] EAPTLS_HANDLED
      ++[eap] = handled
      +} # group authenticate = handled
      Sending Access-Challenge of id 236 to 127.0.0.1 port 9312
              EAP-Message = 0x0106003919001403030001011603030028f12ba754bee30bf915504ae770ed305d665f01e6bda106b85b2dcd097f9d8040dbc28d65d81c2497
              Message-Authenticator = 0x00000000000000000000000000000000
              State = 0xeb78b47cee7ead460627db70884014f4
      Finished request 6.
      Going to the next request
      Waking up in 4.9 seconds.
      rad_recv: Access-Request packet from host 127.0.0.1 port 9312, id=237, length=154
              User-Name = "TestUser"
              NAS-Port-Type = Virtual
              Service-Type = Framed-User
              NAS-Port = 1
              NAS-Port-Id = "con1"
              NAS-IP-Address = IP_Removed
              Called-Station-Id = "IP_Removed[4500]"
              Calling-Station-Id = "IP_Removed[5205]"
              EAP-Message = 0x020600061900
              NAS-Identifier = "strongSwan"
              State = 0xeb78b47cee7ead460627db70884014f4
              Message-Authenticator = 0xc8534ef2496dc0beb58be833fadf1174
      # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
      +group authorize {
      ++[preprocess] = ok
      ++[chap] = noop
      ++[mschap] = noop
      ++[digest] = noop
      [suffix] No '@' in User-Name = "TestUser", skipping NULL due to config.
      ++[suffix] = noop
      [ntdomain] No '\' in User-Name = "TestUser", skipping NULL due to config.
      ++[ntdomain] = noop
      [eap] EAP packet type response id 6 length 6
      [eap] Continuing tunnel setup.
      ++[eap] = ok
      +} # group authorize = ok
      Found Auth-Type = EAP
      # Executing group from file /usr/local/etc/raddb/sites-enabled/default
      +group authenticate {
      [eap] Request found, released from the list
      [eap] EAP/peap
      [eap] processing type peap
      [peap] processing EAP-TLS
      [peap] Received TLS ACK
      [peap] ACK handshake is finished
      [peap] eaptls_verify returned 3
      [peap] eaptls_process returned 3
      [peap] EAPTLS_SUCCESS
      [peap] Session established.  Decoding tunneled attributes.
      [peap] Peap state TUNNEL ESTABLISHED
      ++[eap] = handled
      +} # group authenticate = handled
      Sending Access-Challenge of id 237 to 127.0.0.1 port 9312
              EAP-Message = 0x010700281900170303001df12ba754bee30bfabf55d82bb2ae79562f72483a8dc8a6b3482f8a0a9c
              Message-Authenticator = 0x00000000000000000000000000000000
              State = 0xeb78b47ced7fad460627db70884014f4
      Finished request 7.
      Going to the next request
      Waking up in 4.9 seconds.
      rad_recv: Access-Request packet from host 127.0.0.1 port 9312, id=238, length=189
              User-Name = "TestUser"
              NAS-Port-Type = Virtual
              Service-Type = Framed-User
              NAS-Port = 1
              NAS-Port-Id = "con1"
              NAS-IP-Address = IP_Removed
              Called-Station-Id = "IP_Removed[4500]"
              Calling-Station-Id = "IP_Removed[5205]"
              EAP-Message = 0x020700291900170303001e0000000000000001721f0bd90cbbacf904adb63a4d88f60f44774966589e
              NAS-Identifier = "strongSwan"
              State = 0xeb78b47ced7fad460627db70884014f4
              Message-Authenticator = 0xf0c383b0797787a613991fd552aae4b2
      # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
      +group authorize {
      ++[preprocess] = ok
      ++[chap] = noop
      ++[mschap] = noop
      ++[digest] = noop
      [suffix] No '@' in User-Name = "TestUser", skipping NULL due to config.
      ++[suffix] = noop
      [ntdomain] No '\' in User-Name = "TestUser", skipping NULL due to config.
      ++[ntdomain] = noop
      [eap] EAP packet type response id 7 length 41
      [eap] Continuing tunnel setup.
      ++[eap] = ok
      +} # group authorize = ok
      Found Auth-Type = EAP
      # Executing group from file /usr/local/etc/raddb/sites-enabled/default
      +group authenticate {
      [eap] Request found, released from the list
      [eap] EAP/peap
      [eap] processing type peap
      [peap] processing EAP-TLS
      [peap] eaptls_verify returned 7
      [peap] Done initial handshake
      [peap] eaptls_process returned 7
      [peap] EAPTLS_OK
      [peap] Session established.  Decoding tunneled attributes.
      [peap] Peap state WAITING FOR INNER IDENTITY
      [peap] Identity - TestUser
      [peap] Got inner identity 'TestUser'
      [peap] Setting default EAP type for tunneled EAP session.
      [peap] Got tunneled request
              EAP-Message = 0x0207000a017065746572
      server  {
      [peap] Setting User-Name to TestUser
      Sending tunneled request
              EAP-Message = 0x0207000a017065746572
              FreeRADIUS-Proxied-To = 127.0.0.1
              User-Name = "TestUser"
      server  {
      # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
      +group authorize {
      ++[preprocess] = ok
      ++[chap] = noop
      ++[mschap] = noop
      ++[digest] = noop
      [suffix] No '@' in User-Name = "TestUser", skipping NULL due to config.
      ++[suffix] = noop
      [ntdomain] No '\' in User-Name = "TestUser", skipping NULL due to config.
      ++[ntdomain] = noop
      [eap] EAP packet type response id 7 length 10
      [eap] No EAP Start, assuming it's an on-going EAP conversation
      ++[eap] = updated
      ++[files] = noop
      ++policy redundant {
      [ldap] performing user authorization for TestUser
      [ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
      [ldap]  ... expanding second conditional
      [ldap]  expand: %{User-Name} -> TestUser
      [ldap]  expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) -> (sAMAccountName=TestUser)
      [ldap]  expand: cn=users,dc=TestDomain,dc=net -> cn=users,dc=TestDomain,dc=net
        [ldap] ldap_get_conn: Checking Id: 0
        [ldap] ldap_get_conn: Got Id: 0
        [ldap] performing search in cn=users,dc=TestDomain,dc=net, with filter (sAMAccountName=TestUser)
      [ldap] looking for check items in directory...
      [ldap] looking for reply items in directory...
      WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
        [ldap] ldap_release_conn: Release Id: 0
      +++[ldap] = ok
      ++} # policy redundant = ok
      rlm_counter: Entering module authorize code
      rlm_counter: Could not find Check item value pair
      ++[daily] = noop
      rlm_counter: Entering module authorize code
      rlm_counter: Could not find Check item value pair
      ++[weekly] = noop
      rlm_counter: Entering module authorize code
      rlm_counter: Could not find Check item value pair
      ++[monthly] = noop
      rlm_counter: Entering module authorize code
      rlm_counter: Could not find Check item value pair
      ++[forever] = noop
      rlm_checkval: Could not find item named Calling-Station-Id in request
      rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
      ++[checkval] = notfound
      ++[expiration] = noop
      ++[logintime] = noop
      [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
      ++[pap] = noop
      +} # group authorize = updated
      Found Auth-Type = EAP
      # Executing group from file /usr/local/etc/raddb/sites-enabled/default
      +group authenticate {
      [eap] EAP Identity
      [eap] processing type mschapv2
      rlm_eap_mschapv2: Issuing Challenge
      ++[eap] = handled
      +} # group authenticate = handled
      } # server
      [peap] Got tunneled reply code 11
              EAP-Message = 0x0108001f1a0108001a10bfc631df6dee265fb599c42474e4f6157065746572
              Message-Authenticator = 0x00000000000000000000000000000000
              State = 0x2d20f6832d28ec24c59800e3c9a23387
      [peap] Got tunneled reply RADIUS code Access-Challenge
              EAP-Message = 0x0108001f1a0108001a10bfc631df6dee265fb599c42474e4f6157065746572
              Message-Authenticator = 0x00000000000000000000000000000000
              State = 0x2d20f6832d28ec24c59800e3c9a23387
      [peap] Got tunneled Access-Challenge
      ++[eap] = handled
      +} # group authenticate = handled
      Sending Access-Challenge of id 238 to 127.0.0.1 port 9312
              EAP-Message = 0x0108003e19001703030033f12ba754bee30bfbc6ad2bd0df630792fe01306fce5a37dc89e18ba89e1ee7eb53590300f868541d09311e9792638b464abcb5
              Message-Authenticator = 0x00000000000000000000000000000000
              State = 0xeb78b47cec70ad460627db70884014f4
      Finished request 8.
      Going to the next request
      Waking up in 4.9 seconds.
      rad_recv: Access-Request packet from host 127.0.0.1 port 9312, id=239, length=243
              User-Name = "TestUser"
              NAS-Port-Type = Virtual
              Service-Type = Framed-User
              NAS-Port = 1
              NAS-Port-Id = "con1"
              NAS-IP-Address = IP_Removed
              Called-Station-Id = "IP_Removed[4500]"
              Calling-Station-Id = "IP_Removed[5205]"
              EAP-Message = 0x0208005f190017030300540000000000000002da9adb4d99a9ac37134c734a1837dc50969996f4694839b6633032bb83f6403843de4854af075ccfe2869e8d6f9f419067b3783d624601c4062f79f2aea1dc20d0251ad40164c33374575e3e
              NAS-Identifier = "strongSwan"
              State = 0xeb78b47cec70ad460627db70884014f4
              Message-Authenticator = 0xc69ab484d3649ccef3a1d705adec6d6e
      # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
      +group authorize {
      ++[preprocess] = ok
      ++[chap] = noop
      ++[mschap] = noop
      ++[digest] = noop
      [suffix] No '@' in User-Name = "TestUser", skipping NULL due to config.
      ++[suffix] = noop
      [ntdomain] No '\' in User-Name = "TestUser", skipping NULL due to config.
      ++[ntdomain] = noop
      [eap] EAP packet type response id 8 length 95
      [eap] Continuing tunnel setup.
      ++[eap] = ok
      +} # group authorize = ok
      Found Auth-Type = EAP
      # Executing group from file /usr/local/etc/raddb/sites-enabled/default
      +group authenticate {
      [eap] Request found, released from the list
      [eap] EAP/peap
      [eap] processing type peap
      [peap] processing EAP-TLS
      [peap] eaptls_verify returned 7
      [peap] Done initial handshake
      [peap] eaptls_process returned 7
      [peap] EAPTLS_OK
      [peap] Session established.  Decoding tunneled attributes.
      [peap] Peap state phase2
      [peap] EAP type mschapv2
      [peap] Got tunneled request
              EAP-Message = 0x020800401a0208003b31fd1afe750dbd255cd4207670f4789029000000000000000058ab4a3f8aa93e65a81d9d826e223aef2e29cf987ca0c640007065746572
      server  {
      [peap] Setting User-Name to TestUser
      Sending tunneled request
              EAP-Message = 0x020800401a0208003b31fd1afe750dbd255cd4207670f4789029000000000000000058ab4a3f8aa93e65a81d9d826e223aef2e29cf987ca0c640007065746572
              FreeRADIUS-Proxied-To = 127.0.0.1
              User-Name = "TestUser"
              State = 0x2d20f6832d28ec24c59800e3c9a23387
      server  {
      # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
      +group authorize {
      ++[preprocess] = ok
      ++[chap] = noop
      ++[mschap] = noop
      ++[digest] = noop
      [suffix] No '@' in User-Name = "TestUser", skipping NULL due to config.
      ++[suffix] = noop
      [ntdomain] No '\' in User-Name = "TestUser", skipping NULL due to config.
      ++[ntdomain] = noop
      [eap] EAP packet type response id 8 length 64
      [eap] No EAP Start, assuming it's an on-going EAP conversation
      ++[eap] = updated
      ++[files] = noop
      ++policy redundant {
      [ldap] performing user authorization for TestUser
      [ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
      [ldap]  ... expanding second conditional
      [ldap]  expand: %{User-Name} -> TestUser
      [ldap]  expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) -> (sAMAccountName=TestUser)
      [ldap]  expand: cn=users,dc=TestDomain,dc=net -> cn=users,dc=TestDomain,dc=net
        [ldap] ldap_get_conn: Checking Id: 0
        [ldap] ldap_get_conn: Got Id: 0
        [ldap] performing search in cn=users,dc=TestDomain,dc=net, with filter (sAMAccountName=TestUser)
      [ldap] looking for check items in directory...
      [ldap] looking for reply items in directory...
      WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
        [ldap] ldap_release_conn: Release Id: 0
      +++[ldap] = ok
      ++} # policy redundant = ok
      rlm_counter: Entering module authorize code
      rlm_counter: Could not find Check item value pair
      ++[daily] = noop
      rlm_counter: Entering module authorize code
      rlm_counter: Could not find Check item value pair
      ++[weekly] = noop
      rlm_counter: Entering module authorize code
      rlm_counter: Could not find Check item value pair
      ++[monthly] = noop
      rlm_counter: Entering module authorize code
      rlm_counter: Could not find Check item value pair
      ++[forever] = noop
      rlm_checkval: Could not find item named Calling-Station-Id in request
      rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
      ++[checkval] = notfound
      ++[expiration] = noop
      ++[logintime] = noop
      [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
      ++[pap] = noop
      +} # group authorize = updated
      Found Auth-Type = EAP
      # Executing group from file /usr/local/etc/raddb/sites-enabled/default
      +group authenticate {
      [eap] Request found, released from the list
      [eap] EAP/mschapv2
      [eap] processing type mschapv2
      [mschapv2] # Executing group from file /usr/local/etc/raddb/sites-enabled/default
      [mschapv2] +group MS-CHAP {
      [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
      [mschap] No Cleartext-Password configured.  Cannot create NT-Password.
      [mschap] Creating challenge hash with username: TestUser
      [mschap] Client is using MS-CHAPv2 for TestUser, we need NT-Password
      [mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
      [mschap] FAILED: MS-CHAP2-Response is incorrect
      ++[mschap] = reject
      +} # group MS-CHAP = reject
      [eap] Freeing handler
      ++[eap] = reject
      +} # group authenticate = reject
      Failed to authenticate the user.
              expand:  ->
      Login incorrect: [TestUser] (from client localhost port 0 via TLS tunnel)
      Using Post-Auth-Type Reject
      # Executing group from file /usr/local/etc/raddb/sites-enabled/default
      +group REJECT {
      [attr_filter.access_reject]     expand: %{User-Name} -> TestUser
      attr_filter: Matched entry DEFAULT at line 11
      ++[attr_filter.access_reject] = updated
      +} # group REJECT = updated
      } # server
      [peap] Got tunneled reply code 3
              MS-CHAP-Error = "\010E=691 R=1"
              EAP-Message = 0x04080004
              Message-Authenticator = 0x00000000000000000000000000000000
      [peap] Got tunneled reply RADIUS code Access-Reject
              MS-CHAP-Error = "\010E=691 R=1"
              EAP-Message = 0x04080004
              Message-Authenticator = 0x00000000000000000000000000000000
      [peap] Tunneled authentication was rejected.
      [peap] FAILURE
      ++[eap] = handled
      +} # group authenticate = handled
      Sending Access-Challenge of id 239 to 127.0.0.1 port 9312
              EAP-Message = 0x0109002e19001703030023f12ba754bee30bfce9558a911d7a5fbf47648263b888d4c15cee4b10f4edc8a51a663d
              Message-Authenticator = 0x00000000000000000000000000000000
              State = 0xeb78b47ce371ad460627db70884014f4
      Finished request 9.
      Going to the next request
      Waking up in 4.9 seconds.
      rad_recv: Access-Request packet from host 127.0.0.1 port 9312, id=240, length=194
              User-Name = "TestUser"
              NAS-Port-Type = Virtual
              Service-Type = Framed-User
              NAS-Port = 1
              NAS-Port-Id = "con1"
              NAS-IP-Address = IP_Removed
              Called-Station-Id = "IP_Removed[4500]"
              Calling-Station-Id = "IP_Removed[5205]"
              EAP-Message = 0x0209002e1900170303002300000000000000039ee432499c84b8d278d9f29d933901b9dcd619c954063066e712d7
              NAS-Identifier = "strongSwan"
              State = 0xeb78b47ce371ad460627db70884014f4
              Message-Authenticator = 0x0cbb459bcd38df959afc8e237c088a5c
      # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
      +group authorize {
      ++[preprocess] = ok
      ++[chap] = noop
      ++[mschap] = noop
      ++[digest] = noop
      [suffix] No '@' in User-Name = "TestUser", skipping NULL due to config.
      ++[suffix] = noop
      [ntdomain] No '\' in User-Name = "TestUser", skipping NULL due to config.
      ++[ntdomain] = noop
      [eap] EAP packet type response id 9 length 46
      [eap] Continuing tunnel setup.
      ++[eap] = ok
      +} # group authorize = ok
      Found Auth-Type = EAP
      # Executing group from file /usr/local/etc/raddb/sites-enabled/default
      +group authenticate {
      [eap] Request found, released from the list
      [eap] EAP/peap
      [eap] processing type peap
      [peap] processing EAP-TLS
      [peap] eaptls_verify returned 7
      [peap] Done initial handshake
      [peap] eaptls_process returned 7
      [peap] EAPTLS_OK
      [peap] Session established.  Decoding tunneled attributes.
      [peap] Peap state send tlv failure
      [peap] Received EAP-TLV response.
      [peap]  The users session was previously rejected: returning reject (again.)
      [peap]  *** This means you need to read the PREVIOUS messages in the debug output
      [peap]  *** to find out the reason why the user was rejected.
      [peap]  *** Look for "reject" or "fail".  Those earlier messages will tell you.
      [peap]  *** what went wrong, and how to fix the problem.
      [eap] Handler failed in EAP/peap
      [eap] Failed in EAP select
      ++[eap] = invalid
      +} # group authenticate = invalid
      Failed to authenticate the user.
              expand:  ->
      Login incorrect: [TestUser] (from client localhost port 1 cli IP_Removed[5205])
      Using Post-Auth-Type Reject
      # Executing group from file /usr/local/etc/raddb/sites-enabled/default
      +group REJECT {
      [attr_filter.access_reject]     expand: %{User-Name} -> TestUser
      attr_filter: Matched entry DEFAULT at line 11
      ++[attr_filter.access_reject] = updated
      +} # group REJECT = updated
      Delaying reject of request 10 for 1 seconds
      Going to the next request
      Waking up in 0.9 seconds.
      Sending delayed reject for request 10
      Sending Access-Reject of id 240 to 127.0.0.1 port 9312
              EAP-Message = 0x04090004
              Message-Authenticator = 0x00000000000000000000000000000000
      Waking up in 3.9 seconds.
      Cleaning up request 1 ID 231 with timestamp +508
      Cleaning up request 2 ID 232 with timestamp +508
      Cleaning up request 3 ID 233 with timestamp +508
      Cleaning up request 4 ID 234 with timestamp +508
      Cleaning up request 5 ID 235 with timestamp +508
      Cleaning up request 6 ID 236 with timestamp +508
      Cleaning up request 7 ID 237 with timestamp +508
      Cleaning up request 8 ID 238 with timestamp +508
      Cleaning up request 9 ID 239 with timestamp +508
      Waking up in 1.0 seconds.
      Cleaning up request 10 ID 240 with timestamp +508
      Ready to process requests.
      
      
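The FreeRADIUS debug output above already says where to look ("Look for reject or fail" in the earlier messages). As an added example, not part of the original post, the POSIX shell script below does that mechanically on a radiusd -X capture supplied on stdin: it pulls out the first module that reported FAILED, lists the modules that returned reject, and maps the specific failure seen in this thread (rlm_mschap has no NT hash because the LDAP lookup returned no known-good password) to the remedy the thread later adopts (ntlm_auth via winbind). The sample log lines are trimmed from the output quoted above; the function names and the diagnosis strings are mine.

```shell
#!/bin/sh
# Added example (not from the forum post): mechanical triage of a radiusd -X
# capture. FreeRADIUS says "Look for reject or fail" in the earlier messages;
# these functions do exactly that on a log supplied on stdin.

# First module that reported a hard failure ("[module] FAILED: ...").
first_module_failure() {
    grep -E '^[[:space:]]*\[[a-z_0-9]+\] FAILED:' | head -n 1 | sed 's/^[[:space:]]*//'
}

# Names of the modules whose return code was "reject", in log order.
rejecting_modules() {
    grep -E '^[+]*\[[A-Za-z_.0-9]+\] = reject' \
      | sed -E 's/^[+]*\[([^]]+)\].*/\1/' \
      | tr '\n' ' ' | sed 's/ $//'
}

# Map the failure line to what it means for this setup. The first case is the
# one in the thread: AD does not hand out an NT hash over LDAP, so rlm_mschap
# has nothing to verify the MS-CHAPv2 response against; the fix the thread
# ends up with is to let rlm_mschap call ntlm_auth (winbind) instead.
diagnose() {
    case "$1" in
        *"No NT/LM-Password"*)
            echo "no NT hash for the user: AD does not expose one over LDAP; point mschap at ntlm_auth (winbind) instead of an LDAP password lookup" ;;
        *"MS-CHAP2-Response is incorrect"*)
            echo "NT hash was available but the response did not verify: wrong password or wrong domain" ;;
        *)
            echo "unclassified failure: $1" ;;
    esac
}

# Constructed sample, trimmed from the debug output quoted in the thread.
SAMPLE_LOG='WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] = reject
+} # group MS-CHAP = reject
++[eap] = reject
+} # group authenticate = reject
Login incorrect: [TestUser] (from client localhost port 0 via TLS tunnel)'

failure=$(printf '%s\n' "$SAMPLE_LOG" | first_module_failure)
echo "first failure: $failure"
echo "rejected by  : $(printf '%s\n' "$SAMPLE_LOG" | rejecting_modules)"
echo "diagnosis    : $(diagnose "$failure")"
```

Run it as `radiusd -X 2>&1 | tee radius.log` and then `first_module_failure < radius.log`; the inner-tunnel failure is the one that matters, because the outer PEAP reject that follows only repeats it.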
      • jimpJ
        jimp Rebel Alliance Developer Netgate
        last edited by

        You're unlikely to find an answer here for that. It's a failure of EAP between FreeRADIUS+LDAP<->Samba and nothing to do with pfSense.

        You'd have better luck asking on a FreeRADIUS or Samba board. It may not be possible.

        • F
          FisherKing
          last edited by

          Thanks for pointing me in the right direction Jim.  I've gotten it working.  This makes it possible to have a Windows PC authenticate over the VPN through pfSense to a Samba4 / AD controller before login using the native Windows VPN client.

          The process is as follows.

          You should already have Samba4 and FreeRadius installed on the same machine.  Samba4 should already be joined to a domain and / or configured as an AD controller.

          Validate Samba4 and give radius access

          After joining the domain, test the connection using wbinfo.

          wbinfo -a <username>%<password>

          A successful response should show something like the following:

          plaintext password authentication failed
          Could not authenticate user <username>%<password> with plaintext password
          challenge/response password authentication succeeded

          The critical part is the "challenge/response password authentication succeeded".
          The plaintext password authentication error is expected as no plain-text passwords are stored in Active Directory.

          Now attempt an NTLM authentication:

          ntlm_auth --request-nt-key --domain=<netbios domain name> --username=<username>

          You are prompted for a password, and on successful authentication, you should see this output:

          NT_STATUS_OK: Success (0x0)

          The radiusd user needs access to the winbindd_privileged directory.
          This directory is typically found at /var/lib/samba/winbindd_privileged/.
          Check to see if any group besides root has access to the directory.

          ls -lh /var/lib/samba/

          If root is the group as well as the owner, create a new group. If a group already exists, make note of the group name and skip the next two steps.

          groupadd wbpriv

          Grant access for the group to the winbindd_privileged directory.

          chown :wbpriv /var/lib/samba/winbindd_privileged

          Add the radiusd user to the group that has read access on the winbindd_privileged directory.

          usermod -a -G wbpriv radiusd

          Configuring FreeRadius

          Edit the freeradius modules/mschap file. It can typically be found at /etc/freeradius/modules/mschap or /etc/raddb/modules/mschap depending on your distribution.

          Make sure the following lines are uncommented.

          require_encryption = yes
          require_strong = yes
          ntlm_auth = "/path/to/ntlm_auth …"
          with_ntdomain_hack = yes

          Modify the ntlm_auth line to point to the location of the ntlm_auth program you used earlier to test NTLM authentication.
          ntlm_auth is often found at /usr/bin/ntlm_auth.

          Add "--domain=%{%{mschap:NT-Domain}:-MYDOMAIN}" to the ntlm_auth line (replace MYDOMAIN with the correct domain) so that it finally looks something like:

          ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-TESTDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

          Save the file.

          In the freeradius sites-available/default and sites-available/inner-tunnel, ensure mschap is enabled in the authentication section.
          Disable the files module in each of these files if you do not use any of the information in the users file, and if necessary, comment out any uncommented test users in the users.conf file.

          In the freeradius eap.conf, change default_eap_type to peap.
          Change the "ttls" section as follows to use EAP-TTLS with EAP-MSCHAPv2 as the inner method.

          default_eap_type = mschapv2
          copy_request_to_tunnel = yes
          use_tunneled_reply = no

          Create a new entry in freeradius clients.conf to allow access from pfSense.

          client pfSense_IP_HERE {
              secret = REPLACE_THIS_WITH_A_SHARED_SECRET_KEY_THAT_WILL_BE_KNOWN_BY_PFSENSE
              shortname = pfsense_firewall
              nastype = other
          }

          Change the default secret for the localhost client in clients.conf file.

          Save the file and restart the FreeRadius service.

          Validate authenticating via FreeRadius

          radtest -t mschap TestUser@domain.com Users_Password localhost 0 SecretKeyForLocalHost

          Should return
          rad_recv: Access-Accept

          Setup a new Authentication Server in pfSense.
          System > User Manager > Authentication Servers
          Click "Add"
          Give the server a name - "test-domain-radius-mschapv2"
          Type = "RADIUS"
          Hostname = ipaddress of the radius server.
          Shared Secret = THE_SHARED_SECRET_KEY_CREATED_IN_THE_FREERADIUS_CLIENTS.CONF_FILE
          Services offered = Authentication

          Click Save

          Follow the instructions found at https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2 with the following exceptions.

          Under Mobile Clients, Set User Authentication to the newly created radius authentication method.
          Under Phase 1, set the Authentication Method to EAP-MSChapv2
          Don't create any Client Pre-Shared keys

          You should now be able to connect to the pfSense VPN using the Windows native VPN client and Samba4 / AD credentials.

          Credit for various pieces of this to the following sites:
          http://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HOWTO
          https://www.eduroam.us/node/89
          https://blog.practichem.com/configuring-freeradius-for-wpa2-enterprise-with-active-directory-integration-on-ubuntu-1404/
          http://deployingradius.com/documents/configuration/active_directory.html
          http://confluence.diamond.ac.uk/display/PAAUTH/Using+Active+Directory+as+authentication+source

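The post above has three verification points that are easy to get subtly wrong: the group that owns winbindd_privileged, the set of mschap directives that must be uncommented, and the radtest result. As an added example, not code from the original post or from FreeRADIUS or Samba, the POSIX shell script below checks each of them offline against constructed samples: an `ls -ld` line for the winbind directory, a modules/mschap file as shipped next to one edited as the post describes, and a typical radtest reply. The function names, the sample files and the `wbpriv` group name (taken from the post) are assumptions; the paths are the ones the post mentions, not necessarily your distribution's.

```shell
#!/bin/sh
# Added example (not from the forum post): offline pre-flight checks for the
# three things the post has you verify before pointing pfSense at FreeRADIUS.
# Inputs are constructed samples; file paths are the ones the post mentions.

# 1. Parse one "ls -ld" line for winbindd_privileged and report which group
#    has read+search access. Prints "needs-group" when only root can use the
#    directory, the case the post fixes with groupadd / chown / usermod.
winbind_access_group() {
    set -- $1                                  # split the ls line into fields
    mode=$1; group=$4
    gperm=$(printf '%s' "$mode" | cut -c5-7)   # group permission triplet
    case "$gperm" in
        r?x) if [ "$group" = root ]; then echo needs-group; else echo "$group"; fi ;;
        *)   echo needs-group ;;
    esac
}

# 2. List the modules/mschap directives from the post that are absent or still
#    commented out. The ntlm_auth line must be active and carry both
#    --request-nt-key and the --domain= option the post adds.
mschap_missing_directives() {
    file=$1
    missing=""
    for d in require_encryption require_strong with_ntdomain_hack; do
        grep -qE "^[[:space:]]*$d[[:space:]]*=[[:space:]]*yes" "$file" || missing="$missing $d"
    done
    ntlm=$(grep -E '^[[:space:]]*ntlm_auth[[:space:]]*=' "$file" || true)
    case "$ntlm" in
        *--request-nt-key*--domain=*|*--domain=*--request-nt-key*) ;;
        *) missing="$missing ntlm_auth" ;;
    esac
    printf '%s\n' "${missing# }"
}

# 3. Turn radtest output into a verdict; the post expects "rad_recv: Access-Accept".
radtest_verdict() {
    out=$(cat)
    case "$out" in
        *Access-Accept*) echo accept ;;
        *Access-Reject*) echo reject ;;
        *)               echo unknown ;;
    esac
}

# Constructed samples: a mschap file as shipped (directives commented out) and
# one edited as the post describes, plus a typical successful radtest reply.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/mschap.bad" <<'EOF'
mschap {
#   require_encryption = yes
#   require_strong = yes
    with_ntdomain_hack = yes
#   ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
EOF
cat > "$tmp/mschap.good" <<'EOF'
mschap {
    require_encryption = yes
    require_strong = yes
    with_ntdomain_hack = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-TESTDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
EOF
RADTEST_OK='Sending Access-Request of id 42 to 127.0.0.1 port 1812
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=42, length=20'

echo "winbindd_privileged root:root   -> $(winbind_access_group 'drwxr-x--- 2 root root 4096 Jan 1 12:00 /var/lib/samba/winbindd_privileged')"
echo "winbindd_privileged root:wbpriv -> $(winbind_access_group 'drwxr-x--- 2 root wbpriv 4096 Jan 1 12:00 /var/lib/samba/winbindd_privileged')"
echo "mschap.bad  missing -> $(mschap_missing_directives "$tmp/mschap.bad")"
echo "mschap.good missing -> $(mschap_missing_directives "$tmp/mschap.good")"
echo "radtest verdict     -> $(printf '%s\n' "$RADTEST_OK" | radtest_verdict)"
```

On a real box, feed the functions live data instead of the samples: `winbind_access_group "$(ls -ld /var/lib/samba/winbindd_privileged)"`, `mschap_missing_directives /etc/raddb/modules/mschap`, and `radtest -t mschap ... | radtest_verdict`. A "needs-group" result means radiusd will not be able to reach the winbind privileged socket, so ntlm_auth from rlm_mschap fails even though the same command works for root at the shell.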
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.