No Group RADIUS Authentication with Active Directory

StonecoldServers316 · Jan 16, 2018, 8:18 PM

I've been working on resolving this issue for over a month now, but I just haven't found a working solution despite countless articles. I've followed step by step on the following article : https://community.spiceworks.com/how_to/128944-pfsense-admin-logins-via-radius-using-active-directory-accounts . And I also read this article: https://forum.pfsense.org/index.php?topic=133441.0. Every time I try authenticating using my RADIUS server, it authenticates, but doesn't provide a group membership. Here is my current configuration:

PfSense - Auth. Servers:

Main-SRV1
192.168.1.2
RADIUS
PAP
Auth. Port 1812
Acct. Port 1813
Auth. Timeout 5

PfSense - Groups:
"PfAdmin"
Scope:Remote (Tried local too)
Privileges: WebCfg - All

Windows Server 2012 R2 (RADIUS Server) :

Grant Access
Unspecified network access server
Conditions: MAIN\PfAdmin ; Client IP 10.0.3.2
Auth. Methods: PAP/SPAP
Class: PfAdmin (Tried "PfAdmin;" and "PfAdmin;PfAdmin")

It seems somewhere I ran into an issue and I can't seem to understand why. Followed multiple articles on this with the same results. Any help definitely would be appreciated!

jimp · Jan 17, 2018, 1:49 PM

Take a packet capture of the RADIUS auth exchange. Load it up in Wireshark and inspect the reply from the AD server, see if it has the Class attribute and how it looks.