Using the FreeRADIUS package to authenticate against macOS Server Open Directory

  • Hello all,

    I'm using pfSense 2.4.4-RELEASE and would like to implement WPA2 Enterprise authentication using the FreeRADIUS package available as an add-on.

    I have a server running macOS 10.14.1 + Server package, which provides Open Directory services for user authentication.

    Now, for WiFi auth, I would like to have FreeRADIUS on pfSense reach out to my server, check the provided credentials against Open Directory, and then give users WiFi access if login succeeds.

    Unfortunately, I'm not sure how to pull this off just yet.

    First of all, I've read in a couple of places that FreeRADIUS has native support for Open Directory backends, but I cannot find this anywhere in the web UI for the package.
    Is this simply not available in the pfSense version, or would I need to manually edit the config file in order to make it work?

    There's also the possibility of using LDAP instead of Open Directory authentication.

    I was actually able to set up the macOS server as an authentication server in pfSense, so I can now log in to the webConfigurator using the accounts stored in LDAP.

    I could probably get the same thing to work for RADIUS, but the RADIUS LDAP config expects a number of fields to be present in the LDAP directory that correspond specifically to RADIUS access permissions, which I do not have configured on the server.

    Is there an easy workaround for this at all?

    I'm really not looking for super granular user management here; this is a small deployment and I just want any user that exists in Open Directory / LDAP to be able to authenticate, without applying any restrictions based on user or group.

    Thanks for any advice, greatly appreciated!