FreeRADIUS LDAP WPA Enterprise?



  • Hi,
    I was wondering if someone could shed some light on what I'm trying to do. I currently have pfSense 2.3.5 running FreeRADIUS, with a UniFi AP-AC-LR. On the UniFi I created a RADIUS profile pointing at the pfSense box. On pfSense I created an LDAP config for the RADIUS server. The idea is that when a user connects to the WiFi it automatically connects if the user is in Active Directory, and if not it won't connect. Currently this is my LDAP config on pfSense.
    I somewhat think I have the base filter wrong.

    Thank you

    /usr/local/etc/raddb/mods-enabled/ldap
    ldap {
    	# LDAP server and the account FreeRADIUS binds with to search
    	server = "192.168.3.253"
    	port = "389"
    	identity = "CN=administrator,CN=Users,DC=casa,DC=local"
    	password = 'mypassword'
    	base_dn = "DC=casa,DC=local"
    
    	# how a RADIUS User-Name is mapped to an LDAP entry
    	user {
    		base_dn = "${..base_dn}"
    		filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    		### access_attr = "dialupAccess" ###
    	}
    	# group lookups (not used yet, everything below is commented out)
    	group {
    		base_dn = "${..base_dn}"
    		filter = '(objectClass=posixGroup)'
    		### name_attribute = cn ###
    		### membership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))" ###
    		### membership_attribute = radiusGroupName ###
    		### compare_check_items = yes ###
    		### do_xlat = yes ###
    		### access_attr_used_for_allow = yes ###
    	}
    	profile {
    		filter = "(&(objectclass=person)(uid=%s))"
    		### default_profile = "cn=radprofile,ou=dialup,o=My Company Ltd,c=US" ###
    		### profile_attribute = "radiusProfileDn" ###
    	}
    }	# closing brace for the ldap { } block (missing in the pasted text)
    

  • Rebel Alliance

    @killmasta93 pfSense 2.4.4 supports LDAP authentication for the captive portal out of the box.

    Why don't you just update?

    Also, I tried to look at your filter but I didn't see anything wrong at first glance, though I am no LDAP expert. Perhaps you should run Wireshark on the Windows server to debug the LDAP request/response?

    @killmasta93 said in FreeRADIUS LDAP WPA Enterprise?:

    	port = "389"
    	identity = "CN=administrator,CN=Users,DC=casa,DC=local"
    	password = 'mypassword'
    

    Why are you using administrator as the bind account? This is super bad from a security point of view; you should create a dedicated bind account.



  • Thanks for the reply. When you say 2.4.4 supports it out of the box, do you mean something like the client wizard? And yes, I was going to create another account rather than admin, but I wanted to test it out first, as I'm testing it in the lab and not yet in production.

    I also tried to update but I'm getting this:

    Enter an option: 13
    
    >>> Updating repositories metadata...
    Updating pfSense-core repository catalogue...
    pkg-static: Repository pfSense-core has a wrong packagesite, need to re-create database
    Fetching meta.txz: . done
    Fetching packagesite.txz: . done
    Processing entries:
    pkg-static: wrong architecture: FreeBSD:11:amd64 instead of freebsd:11:x86:64
    pkg-static: repository pfSense-core contains packages with wrong ABI: FreeBSD:11:amd64
    Processing entries... done
    Unable to update repository pfSense-core
    Updating pfSense repository catalogue...
    pkg-static: Repository pfSense has a wrong packagesite, need to re-create database
    Fetching meta.txz: . done
    Fetching packagesite.txz: .......... done
    Processing entries:
    pkg-static: wrong architecture: FreeBSD:11:amd64 instead of freebsd:11:x86:64
    pkg-static: repository pfSense contains packages with wrong ABI: FreeBSD:11:amd64
    Processing entries... done
    Unable to update repository pfSense
    Error updating repositories!
    pfSense - Netgate Device ID: 2ce4cad04d559038f1e2
    
    *** Welcome to pfSense 2.3.5-RELEASE (amd64 full-install) on Olympus ***
    
    

    EDIT: Just finished updating to 2.4.4, but I see the same options as in 2.3.5.


  • Rebel Alliance

    Do you have an old 32 bit architecture? Or an amd64 one?

    On 2.4.4 the captive portal uses the server manager as its authentication source instead of "local / radius / none". This means it supports both RADIUS servers and LDAP servers as auth sources.



  • Thanks for the reply, I got it working; I'm on 2.4.5-DEVELOPMENT (amd64).
    How can I test if the LDAP was correctly connected?
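One way to answer that question from the pfSense shell, as an added example that is not code from the thread: bind with the same identity FreeRADIUS uses and then run the same user filter the posted `user { }` section would send, so a working bind with a filter that matches nothing shows up separately. It assumes the OpenLDAP client tools (`ldapsearch`) are installed, reuses the server, base_dn and identity from the posted config, and reads the bind password from the hypothetical `LDAP_BINDPW` environment variable instead of putting it on the command line.

```shell
#!/bin/sh
# Added example, not from the thread: verify the LDAP side of the posted
# mods-enabled/ldap config with ldapsearch. Values below are from that config;
# LDAP_BINDPW (assumed name) must hold the bind password.
LDAP_URI="ldap://192.168.3.253:389"
BASE_DN="DC=casa,DC=local"
BIND_DN="CN=administrator,CN=Users,DC=casa,DC=local"   # use a dedicated bind account in production
USER_ATTR="uid"                                         # attribute used in the posted user filter

# Mimic FreeRADIUS' %{%{Stripped-User-Name}:-%{User-Name}}: when the login
# carries a realm (user@casa.local or CASA\user) search for the bare user part.
strip_realm() {
    _n="$1"
    case "$_n" in
        *@*)  _n="${_n%%@*}" ;;   # user@realm  -> user
        *\\*) _n="${_n##*\\}" ;;  # DOMAIN\user -> user
    esac
    printf '%s\n' "$_n"
}

# Build the exact search filter the user { } section will send for a login name.
user_filter() {
    printf '(%s=%s)\n' "$USER_ATTR" "$(strip_realm "$1")"
}

# 1) Can the configured identity bind at all? (base-scope read of base_dn)
check_bind() {
    ldapsearch -x -H "$LDAP_URI" -D "$BIND_DN" -w "$LDAP_BINDPW" \
        -b "$BASE_DN" -s base '(objectClass=*)' dn >/dev/null
}

# 2) Does the user filter match an entry under base_dn? A successful bind
# with a filter that returns no "dn:" line is the usual reason auth fails.
check_user() {
    ldapsearch -x -LLL -H "$LDAP_URI" -D "$BIND_DN" -w "$LDAP_BINDPW" \
        -b "$BASE_DN" "$(user_filter "$1")" dn | grep -q '^dn:'
}

# usage: sh check_ldap.sh <login-name>
if [ $# -ge 1 ]; then
    : "${LDAP_BINDPW:?set LDAP_BINDPW to the bind password}"
    check_bind && echo "bind OK as $BIND_DN" || { echo "bind FAILED"; exit 1; }
    check_user "$1" && echo "user found with $(user_filter "$1")" \
        || { echo "no entry matched $(user_filter "$1")"; exit 1; }
fi
```

If the bind works but the filter matches nothing, compare the filter against the attributes actually present on the AD user object (ldapsearch with no attribute list prints them all) before touching anything else in the config.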