FreeRADIUS LDAP WPA Enterprise?
-
Hi,
I was wondering if someone could shed some light on what I'm trying to do. Currently I have pfSense 2.3.5 running FreeRADIUS, with a UniFi AP-AC-LR. On the UniFi I created a RADIUS profile to connect to the pfSense. On pfSense I created an LDAP config on the RADIUS. The idea is that when a user connects to the WiFi it automatically connects if the user is in the Active Directory; if not, then it won't connect. Currently this is my LDAP config on pfSense:
I somewhat think I have the base filter wrong.

```
/usr/local/etc/raddb/mods-enabled/ldap

ldap {
    server = "192.168.3.253"
    port = "389"
    identity = "CN=administrator,CN=Users,DC=casa,DC=local"
    password = 'mypassword'
    base_dn = "DC=casa,DC=local"
    user {
        base_dn = "${..base_dn}"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        ### access_attr = "dialupAccess" ###
    }
    group {
        base_dn = "${..base_dn}"
        filter = '(objectClass=posixGroup)'
        ### name_attribute = cn ###
        ### membership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))" ###
        ### membership_attribute = radiusGroupName ###
        ### compare_check_items = yes ###
        ### do_xlat = yes ###
        ### access_attr_used_for_allow = yes ###
    }
    profile {
        filter = "(&(objectclass=person)(uid=%s))"
        ### default_profile = "cn=radprofile,ou=dialup,o=My Company Ltd,c=US" ###
        ### profile_attribute = "radiusProfileDn" ###
    }
}
```

Thank you
-
@killmasta93 pfSense 2.4.4 supports LDAP authentication for the captive portal out of the box.
Why don't you just update?
Also, I tried to look at your filter but I didn't see anything wrong at first glance, but I am not an LDAP expert. Perhaps you should run Wireshark on the Windows server to debug the LDAP request/response?
@killmasta93 said in FreeRADIUS LDAP WPA Enterprise?:
port = "389" identity = "CN=administrator,CN=Users,DC=casa,DC=local" password = 'mypassword'
Why are you using administrator as the bind account? This is super bad from a security point of view; you should create a dedicated bind account.
-
Thanks for the reply. When you say 2.4.4 supports it out of the box, do you mean something like the client wizard? And yes, I was going to create another account rather than admin, but I wanted to test it out first, as I'm testing it in the lab and not yet in production.
I also tried to update but I'm getting this:

```
Enter an option: 13
>>> Updating repositories metadata...
Updating pfSense-core repository catalogue...
pkg-static: Repository pfSense-core has a wrong packagesite, need to re-create database
Fetching meta.txz: . done
Fetching packagesite.txz: . done
Processing entries:
pkg-static: wrong architecture: FreeBSD:11:amd64 instead of freebsd:11:x86:64
pkg-static: repository pfSense-core contains packages with wrong ABI: FreeBSD:11:amd64
Processing entries... done
Unable to update repository pfSense-core
Updating pfSense repository catalogue...
pkg-static: Repository pfSense has a wrong packagesite, need to re-create database
Fetching meta.txz: . done
Fetching packagesite.txz: .......... done
Processing entries:
pkg-static: wrong architecture: FreeBSD:11:amd64 instead of freebsd:11:x86:64
pkg-static: repository pfSense contains packages with wrong ABI: FreeBSD:11:amd64
Processing entries... done
Unable to update repository pfSense
Error updating repositories!

pfSense - Netgate Device ID: 2ce4cad04d559038f1e2

*** Welcome to pfSense 2.3.5-RELEASE (amd64 full-install) on Olympus ***
```

EDIT: Just finished updating to 2.4.4, but I see the same options as in 2.3.5.
-
Do you have an old 32-bit architecture? Or an amd64 one?
On 2.4.4 the captive portal uses the server manager as the authentication source instead of "local / radius / none". This means it supports both RADIUS servers and LDAP servers as the auth source.
-
Thanks for the reply, I got it working. I'm on 2.4.5-DEVELOPMENT (amd64).
How can I test if the LDAP was correctly connected?
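One way to check the LDAP side on its own, separately from RADIUS, as an added example that is not from this thread or from pfSense/FreeRADIUS: the script below expands the user filter from the config posted above the way the FreeRADIUS ldap module would (Stripped-User-Name falling back to User-Name, with the value escaped per RFC 4515) and emits the matching ldapsearch command using that config's bind account and base DN. The search attribute is a parameter because Active Directory keeps the login name in sAMAccountName rather than uid; the realm-stripping helper is a simplified stand-in for the FreeRADIUS realm module, and the user names are constructed samples.

```python
import re
import shlex

# Values copied from the ldap config posted above.
SERVER = "192.168.3.253"
PORT = "389"
BIND_DN = "CN=administrator,CN=Users,DC=casa,DC=local"
BASE_DN = "DC=casa,DC=local"
FILTER_TEMPLATE = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
# Matches %{Attr} and the %{%{Attr}:-%{Fallback}} form used in the filter.
_XLAT = re.compile(r"%\{(?:%\{([\w-]+)\}:-%\{([\w-]+)\}|([\w-]+))\}")

def ldap_escape(value: str) -> str:
    """Escape a value for an LDAP filter (RFC 4515), as the FreeRADIUS ldap
    module does, so a supplied user name cannot change the filter's shape."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def strip_realm(user_name: str):
    """Simplified stand-in (assumption) for the FreeRADIUS realm module:
    'user@realm' or 'DOMAIN\\user' gives 'user'; otherwise nothing is stripped."""
    if "@" in user_name:
        return user_name.split("@", 1)[0]
    if "\\" in user_name:
        return user_name.rsplit("\\", 1)[1]
    return None

def expand_filter(template: str, user_name: str) -> str:
    """Expand the module's xlat template for one request's User-Name."""
    attrs = {"User-Name": user_name, "Stripped-User-Name": strip_realm(user_name)}

    def sub(m):
        primary, fallback, single = m.groups()
        value = attrs.get(single) if single else (attrs.get(primary) or attrs.get(fallback))
        return ldap_escape(value or "")

    return _XLAT.sub(sub, template)

def ldapsearch_command(user_name: str, attr: str = "uid") -> str:
    """ldapsearch line reproducing the module's lookup; -W prompts for the
    bind password rather than exposing it on the command line."""
    flt = expand_filter(FILTER_TEMPLATE.replace("(uid=", "(" + attr + "=", 1), user_name)
    return shlex.join(["ldapsearch", "-x", "-H", f"ldap://{SERVER}:{PORT}",
                       "-D", BIND_DN, "-W", "-b", BASE_DN, flt, "dn"])

if __name__ == "__main__":
    for name in ("jdoe", "jdoe@casa.local", "CASA\\jdoe"):
        print(expand_filter(FILTER_TEMPLATE, name))
    print(ldapsearch_command("jdoe", attr="sAMAccountName"))
```

If the printed ldapsearch returns the user's DN with the uid filter but only the sAMAccountName variant finds the account, the module's user filter is the part to adjust; once the search works, radtest against the RADIUS port while radiusd -X is running shows the same lookup from the FreeRADIUS side.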