Simplest network access by Active Directory group with native MS client?
-
Hello!
Please advise me. I need to make a connection from multiple users to a private network according to Active Directory group membership over the existing SMB network.
I see a couple of solutions but they aren't suitable:
- OpenVPN with AD auth. -> fine, but there is no native client in Windows.
- IPsec + L2TP + mobile clients -> I have tried that several times in previous pfSense versions but with no success.
- ISAKMP + mobile clients + AD authentication -- is it possible? Is it a working solution?
Maybe there are other solutions?
-
You should be able to use mobile IKEv2 with EAP-RADIUS as shown here:
https://www.netgate.com/docs/pfsense/vpn/ipsec/ikev2-with-eap-radius.html#eap-radius-with-windows-network-policy-server-nps
Steve
-
@stephenw10 Thank you for advice.
But there may only be a maximum of 50 RADIUS clients on Windows Server Standard Edition.
Is there a way to avoid RADIUS authentication and use only Active Directory authentication instead?
-
Not using IKEv2. LDAP doesn't support the hashed passwords sent by the EAP types we have. I guess you would need EAP-GTC but that is considered weak.
For standard XAuth types you have to use IKEv1. Or change the Windows Server version.
Steve
-
I haven't tested it myself, but WinRadius might help with that 50-user limit.
-
You would probably still be afoul of the M$ CALs somewhere.
-
I say that's a constant regardless of what you do :)