User Authentication with FreeRadius and Active Directory - possible?


  • Hello,

    I am currently testing pfSense 2.4.4 and did also install FreeRadius 3.
    I did some testing, but unsuccessfully.

    I am not sure if what I want to achieve is possible, or even recommended. Maybe there is also another way to do it better. I appreciate any input.

    What I want:
    I would like to use a RADIUS Server in my network for authentication of users in our Wireless Network.
    We are running a Windows Active Directory Domain. So the best way for me would be to authenticate the users with the AD.

    In my tests, I got it to run successfully (NTRadPing), but only without CHAP.
    Group membership checks also work fine.

    With CHAP, or with a Windows client (WiFi connection), it will not work.
    FreeRadius complains about a non-clear-text password.

    So my questions are:

    • Is it possible to authenticate users with FreeRadius on pfSense with Active Directory?
    • Does pfSense need to be Domain joined in some way?

    Maybe there is a better way. All I want is users being able to use their domain user/pw to authenticate with our WiFi APs. I wanted to use this on pfSense, because without it, our VLANs don't work anyway.
    Thanks in advance.

    rlm_ldap (ldap): Reserved connection (5)
    (2) ldap: EXPAND (sAMAccountName=%{mschap:User-Name})
    (2) ldap:    --> (sAMAccountName=test2)
    (2) ldap: Performing search in "DC=localdomain,DC=local" with filter "(sAMAccountName=test2)", scope "sub"
    (2) ldap: Waiting for search result...
    rlm_ldap (ldap): Rebinding to URL ldap://ForestDnsZones.localdomain.local/DC=ForestDnsZones,DC=localdomain,DC=local
    rlm_ldap (ldap): Waiting for bind result...
    rlm_ldap (ldap): Rebinding to URL ldap://DomainDnsZones.localdomain.local/DC=DomainDnsZones,DC=localdomain,DC=local
    rlm_ldap (ldap): Waiting for bind result...
    rlm_ldap (ldap): Rebinding to URL ldap://localdomain.local/CN=Configuration,DC=localdomain,DC=local
    rlm_ldap (ldap): Waiting for bind result...
    rlm_ldap (ldap): Bind successful
    rlm_ldap (ldap): Bind successful
    rlm_ldap (ldap): Bind successful
    (2) ldap: User object found at DN "CN=test2,OU=Spezialkonten-IT,OU=Users,OU=MyBusiness,DC=localdomain,DC=local"
    (2) ldap: Processing user attributes
    (2) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
    (2) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
    rlm_ldap (ldap): Deleting connection (5) - Was referred to a different LDAP server
    (2)       [ldap] = ok
    (2)     } # redundant = ok
    (2)     if (&request:Calling-Station-Id == &control:Calling-Station-Id) {
    (2)     ERROR: Failed retrieving values required to evaluate condition
    (2)     [expiration] = noop
    (2)     [logintime] = noop
    Not doing PAP as Auth-Type is already set.
    (2)     [pap] = noop
    (2)   } # authorize = ok
    (2) Found Auth-Type = CHAP
    (2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
    (2)   Auth-Type CHAP {
    (2) chap: ERROR: &control:Cleartext-Password is required for authentication
    (2)     [chap] = fail
    (2)   } # Auth-Type CHAP = fail
    (2) Failed to authenticate the user
    (2) Using Post-Auth-Type Reject
    (2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
    (2)   Post-Auth-Type REJECT {
    (2) attr_filter.access_reject: EXPAND %{User-Name}
    (2) attr_filter.access_reject:    --> test2
    (2) attr_filter.access_reject: Matched entry DEFAULT at line 11
    (2)     [attr_filter.access_reject] = updated
    (2)     [eap] = noop
    (2)     policy remove_reply_message_if_eap {
    (2)       if (&reply:EAP-Message && &reply:Reply-Message) {
    (2)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
    (2)       else {
    (2)         [noop] = noop
    (2)       } # else = noop
    (2)     } # policy remove_reply_message_if_eap = noop
    (2)   } # Post-Auth-Type REJECT = updated
    (2) Login incorrect (Failed retrieving values required to evaluate condition): [test2/<via Auth-Type = CHAP>] (from client pfSense_NAT port 0)
    (2) Delaying response for 1.000000 seconds
    Waking up in 0.3 seconds.
    Waking up in 0.6 seconds.
    (2) Sending delayed response
    (2) Sent Access-Reject Id 42 from 172.16.1.254:1812 to 172.16.1.253:59069 length 20
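The "Cleartext-Password is required" error at the end of the log follows from how CHAP is defined, not from a misconfiguration of the LDAP module. The script below is an added illustration (not code from pfSense, FreeRADIUS or the poster) that models both server options with a constructed account store, a constructed password and a hypothetical `ad_simple_bind`/`ad_read_cleartext` pair standing in for the directory:

```python
"""Why rlm_chap fails against AD: CHAP verification needs the cleartext password
on the RADIUS server, while a directory bind can only *check* a password.
Constructed example; account, password and challenge are made up."""
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for Active Directory: it answers "is this password right?"
# (LDAP simple bind, the path PAP uses) but never hands the cleartext out.
_AD_ACCOUNTS = {"test2": "S3cret-example"}


def ad_simple_bind(username: str, password: str) -> bool:
    """Bind as the user succeeds only with the correct password."""
    return _AD_ACCOUNTS.get(username) == password


def ad_read_cleartext(username: str) -> Optional[bytes]:
    """AD exposes no readable cleartext attribute: rlm_ldap's 'No known good password' case."""
    return None


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def client_chap_password(ident: int, password: str, challenge: bytes) -> bytes:
    """RADIUS CHAP-Password attribute value: 1-byte ident + 16-byte MD5 digest."""
    return bytes([ident]) + chap_response(ident, password.encode(), challenge)


def server_chap_verify(chap_password: bytes, challenge: bytes, known_good: Optional[bytes]) -> str:
    """Mirror rlm_chap: the digest can only be recomputed from a known-good cleartext."""
    if known_good is None:
        return "fail: Cleartext-Password is required for authentication"
    ident, response = chap_password[0], chap_password[1:]
    expected = chap_response(ident, known_good, challenge)
    return "ok" if hmac.compare_digest(expected, response) else "reject"


def server_pap_verify(username: str, password: str) -> str:
    """PAP carries the password itself, so the server can delegate the check to a bind."""
    return "ok" if ad_simple_bind(username, password) else "reject"


def demo() -> dict:
    challenge = os.urandom(16)  # CHAP-Challenge chosen by the NAS
    attr = client_chap_password(42, "S3cret-example", challenge)
    return {
        "pap_via_bind": server_pap_verify("test2", "S3cret-example"),
        "chap_via_ad": server_chap_verify(attr, challenge, ad_read_cleartext("test2")),
        "chap_local_user": server_chap_verify(attr, challenge, b"S3cret-example"),
    }
```

MS-CHAPv2, which the Windows WiFi client uses, needs the NT hash rather than the cleartext, and that attribute is not readable over LDAP either, so the same limitation applies to that case.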