User Authentication with FreeRadius and Active Directory - possible?
-
Hello,
I am currently testing pfSense 2.4.4 and did also install FreeRadius3.
I did some testing, but unsuccessful. I am not sure if what I want to achieve is possible, or even recommended. Maybe there is also another way to do it better. I appreciate any input.
What I want:
I would like to use a RADIUS Server in my network for authentication of users in our Wireless Network.
We are running a Windows Active Directory Domain. So the best way for me would be to authenticate the users with the AD. In my tests, I got it to run successfully (NTRadPing), but only without CHAP.
Group membership checks also work fine. With CHAP, or with a Windows client (WiFi connection), it will not work.
FreeRadius complains about a non clear-text password. So my questions are:
- Is it possible to authenticate users with FreeRadius on pfSense with Active-Directory?
- Does pfSense need to be Domain joined in some way?
Maybe there is a better way. All I want is users being able to use their domain user/pw to authenticate with our wifi APs. I wanted to use this on pfSense, because without it, our VLANs don't work anyways.
Thanks in advance.

rlm_ldap (ldap): Reserved connection (5)
(2) ldap: EXPAND (sAMAccountName=%{mschap:User-Name})
(2) ldap: --> (sAMAccountName=test2)
(2) ldap: Performing search in "DC=localdomain,DC=local" with filter "(sAMAccountName=test2)", scope "sub"
(2) ldap: Waiting for search result...
rlm_ldap (ldap): Rebinding to URL ldap://ForestDnsZones.localdomain.local/DC=ForestDnsZones,DC=localdomain,DC=local
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL ldap://DomainDnsZones.localdomain.local/DC=DomainDnsZones,DC=localdomain,DC=local
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL ldap://localdomain.local/CN=Configuration,DC=localdomain,DC=local
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
(2) ldap: User object found at DN "CN=test2,OU=Spezialkonten-IT,OU=Users,OU=MyBusiness,DC=localdomain,DC=local"
(2) ldap: Processing user attributes
(2) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(2) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Deleting connection (5) - Was referred to a different LDAP server
(2) [ldap] = ok
(2) } # redundant = ok
(2) if (&request:Calling-Station-Id == &control:Calling-Station-Id) {
(2) ERROR: Failed retrieving values required to evaluate condition
(2) [expiration] = noop
(2) [logintime] = noop
Not doing PAP as Auth-Type is already set.
(2) [pap] = noop
(2) } # authorize = ok
(2) Found Auth-Type = CHAP
(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(2) Auth-Type CHAP {
(2) chap: ERROR: &control:Cleartext-Password is required for authentication
(2) [chap] = fail
(2) } # Auth-Type CHAP = fail
(2) Failed to authenticate the user
(2) Using Post-Auth-Type Reject
(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(2) Post-Auth-Type REJECT {
(2) attr_filter.access_reject: EXPAND %{User-Name}
(2) attr_filter.access_reject: --> test2
(2) attr_filter.access_reject: Matched entry DEFAULT at line 11
(2) [attr_filter.access_reject] = updated
(2) [eap] = noop
(2) policy remove_reply_message_if_eap {
(2) if (&reply:EAP-Message && &reply:Reply-Message) {
(2) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(2) else {
(2) [noop] = noop
(2) } # else = noop
(2) } # policy remove_reply_message_if_eap = noop
(2) } # Post-Auth-Type REJECT = updated
(2) Login incorrect (Failed retrieving values required to evaluate condition): [test2/<via Auth-Type = CHAP>] (from client pfSense_NAT port 0)
(2) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(2) Sending delayed response
(2) Sent Access-Reject Id 42 from 172.16.1.254:1812 to 172.16.1.253:59069 length 20
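The reason the CHAP step in the debug output above fails is structural rather than a misconfiguration: RFC 1994 CHAP can only be verified by recomputing MD5(id || password || challenge), so the server's "known good" password must be the cleartext, and an LDAP lookup against Active Directory returns the user object but no readable password attribute. The following toy model is an added example (not code from the post, pfSense or FreeRADIUS); the two backend lookups and the user "test2" credential are constructed stand-ins.

```python
import hashlib
import os
import secrets

# Added example: a toy model of the CHAP decision that rlm_chap makes.
# Control attributes come from a backend lookup; CHAP can only be checked
# when that lookup produced a Cleartext-Password.

def chap_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """Client side (RFC 1994): Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()

def ldap_lookup_ad(username: str) -> dict:
    """Constructed stand-in for rlm_ldap against AD: the object is found, but the
    password attribute is not readable, so no Cleartext-Password gets added."""
    return {"User-Name": username}          # no "Cleartext-Password" key

def users_file_lookup(username: str) -> dict:
    """Constructed stand-in for a local users file that stores the cleartext."""
    return {"User-Name": username, "Cleartext-Password": b"correct horse"}

def auth_chap(request: dict, control: dict) -> tuple:
    """Fail outright when the control list carries no Cleartext-Password;
    otherwise recompute the expected response and compare in constant time."""
    known_good = control.get("Cleartext-Password")
    if known_good is None:
        return "fail", "&control:Cleartext-Password is required for authentication"
    ident, chal, resp = request["CHAP-Id"], request["CHAP-Challenge"], request["CHAP-Password"]
    if secrets.compare_digest(chap_response(ident, known_good, chal), resp):
        return "ok", "CHAP response matches"
    return "reject", "CHAP response does not match"

def simulate(lookup, password: bytes) -> tuple:
    """Run one CHAP attempt for the constructed user test2 against a backend."""
    challenge = os.urandom(16)
    request = {"User-Name": "test2", "CHAP-Id": 0x2A, "CHAP-Challenge": challenge,
               "CHAP-Password": chap_response(0x2A, password, challenge)}
    return auth_chap(request, lookup("test2"))

if __name__ == "__main__":
    print("AD-backed control list:", simulate(ldap_lookup_ad, b"correct horse"))
    print("users file, right pw:  ", simulate(users_file_lookup, b"correct horse"))
    print("users file, wrong pw:  ", simulate(users_file_lookup, b"wrong"))
```

The AD-backed run fails before any comparison happens, which is the "[chap] = fail" line in the log; only a backend that can hand over the cleartext reaches the accept/reject decision.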
-
Hi @FrankoniaDKB, did you find out how to do this? I'm trying the same, I want to auth users on a Wireless Network but I can't make this work.