User Authentication with FreeRadius and Active Directory - possible?
-
Hello,
I am currently testing pfSense 2.4.4 and did also install FreeRadius3.
I did some testing, but unsuccessfull.I am not sure, if what I want to achieve is possible, or even recommended. Maybe there is also another way to do it better. I appreciate any input.
What I want:
I would like to use a RADIUS Server in my network for authentication of users in our Wireless Network.
We are running a Windows Active Directory Domain. So the best way for me, would be to authenticate the users with the AD.In my tests, I got it to run successfully (NTRadPing), but only without CHAP.
Group membership checks also work fine.Whith CHAP, or with a Windows-Client (WiFi Connection) it will not work.
FreeRadius complains about a non clear-text pasword.So my questions are:
- Is it possible to authenticate users with FreeRadius on pfSense with Active-Directory?
- Does pfSense need to be Domain joined in some way?
Maybe there is a better way. All I want is users beeing able to use their domain user/pw to authenticate with out wifi APs. I wanted to use this on pfSense, because without it, our VLANs dont work anyways.
Thanks in advance.rlm_ldap (ldap): Reserved connection (5) (2) ldap: EXPAND (sAMAccountName=%{mschap:User-Name}) (2) ldap: --> (sAMAccountName=test2) (2) ldap: Performing search in "DC=localdomain,DC=local" with filter "(sAMAccountName=test2)", scope "sub" (2) ldap: Waiting for search result... rlm_ldap (ldap): Rebinding to URL ldap://ForestDnsZones.localdomain.local/DC=ForestDnsZones,DC=localdomain,DC=local rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap://DomainDnsZones.localdomain.local/DC=DomainDnsZones,DC=localdomain,DC=local rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap://localdomain.local/CN=Configuration,DC=localdomain,DC=local rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful (2) ldap: User object found at DN "CN=test2,OU=Spezialkonten-IT,OU=Users,OU=MyBusiness,DC=localdomain,DC=local" (2) ldap: Processing user attributes (2) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute (2) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) rlm_ldap (ldap): Deleting connection (5) - Was referred to a different LDAP server (2) [ldap] = ok (2) } # redundant = ok (2) if (&request:Calling-Station-Id == &control:Calling-Station-Id) { (2) ERROR: Failed retrieving values required to evaluate condition (2) [expiration] = noop (2) [logintime] = noop Not doing PAP as Auth-Type is already set. (2) [pap] = noop (2) } # authorize = ok (2) Found Auth-Type = CHAP (2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (2) Auth-Type CHAP { (2) chap: ERROR: &control:Cleartext-Password is required for authentication (2) [chap] = fail (2) } # Auth-Type CHAP = fail (2) Failed to authenticate the user (2) Using Post-Auth-Type Reject (2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (2) Post-Auth-Type REJECT { (2) attr_filter.access_reject: EXPAND %{User-Name} (2) attr_filter.access_reject: --> test2 (2) attr_filter.access_reject: Matched entry DEFAULT at line 11 (2) [attr_filter.access_reject] = updated (2) [eap] = noop (2) policy remove_reply_message_if_eap { (2) if (&reply:EAP-Message && &reply:Reply-Message) { (2) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (2) else { (2) [noop] = noop (2) } # else = noop (2) } # policy remove_reply_message_if_eap = noop (2) } # Post-Auth-Type REJECT = updated (2) Login incorrect (Failed retrieving values required to evaluate condition): [test2/<via Auth-Type = CHAP>] (from client pfSense_NAT port 0) (2) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (2) Sending delayed response (2) Sent Access-Reject Id 42 from 172.16.1.254:1812 to 172.16.1.253:59069 length 20