Netgate Discussion Forum
    User Authentication with FreeRadius and Active Directory - possible?

    pfSense Packages
    2 Posts 2 Posters 1.3k Views
      FrankoniaDKB

      Hello,

      I am currently testing pfSense 2.4.4 and also installed FreeRadius3.
      I did some testing, but unsuccessfully.

      I am not sure, if what I want to achieve is possible, or even recommended. Maybe there is also another way to do it better. I appreciate any input.

      What I want:
      I would like to use a RADIUS Server in my network for authentication of users in our Wireless Network.
      We are running a Windows Active Directory Domain. So the best way for me would be to authenticate the users with the AD.

      In my tests, I got it to run successfully (NTRadPing), but only without CHAP.
      Group membership checks also work fine.

      With CHAP, or with a Windows client (WiFi connection), it will not work.
      FreeRadius complains about a non clear-text password.

      So my questions are:

      • Is it possible to authenticate users with FreeRadius on pfSense with Active-Directory?
      • Does pfSense need to be Domain joined in some way?

      Maybe there is a better way. All I want is users being able to use their domain user/pw to authenticate with our wifi APs. I wanted to use this on pfSense, because without it, our VLANs don't work anyway.
      Thanks in advance.

      rlm_ldap (ldap): Reserved connection (5)
      (2) ldap: EXPAND (sAMAccountName=%{mschap:User-Name})
      (2) ldap:    --> (sAMAccountName=test2)
      (2) ldap: Performing search in "DC=localdomain,DC=local" with filter "(sAMAccountName=test2)", scope "sub"
      (2) ldap: Waiting for search result...
      rlm_ldap (ldap): Rebinding to URL ldap://ForestDnsZones.localdomain.local/DC=ForestDnsZones,DC=localdomain,DC=local
      rlm_ldap (ldap): Waiting for bind result...
      rlm_ldap (ldap): Rebinding to URL ldap://DomainDnsZones.localdomain.local/DC=DomainDnsZones,DC=localdomain,DC=local
      rlm_ldap (ldap): Waiting for bind result...
      rlm_ldap (ldap): Rebinding to URL ldap://localdomain.local/CN=Configuration,DC=localdomain,DC=local
      rlm_ldap (ldap): Waiting for bind result...
      rlm_ldap (ldap): Bind successful
      rlm_ldap (ldap): Bind successful
      rlm_ldap (ldap): Bind successful
      (2) ldap: User object found at DN "CN=test2,OU=Spezialkonten-IT,OU=Users,OU=MyBusiness,DC=localdomain,DC=local"
      (2) ldap: Processing user attributes
      (2) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
      (2) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
      rlm_ldap (ldap): Deleting connection (5) - Was referred to a different LDAP server
      (2)       [ldap] = ok
      (2)     } # redundant = ok
      (2)     if (&request:Calling-Station-Id == &control:Calling-Station-Id) {
      (2)     ERROR: Failed retrieving values required to evaluate condition
      (2)     [expiration] = noop
      (2)     [logintime] = noop
      Not doing PAP as Auth-Type is already set.
      (2)     [pap] = noop
      (2)   } # authorize = ok
      (2) Found Auth-Type = CHAP
      (2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
      (2)   Auth-Type CHAP {
      (2) chap: ERROR: &control:Cleartext-Password is required for authentication
      (2)     [chap] = fail
      (2)   } # Auth-Type CHAP = fail
      (2) Failed to authenticate the user
      (2) Using Post-Auth-Type Reject
      (2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
      (2)   Post-Auth-Type REJECT {
      (2) attr_filter.access_reject: EXPAND %{User-Name}
      (2) attr_filter.access_reject:    --> test2
      (2) attr_filter.access_reject: Matched entry DEFAULT at line 11
      (2)     [attr_filter.access_reject] = updated
      (2)     [eap] = noop
      (2)     policy remove_reply_message_if_eap {
      (2)       if (&reply:EAP-Message && &reply:Reply-Message) {
      (2)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
      (2)       else {
      (2)         [noop] = noop
      (2)       } # else = noop
      (2)     } # policy remove_reply_message_if_eap = noop
      (2)   } # Post-Auth-Type REJECT = updated
      (2) Login incorrect (Failed retrieving values required to evaluate condition): [test2/<via Auth-Type = CHAP>] (from client pfSense_NAT port 0)
      (2) Delaying response for 1.000000 seconds
      Waking up in 0.3 seconds.
      Waking up in 0.6 seconds.
      (2) Sending delayed response
      (2) Sent Access-Reject Id 42 from 172.16.1.254:1812 to 172.16.1.253:59069 length 20
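As an added illustration (not part of this thread), the following Python writes out the check that FreeRADIUS's chap module performs on a CHAP Access-Request, using a constructed password, identifier and challenge. RFC 1994 CHAP hashes the cleartext secret together with the challenge, so the server can only verify the response when the backend has supplied a known-good cleartext password in `&control:Cleartext-Password`; an LDAP lookup against Active Directory never returns one, which is exactly the `[chap] = fail` seen in the log above.

```python
"""CHAP verification as a RADIUS server performs it (RFC 1994 / RFC 2865 s5.3).

The CHAP-Password attribute carries 1 byte of CHAP Identifier followed by the
16-byte MD5 digest; the challenge is the CHAP-Challenge attribute or, when it
is absent, the 16-byte Request Authenticator of the Access-Request.
"""
import hashlib
import hmac
import os
from typing import Optional


def build_chap_password(ident: int, password: str, challenge: bytes) -> bytes:
    """Client side: CHAP-Password = Identifier || MD5(Identifier || secret || Challenge)."""
    digest = hashlib.md5(bytes([ident]) + password.encode("utf-8") + challenge).digest()
    return bytes([ident]) + digest


def verify_chap(chap_password: bytes, challenge: bytes,
                cleartext_password: Optional[str]) -> str:
    """Server side; returns an rlm-style result code ('ok', 'reject', 'fail', 'invalid')."""
    if len(chap_password) != 17:
        return "invalid"  # malformed CHAP-Password attribute
    if cleartext_password is None:
        # The backend (e.g. an AD LDAP search) added no known-good password, so the
        # digest cannot be recomputed. This is the condition behind the log line
        # "chap: ERROR: &control:Cleartext-Password is required for authentication".
        return "fail"
    ident = chap_password[0]
    expected = hashlib.md5(
        bytes([ident]) + cleartext_password.encode("utf-8") + challenge
    ).digest()
    # Constant-time comparison of the client's digest against the recomputed one.
    return "ok" if hmac.compare_digest(expected, chap_password[1:]) else "reject"


def simulate(backend_known_good: Optional[str], user_password: str = "correct horse") -> str:
    """One CHAP exchange. backend_known_good is what the authorize section placed in
    &control:Cleartext-Password (None = nothing, as with Active Directory over LDAP).
    The challenge is random, standing in for the Request Authenticator (constructed)."""
    challenge = os.urandom(16)
    attr = build_chap_password(ident=1, password=user_password, challenge=challenge)
    return verify_chap(attr, challenge, backend_known_good)


if __name__ == "__main__":
    print("local users file with cleartext:", simulate("correct horse"))  # ok
    print("Active Directory via LDAP:      ", simulate(None))             # fail
```

The `fail` path is not a wrong-password rejection but a configuration mismatch: for domain passwords the verifier needs either the cleartext itself (PAP inside a TLS tunnel, checked by LDAP bind) or a hash that AD can supply, which is why MS-CHAPv2 deployments pair FreeRADIUS with a domain-joined `ntlm_auth`/winbind.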
        sebauer @FrankoniaDKB

        Hi @FrankoniaDKB, did you find out how to do this? I'm trying the same: I want to auth users on a Wireless Network, but I can't make this work.

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.