FreeRADIUS, RADIUS, LDAP, Active Directory, User Authentication
-
Hi Everyone!
Main question:
The LDAP tab
(Services -> FreeRadius -> LDAP)
does not work with Active Directory?
Sub questions:
- Or if it works, somebody could give the attributes to use with Active Directory please?
General Configuration - Server 1
Filter /some say it is (sAMAccountName=)/
LDAP search filter. Default: (uid=%{%{Stripped-User-Name}:-%{User-Name}})
Base Filter /some say it is (ObjectClass=*) or User/
Default: (objectclass=radiusprofile)
Miscellaneous Configuration - Server 1
Profile Attribute /use default or else?/
(Default: radiusProfileDn)
Access Attribute /use default or else?/
(Default: dialupAccess)
Group Membership Options - Server 1
Group Membership Filter /use default or else?/
Default: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))
Group Membership Attribute /I guess it is "memberOf" but who knows/
(Default: radiusGroupName)
- If all this does not work with Active Directory.
But I do not understand why the option is there.
Active Directory Compatibility
Enable
If you see the helpful "operations error" being returned to the LDAP module, enable this. (Default: Disable)
Then why can't we use the Authentication Servers?
(System -> User Manager -> Authentication Servers)
Like with IPsec.
(VPN -> IPsec -> Mobile Clients)
Extended Authentication (Xauth)
User Authentication
/LDAP, RADIUS servers are listed here/
Local Database /default/
Because the Authentication Servers settings work perfectly fine with the Active Directory.
It would be much more elegant to authenticate Active Directory users to use WIFI Access Points connected to PFSENSE clients, through FreeRADIUS Server for example, and nonetheless, it would be a point to use Active Directory LDAP Authentication instead of configuring NPS/RADIUS separately from PFSENSE.
Any ideas, thoughts, anything?
PFSENSE version:
2.4.5-RELEASE-p1 (amd64)
built on Tue Jun 02 17:51:17 EDT 2020
FreeBSD 11.3-STABLE
RADIUS version:
freeradius3 0.15.7_20
-
It would be easier to use LDAP for authentication. I currently use LDAP for internet access authentication and for squidguard.
-
The LDAP query you use there depends entirely on how you have your AD server setup.
It's not something we can guess for you.
Though if you search the forum you will find examples of other users' queries that are typical.
Steve
-
@mr-newbie
How?? I have some issues, I can't find the error,
can you help me??
I have LDAP with FreeIPA and the RADIUS package in the pfSense
-
How do you have it configured?
What is happening?
What do you expect to happen?
Steve