Netgate Discussion Forum

    freeradius + LDAP + MS AD

    kostfastnix wrote:

      Hi,
      I've seen several threads about this topic, but so far I have found no final solution or a statement that it won't work. My scenario:

      • pfSense 2.5.1
      • Microsoft 2019 Server as DC

      Current status:

      For preliminary testing purposes I have configured, under Authentication Servers, LDAP with SSL and memberOf group against the MS AD server. Works! At least when testing on the pfSense under Diagnostics => Authentication.

      So I would like to have this working using the freeradius + LDAP against the same MS AD Server.
      My radius.log shows the following when trying to authenticate:

      As far as I understand:

      • LDAP connection and binding => OK
      • LDAP search for the requested user => OK
      • Authentication for the User => NOK

      My research points to something with PAP/NTLM Auth-Type, etc., etc., and maybe something to adjust in the radius configuration.
      Also read something to use SAMBA for NTLM Auth, but all in all I am confused.

      So any suggestions are welcome.

      Kind regards

      *** radius.log ***
      php-fpm[21286]: /diag_authentication.php: Successful login for user 'admin' from: 172.16.1.10 (Local Database)
      (0) Received Access-Request Id 233 from 127.0.0.1:48330 to 127.0.0.1:1812 length 112
      (0) Service-Type = Login-User
      (0) User-Name = "bb"
      (0) User-Password = "mypassword"
      (0) NAS-IP-Address = 172.16.1.1
      (0) NAS-Identifier = "pfsHQ.mylab.intern"
      (0) Called-Station-Id = "00:0c:29:bc:65:86:pfsHQ.mylab.intern"
      (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
      (0) authorize {
      (0) [preprocess] = ok
      (0) [chap] = noop
      (0) [mschap] = noop
      (0) [digest] = noop
      (0) suffix: Checking for suffix after "@"
      (0) suffix: No '@' in User-Name = "bb", skipping NULL due to config.
      (0) [suffix] = noop
      (0) ntdomain: Checking for prefix before ""
      (0) ntdomain: No '' in User-Name = "bb", skipping NULL due to config.
      (0) [ntdomain] = noop
      (0) eap: No EAP-Message, not doing EAP
      (0) [eap] = noop
      (0) [files] = noop
      (0) if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) {
      (0) EXPAND %{%{Control:Auth-Type}:-No-Accept}
      (0) --> No-Accept
      (0) if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) -> TRUE
      (0) if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) {
      (0) if (true) {
      (0) if (true) -> TRUE
      (0) if (true) {
      (0) redundant {
      rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase "spare"
      rlm_ldap (ldap): Opening additional connection (0), 1 of 5 pending slots used
      rlm_ldap (ldap): Connecting to ldap://dc.mylab.intern:389
      rlm_ldap (ldap): Waiting for bind result...
      rlm_ldap (ldap): Bind successful
      rlm_ldap (ldap): Reserved connection (0)
      (0) ldap: EXPAND (SAMAccountName=%{mschap:User-Name})
      (0) ldap: --> (SAMAccountName=bb)
      (0) ldap: Performing search in "DC=mylab,DC=intern" with filter "(SAMAccountName=bb)", scope "sub"
      (0) ldap: Waiting for search result...
      rlm_ldap (ldap): Rebinding to URL ldap://ForestDnsZones.mylab.intern/DC=ForestDnsZones,DC=mylab,DC=intern
      rlm_ldap (ldap): Waiting for bind result...
      rlm_ldap (ldap): Rebinding to URL ldap://DomainDnsZones.mylab.intern/DC=DomainDnsZones,DC=mylab,DC=intern
      rlm_ldap (ldap): Waiting for bind result...
      rlm_ldap (ldap): Rebinding to URL ldap://mylab.intern/CN=Configuration,DC=mylab,DC=intern
      rlm_ldap (ldap): Waiting for bind result...
      rlm_ldap (ldap): Bind successful
      rlm_ldap (ldap): Bind successful
      rlm_ldap (ldap): Bind successful
      (0) ldap: User object found at DN "CN=Bernd Buettner,OU=Verwaltung,DC=mylab,DC=intern"
      (0) ldap: Processing user attributes
      (0) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
      (0) ldap: WARNING: PAP authentication will NOT work with Active Directory (if that is what you were trying to configure)
      rlm_ldap (ldap): Deleting connection (0) - Was referred to a different LDAP server
      Need 5 more connections to reach min connections (5)
      rlm_ldap (ldap): Opening additional connection (1), 1 of 5 pending slots used
      rlm_ldap (ldap): Connecting to ldap://dc.mylab.intern:389
      rlm_ldap (ldap): Waiting for bind result...
      rlm_ldap (ldap): Bind successful
      (0) [ldap] = ok
      (0) } # redundant = ok
      (0) if (notfound || noop) {
      (0) if (notfound || noop) -> FALSE
      (0) } # if (true) = ok
      (0) } # if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) = ok
      rlm_counter: Entering module authorize code
      rlm_counter: Could not find Check item value pair
      (0) [daily] = noop
      rlm_counter: Entering module authorize code
      rlm_counter: Could not find Check item value pair
      (0) [weekly] = noop
      rlm_counter: Entering module authorize code
      rlm_counter: Could not find Check item value pair
      (0) [monthly] = noop
      rlm_counter: Entering module authorize code
      rlm_counter: Could not find Check item value pair
      (0) [forever] = noop
      (0) if (&request:Calling-Station-Id == &control:Calling-Station-Id) {
      (0) ERROR: Failed retrieving values required to evaluate condition
      (0) [expiration] = noop
      (0) [logintime] = noop
      (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
      (0) pap: WARNING: Authentication will fail unless a "known good" password is available
      (0) [pap] = noop
      (0) } # authorize = ok
      (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
      (0) Failed to authenticate the user
      (0) Using Post-Auth-Type Reject
      (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
      (0) Post-Auth-Type REJECT {
      (0) attr_filter.access_reject: EXPAND %{User-Name}
      (0) attr_filter.access_reject: --> bb
      (0) attr_filter.access_reject: Matched entry DEFAULT at line 11
      (0) [attr_filter.access_reject] = updated
      (0) [eap] = noop
      (0) policy remove_reply_message_if_eap {
      (0) if (&reply:EAP-Message && &reply:Reply-Message) {
      (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
      (0) else {
      (0) [noop] = noop
      (0) } # else = noop
      (0) } # policy remove_reply_message_if_eap = noop
      (0) } # Post-Auth-Type REJECT = updated
      (0) Login incorrect (Failed retrieving values required to evaluate condition): [bb/mypassword] (from client pfSense port 0)
      (0) Delaying response for 1.000000 seconds
      Waking up in 0.2 seconds.
      Waking up in 0.7 seconds.
      (0) Sending delayed response
      (0) Sent Access-Reject Id 233 from 127.0.0.1:1812 to 127.0.0.1:48330 length 20
      Waking up in 3.9 seconds.
      (0) Cleaning up request packet ID 233 with timestamp +38
      Ready to process requests
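
      Added illustration, not part of the original post and not the configuration the pfSense FreeRADIUS package generates: the two ldap WARNING lines above explain the reject. Active Directory never returns a user's password (hash or otherwise) over LDAP, regardless of the bind account's permissions, so rlm_ldap cannot hand pap a "known good" password, pap sets no Auth-Type, and the request falls through to "No Auth-Type found". The upstream FreeRADIUS 3.x answer for this case is to let rlm_ldap authenticate by binding to the directory as the found user DN with the submitted User-Password. The fragment below shows that wiring in the stock sites-enabled/default and mods-available/ldap layout; the file paths, the module instance name ldap, and the base_dn/filter values are taken from the log above or the FreeRADIUS defaults and are assumptions for this lab.

```unlang
# Added example (not from the original post). Stock FreeRADIUS 3.x layout.
# File: /usr/local/etc/raddb/sites-enabled/default

authorize {
    # ... preprocess, chap, mschap, suffix, eap, files as before ...

    # Look the user up in AD. Against AD this only yields the DN and
    # attributes; no password attribute is ever returned, which is the
    # source of the 'No "known good" password added' warning.
    -ldap

    # AD case: the lookup succeeded and the client sent a cleartext
    # password (PAP, as in the Access-Request above), so authenticate by
    # LDAP bind instead of letting pap compare a password it will never have.
    if ((ok || updated) && User-Password && !control:Auth-Type) {
        update {
            control:Auth-Type := ldap
        }
    }

    # ... expiration, logintime ...
    pap
}

authenticate {
    # Bind to AD as the user's DN with the supplied User-Password.
    # The bind succeeds only if AD accepts the credentials; the module
    # then returns ok and an Access-Accept is sent.
    Auth-Type LDAP {
        ldap
    }

    # ... Auth-Type PAP, CHAP, MS-CHAP, eap as before ...
}

# File: /usr/local/etc/raddb/mods-available/ldap (excerpt; values from the log)
ldap {
    server = "dc.mylab.intern"
    port = 389

    user {
        # Search base and filter matching the log above. Searching from
        # the domain root returns referrals to the ForestDnsZones /
        # DomainDnsZones / Configuration partitions (the "Rebinding to URL"
        # lines); narrow the base to an OU or disable chasing below.
        base_dn = "DC=mylab,DC=intern"
        filter  = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    options {
        chase_referrals = no
    }
}
```

      This bind-based path only works when the NAS sends a cleartext User-Password; MS-CHAP or EAP-MSCHAPv2 clients have to be verified with ntlm_auth through Samba winbind, which is the "SAMBA for NTLM Auth" route the post mentions. On pfSense the package writes these files from its GUI settings when the configuration is saved, so the same logic has to be expressed through the package's own options rather than by hand-editing raddb (assumption to verify against the installed package version).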


      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.