Netgate Discussion Forum

OpenVPN client authentication based on LDAP and certificate from domain CA

3 Posts 2 Posters 575 Views
Czuki91 (Feb 12, 2024, 5:24 PM):

    Hello.

    I am trying to implement OpenVPN on pfSense 2.7.2.
    The goal is for users to log in using their Active Directory credentials and a certificate issued by the domain CA.
    I have spent a lot of time looking for information on how to implement this, unfortunately without success.
    Can I ask for your support in providing information on how to implement such a solution?

    Thanks.

wojciech__ (Sep 11, 2024, 9:34 AM):

      Hey, I don't know if you have found a solution for it yet or not.
      I'm also looking for the same setup, and there is rather poor support for this topic on the internet or anywhere else.
      What I've found:
      There is no automation to create user certificates from the pfSense CA. So it would be hard to enroll 1000+ users if you wanted to, because you would have to manually generate 1000+ certificates, download them and hand them over to people.
      Yet it works if you follow this way, so pfSense checks the cert and LDAP/RADIUS checks the credentials.

      About enrolling user certificates by Windows CA:
      you can do it on Windows machines automatically by GPO, or use the insecure and no-longer-supported certsrv, but it works automatically only on Internet Explorer; if you would like to use it on Chrome then people would have to generate their own cert and create a CSR putting the cert inside... users in an organisation would have issues with that :)
      "Solution" for non-Microsoft domain devices:
      You as an admin get the Enrollment Agent certificate, and then you will be able to download a certificate on behalf of another domain user, then export the cert and pass it to the person as PKCS12.

      Now I've got an issue: I wanted to somehow use Windows CA user certificates and verify the user and his cert on NPS, but I don't know how to force the pfSense OpenVPN server to either pass the user cert to NPS to verify it, or have pfSense verify and trust the user cert from the domain CA.

      If anyone has any info, please help :)

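For the model described above (the domain CA issues the user cert, pfSense verifies it, LDAP/RADIUS checks the password), the following is an added example, not code from the thread or from pfSense, of a pre-issue check an admin can run on an exported user certificate before handing it out: it confirms the cert chains to the domain CA, carries the clientAuth EKU, and has a CN equal to the AD username so that a server-side username/CN match check can bind the certificate to the account. It assumes only the `openssl` CLI; all PKI material it creates is constructed throwaway test data.

```shell
#!/bin/sh
# Added example, not from the thread: pre-issue sanity check for a user
# certificate that a domain CA issued for OpenVPN client auth. Assumes the
# openssl CLI. All PKI material below is constructed throwaway test data.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# check_user_cert CA.pem USER.pem EXPECTED_USERNAME -> prints "ok" or the reason
check_user_cert() {
  ca=$1; cert=$2; user=$3
  # 1. the cert must chain to the domain CA that the OpenVPN server trusts
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || { echo untrusted-chain; return 0; }
  # 2. it must carry EKU clientAuth, which client-certificate checks on the server expect
  openssl x509 -in "$cert" -noout -text | grep -A1 'Extended Key Usage' \
    | grep -q 'TLS Web Client Authentication' || { echo no-clientauth-eku; return 0; }
  # 3. the CN must equal the AD username so a username/CN match ties cert to account
  cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  [ "$cn" = "$user" ] || { echo "cn-mismatch:$cn"; return 0; }
  echo ok
}

# Constructed test PKI: a "domain CA", a good user cert, one without the EKU,
# and an unrelated CA standing in for a cert issued outside the domain.
make_test_pki() (
  cd "$WORK"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
  printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' > user.ext
  for name in ca other; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$name.key" -out "$name.csr" \
      -subj "/CN=Constructed $name CA" 2>/dev/null
    openssl x509 -req -in "$name.csr" -signkey "$name.key" -out "$name.pem" -days 1 \
      -extfile ca.ext 2>/dev/null
  done
  openssl req -new -newkey rsa:2048 -nodes -keyout alice.key -out alice.csr \
    -subj "/CN=alice" 2>/dev/null
  openssl x509 -req -in alice.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -out alice.pem -days 1 -extfile user.ext 2>/dev/null
  openssl x509 -req -in alice.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -out noeku.pem -days 1 2>/dev/null
)
make_test_pki
check_user_cert "$WORK/ca.pem" "$WORK/alice.pem" alice       # ok
check_user_cert "$WORK/ca.pem" "$WORK/noeku.pem" alice       # no-clientauth-eku
check_user_cert "$WORK/other.pem" "$WORK/alice.pem" alice    # untrusted-chain
```

Against a real export, run `check_user_cert domain-ca.pem user.pem <sAMAccountName>` on the PEM extracted from the PKCS12 before the file leaves the admin's hands.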
wojciech__ (replying to wojciech__, Sep 17, 2024, 8:33 AM):

        Hey, in here I've described my work on this topic :)
        https://forum.netgate.com/topic/189447/openvpn-ssl-tls-user-auth-over-ldap/3

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.