OpenVPN client authentication based on LDAP and a certificate from the domain CA
-
Hello.
I am trying to implement OpenVPN on pfSense 2.7.2.
The goal is that users log in using their Active Directory credentials and a certificate issued by the domain CA.
I have spent a lot of time looking for information on how to implement this, unfortunately without success.
Can I ask for your support in providing information on how to implement such a solution? Thanks.
-
Hey, I don't know if you have found a solution for it yet or not.
I'm also looking for the same setup, and there is little support on this topic on the internet or anywhere else.
What I've found:
There is no automation to create user certificates from the pfSense CA. So it would be hard to enroll them for 1000+ users, if you wanted to, because you would have to manually generate 1000+ certificates, download them and hand them over to people.
Yet it works if you follow this way, so pfSense checks the cert and LDAP/RADIUS checks the credentials.
About enrolling user certificates with a Windows CA:
you can do it on Windows machines automatically by GPO, or use the insecure and no longer supported certsrv, but it only works automatically in Internet Explorer; if you would like to use it in Chrome then people would have to generate their own cert and create a CSR, putting the cert inside... users in an organisation would have issues with that :)
"Solution" for non-Microsoft domain devices:
You as an admin get the Enrollment Agent certificate, and then you will be able to download a certificate on behalf of another domain user, then export the cert and pass it to the person as PKCS#12.
Now I have an issue: I wanted to somehow use Windows CA user certificates and verify the user and his cert on NPS, but I don't know how to force the pfSense OpenVPN server to either pass the user cert to NPS to verify it, or to have pfSense verify and trust the user cert from the domain CA.
If anyone has any info, please help :)
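The setup the post describes (pfSense checks the certificate, LDAP/RADIUS checks the credentials) has one gap worth closing: unless the two identities are tied together, any valid certificate combined with any valid directory account is accepted. pfSense exposes this as the "Strict User/CN Matching" option on the OpenVPN server; the script below is an added example, not code from the thread or from pfSense, showing the equivalent check as an OpenVPN `auth-user-pass-verify ... via-env` hook. The directory lookup (`fake_directory_bind`) is a constructed stand-in for an LDAP bind or a RADIUS request to NPS; the account names and password are made up.

```python
#!/usr/bin/env python3
"""
Hypothetical OpenVPN credential hook (added example, not pfSense code).

OpenVPN runs a script configured as
    auth-user-pass-verify /path/to/this.py via-env
after the TLS handshake has already validated the client certificate
against the trusted CA. With the via-env method it exports the submitted
credentials and the certificate's common name as environment variables:
    username, password, common_name
Exit status 0 accepts the client, anything else rejects it.
"""
import os
import sys
from typing import Callable, Mapping, Tuple


def normalize_user(name: str) -> str:
    """Reduce 'DOMAIN\\user', 'user@domain.tld' and plain 'user' to lower-case 'user'."""
    name = name.strip()
    if "\\" in name:                      # DOMAIN\user (NetBIOS style)
        name = name.rsplit("\\", 1)[1]
    if "@" in name:                       # user@domain.tld (UPN style)
        name = name.split("@", 1)[0]
    return name.lower()


def user_matches_cn(username: str, common_name: str) -> bool:
    """True when the login name and the certificate CN identify the same account."""
    user = normalize_user(username)
    return bool(user) and user == normalize_user(common_name)


# Signature of the back-end credential check: (username, password) -> accepted?
CredentialCheck = Callable[[str, str], bool]


def verify(env: Mapping[str, str], check_credentials: CredentialCheck) -> Tuple[bool, str]:
    """
    Decide whether to accept the connection and say why, so the reason can be logged.

    Order matters: the certificate CN must vouch for the submitted username
    before any bind is attempted, so a stolen certificate cannot be paired
    with an unrelated account and a password is never sent to the directory
    for a name the certificate does not cover.
    """
    username = env.get("username", "")
    password = env.get("password", "")
    common_name = env.get("common_name", "")
    if not username or not password or not common_name:
        return False, "missing-field"
    if not user_matches_cn(username, common_name):
        return False, "cn-mismatch"
    if not check_credentials(username, password):
        return False, "bad-credentials"
    return True, "ok"


# Constructed directory stand-in: in production this function performs an
# LDAP simple bind as the user, or sends a RADIUS Access-Request to NPS.
_FAKE_DIRECTORY = {"jdoe": "correct horse battery staple"}


def fake_directory_bind(username: str, password: str) -> bool:
    """Accept only when the constructed directory holds exactly this password."""
    return _FAKE_DIRECTORY.get(normalize_user(username)) == password


if __name__ == "__main__":
    accepted, reason = verify(os.environ, fake_directory_bind)
    # Log the outcome without the password; OpenVPN forwards stderr to its log.
    print(f"auth user={os.environ.get('username', '')!r} "
          f"cn={os.environ.get('common_name', '')!r} result={reason}", file=sys.stderr)
    sys.exit(0 if accepted else 1)
```

The `reason` string is what a defender wants in the OpenVPN log: a run of `cn-mismatch` results for one certificate is a clear signal that a certificate is being tried against other people's accounts, which a plain accept/reject exit code would hide.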
-
Hey, here I've described my work on this topic :)
https://forum.netgate.com/topic/189447/openvpn-ssl-tls-user-auth-over-ldap/3