pfSense FreeRADIUS authentication to Active Directory



  • I am a new user and am using pfSense for the first time.

    I want to implement FreeRADIUS authentication with AD. I need to assign Service-Type = Administrative-User
    to Active Directory users who are members of the group NetworkAdmin, and reject non-administrators.

    pfSense FreeRADIUS is able to authenticate every Active Directory user, so LDAP -> GENERAL CONFIGURATION - SERVER 1 is OK.
    But when I configure filters for the group on LDAP -> Group Membership Options - SERVER 1, which modifies
    radiusd.conf, it stops working.
    I also need to modify the /etc/raddb/users file in order to tune the Service-Type.

    This is the configuration:

    radiusd.conf
    […]
                 groupname_attribute = cn
                 groupmembership_filter = "(&(cn=NetworkAdmin)(|(&(objectClass=group)(member=%{Ldap-UserDn}))(&(objectClass=top)(uniquemember=%{Ldap-UserDn}))))"
                 groupmembership_attribute = memberOf

    […]
    /etc/raddb/users

    DEFAULT Ldap-Group == "NetworkAdmin"
            Service-Type := Administrative-User,
            Reply-Message = "Welcome Administrator"

    DEFAULT Auth-Type := Reject
            Reply-Message = "Not allowed"

    Can anyone help me get authentication working with an Active Directory group?
    Thanks



  • In the end I left the group check out. Users who are added to the pfSense FreeRADIUS database are authenticated and the rest are rejected.

    Users are checked sequentially. When the end of the list in the file is reached, the attempt is rejected:

    /usr/local/etc/raddb/users

    "user1" Cleartext-Password := ""
            Service-Type := Administrative-User
    "user2" Cleartext-Password := ""
            Service-Type := Administrative-User
    "user2" Cleartext-Password := ""
            Service-Type := Administrative-User
    DEFAULT Auth-Type := Reject

    When adding new users using the pfSense menu, the last line is overwritten.
    "DEFAULT Auth-Type := Reject" has to be added at the end of the file by editing /usr/local/etc/raddb/users manually.

    Hope this helps someone.
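    The following is an added example, not code from any of the posts above, pfSense, or FreeRADIUS. It is a small Python simulator of how FreeRADIUS walks a users file (first matching entry wins unless it carries Fall-Through = Yes, DEFAULT matches any name, "==" items are compared against the request and ":=" items go into the control list). It uses a constructed users file that combines the group entry from the first post with per-user entries of the shape shown in the second post; the passwords are placeholders, and the file name USERS_FILE_NO_REJECT models the case where the trailing DEFAULT reject line has been overwritten.

```python
"""Simulator for FreeRADIUS ``users`` file matching (added example; this is
not pfSense or FreeRADIUS code).  Entries are tried top to bottom; the first
entry whose ``==`` check items all match the request applies its ``:=`` check
items to the control list, adds its reply items, and stops evaluation unless
it carries ``Fall-Through = Yes``.  ``DEFAULT`` matches any user name.
"""
import re

# Constructed users file modelled on the thread: the group entry from the
# first post in front, per-user entries like the second post, and the
# trailing DEFAULT reject.  Passwords are placeholders, not real values.
USERS_FILE = """\
DEFAULT Ldap-Group == "NetworkAdmin"
        Service-Type := Administrative-User,
        Reply-Message = "Welcome Administrator"

"user1" Cleartext-Password := "placeholder-pw-1"
        Service-Type := Administrative-User
"user2" Cleartext-Password := "placeholder-pw-2"
        Service-Type := Administrative-User
DEFAULT Auth-Type := Reject
        Reply-Message = "Not allowed"
"""

# The same file with the last entry overwritten, which the second post says
# happens when a user is added through the pfSense GUI.
USERS_FILE_NO_REJECT = USERS_FILE.rsplit("DEFAULT Auth-Type", 1)[0]

# attribute, operator (:= == =), value (quoted or bare, comma-separated)
ITEM_RE = re.compile(r'([\w-]+)\s*(:=|==|=)\s*("[^"]*"|[^,\s]+)')


def _items(text):
    """Parse 'Attr op value, Attr op value' into (attr, op, value) tuples."""
    return [(a, op, v.strip('"')) for a, op, v in ITEM_RE.findall(text)]


def parse_users(text):
    """Return a list of (name, check_items, reply_items) in file order."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():            # indented continuation: reply items
            if entries:
                entries[-1][2].extend(_items(line))
            continue
        name, _, rest = line.partition(" ")   # first token is the user name
        entries.append((name.strip('"'), _items(rest), []))
    return entries


def authorize(request, text=USERS_FILE):
    """Walk the users file for a request; return (matched, control, reply)."""
    matched, control, reply = [], {}, {}
    for name, checks, replies in parse_users(text):
        if name != "DEFAULT" and name != request.get("User-Name"):
            continue
        if any(request.get(a) != v for a, op, v in checks if op == "=="):
            continue
        matched.append(name)
        control.update((a, v) for a, op, v in checks if op == ":=")
        reply.update((a, v) for a, op, v in replies if a != "Fall-Through")
        if not any(a == "Fall-Through" and v.lower() == "yes"
                   for a, _, v in replies):
            break                        # first match wins
    return matched, control, reply


def decide(request, text=USERS_FILE):
    """Combine the authorize result with a PAP-style password comparison."""
    _, control, reply = authorize(request, text)
    if control.get("Auth-Type") == "Reject":
        return "Reject", reply
    if "Cleartext-Password" in control:
        ok = control["Cleartext-Password"] == request.get("User-Password")
        return ("Accept" if ok else "Reject"), reply
    # No known password and no Auth-Type: a real server leaves this to
    # other modules (the ldap module, in the first post's setup).
    return "Deferred", reply


if __name__ == "__main__":
    for req in ({"User-Name": "user1", "User-Password": "placeholder-pw-1"},
                {"User-Name": "bob", "User-Password": "x"},
                {"User-Name": "alice", "Ldap-Group": "NetworkAdmin"}):
        print(req["User-Name"], decide(req))
    print("bob without trailing reject:", decide({"User-Name": "bob"},
                                                 USERS_FILE_NO_REJECT))
```

    Running it shows why the second post insists on the trailing line: with the reject entry present an unknown user is explicitly rejected with "Not allowed", whereas once that entry has been overwritten the users file simply makes no decision for that user and the outcome depends on whatever other modules run.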



  • You can add "DEFAULT Auth-Type := Reject" with the GUI:

    You just create a new entry under "Users" and put this in the appropriate custom-options box.

    In pfSense 2.1 - when it is done and the freeradius2 package is ready for pfSense 2.1 - you will be able to easily move entries in "Users" using the GUI.

