Netgate Discussion Forum

    [SOLVED] [Potential Bug] LDAP/RADIUS Authentication

    webGUI
geudrik

      Hey guys,

      I've been playing with OpenLDAP and AD (coupled with FreeRADIUS, and NAP on the AD DS side) and have noticed a couple peculiar things as follows…

      OpenLDAP:
      Having created a couple groups and a few users, I set up LDAP authentication from the Users section. Authentication worked fine, but no groups would ever be returned. When an actual test was run from the login page (versus Diagnostics->Authentication), the message of no pages assigned would be returned.

      FreeRADIUS:
      Hoping that using a RADIUS box would solve the issue, I set it up. Sadly, I wound up with the same results. Successful login, no groups assigned.

      Notes:
Jason McNeil wrote up a post about pfSense doing weird things with LDAP. The only way he was able to get LDAP authentication to work was by adding in extraneous OU entries for individual users. Doing things this way is a hack-around method that now no longer conforms to the RFC. You can find his post here. The group name was added to pfSense with proper permissions assigned, though that never mattered as the LDAP user never had groups returned.

      AD DS:
      I'm using Windows Server 2012. I've got a couple test users and groups set up that can authenticate to the domain, each one belonging to a handful of groups. Each can log in and have personalized settings, yadda yadda.

NAP:
NAP (Network Policy and Access Services) [the snap-in that does RADIUS] is configured and working properly. I can authenticate against it from the WebUI as well as locally. The same issue arises, however: the user authenticates, but never gets any groups returned. Same result as when testing with OpenLDAP and FreeRADIUS.

      Conclusion:
I believe this is a bug with pfSense in the way that it queries for user information from both RADIUS and LDAP, especially given the support from Jason and his workaround using extraneous OUs. I would love some confirmation on this, or just thoughts in general. CentralAuth is something that I would really love to see as a feature of pfSense so that I can bring it into my working environment.

      If I can help in any way further, please don't hesitate to message me on the forums.

      Cheers,
      Geudrik

jimp (Rebel Alliance Developer, Netgate)

        The problem is that there just isn't code for the pfSense GUI to pull groups from RADIUS or LDAP currently.

        You have to make the groups on pfSense in the user manager and make dummy users and add them to the groups, and then it will recognize that the users are part of groups that pfSense can interpret.

        I believe there is already an open ticket for that somewhere. It won't get fixed for 2.1, but maybe 2.2.

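The mechanism jimp describes, modelled as an added example in Python (this is not pfSense code, which is PHP; all names, the sample directory and the local user/group data are constructed for illustration): the external backend only answers "valid credentials or not", and privileges are then taken solely from the local user manager. A directory user without a matching local "dummy" user therefore authenticates but lands on "no pages assigned". The audit helper lists which directory users would hit that condition, which is the check to run before pointing a production box at LDAP or RADIUS.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, Set, Tuple, List

# --- constructed sample data (assumptions, not from any real system) ---
# What the LDAP/RADIUS backend knows: usernames and passwords only, as far
# as this 2.1-era pfSense is concerned; directory group membership is never
# consulted.
DIRECTORY: Dict[str, str] = {"alice": "pw-alice", "bob": "pw-bob"}


@dataclass
class LocalGroup:
    name: str
    privileges: Set[str]  # e.g. "page-all"; constructed privilege names


@dataclass
class LocalUser:
    name: str
    groups: Set[str]  # names of LocalGroups this local user belongs to


# The workaround: a local group carrying privileges, plus a local "dummy"
# user with the same username as the directory account. Only alice has one.
LOCAL_GROUPS: Dict[str, LocalGroup] = {
    "netadmins": LocalGroup("netadmins", {"page-all"}),
}
LOCAL_USERS: Dict[str, LocalUser] = {
    "alice": LocalUser("alice", {"netadmins"}),
}


def external_auth(username: str, password: str, backend: Dict[str, str]) -> bool:
    """Stand-in for the LDAP bind / RADIUS Access-Request: yes or no, nothing more."""
    return backend.get(username) == password


def resolve_privileges(username: str,
                       local_users: Dict[str, LocalUser],
                       local_groups: Dict[str, LocalGroup]) -> Set[str]:
    """Privileges come only from local groups of the local user with that name.

    No local user -> empty set, regardless of what the directory says.
    """
    user = local_users.get(username)
    if user is None:
        return set()
    privs: Set[str] = set()
    for group_name in user.groups:
        group = local_groups.get(group_name)
        if group is not None:
            privs |= group.privileges
    return privs


def login(username: str, password: str,
          backend: Dict[str, str],
          local_users: Dict[str, LocalUser],
          local_groups: Dict[str, LocalGroup]) -> Tuple[bool, Set[str]]:
    """(authenticated, privileges). True with an empty set is 'no pages assigned'."""
    if not external_auth(username, password, backend):
        return False, set()
    return True, resolve_privileges(username, local_users, local_groups)


def audit_missing_shadows(directory_users,
                          local_users: Dict[str, LocalUser],
                          local_groups: Dict[str, LocalGroup]) -> List[str]:
    """Directory accounts that would authenticate but receive no privileges."""
    return sorted(u for u in directory_users
                  if not resolve_privileges(u, local_users, local_groups))


if __name__ == "__main__":
    for name, pw in (("alice", "pw-alice"), ("bob", "pw-bob"), ("bob", "wrong")):
        ok, privs = login(name, pw, DIRECTORY, LOCAL_USERS, LOCAL_GROUPS)
        print(f"{name}: authenticated={ok} privileges={sorted(privs)}")
    print("would get 'no pages assigned':",
          audit_missing_shadows(DIRECTORY, LOCAL_USERS, LOCAL_GROUPS))
```

Note that the password stored on the local dummy user plays no part in the external login path above (the backend decides), which is why the local copy should be a throwaway value and the local account should never be granted more groups than the directory account is meant to have.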
geudrik

Cheers, Jimp! Thanks for the info!

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.