RADIUS vs LDAP for AD authentication for OpenVPN



  • So I plan to setup an OpenVPN server in pfSense, but I'm a little unclear on something.

    I want to have OpenVPN access delegated by our Active Directory domain. I see two ways this is done.

    1. Setup auth through a RADIUS server that then auths through Active Directory

    2. Setup auth through LDAP that directly queries Active Directory

    Now, both seem to fulfill the needs I have, but #2 seems to be more straight-forward.

    Is there any good reason to use RADIUS instead of LDAP in this particular regard? Can anyone speak on the pros/cons of each? I don't see why LDAP queries would be an issue, but I am curious if RADIUS would offer something I would not see in LDAP queries.

    Lend me your brains.



  • @BloodyIron:

    1. Setup auth through LDAP that directly queries Active Directory

    actually I am also looking for a similar solution, having to maintain 3 diff passwords on our network is pissing off a lot of ppl in my office. lol



  • @BloodyIron:

    Is there any good reason to use RADIUS instead of LDAP in this particular regard?

    You might find that RADIUS suits you better if you're allowing VPN connections from machines that have never joined your network - especially if you're using Network Access Protection or other granular remote access policies.  You may also want to use it if you've deployed RADIUS for other systems (non Microsoft routers, for example).  Combine all your network authentication needs in one place.

    Personally I'd go for LDAP/Active Directory (which is what I'm doing right now).  Simple set-up.



  • When using LDAP or RADIUS for authentication with openVPN, are users prompted for login/password when connecting? We use another openVPN implementation where it doesn't, and I'm not familiar with the expected behavior with LDAP/RADIUS.

    Thanks for the info :)

    @Rob:

    @BloodyIron:

    Is there any good reason to use RADIUS instead of LDAP in this particular regard?

    You might find that RADIUS suits you better if you're allowing VPN connections from machines that have never joined your network - especially if you're using Network Access Protection or other granular remote access policies.  You may also want to use it if you've deployed RADIUS for other systems (non Microsoft routers, for example).  Combine all your network authentication needs in one place.

    Personally I'd go for LDAP/Active Directory (which is what I'm doing right now).  Simple set-up.



  • @BloodyIron:

    When using LDAP or RADIUS for authentication with openVPN, are users prompted for login/password when connecting?

    I'm in a proof of concept phase at the moment, so I'm not sure how much this can be tweaked.  I can say for sure that when firing up the OpenVPN client, as I have configured it on a Windows 7 machine, there's a username/password prompt.  The username doesn't require a domain part.  There's probably a configuration option to pre-fill the username?

    Ideally I'd like to aim for what the native Windows VPN client is capable of: pass through the currently logged-on user's domain credentials.  Not sure if that's even possible though - I suspect Kerberos credentials are used in that instance.

    Then after that, I'll be investigating whether it's possible to establish the VPN connection before (and as part of) log on to the computer.  Single sign on effectively.  I'm sure there will be documentation about that - just haven't got to it yet.



  • @Rob:

    @BloodyIron:

    Is there any good reason to use RADIUS instead of LDAP in this particular regard?

    You might find that RADIUS suits you better if you're allowing VPN connections from machines that have never joined your network - especially if you're using Network Access Protection or other granular remote access policies.  You may also want to use it if you've deployed RADIUS for other systems (non Microsoft routers, for example).  Combine all your network authentication needs in one place.

    Personally I'd go for LDAP/Active Directory (which is what I'm doing right now).  Simple set-up.

    Hi Rob,

    You say it's a simple set-up.
    Can you tell me what steps to follow? Since everything I tried doesn't work.

    I'm trying to setup an vpn-connection via openvpn that authenticates by active directory.
    It works already when not authenticating by active directory.
    I believe this is what you are talking about.



  • Sure.  From the OpenVPN: Server page, I clicked the "Wizards" and followed that through.  I do recall that the LDAP configuration wasn't entirely intuitive.  So here are a few settings that work for me, with a Windows 2008 domain controller:

    • Protocol version: 3

    • Search scope: entire subtree

    • BaseDN: DC=Our domain,DC=local

    • Authentication containers: OU=Our users,DC=Our domain,DC=local

    • Bind credentials: a dedicated "domain user" account

    • User naming attribute: samAccountName

    • Group naming attribute: cn

    • Group member attribute: memberOf

    Have you managed to get authentication working?  Are you on a recent release of pfSense?



  • authentication is working. (Diagnostics -> Authentication -> Test)

    2.1-RELEASE (i386)
    built on Wed Sep 11 18:16:22 EDT 2013
    FreeBSD 8.3-RELEASE-p11



  • Okay, good.

    Next, these are some of the settings I needed on my OpenVPN configuration:

    • Server mode: Remote Access (User Auth)

    • Backend for auth: obviously the LDAP connection configured earlier

    • Protocol: UDP

    • Device mode: tun

    • Interface: the WAN interface

    • Local port: 1194

    • TLS auth: enabled; certificate shown in the next box

    • Peer certificate auth, etc.: the one configured by the wizard

    • IPv4 tunnel network: here I used a network that does not exist on the internal network.  Internally, we use 10.12.0.0/16, so here I entered 192.168.20.0/24.  Doesn't really matter what you use as long as it's from a private range and doesn't overlap any other network.

    • Redirect gateway: disabled (no check mark)

    • IPv4 local network: 10.12.0.0/16, see above

    • Dynamic IP: checked

    • Address pool: checked

    • DNS/NTP stuff: everything here was from the LAN side

    • NetBIOS: not checked



  • Thanks for the help
    Now it works !!



  • Ah, brilliant!



  • Oh, now the next problem…

    when I have a VPN-connection and I try to go to our server I can't use its name, I have to use the IP-adress.
    At the Openvpn-server-configuration on PfSense I checked "Provide a DNS server list to clients" and I placed our internal DNS-server in that list.



  • Do you have an "allow all" rule on the OpenVPN network?  (You probably do, if you used the wizard.)  Sounds like DNS traffic isn't being allowed through the tunnel for some reason.

    You could possibly enable NetBIOS over TCP/IP in the OpenVPN server settings.  That would enable the remote computer to fall back to WINS if DNS isn't working.  I think I usually choose "H-node", but experiment perhaps.  You can also switch on "Redirect Gateway", if you prefer all traffic to go via your LAN's gateway while the tunnel's established.

    Mind you, if DNS isn't working, you'll probably have a lot of other problems too.



  • It looks it has something to do with dns-suffix's

    when I set the dns-suffix in the network-connection settings, it works.
    or when i go to \server.domain.local instead of \server it works.

    Is there are way this is not necessary?



  • Ah okay.  Yeah, your remote workstation does need to know the full domain somehow.  Sounds like you've cracked it?



  • Looks like I did  :)
    I did set the "Provide a default domain name to clients"
    but there I only placed our domain, not domain.local

    Now it's working. Thanks a lot !!



  • Cool.  Good work.



  • Adding to the original topic of this thread, my testing so far is very successful with using LDAP to auth against AD. I haven't yet found a reason to use RADIUS over LDAP, and RADIUS seems like added work.

    I'll try to post more information as it comes.



  • You'd probably want RADIUS for granular NAP/VPN quarantine, I'd think.



  • Where I'm stuck now is figuring out how to get pfSense to only allow members of a domain group to successfully connect, not just rely on the cert.

    @Rob:

    You'd probably want RADIUS for granular NAP/VPN quarantine, I'd think.



  • Surely you'd control that through the remote dial-in permission in AD, which OpenVPN has to honour?



  • From what I'm seeing using LDAP to auth in pfsense just does an LDAP query against the domain. I can't yet get it to query against a domain group for members, which is what I want. Whenever I adjust the scope of the query to a specific group it seems to not authorize the user under diagnostics -> authentication.

    @Rob:

    Surely you'd control that through the remote dial-in permission in AD, which OpenVPN has to honour?



  • Yeah, I saw similar.  But if you use the Remote Dial-In permission, you'll achieve the result you desire.  You can even use Group Policy to apply that to the group you have in mind.



  • I don't see how an LDAP query can pull that permission info. Additionally we're running a SAMBA4 AD so I'm uncertain of the relevance of dial-in permission for this implementation. I also don't know how GPO would affect an LDAP query?

    @Rob:

    Yeah, I saw similar.  But if you use the Remote Dial-In permission, you'll achieve the result you desire.  You can even use Group Policy to apply that to the group you have in mind.



  • Gotcha.  My bad.  I assumed you were using AD.  I guess you'll need to debug your LDAP query problem.



  • It is Active Directory. The LDAP queries against this would behave the same as if against a Microsoft Server Active Directory. I have a test user that can authenticate without being granted the dial-in permissions, and in past LDAP query setups I haven't seen such parameters of users passed in queries (but I could be wrong).

    Do you have any idea why my queries to specific groups may be failing? It could be syntax, but online documentation is very unhelpful for pfsense, in this particular topic :/

    @Rob:

    Gotcha.  My bad.  I assumed you were using AD.  I guess you'll need to debug your LDAP query problem.



  • Okay, let me take a step back.  I might be wrong about the dial-in permission.  I'd taken it as a given but never actually tested.

    I have not tried to use LDAP queries against a security group, but they definitely work for me against an OU (not a container mind you).  Have you tried a specific OU?  Eg: OU=VPN  Users,DC=YourDomain,DC=local



  • No I haven't against a specific OU. My understanding though is that in that case I would have to create duplicate accounts, which is not what I'm looking for. We have multiple sites so we organize accounts based on location (like, city). So if I were to use an OU I would have to either move accounts into a VPN OU, or duplicate accounts.

    Or, I'm misunderstanding. Am I? I thought groups were CNs.

    @Rob:

    Okay, let me take a step back.  I might be wrong about the dial-in permission.  I'd taken it as a given but never actually tested.

    I have not tried to use LDAP queries against a security group, but they definitely work for me against an OU (not a container mind you).  Have you tried a specific OU?  Eg: OU=VPN  Users,DC=YourDomain,DC=local



  • You can use multiple DNs separated by semi-colons, so you could have one OU for each site.



  • Be that as it may, I want more granular control. I don't want everyone at a site to inherently have VPN access. I follow the mantra of only needed access. As such I want access delegated by group membership (and having their own cert too of course).

    How can I get LDAP auth to query against a specific group?

    @Rob:

    You can use multiple DNs separated by semi-colons, so you could have one OU for each site.



  • Okay so I think I've found how to configure the LDAP authentication to check against domain groups (or a single group). I had to dig around and found this bug report ( https://redmine.pfsense.org/issues/1009 ) If you read #7 in the list the person refers to this thread ( https://forum.pfsense.org/index.php?topic=48961.0 ).

    So to test I've been using Diagnostics -> Authentication. I have a test account, and tested if auth failed when in and out of the group. Auth succeeded when in the group, and failed when not in the group. Working how I want!

    So how I have it is as follows.

    Level: Entire Subtree (but this can probably work at one level too)
    Base DN: DC=domain,DC=local
    Containers: DC=domain,DC=local
    Extended Query (checked): memberOf=CN=VPNgroup,OU=Groups,DC=domain,DC=local

    The rest is still using the initial recommended Active Directory parameters when I first set up the "Server" configuration.

    Now to complete setup and test this for actual OpenVPN access now, wheee!



  • So with my test account I have this set up exactly how I want. If the user account is disabled, auth fails. If the user is not part of the group, auth fails. To clarify, when I try to connect with the openvpnmanager it keeps prompting for login when either not member of the group or account disabled.

    Now I need to test deleting/revoking the cert to make sure that works how I want. Also testing that the manager does work with a non-privileged user.



  • The cert revocation list works quite well! Interestingly enough it seems to just appear as a connection reset from the user's perspective, there's no "access denied" equivalent. I wonder if this is intentional.

    I'm good to go it seems!



  • I presume you'll need to use a security group and query against the group's DN.  But I've never tried that personally.



  • I've outlined above how this is achieved.

    @Rob:

    I presume you'll need to use a security group and query against the group's DN.  But I've never tried that personally.



  • Oh that's great - missed that.  Good work.



  • btw for those interested, I'm trying to add fail-over for auth for openVPN, the thread is at : https://forum.pfsense.org/index.php?topic=73544.0



  • in case you are still trying to get RADIUS over AD,
    this link is the solution.
    I test and it works fine for me

    https://doc.pfsense.org/index.php/OpenVPN_with_RADIUS_via_Active_Directory
    


  • I actually also got the AD for authentication working for our Openvpn implementation, key is using the extended query option to differentiate between OU, apart this there is nothing much to change in your AD structure.