OpenVPN & AD user authentication in 2.1



  • Hi All,

    Can it be done is probably my first question… Seen mixed msg on diff fora and google.

    Would like to setup OpenVPN to authenticate user against an MS Active Directory...
    Keep in mind, I am not a AD specialist at all - but understand the basic concepts of LDAP.

    Environment =
    PfSense
    Version 2.1-RELEASE (i386)
    built on Wed Sep 11 18:16:50 EDT 2013
    FreeBSD 8.3-RELEASE-p11

    When using the
    Diagnostics: Authentication
    via the pfSense webpage
    I get a hopeful result.

    User: Xxxx authenticated successfully.
    This user is a member of these groups:

    <there are="" no="" groups="" reported,="" but="" the="" user="" is="" member="" of="" several="" in="" ad...="">Config
    System: Authentication Servers

    Descriptive name AD
    Type LDAP

    Search scope
    Level: One level
    Base DN:  DC=company,DC=local

    Authentication containers (3)
    OU=SBSUsers,OU=Users,OU=MyBusiness,DC=company,DC=local
    CN=Users,DC=company,DC=local;OU=Domain Controllers,DC=company,DC=local;
    OU=MyBusiness,DC=company,DC=local

    Bind credentials with user OpenVPN + password (doesn't seem to work at all when using anonymous binds)

    User naming attribute samAccountName
    Group naming attribute cn
    Group member attribute MemberOf

    VPN config

    Server Mode: Remote Access (User Auth)
    Backend for authentication
    AD
    Local Database

    OpenVPN log (newest to oldest) when using a AD user.
    Jan 16 19:52:33 openvpn[92746]: 183.x.y.z:57610 Peer Connection Initiated with [AF_INET]183.x.y.z:57610
    Jan 16 19:52:32 openvpn[92746]: 183.x.y.z:57610 TLS Auth Error: Auth Username/Password verification failed for peer
    Jan 16 19:52:31 openvpn[92746]: 183.x.y.z:57610 WARNING: Failed running command (–auth-user-pass-verify): external program exited with error status: 255
    Jan 16 19:52:30 openvpn: user 'Xxxx' could not authenticate.

    Connection is coming from a linux based openvpn client (command line)
    but that should make a difference, I hope -
    If we get this going clients will be on Android phones, Mac's, Windows PCs etc.

    Any idea as to why the Diagnostics: Authentication returns a successful authentication but no groups?
    Do we need a group(s) to be returned?

    Any ideas as to why the authentication completely fails with OpenVPN?
    We don't need AD for authentication to get into pfSense itself, only for OpenVPN...

    Suggestions & recent howto's would be great.

    Thanks

    Peter</there>



  • Small progress

    Adjusted Authentication server setup so that

    Level: Entire SubTree

    Authentication containers (4)

    CN=Users,DC=company,DC=local;
    OU=SBSUsers,OU=Users,OU=MyBusiness,DC=company,DC=local;
    OU=Security Groups,OU=MyBusiness,DC=company,DC=local;
    OU=Users,OU=MyBusiness,DC=company,DC=local

    Now
    Diagnostics: Authentication

    return a group (1 not all)

    User: Xxxxx authenticated successfully.
    This user is a member of these groups:
    Mobile Users

    OpenVPN authentication (from linux based laptop…)
    works if user name is in local database
    but NOT when trying to use a name in the AD...

    Any suggestions?

    Thx

    Peter


Log in to reply