Netgate Discussion Forum

    CP with FreeRadius and LDAP

      demirdag

      Hi Everybody!

      I'd like to get some help with the setup as described in the subject. I currently have a pfSense setup with FreeRadius2 set up to use LDAP for user authentication. This all works like I want it to. I just have one issue that needs to be resolved.

      How can I make use of groups in my W2K8R2 AD? My current setup allows me to authenticate on the Captive Portal with any account that exists in the AD. I don't like the idea that every account used will grant a user access. What I actually want is to place users in an AD group and have FreeRadius check if the user account entered on the Captive Portal is a member of this AD group. How do I do this with LDAP? What should I enter in the GroupMembership filter/attributes and Groupname attribute fields? I haven't the faintest idea.

      Checking the group membership for a user would greatly improve the user-friendliness for me and my customers. Thank you in advance!

        Anfänger

        Same problem here!
        Seems like the Group Membership check is not yet implemented correctly to work with AD (pfSense 2.2.4)?

        Has anybody out there got it working?

          jimp Rebel Alliance Developer Netgate

          I don't run FreeRADIUS with LDAP, but in general with LDAP what you must do is set up a filter. In the User Manager Server entries in pfSense it's called "Extended Filter" and for AD you'd use one such as "memberOf=CN=portalusers,CN=Users,DC=example,DC=com" with your setup details filled in, of course.

            Anfänger

            As described in this post: https://forum.pfsense.org/index.php?topic=43675.msg515428#msg515428 there seems to be an issue in the Freeradius2 implementation in pfSense.
            I solved the problem as follows:
            1. In Freeradius-LDAP, enabled Authentication and Authorization.
            2. Set Group Membership Filter for AD: (|(&(objectClass=group)(member=%{control:Ldap-UserDn})))
               Saved the configuration.
            3. Inserted as the first line in the radius Users file: DEFAULT LDAP-Group == "AD-Group Users have Access", Auth-Type := LDAP
            4. In freeradius sites-enabled/default, authorize section, disabled the ldap part (here lines 207-210):
               #redundant {
               ldap
               ldap2 disabled
               #}
               You have to disable this every time the freeradius configuration changes and is saved!
            5. Restart freeradius :)
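
The two filter shapes mentioned in this thread (the user-side memberOf "Extended Filter" and the group-side member filter), built with RFC 4515 value escaping so a login name typed into the portal cannot change the filter's structure. This is an added example, not code from the thread or from pfSense/FreeRADIUS; it also goes one step further than the thread by showing Active Directory's nested-group matching rule. Assumptions: sAMAccountName is the login attribute, and all DNs and account names are constructed sample values.

```python
# Added example: build AD group-restriction LDAP filters with RFC 4515 escaping.
# The group DN, user DN and login names used here are constructed samples.

# RFC 4515 section 3: these characters must be written as \XX inside a value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# AD "matching rule in chain" OID; makes memberOf follow nested groups.
IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def member_of_filter(group_dn: str, nested: bool = False) -> str:
    """Extended-filter form: matches user entries that belong to group_dn."""
    attr = f"memberOf:{IN_CHAIN}:" if nested else "memberOf"
    return f"({attr}={escape_filter_value(group_dn)})"


def user_in_group_filter(login: str, group_dn: str, nested: bool = False) -> str:
    """User search filter restricted to one group (sAMAccountName is assumed)."""
    user = f"(sAMAccountName={escape_filter_value(login)})"
    return f"(&{user}{member_of_filter(group_dn, nested)})"


def group_has_member_filter(user_dn: str) -> str:
    """Group-side form: matches group objects that list user_dn as a member."""
    return f"(&(objectClass=group)(member={escape_filter_value(user_dn)}))"


if __name__ == "__main__":
    group = "CN=portalusers,CN=Users,DC=example,DC=com"
    print(member_of_filter(group))
    print(user_in_group_filter("jdoe", group, nested=True))
    # Filter metacharacters in a login stay inside the value after escaping.
    print(user_in_group_filter("*)(objectClass=*", group))
    # A DN containing an escaped comma: its backslash must become \5c.
    print(group_has_member_filter("CN=Doe\\, John,CN=Users,DC=example,DC=com"))
```
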

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.