1. Home
  2. pfSense® Software
  3. Captive Portal
  4. CP with FreeRadius and LDAP

CP with FreeRadius and LDAP

  • D

    Hi Everybody!

    I'd like to get some help with the setup as described in je subject. I currently have a pfSense setup with FreeRadius2 setup to use LDAP for user authentication. This all works like I want it to. I just have one issue that needs to be resolved.

    How can I make use of groups in my W2K8R2 AD? My current setup allows me to authenticate on the Captive Portal with any account that exists in the AD. I don't like the idea that every account used will grant a user access. What I actually want is to place users in an AD group and have FreeRadius check if the useraccount entered on the Captive Portal is a member of this AD group. How do I do this with LDAP? What should I enter in the GroupMembership filter/attributes/ and Groupname attribute fields?? I haven't the faintest idea.

    Checking the group membership for a user would greatly improve the user friendlyness for me and my customers. Thank you in advance!

    0
  • A

    Same Problem here !
    Seems like the Group Membership check is yet not implemented correctly to work with AD ( pfsense 2.2.4 ) ?

    Is there anybody out there got it working ?

    0
  • jimp
    Rebel Alliance Developer Netgate

    I don't run FreeRADIUS with LDAP but in general with LDAP what you must do is setup a filter. In the User Manager Server entries in pfSense it's called "Extended Filter" and for AD you'd use one such as "memberOf=CN=portalusers,CN=Users,DC=example,DC=com" with your setup details filled in, of course.

    0
  • A

    As describe in this post : https://forum.pfsense.org/index.php?topic=43675.msg515428#msg515428 there seems to be an issue in the Freeradius2 Implementation in pfsense.
    I solved the problem as follows :
    1. in Freeradius-LDAP enabled Authentication and Authorization.
    2. Set Group Membership Filter for AD : (|(&(objectClass=group)(member=%{control:Ldap-UserDn})))
    Saved Configuration
    3. Inserted in radius Users File first line : DEFAULT LDAP-Group == "AD-Group Users have Access", Auth-Type := LDAP
    4. in freeradius sites-enabled/default authorize-section disabled the ldap part ( here  line 207-210 : #redundant {

    ldap

    ldap2 disabled

    #}
    You have to disable this everytime the freeradius configuration changes and is saved !
    5. restart freeradius  :)

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy