CP with FreeRadius and LDAP



  • Hi Everybody!

    I'd like to get some help with the setup as described in the subject. I currently have a pfSense setup with FreeRadius2 set up to use LDAP for user authentication. This all works like I want it to. I just have one issue that needs to be resolved.

    How can I make use of groups in my W2K8R2 AD? My current setup allows me to authenticate on the Captive Portal with any account that exists in the AD. I don't like the idea that every account used will grant a user access. What I actually want is to place users in an AD group and have FreeRadius check if the user account entered on the Captive Portal is a member of this AD group. How do I do this with LDAP? What should I enter in the Group Membership filter/attributes and Group name attribute fields? I haven't the faintest idea.

    Checking the group membership for a user would greatly improve the user-friendliness for me and my customers. Thank you in advance!



  • Same problem here!
    Seems like the Group Membership check is not yet implemented correctly to work with AD (pfSense 2.2.4)?

    Is there anybody out there who got it working?


  • Rebel Alliance Developer Netgate

    I don't run FreeRADIUS with LDAP, but in general with LDAP what you must do is set up a filter. In the User Manager server entries in pfSense it's called "Extended Filter", and for AD you'd use one such as "memberOf=CN=portalusers,CN=Users,DC=example,DC=com" with your setup details filled in, of course.



  • As described in this post: https://forum.pfsense.org/index.php?topic=43675.msg515428#msg515428 there seems to be an issue in the Freeradius2 implementation in pfSense.
    I solved the problem as follows:
    1. In Freeradius-LDAP, enabled Authentication and Authorization.
    2. Set the Group Membership Filter for AD: (|(&(objectClass=group)(member=%{control:Ldap-UserDn})))
       Saved the configuration.
    3. Inserted in the radius Users File as first line: DEFAULT LDAP-Group == "AD-Group Users have Access", Auth-Type := LDAP
    4. In freeradius sites-enabled/default, authorize section, disabled the ldap part (here lines 207-210):
       #redundant {
       ldap
       ldap2 disabled
       #}
       You have to disable this every time the freeradius configuration changes and is saved!
    5. Restart freeradius :)
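The check the steps above configure, as an added stand-alone Python model (not code from this thread or from FreeRADIUS): it substitutes the user DN into the quoted Group Membership Filter, evaluates that filter against a small constructed AD-like directory, and accepts only members of the group, the way the DEFAULT line in the users file gates Auth-Type := LDAP. The directory entries, the user names and the portalusers group are constructed assumptions; the filter string and the %{control:Ldap-UserDn} placeholder are the ones quoted in the post.

```python
# Constructed AD-like entries (DN -> attributes); not a real directory
DIRECTORY = {
    "CN=alice,CN=Users,DC=example,DC=com": {"objectClass": ["user"], "sAMAccountName": ["alice"]},
    "CN=bob,CN=Users,DC=example,DC=com": {"objectClass": ["user"], "sAMAccountName": ["bob"]},
    "CN=portalusers,CN=Users,DC=example,DC=com": {
        "objectClass": ["group"], "cn": ["portalusers"],
        "member": ["CN=alice,CN=Users,DC=example,DC=com"]},
}
GROUP_FILTER = "(|(&(objectClass=group)(member=%{control:Ldap-UserDn})))"  # as quoted in the post
REQUIRED_GROUP = "portalusers"  # stands in for "AD-Group Users have Access" in the users-file line

def parse_filter(s, i=0):
    """Minimal RFC 4515 parser: &, |, ! and attr=value (no wildcards)."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|!":
        op, items, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse_filter(s, i)
            items.append(node)
        return (op, items), i + 1          # skip the closing ')'
    end = s.index(")", i)
    attr, value = s[i:end].split("=", 1)
    return ("=", attr, value), end + 1

def matches(node, attrs):
    """Evaluate a parsed filter against one entry; values compare case-insensitively."""
    if node[0] == "=":
        return node[2].lower() in [v.lower() for v in attrs.get(node[1], [])]
    if node[0] == "!":
        return not matches(node[1][0], attrs)
    return (all if node[0] == "&" else any)(matches(n, attrs) for n in node[1])

def user_dn(username):
    """Lookup step: sAMAccountName -> DN, the value rlm_ldap exposes as control:Ldap-UserDn."""
    return next((dn for dn, a in DIRECTORY.items() if username in a.get("sAMAccountName", [])), None)

def ldap_groups(username):
    """Groups the filter yields for this user: substitute the DN, search, collect cn."""
    dn = user_dn(username)
    if dn is None:
        return []
    flt, _ = parse_filter(GROUP_FILTER.replace("%{control:Ldap-UserDn}", dn))
    return [a["cn"][0] for a in DIRECTORY.values() if matches(flt, a)]

def portal_decision(username):
    """Only members of REQUIRED_GROUP take the LDAP Auth-Type; any other account is rejected."""
    return "Access-Accept" if REQUIRED_GROUP in ldap_groups(username) else "Access-Reject"
```

Without the group filter every valid AD account would reach Auth-Type := LDAP; with it, bob (a valid account outside the group) and unknown users both end in Access-Reject.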