• Hi,

    Some questions concerning the FreeRADIUS implementation on pfSense:

    • Can you use the LDAP (389) port when you select TLS options (i.e. use StartTLS over 389)?  Or does this only work over ldaps?

    • Do you have to supply a copy of the server cert?  Normally with LDAP clients I only need the CA cert.  Does pfSense work if I only select the CA cert and leave the server cert as none?

    • Do any explicit firewall rules need to exist to allow traffic from the router to the LDAP server on the LAN?  Does the traffic get seen as coming from the gateway address on the LAN, or does the router automatically have access to the LAN net from the localhost?

    Regards,
    Rob.


  • Solved.

    • Yes, you can; the config option "start_tls" is used, independent of the protocol type.

    • No, you do not; however, there is some "faff" you have to go through to get FreeRADIUS to operate with only the CA cert. See here: https://forum.pfsense.org/index.php?topic=84564.0

    • No rules appear to be required; the router services have access onto the VLAN without explicit rules.

    Regards,
    Rob.