IKEv2 and Active Directory



  • Hi there

    I'm using pfSense 2.2.1

    Is it possible to set up an IKEv2 VPN, but authenticate username/password using Active Directory? Looking at the StrongSwan wiki, it seems we'd need to compile in the 'eap-radius' plugin, but I'm not sure if that is available.

    What I am trying to do is set up an IPsec VPN to authenticate Windows remote clients against the local AD (this is to replace a TMG 2010 install).

    Thanks in advance for any advice/help - I can post config etc if this should be possible to troubleshoot further
    Peter



  • Do not look at strongswan but just set up a login server as you would do for pfSense AD user authentication and use that on the mobile settings.



  • Thanks for the reply Ermal

    I've actually already done that, but it does not seem to try authentication against the AD if I select IKE2 and EAP-MSCHAPv2 as the authentication method - should I be using a different authentication method?

    Just to clarify - I actually followed this guide:
    https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2

    Except did exactly what you suggest and changed "Local database" to my AD server setup in User Manager



  • Still not getting anywhere with this - I have my auth server set up as LDAP - should it be RADIUS for this to work?

    Thanks again for any advice
    Peter



  • EAP-MSCHAPv2 will not work with LDAP. In essence, your client sends over an MD4 hash of your password, not the actual password itself.
    See "The Protocol" section: https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/

    LDAP expects a clear-text username and password to look-up, which EAP-MSCHAPv2 cannot provide. EAP-Radius should allow us to authenticate against a Windows NPS server, which is able to perform a hash look-up directly on AD. We already do this on our network for Wi-Fi where we use PEAP-EAP-MSCHAPv2. It appears NPS can also do EAP-MSCHAPv2 directly avoiding the redundant TLS tunnel.

    When I run "ipsec listplugins" from ssh, it does list EAP-Radius as a plugin, so I think strongSwan on pfSense already has it compiled in. The UI of pfSense simply does not support it yet.

    Ermal, are there any plans to support configuring EAP-Radius? If there are, will it support redundant radius servers like seen here:
    https://wiki.strongswan.org/projects/strongswan/wiki/EAPRAdius#Example-configuration

    Is there a way to edit the ipsec.conf and strongswan.conf config files directly without them interfering with the UI or being blown away when the UI is modified?



  • Thanks ltctech!  That explains why it won't work for me.

    Whilst there is no support for this currently in the UI, as you say, maybe we can config the files manually, or is there any other way of VPN authenticating against AD?  I don't want to use OpenVPN, just native Windows VPN.

    Any advice much appreciated
    Peter



  • Should I raise a feature request to get support for Strongswan EAP-RADIUS plugin added to the GUI config?  Is there any other way of authenticating a VPN user against Active Directory without using OpenVPN?

    Thanks
    Peter



  • I am in need for this feature as well.



  • I need this too and hacked around in the project. Can someone please test the patches before I submit pull requests?

    For the 2.2 release:
    https://github.com/ibauersachs/pfsense/tree/ipsec-mobile-eap-radius_2-2
    https://github.com/ibauersachs/pfsense/commit/1aa6a7685020ad179d7b612200f6edfa87b6152a

    Based on the master development branch:
    https://github.com/ibauersachs/pfsense/tree/ipsec-mobile-eap-radius
    https://github.com/ibauersachs/pfsense/commit/4a47c6f8a744c69936742e4f222d721fac51ef99

    You can "install" the files from these commits by logging in via SSH and using fetch to overwrite the local files, e.g. for 2.2:

        cd /etc/inc
        fetch https://github.com/ibauersachs/pfsense/raw/1aa6a7685020ad179d7b612200f6edfa87b6152a/etc/inc/ipsec.inc



  • Thanks so much for this ibauersachs

    I've successfully applied the patch on top of 2.2.1, and I can see the EAP-RADIUS option and pre-shared key fields.  I hope to find some time later today to test if this works for us - I'll post back the results as soon as I can

    Thanks again!
    Peter



  • This should work already in pfSense.
    An external script is executed to perform authentication by pfSense tools.

    Granted accounting is still not implemented by that.

    I will analyse the pull request as well; it is also noted on redmine: https://redmine.pfsense.org/issues/4614

    @ibauersachs,

    can you submit a pull request for this and sign the contributor agreement?
    Mention the redmine in your pull request.



  • I couldn't get RADIUS to work with the external script and the Windows IKEv2 client. As far as I can tell this cannot work because the script relies on the cleartext username/password, which Windows doesn't provide with the MSCHAP authentication.

    Pull requests:
    Master: https://github.com/pfsense/pfsense/pull/1612
    RelEng 2.2: https://github.com/pfsense/pfsense/pull/1613

    (Those are rebased on today's commits, so the commit-links of my previous post are no longer valid)

    I've already signed the CLA.



  • Can you add in "secondary" radius server support, not just "primary". It would be great to have redundancy in case an NPS server has to be taken down for maintenance. Thanks.



  • It normally should allow for multi selection like all other places.



  • @ermal:

    It normally should allow for multi selection like all other places.

    It allows you to select multiple radius servers in mobile clients tab. Problem is that it doesn't actually properly write strongSwan.conf then. Instead of properly populating the radius attr section with primary and secondary, it sticks their names into x-auth generic which will not work.


  • Rebel Alliance Developer Netgate

    @ltctech:

    @ermal:

    It normally should allow for multi selection like all other places.

    It allows you to select multiple radius servers in mobile clients tab. Problem is that it doesn't actually properly write strongSwan.conf then. Instead of properly populating the radius attr section with primary and secondary, it sticks their names into x-auth generic which will not work.

    This should be fixed on 2.3, it didn't make 2.2.5.



  • @jimp:

    @ltctech:

    @ermal:

    It normally should allow for multi selection like all other places.

    It allows you to select multiple radius servers in mobile clients tab. Problem is that it doesn't actually properly write strongSwan.conf then. Instead of properly populating the radius attr section with primary and secondary, it sticks their names into x-auth generic which will not work.

    This should be fixed on 2.3, it didn't make 2.2.5.

    I now see that it was fixed, the issue didn't mention the multiple server problem though:
    https://redmine.pfsense.org/issues/5219
    https://redmine.pfsense.org/projects/pfsense/repository/revisions/6684d5944eacf4dbd717edba9d82c30001b5bc3b/diff/src/etc/inc/vpn.inc

    Are there any plans to support "preference" of these servers? Thanks.


  • Rebel Alliance Developer Netgate

    Not currently, though if you make sure to add the one you want to prefer to the user manager servers first it would be preferred. It will go from the top down the list.



  • @jimp:

    Not currently, though if you make sure to add the one you want to prefer to the user manager servers first it would be preferred. It will go from the top down the list.

    Didn't know that, if that's the case that's good enough.



  • @ltctech Allowing the selection of multiple servers for your use case (load balancing, high availability) could easily be implemented because strongSwan can already do that. I opted against allowing multi-selection in April because, in my understanding, multiple defined servers would mean asking each of them in turn, which is what the xauth-generic script does. So the selection there would have been ambiguous.

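As an added example (not pfSense's vpn.inc or any strongSwan code), the following Go program renders what the eap-radius section of strongswan.conf needs to look like for the multi-server case discussed above: one stanza per RADIUS server under charon.plugins.eap-radius.servers, every server emitted, and a decreasing preference value so the first server in the User Manager list is tried first. The radiusServer type, the stanza names and the 192.0.2.x addresses are constructed for this example; address, secret, auth_port, acct_port and preference are strongSwan's documented strongswan.conf keys for the plugin, and rightauth=eap-radius with eap_identity=%identity are the ipsec.conf keywords that route the client's EAP exchange to it rather than to an xauth script.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// radiusServer is one entry from the pfSense User Manager server list, kept in
// list order. The type is constructed for this example.
type radiusServer struct {
	Name     string // stanza name such as "primary" or "secondary"
	Address  string
	Secret   string
	AuthPort int // 0 means the RADIUS default 1812
	AcctPort int // 0 means the RADIUS default 1813
}

// eapRadiusConf renders charon.plugins.eap-radius.servers for strongswan.conf with
// one stanza per server. Earlier list entries get a higher preference value, so the
// first server is tried first, and every server is emitted rather than being folded
// into a single xauth-generic entry.
func eapRadiusConf(servers []radiusServer) (string, error) {
	if len(servers) == 0 {
		return "", errors.New("eap-radius needs at least one RADIUS server")
	}
	seen := map[string]bool{}
	var b strings.Builder
	b.WriteString("charon {\n\tplugins {\n\t\teap-radius {\n\t\t\tservers {\n")
	for i, s := range servers {
		switch {
		case s.Name == "" || seen[s.Name]:
			return "", fmt.Errorf("server %d: stanza name %q missing or duplicated", i, s.Name)
		case s.Address == "" || s.Secret == "":
			return "", fmt.Errorf("server %q: address and shared secret must both be set", s.Name)
		}
		seen[s.Name] = true
		authPort, acctPort := s.AuthPort, s.AcctPort
		if authPort == 0 {
			authPort = 1812
		}
		if acctPort == 0 {
			acctPort = 1813
		}
		fmt.Fprintf(&b, "\t\t\t\t%s {\n\t\t\t\t\taddress = %s\n\t\t\t\t\tsecret = %s\n", s.Name, s.Address, s.Secret)
		fmt.Fprintf(&b, "\t\t\t\t\tauth_port = %d\n\t\t\t\t\tacct_port = %d\n", authPort, acctPort)
		fmt.Fprintf(&b, "\t\t\t\t\tpreference = %d\n\t\t\t\t}\n", len(servers)-i) // larger is preferred
	}
	b.WriteString("\t\t\t}\n\t\t}\n\t}\n}\n")
	return b.String(), nil
}

// mobileConnConf is the matching ipsec.conf connection: rightauth=eap-radius hands
// the client's EAP exchange to the plugin, and eap_identity=%identity lets the EAP
// identity sent by the Windows client differ from its IKE identity.
func mobileConnConf(name string) string {
	return fmt.Sprintf("conn %s\n\tkeyexchange=ikev2\n\tleftauth=pubkey\n\trightauth=eap-radius\n\teap_identity=%%identity\n\tauto=add\n", name)
}

func main() {
	// Constructed sample: two NPS servers in User Manager order, primary first.
	servers := []radiusServer{
		{Name: "primary", Address: "192.0.2.10", Secret: "example-secret-1"},
		{Name: "secondary", Address: "192.0.2.11", Secret: "example-secret-2"},
	}
	conf, err := eapRadiusConf(servers)
	if err != nil {
		panic(err)
	}
	fmt.Print(conf, "\n", mobileConnConf("mobile-eap-radius"))
}
```

The generator refuses an empty list, a missing shared secret and duplicate stanza names, since any of those silently produces a configuration in which one or both servers are never consulted. The ipsec.conf certificate settings for the left side (leftcert, leftid) are omitted here because they do not change between the single- and multi-server cases.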
