OpenVPN w/RADIUS Authentication via AD



  • I've been beating my head on this one. I am using AD 2012 and have configured RADIUS to authenticate VPN users. On the remote end, authentication works and the connection is made with no problems. When I connect to my 2012 server through the VPN it is successful and I can view all the shares. When I try to connect to one of my PCs it says the user has not been given permissions for this type of logon. I figured out what this meant exactly. Even though I am authenticating via AD, my PCs are seeing my connection as a guest and not as the authenticated AD user through the VPN. I configured the PCs' GPO to match my server GPO (User Access Rights), since I can view the shares on the server. But it still gives me the same error. Any thoughts?

    P.S. This is a domain environment that the VPN connects to. All PCs are in the domain, if that matters.

    Thanks in advance!


  • Rebel Alliance Developer Netgate

    Using AD for the OpenVPN login phase is not the same as logging in via the domain. The AD structure doesn't know that the VPN user connecting is actually authenticated in a way that is meaningful for the domain. All it saw was a RADIUS access request from the pfSense firewall – it doesn't have a "session" as such to associate that VPN user's traffic with a specific AD account.

    For something like that to work you'd have to run OpenVPN as a service and actually have the user log in to the domain over the VPN while it's connected.
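    One way to set up what the reply above suggests, as an added example that is not from this thread or from pfSense's client export: an OpenVPN client profile dropped into the Windows OpenVPN service's config directory, so the tunnel is up at boot and the user's interactive logon is then validated by a domain controller over the VPN rather than falling back to cached or guest access. The hostname, subnet, certificate paths and the `creds.txt` file name are assumed values.

    ```conf
    # Assumed profile: C:\Program Files\OpenVPN\config\corp.ovpn
    # The OpenVPN Windows service starts every .ovpn in this directory at boot,
    # before any user logs on, so the PC can reach a DC for the logon itself.
    client
    dev tun
    proto udp
    remote vpn.example.com 1194      # assumed pfSense OpenVPN server
    nobind
    persist-key
    persist-tun
    resolv-retry infinite

    # RADIUS (AD) username/password read from a file instead of a prompt,
    # because there is no interactive user when the service starts.
    # Line 1: username, line 2: password. Restrict the NTFS ACL on this file
    # to SYSTEM/Administrators, and use a dedicated, low-privilege VPN
    # account whose password rotation you control; a user's own AD password
    # stored here breaks the tunnel at the next password change.
    auth-user-pass "C:\\Program Files\\OpenVPN\\config\\creds.txt"
    auth-nocache

    ca   "C:\\Program Files\\OpenVPN\\config\\ca.crt"    # assumed paths
    cert "C:\\Program Files\\OpenVPN\\config\\pc.crt"
    key  "C:\\Program Files\\OpenVPN\\config\\pc.key"
    remote-cert-tls server
    verb 3
    ```

    The server side must also push a route to the domain controllers and the AD DNS server/domain (for example `push "route 10.0.0.0 255.255.255.0"`, `push "dhcp-option DNS 10.0.0.10"`, `push "dhcp-option DOMAIN corp.example.com"` in the pfSense OpenVPN server settings, values assumed), otherwise the PC cannot locate a DC and the logon still falls back to cached credentials.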



  • If I configure it to use LDAP instead would it work in the manner I'm looking for?


  • Rebel Alliance Developer Netgate

    No, it still only does a simple bind request to test that the authentication succeeded.



  • Could you point me in the right direction to do that? Fairly new to pfSense VPN and AD. I want AD users verified, not seen as a guest.


  • Rebel Alliance Developer Netgate

    Logging into a VPN won't log you into the domain. Two completely different tasks.

