PfSense Active Directory Admin authentication via RADIUS

rcampbell · Nov 28, 2015, 1:26 AM

Im trying to setup RADIUS authentication for pfSense so that certain users (admins) can login to pfSense using their Active Directory accounts.

I have the NPS Role deployed on Windows 2012 R2 and created an AD security group called 'pfSense' and placed a user account in it. In the Network Policy I have specified this group as allowed and authentication is PAP (if I get this working, I will try to get EAP working later).

On the pfSense side I have created a group called 'pfSense' and given it access to all pages.

Under Diagnostics - Authentication I can test the login. It says the user authenticated successfuly and says it is a member of these groups. However there are no groups listed.

What am I missing?

jamesonp · Nov 28, 2015, 6:58 PM

I would just use LDAP:

https://forum.pfsense.org/index.php?topic=44689.0

rcampbell · Nov 28, 2015, 7:02 PM

Thanks for the link James, but I'm really trying to do the same thing with RADIUS. Someone must have set this up before with RADIUS I'm sure.

jamesonp · Nov 28, 2015, 7:38 PM

@rcampbell:

Thanks for the link James, but I'm really trying to do the same thing with RADIUS. Someone must have set this up before with RADIUS I'm sure.

Just out of curiosity sake, why RADIUS?

rcampbell · Nov 29, 2015, 2:32 AM

I've used LDAP for years on many different types of setups so I know how it works. I had heard of RADIUS but only started using it about two years ago, and I'm converted. Now, whenever there is a something that has a choice between LDAP or RADIUS, I go RADIUS. Once you have a RADIUS server setup I find it easier to work with and there is more you can do with it.

In my opinion RADIUS is a simpler, cleaner and more extensible solution overall.

rcampbell · Dec 2, 2015, 9:00 PM

I think this might be an existing bug based on this post:

https://forum.pfsense.org/index.php?topic=65586.0

I also tried creating a user and group in pfSense of the same name to match the ones in AD as suggested in the link, but the same occurs… user athenticates but belongs to no groups.

Is there anyone who has this working?

cmb · Dec 3, 2015, 12:55 AM

RADIUS works there. You have to be on 2.2.5, and have to return groups in Class attribute.
https://doc.pfsense.org/index.php/2.2.5_New_Features_and_Changes#User_Management.2FAuthentication

LDAP is the best option for AD, because it's always there with no additional services, and it doesn't require storing passwords in a reversible encryption (though if you require RADIUS for other purposes, that doesn't matter).

GomezAddams · Dec 3, 2015, 1:55 AM

@cmb:

RADIUS works there. You have to be on 2.2.5, and have to return groups in Class attribute.
https://doc.pfsense.org/index.php/2.2.5_New_Features_and_Changes#User_Management.2FAuthentication

LDAP is the best option for AD, because it's always there with no additional services, and it doesn't require storing passwords in a reversible encryption (though if you require RADIUS for other purposes, that doesn't matter).

RADIUS does not require reversible encryption. We use RADIUS for admin access to our Cisco network equipment, and our AD does not store passwords with reversible encryption. The RADIUS encrypts the client's user id and password with the shared secret and sends it to the RADIUS server. The RADIUS server does the normal windows authentication test.

I'm by no means sure, but I don't think there is any way to get Microsoft's NPS (network policy server - their RADIUS server) to send the group membership in an authentication request reply. I've never seen such an option.

Try this: make group membership a requirement of the associated NPS policy on the NPS server. Don't put any tests on the pfsense side.

cmb · Dec 3, 2015, 3:17 AM

Yeah thanks for the correction, that's only for CHAP.

FisherKing · May 18, 2016, 7:00 PM

@rcampbell:

I think this might be an existing bug based on this post:

https://forum.pfsense.org/index.php?topic=65586.0

I also tried creating a user and group in pfSense of the same name to match the ones in AD as suggested in the link, but the same occurs… user athenticates but belongs to no groups.

Is there anyone who has this working?

I realize this thread is old - but I recently had the same issue and this thread was one of 3 that showed up in my search, so I thought I'd post what I learned.

I was able to resolve this by changing the Search scope - Level: value (Under System => User Manager => Servers => LDAP Server Settings => Edit or Create LDAP server) from "One Level" to "Entire Subtree".

I didn't need to create a "dummy" user. Once the search level was changed and the group was created on both AD and pfSense, it worked.

rcampbell · May 19, 2016, 5:20 PM

Its been a while since I've looked at this post, so I've missed some replies…

Thanks PJ2 but you're setting up LDAP where this thread is about setting up RADIUS.

RADIUS is finally working correctly now in 2.3.1
https://doc.pfsense.org/index.php?title=2.3.1_New_Features_and_Changes#User_Manager

rcampbell · May 23, 2016, 5:41 PM

I created a how-to to set it up here:

https://community.spiceworks.com/how_to/128944-pfsense-admin-logins-via-radius-using-active-directory-accounts