Netgate Discussion Forum

PfSense Active Directory Admin authentication via RADIUS

General pfSense Questions
12 Posts 5 Posters 13.2k Views
rcampbell, last edited by Nov 28, 2015, 1:26 AM

I'm trying to set up RADIUS authentication for pfSense so that certain users (admins) can log in to pfSense using their Active Directory accounts.

I have the NPS Role deployed on Windows 2012 R2 and created an AD security group called 'pfSense' and placed a user account in it.  In the Network Policy I have specified this group as allowed and authentication is PAP (if I get this working, I will try to get EAP working later).

On the pfSense side I have created a group called 'pfSense' and given it access to all pages.

Under Diagnostics - Authentication I can test the login.  It says the user authenticated successfully and says it is a member of these groups.  However there are no groups listed.

What am I missing?

jamesonp, last edited by Nov 28, 2015, 6:58 PM

I would just use LDAP:

https://forum.pfsense.org/index.php?topic=44689.0

rcampbell, last edited by Nov 28, 2015, 7:02 PM

Thanks for the link James, but I'm really trying to do the same thing with RADIUS.  Someone must have set this up before with RADIUS I'm sure.

jamesonp, last edited by Nov 28, 2015, 7:38 PM

@rcampbell:

    Thanks for the link James, but I'm really trying to do the same thing with RADIUS.  Someone must have set this up before with RADIUS I'm sure.

Just out of curiosity's sake, why RADIUS?

rcampbell, last edited by Nov 29, 2015, 2:32 AM

I've used LDAP for years on many different types of setups so I know how it works.  I had heard of RADIUS but only started using it about two years ago, and I'm converted.  Now, whenever there is something that has a choice between LDAP or RADIUS, I go RADIUS.  Once you have a RADIUS server set up I find it easier to work with and there is more you can do with it.

In my opinion RADIUS is a simpler, cleaner and more extensible solution overall.

rcampbell, last edited by Dec 2, 2015, 9:00 PM

I think this might be an existing bug based on this post:

https://forum.pfsense.org/index.php?topic=65586.0

I also tried creating a user and group in pfSense of the same name to match the ones in AD as suggested in the link, but the same occurs… user authenticates but belongs to no groups.

Is there anyone who has this working?

cmb, last edited by Dec 3, 2015, 12:55 AM

RADIUS works there. You have to be on 2.2.5, and have to return groups in the Class attribute.
https://doc.pfsense.org/index.php/2.2.5_New_Features_and_Changes#User_Management.2FAuthentication

LDAP is the best option for AD, because it's always there with no additional services, and it doesn't require storing passwords in a reversible encryption (though if you require RADIUS for other purposes, that doesn't matter).

GomezAddams, last edited by Dec 3, 2015, 1:55 AM (Dec 3, 2015, 1:51 AM)

@cmb:

    RADIUS works there. You have to be on 2.2.5, and have to return groups in the Class attribute.
    https://doc.pfsense.org/index.php/2.2.5_New_Features_and_Changes#User_Management.2FAuthentication

    LDAP is the best option for AD, because it's always there with no additional services, and it doesn't require storing passwords in a reversible encryption (though if you require RADIUS for other purposes, that doesn't matter).

RADIUS does not require reversible encryption. We use RADIUS for admin access to our Cisco network equipment, and our AD does not store passwords with reversible encryption. The RADIUS encrypts the client's user id and password with the shared secret and sends it to the RADIUS server. The RADIUS server does the normal Windows authentication test.

I'm by no means sure, but I don't think there is any way to get Microsoft's NPS (Network Policy Server - their RADIUS server) to send the group membership in an authentication request reply. I've never seen such an option.

Try this: make group membership a requirement of the associated NPS policy on the NPS server. Don't put any tests on the pfSense side.

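The two replies above turn on two RADIUS mechanics: how the PAP password travels so that NPS can check it against AD without AD storing anything reversible, and how an Access-Accept carries group names in Class attributes that pfSense then matches against groups that also exist locally. The following is an added example written for this thread, not pfSense, FreeRADIUS or NPS code; it implements the User-Password hiding and Response Authenticator of RFC 2865 directly, and the shared secret, user name, password and group names are constructed values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types from RFC 2865.
# Constructed illustration only, not pfSense or NPS code.
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_CLASS = 1, 2, 25


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: NUL-pad the PAP password to 16-octet blocks and XOR each block
    with MD5(secret + previous block), seeded by the Request Authenticator.
    Only a holder of the shared secret can undo this; the server then checks the
    plaintext against AD, so AD never needs reversibly stored passwords."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse of hide_password; trailing NUL padding is stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, keystream)), block
    return out.rstrip(b"\x00")


def build_packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16), then Type/Length/Value attributes."""
    body = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt: bytes):
    """Strict TLV walk: every attribute must lie inside the declared packet length."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("declared length does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        t, ln = pkt[pos], pkt[pos + 1]
        if ln < 2 or pos + ln > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((t, pkt[pos + 2:pos + ln]))
        pos += ln
    return code, ident, pkt[4:20], attrs


def build_accept(ident: int, request_auth: bytes, secret: bytes, class_values) -> bytes:
    """Server side: Access-Accept with one Class attribute per group. Its Response
    Authenticator is MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(struct.pack("BB", ATTR_CLASS, len(v) + 2) + v for v in class_values)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def groups_from_accept(reply: bytes, request_auth: bytes, secret: bytes, local_groups) -> list:
    """Client side: refuse a reply whose Response Authenticator does not verify
    (forged, or sent with the wrong secret), then keep only the Class values that
    name a group which also exists locally, which is what the thread's fix relies on."""
    code, _ident, resp_auth, attrs = parse_packet(reply)
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        raise ValueError("Response Authenticator mismatch: reply is not from the trusted server")
    if code != ACCESS_ACCEPT:
        return []
    returned = [v.decode("utf-8", "replace") for t, v in attrs if t == ATTR_CLASS]
    return [g for g in returned if g in local_groups]


def exchange(username: bytes, password: bytes, secret: bytes, ad_groups, local_groups):
    """One round trip: client hides the password, server recovers it (to check against
    AD) and answers with Class groups, client maps them onto its local groups."""
    request_auth = os.urandom(16)
    hidden = hide_password(password, secret, request_auth)
    request = build_packet(ACCESS_REQUEST, 7, request_auth,
                           [(ATTR_USER_NAME, username), (ATTR_USER_PASSWORD, hidden)])
    code, ident, auth, attrs = parse_packet(request)
    assert code == ACCESS_REQUEST
    recovered = reveal_password(dict(attrs)[ATTR_USER_PASSWORD], secret, auth)
    reply = build_accept(ident, auth, secret, ad_groups)
    return recovered, groups_from_accept(reply, request_auth, secret, local_groups)


if __name__ == "__main__":
    # Constructed values: "Domain Users" is returned but has no local counterpart, so it is dropped.
    print(exchange(b"EXAMPLE\\alice", b"Pa55w0rd!-constructed", b"constructed-secret",
                   [b"pfSense", b"Domain Users"], {"pfSense", "admins"}))
```

The Response Authenticator check is the one piece worth carrying into any monitoring of this setup: a reply that fails it means either a wrong shared secret on one side or a reply that did not come from the configured server, and either should be logged rather than silently ignored.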
cmb, last edited by Dec 3, 2015, 3:17 AM

Yeah thanks for the correction, that's only for CHAP.

FisherKing, last edited by May 18, 2016, 7:00 PM

@rcampbell:

    I think this might be an existing bug based on this post:

    https://forum.pfsense.org/index.php?topic=65586.0

    I also tried creating a user and group in pfSense of the same name to match the ones in AD as suggested in the link, but the same occurs… user authenticates but belongs to no groups.

    Is there anyone who has this working?

I realize this thread is old - but I recently had the same issue and this thread was one of 3 that showed up in my search, so I thought I'd post what I learned.

I was able to resolve this by changing the Search scope - Level: value (under System => User Manager => Servers => LDAP Server Settings => Edit or Create LDAP server) from "One Level" to "Entire Subtree".

I didn't need to create a "dummy" user. Once the search level was changed and the group was created on both AD and pfSense, it worked.

rcampbell, last edited by May 19, 2016, 5:20 PM

It's been a while since I've looked at this post, so I've missed some replies…

Thanks PJ2 but you're setting up LDAP where this thread is about setting up RADIUS.

RADIUS is finally working correctly now in 2.3.1
https://doc.pfsense.org/index.php?title=2.3.1_New_Features_and_Changes#User_Manager

rcampbell, last edited by May 23, 2016, 5:41 PM

I created a how-to to set it up here:

https://community.spiceworks.com/how_to/128944-pfsense-admin-logins-via-radius-using-active-directory-accounts

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.