The problem I am encountering is, I always get a message stating that “Error during Radius authentication: No: valid Radius responses received”. I also made sure that the password that I use is working by logging into a lab computer using the vpn test account. Any suggestion as to what I may have missed?
You don’t need RADIUS in order to only authenticate. All you need to do is set up the authentication server under User Manager → Authentication Server. In order to tighten up security, make a group in AD for all your users that will be using the client, enable extended query and set the memberOf for the group you specified for authentication.
Then when going through the OpenVPN wizard you’ll select your authentication server from the list.
Do you allow anonymous binding on your domain? Try to disable anonymous binding and use your domain admin account (for testing only) in your auth server config. Then you can test authentication under Diagnostics → Authentication and select your auth server.
You need to generate a self-signed CA Certificate on your LDAP server and import it into pfsense (System | Certificate Manager) if you want to authenticate users for OpenVPN via LDAP.
Then in LDAP Server setting, you need to specify that certificate there.
And in your OpenVPN server settings, you will be able to reference that CA Certificate too.
Thank you for providing that link; unfortunately I encountered a step which I don’t understand.
(memberOf:1.2.840.113556.1.4.1941:=CN=VPNusers,CN=Users,DC=test,DC=lab) This will only return objects with objectClass ‘person’ (users you created) who are a member of (groups who are a member of) the VPNusers group. That memberOf:1.2.840.113556.1.4.1941: is a static name: it does not vary per installation and it is not a string. It is the literal name of the group.
I don’t understand this entry from the article you provided. I don’t understand what the purpose of the value “1.2.840.113556.1.4.1941” is, and I’m not sure where I can find this in my AD?
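As an added illustration (not code from this thread or from the article it quotes), the Python below shows what that extended query matches: it builds the filter with Active Directory's LDAP_MATCHING_RULE_IN_CHAIN OID 1.2.840.113556.1.4.1941 and resolves nested group membership over a small constructed in-memory directory, so no AD server is needed to follow the logic.

```python
# Added example: emulates the pfSense "Extended Query" from the thread.
# The OID is Active Directory's LDAP_MATCHING_RULE_IN_CHAIN; it is fixed for every AD forest.
IN_CHAIN = "1.2.840.113556.1.4.1941"

def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 so characters such as '(' or '*' in a DN cannot alter the filter."""
    out = []
    for ch in value:
        if ch in "\\*()" or ch == "\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)

def extended_query(group_dn: str) -> str:
    """Build the filter used in the thread: persons that are (transitively) members of group_dn."""
    return f"(&(objectClass=person)(memberOf:{IN_CHAIN}:={escape_filter_value(group_dn)}))"

# Constructed sample directory (not real data): DN -> (objectClass, memberOf list).
# NetOps is nested inside VPNusers, so bob is a member through the chain.
DIRECTORY = {
    "CN=VPNusers,CN=Users,DC=test,DC=lab": ("group", []),
    "CN=NetOps,CN=Users,DC=test,DC=lab": ("group", ["CN=VPNusers,CN=Users,DC=test,DC=lab"]),
    "CN=alice,CN=Users,DC=test,DC=lab": ("person", ["CN=VPNusers,CN=Users,DC=test,DC=lab"]),
    "CN=bob,CN=Users,DC=test,DC=lab": ("person", ["CN=NetOps,CN=Users,DC=test,DC=lab"]),
    "CN=carol,CN=Users,DC=test,DC=lab": ("person", []),
}

def in_chain(entry_dn: str, target_dn: str, directory: dict, seen=None) -> bool:
    """Emulate the in-chain rule: follow memberOf links transitively, guarding against group cycles."""
    if seen is None:
        seen = set()
    for parent in directory[entry_dn][1]:
        if parent == target_dn:
            return True
        if parent not in seen:
            seen.add(parent)
            if in_chain(parent, target_dn, directory, seen):
                return True
    return False

def matching_persons(group_dn: str, directory: dict = DIRECTORY) -> list:
    """Entries the extended query would return: objectClass person and transitively in group_dn."""
    return sorted(dn for dn, (cls, _) in directory.items()
                  if cls == "person" and in_chain(dn, group_dn, directory))

if __name__ == "__main__":
    print(extended_query("CN=VPNusers,CN=Users,DC=test,DC=lab"))
    print(matching_persons("CN=VPNusers,CN=Users,DC=test,DC=lab"))
```

Running it lists alice (direct member) and bob (member via the nested NetOps group) but not carol, which is exactly the set the pfSense filter would authenticate.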