Pfsense with Active Directory

Hi, Everyone.

I have set up a lab where I am trying to configure pfsense to use AD for authentication. I have followed the Netgate document:

pfSense® software Configuration Recipes — Authenticating from Active Directory using RADIUS/NPS | pfSense Documentation

The problem I am encountering is that I always get a message stating “Error during Radius authentication: No: valid Radius responses received”. I also made sure that the password I use is working by logging into a lab computer using the VPN test account. Any suggestion as to what I may have missed?

What function do you want to use AD for?

Permissions to SMB shares and folders? Or another function?

Oh, it will be for OpenVPN.

You don’t need RADIUS in order to only authenticate. All you need to do is set up the authentication server under User Manager->Authentication Servers. In order to tighten up security, make a group in AD for all your users that will be using the client, enable extended query, and set the memberof to the group you specified for authentication.

Then when going through the OpenVPN wizard you’ll select your authentication server from the list.


Thanks for that info. I have tried that, but I am getting “Cannot connect to LDAP server”. My LDAP server has an IP address of 172.16.254.10.

Here is a screenshot of my AD breakdown; I want the members of the vpnusers group to be able to authenticate.

Here is what I have configured on my pfsense under “System->User Manager->Authentication Servers”.

In case it was not clear in the screenshot, the value for Authentication containers is: CN=VPNUsers,OU=Groups,OU=LABNETWORK,DC=Labnetwork,DC=lan

and for Extended query:
memberof=CN=VPNUsers,OU=Groups,OU=LABNETWORK,DC=Labnetwork,DC=lan

Please help me point out what I have misconfigured or overlooked.

Do you allow anonymous binding on your domain? Try to disable anonymous binding and use your domain admin account (for testing only) in your auth server config. Then you can test authentication under Diagnostics->Authentication and select your auth server.

Thanks for giving this info. I’ll try this and get back to you on it.

I was able to make it work by configuring the following:

For authentication containers, I also had to indicate the Users OU:
OU=Groups,OU=LABNETWORK,DC=Labnetwork,DC=lan;OU=Users,OU=LABNETWORK,DC=Labnetwork,DC=lan

After configuring those, I was able to authenticate when I went to Diagnostics->Authentication.

Thank you again for your help.

You need to generate a self-signed CA certificate on your LDAP server and import it into pfsense (System | Certificate Manager) if you want to authenticate users for OpenVPN via LDAP.
Then in the LDAP server settings, you need to specify that certificate.
And in your OpenVPN server settings, you will be able to reference that CA Certificate too.

Can’t I use the certificate from the pfsense OpenVPN configuration using LDAP users?

(edit)
To authenticate against the LDAP server you need a certificate.
I am probably not explaining it clearly, but follow this link to a really great tutorial (the previous one was not complete):
https://vorkbaard.nl/set-up-openvpn-on-pfsense-with-user-certificates-and-active-directory-authentication/

With that you will be able to set up OpenVPN properly.

If you are using LDAPS then you’ll need a certificate. If you are using regular LDAP you do not need a certificate.

Thank you for providing that link; unfortunately I encountered a step which I don’t understand.

(memberOf:1.2.840.113556.1.4.1941:=CN=VPNusers,CN=Users,DC=test,DC=lab) This will only return objects with objectClass ‘person’ (users you created) who are a member of (groups who are a member of) the VPNusers group. That memberOf:1.2.840.113556.1.4.1941: is a static name: it does not vary per installation and it is not a string. It is the literal name of the group.

I don’t understand this entry from the article you provided. I don’t understand what the purpose of the value “1.2.840.113556.1.4.1941” is, and I am not sure where I can find this in my AD.

“That weird-looking filter (1.2.840.113556.1.4.1941) is an OID called LDAP_MATCHING_RULE_IN_CHAIN.”

You can find a better explanation here: Recursive retrieval of all AD group memberships of a user.

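As an added illustration (not from the thread or the linked article), the Python below models how the plain memberof= extended query used earlier in the thread differs from the matching-rule-in-chain filter: only the in-chain form resolves nested group membership. The toy directory, the AllStaff group and the user names are constructed; the OID 1.2.840.113556.1.4.1941 is the fixed one quoted above.

```python
from collections import deque

VPN_GROUP = "CN=VPNUsers,OU=Groups,OU=LABNETWORK,DC=Labnetwork,DC=lan"
ALL_STAFF = "CN=AllStaff,OU=Groups,OU=LABNETWORK,DC=Labnetwork,DC=lan"  # constructed nested group

# Constructed sample directory: each DN maps to its objectClass and its direct memberOf values.
DIRECTORY = {
    "CN=alice,OU=Users,OU=LABNETWORK,DC=Labnetwork,DC=lan": {"objectClass": "person", "memberOf": [VPN_GROUP]},
    "CN=bob,OU=Users,OU=LABNETWORK,DC=Labnetwork,DC=lan": {"objectClass": "person", "memberOf": [ALL_STAFF]},
    "CN=carol,OU=Users,OU=LABNETWORK,DC=Labnetwork,DC=lan": {"objectClass": "person", "memberOf": []},
    ALL_STAFF: {"objectClass": "group", "memberOf": [VPN_GROUP]},  # AllStaff is itself a member of VPNUsers
    VPN_GROUP: {"objectClass": "group", "memberOf": []},
}

def plain_memberof_filter(group_dn: str) -> str:
    """The simple extended query from earlier in the thread: direct membership only."""
    return f"(&(objectClass=person)(memberOf={group_dn}))"

def chain_memberof_filter(group_dn: str) -> str:
    """Filter using LDAP_MATCHING_RULE_IN_CHAIN; the OID is fixed, only the group DN is yours."""
    return f"(&(objectClass=person)(memberOf:1.2.840.113556.1.4.1941:={group_dn}))"

def direct_members(group_dn, directory=DIRECTORY):
    """Users that a plain memberOf filter would return (no nesting)."""
    return sorted(dn for dn, a in directory.items()
                  if a["objectClass"] == "person" and group_dn in a["memberOf"])

def chain_members(group_dn, directory=DIRECTORY):
    """Users an in-chain filter would return: follow memberOf links transitively."""
    result = []
    for dn, attrs in directory.items():
        if attrs["objectClass"] != "person":
            continue
        seen, queue = set(), deque(attrs["memberOf"])
        while queue:
            g = queue.popleft()
            if g in seen:  # guard against circular group nesting
                continue
            seen.add(g)
            if g == group_dn:
                result.append(dn)
                break
            queue.extend(directory.get(g, {}).get("memberOf", []))
    return sorted(result)
```

With this directory, bob is only reachable through the nested AllStaff group, so the plain filter misses him while the in-chain filter includes him.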

Thank you so much for the help. I was able to make this work. I was able to connect my test machine to the OpenVPN using an AD user account.