Active Directory authenticated VPN

Alan DeKok aland at deployingradius.com
Mon Apr 26 14:57:22 CEST 2021


On Apr 26, 2021, at 2:58 AM, Pisch Tamás <pischta at gmail.com> wrote:
> I tried to implement this:
> https://wiki.samba.org/index.php/VPN_Single_SignOn_with_Samba_AD

  I really dislike guides of that style.  They tell you "make the config look like this", without saying *why*.

> Do I need multiple items in the authenticate and the authorize section?

  I would suggest understanding what the configuration does, and what you want to do.  I will *not* be explaining that in detail on the mailing list.  There are many, many, resources already available.

  i.e. start with the default configuration, and *read it*.  The comments explain in great detail what each piece does.

> Wouldn't mschap be enough for authentication (I set winbind_username
> and winbind_domain in it), and ldap for authorization?

  It depends on what you want to do.

>>  See the LDAP-Group documentation for how to use LDAP groups.
> 
> Where can I find it?

  The server comes with documentation, and there's a wiki.  Please do a little bit of work.

>>  In recent versions of the server, there are even pointers to this in
>> mods-available/ldap
>> 
> I found a group section in the ldap module, but I would need help for that.
> How can I filter for vpnusers group?

  See the documentation that comes with the server.

> I tried to filter according to this:
> http://lists.freeradius.org/pipermail/freeradius-users/2016-December/085979.html

  Hmm...  Ignore the wiki, ignore the documentation.  Just google for things until you stumble across a random post from 5 years ago.

  No, that is *not* the recommended approach.

> Now I get an error message when I try to start the freeradius server:
> /etc/freeradius/3.0/mods-enabled/eap[14]: Failed to find 'Auth-Type EAP'
> section.  Cannot authenticate users.
> /etc/freeradius/3.0/mods-enabled/eap[14]: Instantiation failed for module
> "eap"
> Before I made my last changes, it didn't complain about eap.

  What were those changes?  Do you know?  You *should* know.

> EAP is not
> listed in my default server file. I removed it from the mods-enabled dir
> (but later I'm going to set up eduroam, and it will need EAP).

  Then why delete all EAP from the default configuration?

  Honestly, this is just making work for yourself.  You don't know what your requirements are.  You don't know what the server does.  You're making random changes to the config.  Without understanding what they do.

  Just go back to the default configuration.  It works.  Then make SMALL changes.  TEST THE CHANGES.  It will work.

> I linked ldap into the mods-enabled. Now I get this error message:
> rlm_ldap (ldap): Bind with cn=vpn,dc=ad,dc=ourdomain,dc=hu to
> ldap://localhost:389 failed: Strong(er) authentication required
> rlm_ldap (ldap): Server said: BindSimple: Transport encryption required..
> I started to create certificate,

  Why?  You just need to enable TLS transport in the LDAP module.  You don't necessarily need a client cert.

> but when I run make, it is missing the password.mk
> file. I don't have it. What does it look like / how can I generate it?

  There's no "password.mk" in the default configuration.  I have no idea what you're doing here, or why.

  To be perfectly honest, your method of making changes is what's causing work for yourself.  You're trying to configure a complex system by poking at pieces randomly.  This just won't work.

  Alan DeKok.
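As an added example (not Alan's code, and not the default configuration shipped with FreeRADIUS), this is what "enable TLS transport in the LDAP module" and "filter for the vpnusers group" look like as a FreeRADIUS 3.0 mods-available/ldap excerpt plus the matching authorize check. The server URL and bind DN are the ones from the quoted error; the base DN, the bind password placeholder, the sAMAccountName user filter and the CA file path are assumptions for a Samba AD domain and must be adjusted to the real one.

```conf
# mods-available/ldap (excerpt) -- added example, not the shipped default.
# Only the settings relevant to STARTTLS and group filtering are shown;
# leave the rest of the stock module as it is.
ldap {
        # Same server and bind identity as in the quoted error message.
        server = 'ldap://localhost'
        port = 389
        identity = 'cn=vpn,dc=ad,dc=ourdomain,dc=hu'
        password = 'REPLACE-ME'                 # bind password (assumption)

        base_dn = 'dc=ad,dc=ourdomain,dc=hu'    # assumption

        user {
                base_dn = "${..base_dn}"
                # AD / Samba AD: look the user up by sAMAccountName (assumption).
                filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
        }

        group {
                base_dn = "${..base_dn}"
                filter = '(objectClass=group)'
                # Compare LDAP-Group against the group's cn rather than its full DN.
                name_attribute = cn
                # AD exposes group membership on the user object as memberOf.
                membership_attribute = 'memberOf'
        }

        tls {
                # This is what "BindSimple: Transport encryption required" asks for:
                # upgrade the plain :389 connection with STARTTLS before binding.
                start_tls = yes
                # CA that signed the Samba AD DC certificate; path is an assumption.
                ca_file = /var/lib/samba/private/tls/ca.pem
                # Verify the server certificate.  'never' would also silence the
                # error, but then the bind password goes to whatever answers on
                # port 389.  No client certificate is needed for a simple bind.
                require_cert = 'demand'
        }
}

# sites-enabled/default (excerpt): inside the authorize { ... } section.
# The ldap module must run first so the LDAP-Group comparison has a
# user DN to work from; everyone outside vpnusers is rejected.
authorize {
        ...
        ldap
        if (!(LDAP-Group == "vpnusers")) {
                reject
        }
        ...
}
```

Before touching the RADIUS side, check that the directory actually offers STARTTLS with the bind account you intend to use: `ldapsearch -H ldap://localhost -ZZ -D 'cn=vpn,dc=ad,dc=ourdomain,dc=hu' -W -b 'dc=ad,dc=ourdomain,dc=hu' '(cn=vpnusers)'` (the `-ZZ` makes ldapsearch fail unless the STARTTLS upgrade succeeds). If the DC only listens with LDAPS, set `server = 'ldaps://localhost:636'` and `start_tls = no` instead; the `ca_file` and `require_cert = 'demand'` lines stay the same. Then run `radiusd -X` and `radtest` with a user inside and one outside the group, and compare the two debug outputs before making the next change.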
