Active Directory authenticated VPN
Pisch Tamás
pischta at gmail.com
Tue May 4 11:36:57 CEST 2021
> > Why vpn@ad.ourdomain.hu doesn't work?
> Because Active Directory is too dumb to notice that it's responsible for
> "ad.ourdomain.hu".
> The solution is two steps:
> 1) edit proxy.conf, and add:
> realm ad.ourdomain.hu {
> }
> That defines the domain as something that FreeRADIUS knows about. So
> that it will take "vpn@ad.ourdomain.hu", and split it into pieces.
>
> 2) set
> winbind_username = "%{%{Stripped-User-Name}:-%{mschap:User-Name}}"
> Which says "use the Stripped-User-Name ("vpn" here), and if that doesn't
> exist, use %{mschap:User-Name}".
>
Thanks, the authentication works now.
Next step would be the user filtering, based on vpnusers Active Directory
group. You said:
> You just need to enable TLS transport in the LDAP module. You don't
> necessarily need a client cert.
>
In the ldap module:
server=localhost
tls {
start_tls = yes
...
group {
membership_attribute = 'memberOf=CN=vpnusers,CN=Users,${base_dn})'
Then the freeradius server says:
rlm_ldap (ldap): Connecting to ldap://localhost:389
TLS: can't connect: (unknown error code).
rlm_ldap (ldap): Could not start TLS: Connect error
I ran certs/bootstrap
In radiusd.conf:
certdir = ${confdir}/certs
cadir = ${confdir} /certs
In the ldap module:
ca_file = ${certdir}/ca.pem
ca_path = ${certdir}
certificate_file = ${certdir}/server.crt
private_key_file = ${certdir}/server.key
random_file = /dev/urandom
Freeradius server:
TLS: could not use private key: The requested data were not available. (-56)
rlm_ldap (ldap): Failed setting connection option new TLS context: Unknown
error
Thanks,
Tamas.
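An added check for the "could not use private key" error above (example script, not code from the thread or from FreeRADIUS): it inspects the three files the ldap module's tls section points at before radiusd tries to load them. It assumes the key came from raddb/certs/bootstrap, which writes a passphrase-protected server.key (the passphrase is set in certs/server.cnf), while the ldap module, unlike the eap module, has no setting for a key passphrase; the /etc/freeradius/3.0 paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check the files named in
# rlm_ldap's "tls { ... }" section (private_key_file, certificate_file,
# ca_file). Assumption: a passphrase-protected key, as produced by
# raddb/certs/bootstrap, cannot be loaded by rlm_ldap because it has no
# option to supply the passphrase.

# check_ldap_tls_files KEY CERT CA -> prints findings, returns 0 only if all pass
check_ldap_tls_files() {
    key=$1; cert=$2; ca=$3; rc=0

    for f in "$key" "$cert" "$ca"; do
        if [ ! -r "$f" ]; then
            echo "FAIL: $f is missing or not readable"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] || return "$rc"

    # An openssl-encrypted key carries either a "Proc-Type: 4,ENCRYPTED"
    # header (traditional PEM) or a PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY" banner.
    if grep -q -e 'Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$key"; then
        echo "FAIL: $key is passphrase-protected; rlm_ldap cannot decrypt it"; rc=1
    elif ! grep -q 'PRIVATE KEY-----' "$key"; then
        echo "FAIL: $key does not look like a PEM private key"; rc=1
    fi

    if ! grep -q 'BEGIN CERTIFICATE-----' "$cert"; then
        echo "FAIL: $cert contains no PEM certificate"; rc=1
    fi
    if ! grep -q 'BEGIN CERTIFICATE-----' "$ca"; then
        echo "FAIL: $ca contains no PEM CA certificate"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: key, certificate and CA file are loadable PEM files"
    return "$rc"
}

# Run as a script with the three paths, e.g. (placeholder confdir):
#   sh check_ldap_tls.sh /etc/freeradius/3.0/certs/server.key \
#       /etc/freeradius/3.0/certs/server.crt /etc/freeradius/3.0/certs/ca.pem
if [ $# -eq 3 ]; then
    check_ldap_tls_files "$1" "$2" "$3"
fi
```

Run it as the user radiusd runs as, so the readability check reflects the real file permissions.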