Active Directory authenticated VPN

Pisch Tamás pischta at gmail.com
Tue May 4 11:36:57 CEST 2021


> > Why vpn at ad.ourdomain.hu doesn't work?
>   Because Active Directory is too dumb to notice that it's responsible for
> "ad.ourdomain.hu".
>   The solution is two steps:
> 1) edit proxy.conf, and add:
> realm ad.ourdomain.hu {
> }
>   That defines the domain as something that FreeRADIUS knows about.  So
> that it will take "vpn at ad.ourdomain.hu", and split it into pieces.
>
> 2) set
> winbind_username = "%{%{Stripped-User-Name}:-%{mschap:User-Name}}"
>   Which says "use the Stripped-User-Name ("vpn" here), and if that doesn't
> exist, use %{mschap:User-Name}
>
Thanks, the authentication works now.
Next step would be the user filtering, based on vpnusers Active Directory
group. You said:

> You just need to enable TLS transport in the LDAP module.  You don't
> necessarily need a client cert.
>
In the ldap module:
server=localhost
tls {
start_tls = yes
...
group {
membership_attribute = 'memberOf=CN=vpnusers,CN=Users,${base_dn})'
Then the freeradius server says:
rlm_ldap (ldap): Connecting to ldap://localhost:389
TLS: can't connect: (unknown error code).
rlm_ldap (ldap): Could not start TLS: Connect error

I ran certs/bootstrap
In radiusd.conf:
certdir = ${confdir}/certs
cadir = ${confdir}/certs
In the ldap module:
ca_file = ${certdir}/ca.pem
ca_path = ${certdir}
certificate_file = ${certdir}/server.crt
private_key_file = ${certdir}/server.key
random_file = /dev/urandom

Freeradius server:
TLS: could not use private key: The requested data were not available. (-56)
rlm_ldap (ldap): Failed setting connection option new TLS context: Unknown error


Thanks,

Tamas.


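For reference, a complete rlm_ldap group restriction of the kind discussed in this thread (StartTLS, a memberOf-based group lookup, and an authorize rule that rejects users outside vpnusers). This is an added example, not part of the original message or of FreeRADIUS's shipped configuration; the domain controller hostname, bind DN, group DN and CA file path are assumptions, while the key names are those of the FreeRADIUS 3.x ldap module. It deliberately omits certificate_file/private_key_file, since those are only for client-certificate authentication to the LDAP server, and names the DC by the hostname in its certificate rather than localhost so the server certificate can be validated.

```conf
# mods-available/ldap (FreeRADIUS 3.x), added example; DNs/hostnames are assumed
ldap {
    server = 'dc1.ad.ourdomain.hu'      # assumed DC hostname, must match its cert
    port = 389                          # StartTLS upgrades this plain port
    identity = 'CN=radius-bind,CN=Users,DC=ad,DC=ourdomain,DC=hu'  # assumed bind account
    password = 'BIND-PASSWORD-PLACEHOLDER'
    base_dn = 'DC=ad,DC=ourdomain,DC=hu'

    user {
        base_dn = "${..base_dn}"
        # vpn@ad.ourdomain.hu has already been split by the realm, so use the stripped name
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    group {
        base_dn = "${..base_dn}"
        filter = '(objectClass=group)'
        name_attribute = 'cn'
        # resolve membership from the user's DN found by the user{} lookup
        membership_filter = "(member=%{control:Ldap-UserDn})"
        # membership_attribute is just the attribute name; the group DN goes in the unlang check below
        membership_attribute = 'memberOf'
    }

    tls {
        start_tls = yes
        # CA that signed the domain controller's certificate, not the certs/bootstrap EAP CA
        ca_file = /etc/freeradius/certs/ad-root-ca.pem   # assumed path
        require_cert = 'demand'                          # fail closed on an unverifiable DC cert
    }
}

# sites-enabled/default, authorize section: run the ldap lookup, then enforce the group
# authorize {
#     ...
#     ldap
#     if (!(Ldap-Group == "CN=vpnusers,CN=Users,DC=ad,DC=ourdomain,DC=hu")) {
#         reject
#     }
# }
```

A rejected user shows up in `radiusd -X` as the Ldap-Group comparison failing before any MS-CHAP exchange, which is the check to look for when testing the restriction.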