2. Project Notes
● 2.3 is progressing, should have public
snapshots soon
● There may be a 2.2.5, not definite yet
● Book is still being updated
● SG-2220 shipping in a few days
3. About this Hangout
● RADIUS and LDAP intro
● Areas of pfSense that support RADIUS and LDAP
● Configuring RADIUS and LDAP servers for use by pfSense
● RADIUS and LDAP for the pfSense GUI
● RADIUS and LDAP for VPNs
● RADIUS for Captive Portal
● RADIUS for Wireless WPA2 Enterprise/802.1x
● User Manager, VPNs, Captive Portal, Wireless have all been
covered in past hangouts, this hangout will focus only on
RADIUS and LDAP authentication.
4. RADIUS Intro
● Remote Authentication Dial-In User Service
● Often used by ISPs for dialup, DSL, etc. Or by companies for central auth
● Provides AAA – Authentication, Authorization, and Accounting
● Lots of implementations: FreeRADIUS, RADIATOR, Windows Server via NPS, etc.
– Also various frontends such as daloRADIUS or billing systems with RADIUS
● In addition to auth, can send back reply info about users
● Accounting allows for tracking usage over time (e.g. X MB per day), total
login time (X hours per day), and so on
● Can be compatible with external systems for additional auth such as OTP,
tokens, and similar Multi-Factor implementations
● Protocol itself is not encrypted, so (ideally) run it locally or over a VPN
5. LDAP Intro
● Lightweight Directory Access Protocol
● Primarily a repository of information about users and organizations, but can be used for
authentication via LDAP BIND operations
● Can be searched to find user info (e.g. group membership)
● Commonly used not just for authentication but also for e-mail contact storage, user
profile information, and similar tasks.
● Found in many systems such as OpenLDAP, Active Directory, Novell Directory
Services, Apple Open Directory, and many more
– Some distributions such as ClearOS and Turnkey Linux use OpenLDAP
● LDAP Schemas vary widely, two common variations:
– RFC 2307 (OpenLDAP default) – Group membership indicated by a list of users on a group
object
– RFC 2307bis/Active Directory – Group membership indicated by a list of groups on user object
● Can use SSL to encrypt queries
6. RADIUS and LDAP on pfSense
● GUI Auth
– LDAP on <= 2.2.4, RADIUS also with >= 2.2.5
– Groups must be present on pfSense with the same name plus desired privileges
● VPN Auth
– OpenVPN supports RADIUS and LDAP
● IP address, Routes, firewall rules, and DNS servers can be passed back via RADIUS attributes
– IPsec supports RADIUS and LDAP
– PPPoE, L2TP, and PPTP support only RADIUS
● Captive Portal
– RADIUS Only
– Per-user bandwidth restrictions can be passed back from RADIUS
– Time/day limits and transfer total limits may also be enacted by the RADIUS server
● Wireless
– 802.1x / WPA2 Enterprise
– RADIUS only
7. RADIUS and LDAP Server Config
● Configure the auth server such that the firewall
can query it
● Add users and groups as needed
● Determine the required parameters for the
server necessary for pfSense to use it
– Varies by protocol, but would include things such as
server address and port, query credentials, and so
on.
8. Configuring RADIUS Servers
● FreeRADIUS
– Install the FreeRADIUS2 pfSense package, or use an external server
– Add an Interface to FreeRADIUS to listen/bind
– Add a NAS Client entry for the firewall, note the shared secret
– Add users
● Active Directory (via NPS)
– Add Network Policy and Access Services role
– Configure NPS/NAP
– Add RADIUS client entry for the firewall, note the shared secret
– Add a Network Policy to grant access based on the attributes you want (e.g.
users in a specific group)
– May need to ensure users have Dial-In permission set to be managed by NPS
– Add users/groups as needed
9. Configuring LDAP Servers
● OpenLDAP
– Too complex to cover here, but there are many how-to docs out there
– Be sure to add a cert for SSL support
– Or use a distro such as Turnkey Linux or similar that has a frontend for it
– Web-based LDAP Frontends can be helpful for finding info and managing users
● Active Directory
– Support is already there in Windows Server by default
– Add Certificate Authority role to use SSL
– Use ADSI Edit to easily locate Base DN
● Others
– Consult OS docs for info on what, if anything, needs to be done
10. Setup pfSense for a RADIUS Server
● System > User Manager, Servers tab, +
● Enter a Descriptive Name
● Set Type to RADIUS
● Enter the address of the RADIUS server
● Enter the Shared Secret configured for this firewall's NAS/Client entry on the
RADIUS server
● Pick which services the RADIUS server supplies, typically either Authentication
or both Authentication and Accounting
● Unless the server ports have been changed, leave them at defaults.
● If the RADIUS server is across a slow link, consider raising the timeout
● Save and visit Diagnostics > Authentication to test
● For group membership to work, the RADIUS server must return the group
name(s) in the Class attribute as a string AND the same group names must be
present on pfSense (Groups tab)
11. Setup pfSense for an LDAP Server
● If SSL will be used, import the CA from the LDAP server under System > Cert
Manager, CA tab before proceeding
● System > User Manager, Servers tab, +
● Enter a Descriptive Name
● Set Type to LDAP
● Enter the address of the LDAP server
– If using SSL, this should be the hostname!
– Also make sure the server's own certificate (which is not imported to pfSense; only its CA is) contains this
hostname, and that the hostname also exists in DNS
● Pick the transport, plain TCP or SSL
– SSL is highly recommended as TCP would transmit credentials in the clear!
● Adjust the port if needed
● If using SSL, pick the CA imported previously
● Pick the LDAP protocol version, commonly 3 but may vary depending on server
12. pfSense LDAP Server (cont'd)
● Parameters from here on all depend on LDAP server style
● Search Scope
– Level typically should be “Entire Subtree” – Especially on AD!
– Base DN, e.g. DC=example,DC=com
● If unknown, check LDAP schema, GUI, ADSI Edit, etc
● Authentication Containers
– Typically set to an OU, varies by LDAP schema
– Select button will show containers from the server. BIND credentials will need to be correct for it to
work.
● Extended Query
– Specifies an LDAP filter to limit search results, such as:
– memberOf=CN=VPNUsers,CN=Users,DC=example,DC=com
● Bind credentials – May or may not be necessary
– OpenLDAP typically allows anonymous binds/searches, but depends on schema
– Active Directory typically requires a valid user to bind, may need to be a service account or admin,
depends on configuration of the server, check Windows server docs
13. pfSense LDAP Server (cont'd)
● Initial Template – OpenLDAP, Microsoft AD, Novell eDirectory
– Pre-fills the User naming, Group naming, and Group member attributes with common defaults for each style
– For OpenLDAP with RFC 2307 groups, group member attribute should be memberUid
● RFC 2307 Groups (added after 2.2.4)
– Default style lists groups on the user object (Used by Active Directory)
– RFC 2307 lists group members on group object (Used by some OpenLDAP schemas)
● Group Object Class (added after 2.2.4)
– Object class needed for RFC 2307 style, typically posixGroup
● UTF-8 Encoding
– Necessary if using any special characters in LDAP usernames or passwords
– Support varies by server, but should be safe to enable in most cases
● Username Alterations
– By default if someone enters user@host style naming, the @ and after is stripped. Check to preserve.
● Save and visit Diagnostics > Authentication to test
● For group membership to work, the RADIUS server must return the group name(s) in the Class
attribute as a string AND the same group names must be present on pfSense (Groups tab)
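The two group-membership styles from the LDAP intro (RFC 2307 with memberUid on the group object, versus Active Directory/RFC 2307bis with memberOf on the user object) and the Extended Query filter from slide 12, worked through in Python. This is an added example, not pfSense's own PHP; the directory entries are constructed in memory as stand-ins for LDAP search results, the template attribute names are assumed defaults in the spirit of the Initial Template slide, and the RFC 4515 escaping of the username is standard LDAP practice added here, not a statement about how pfSense builds its filter.

```python
"""Resolve group membership under RFC 2307 and AD-style LDAP schemas and build
the user search filter, including an optional Extended Query (added example)."""

# Constructed in-memory directory keyed by DN; values are lists, as LDAP returns them.
DIRECTORY = {
    "uid=alice,ou=People,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson", "posixAccount"], "uid": ["alice"]},
    "uid=bob,ou=People,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson", "posixAccount"], "uid": ["bob"]},
    # RFC 2307: members are listed on the group object (memberUid)
    "cn=VPNUsers,ou=Groups,dc=example,dc=com": {
        "objectClass": ["posixGroup"], "cn": ["VPNUsers"], "memberUid": ["alice"]},
    "cn=Admins,ou=Groups,dc=example,dc=com": {
        "objectClass": ["posixGroup"], "cn": ["Admins"], "memberUid": ["alice", "bob"]},
    # AD / RFC 2307bis: groups are listed on the user object (memberOf)
    "CN=carol,CN=Users,DC=example,DC=com": {
        "objectClass": ["user"], "sAMAccountName": ["carol"],
        "memberOf": ["CN=VPNUsers,CN=Users,DC=example,DC=com"]},
}

# Assumed template defaults: user naming attr, group naming attr, group member attr,
# whether groups are RFC 2307 style, and the group object class for that style.
TEMPLATES = {
    "OpenLDAP (RFC 2307)": dict(user_attr="uid", group_attr="cn",
                                member_attr="memberUid", rfc2307=True, group_oc="posixGroup"),
    "Microsoft AD": dict(user_attr="sAMAccountName", group_attr="cn",
                         member_attr="memberOf", rfc2307=False, group_oc=None),
}


def escape_filter_value(value):
    """RFC 4515 escaping so a typed username cannot change the filter's structure."""
    specials = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(specials.get(ch, ch) for ch in value)


def build_user_filter(template, username, extended_query=None):
    """Filter on the user naming attribute, ANDed with the Extended Query if set."""
    base = f"({template['user_attr']}={escape_filter_value(username)})"
    if not extended_query:
        return base
    query = extended_query if extended_query.startswith("(") else f"({extended_query})"
    return f"(&{base}{query})"


def find_user(template, username):
    for dn, entry in DIRECTORY.items():
        if username in entry.get(template["user_attr"], []):
            return dn, entry
    return None, None


def rdn_value(dn):
    """Leading RDN value of a DN: 'CN=VPNUsers,CN=Users,...' -> 'VPNUsers'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def user_groups(template, username):
    """Group names for the user, resolved according to the template's schema style."""
    _, entry = find_user(template, username)
    if entry is None:
        return []
    if template["rfc2307"]:
        # RFC 2307: scan group objects of the configured class for the user's name
        groups = []
        for gentry in DIRECTORY.values():
            if template["group_oc"] not in gentry.get("objectClass", []):
                continue
            if username in gentry.get(template["member_attr"], []):
                groups.extend(gentry.get(template["group_attr"], []))
        return sorted(groups)
    # AD / RFC 2307bis: the user object itself carries the group DNs
    return sorted(rdn_value(g) for g in entry.get(template["member_attr"], []))


def effective_pfsense_groups(template, username, local_groups):
    """Privileges only apply to server groups that also exist on pfSense by name."""
    return [g for g in user_groups(template, username) if g in local_groups]
```

The last function is the check slide 14 describes: a group returned by the server counts only if a pfSense group of the same name exists, so comparing the two lists is the quickest way to explain a user who authenticates but gets no privileges.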
14. RADIUS and LDAP for the GUI
● Privileges are assigned based on group membership
● Add groups on pfSense to match groups on the server
– Example: LDAP group “VPNUsers” needs a pfSense group “VPNUsers”
● Add privileges to the group(s) as desired
● Check the authentication server to be sure the groups are setup properly with
users and to be seen by pfSense:
– LDAP – Check the Schema to see if AD style group membership is needed or RFC
2307 (If RFC 2307 is needed, must be on 2.2.5 or later)
– RADIUS (Will only work with 2.2.5 and later) – Ensure the server returns groups in
Class attribute as a String, not binary
● Visit Diagnostics > Authentication, test users and ensure the groups are listed
in the result.
● Visit System > User Manager, Settings tab, select the desired server, Save
15. RADIUS and LDAP for VPNs
● For LDAP, to limit access to a specific group, use Extended
Filter
● On IPsec and OpenVPN, Ctrl-select multiple servers, if first
fails, second is checked and so on
– No way to reorder them currently
● L2TP, PPPoE, and PPTP support only RADIUS and have
RADIUS settings on their configuration pages, nothing fancy.
● IPsec
– Works for IKEv1 xauth style setup, no IKEv2/EAP yet
– VPN > IPsec, Mobile Clients tab, select the desired auth server(s)
● OpenVPN – Next slide
16. RADIUS and LDAP for OpenVPN
● Auth can come from LDAP or RADIUS (or both)
● For use with OpenVPN Client Export Package:
– Auth only mode – One installer works for everyone (no certs)
– SSL/TLS + User Auth – Certs for external users must be manually added to the GUI
● No need to create local users, only certificates
● RADIUS Reply Attributes can be used to pass back info for clients!
– Cisco-AVPair route=x.x.x.x y.y.y.y (IP address, subnet mask)
– Cisco-AVPair dns-servers=x.x.x.x y.y.y.y z.z.z.z (IP addresses separated by spaces)
– Cisco-AVPair inacl= or outacl=<permit|deny> [tcp|udp] from <any|host|net> to <any|host|net>, wildcard mask/Cisco ACL style
– Framed-IP-Address = x.x.x.x, client gets x.x.x.x, server is x.x.x.x+1
● Multi-Factor Auth should be possible with RADIUS if the RADIUS server
supports it
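The reply attributes listed on this slide, parsed and turned into per-client OpenVPN directives, as an added Python example. The mapping to ccd lines (ifconfig-push, push route, push dhcp-option DNS) is an illustrative assumption about how such attributes would be applied and is not pfSense's own RADIUS script; the attribute values below are constructed, and every address is validated with the ipaddress module so a malformed reply raises instead of being written into a configuration.

```python
"""Translate OpenVPN-related RADIUS reply attributes into client config lines
and parse the Cisco ACL style inacl/outacl values (added example)."""
import ipaddress


def _endpoint(tokens):
    """Parse 'any', 'host A.B.C.D' or 'net A.B.C.D W.X.Y.Z' (Cisco wildcard mask)."""
    kind = tokens.pop(0)
    if kind == "any":
        return "any", tokens
    if kind == "host":
        return str(ipaddress.ip_network(f"{tokens.pop(0)}/32")), tokens
    if kind == "net":
        addr, wildcard = tokens.pop(0), tokens.pop(0)
        # wildcard mask: 0 bits are significant, so invert it to get a netmask
        netmask = ipaddress.ip_address(~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF)
        return str(ipaddress.ip_network(f"{addr}/{netmask}", strict=False)), tokens
    raise ValueError(f"unknown endpoint type {kind!r}")


def parse_acl(spec):
    """Parse '<permit|deny> [tcp|udp] from <endpoint> to <endpoint>'."""
    tokens = spec.split()
    action = tokens.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action {action!r}")
    proto = "ip"
    if tokens and tokens[0] in ("tcp", "udp"):
        proto = tokens.pop(0)
    if not tokens or tokens.pop(0) != "from":
        raise ValueError("expected 'from'")
    src, tokens = _endpoint(tokens)
    if not tokens or tokens.pop(0) != "to":
        raise ValueError("expected 'to'")
    dst, tokens = _endpoint(tokens)
    if tokens:
        raise ValueError(f"trailing tokens {tokens!r}")
    return {"action": action, "proto": proto, "src": src, "dst": dst}


def reply_to_ccd(attrs):
    """attrs: (attribute name, value) pairs from an Access-Accept.
    Returns (ccd directive lines, parsed inacl/outacl entries)."""
    lines, acls = [], []
    for name, value in attrs:
        if name == "Framed-IP-Address":
            client = ipaddress.IPv4Address(value)
            # slide: client gets x.x.x.x, server side is x.x.x.x+1
            lines.append(f"ifconfig-push {client} {client + 1}")
        elif name == "Cisco-AVPair":
            key, _, val = value.partition("=")
            if key == "route":
                net, mask = val.split()
                n = ipaddress.ip_network(f"{net}/{mask}", strict=False)
                lines.append(f'push "route {n.network_address} {n.netmask}"')
            elif key == "dns-servers":
                for dns in val.split():
                    lines.append(f'push "dhcp-option DNS {ipaddress.IPv4Address(dns)}"')
            elif key in ("inacl", "outacl"):
                acls.append((key, parse_acl(val)))
            # other AVPair keys are deliberately ignored rather than passed through
    return lines, acls


# Constructed sample reply for a single client
SAMPLE_REPLY = [
    ("Framed-IP-Address", "10.8.0.5"),
    ("Cisco-AVPair", "route=192.168.50.0 255.255.255.0"),
    ("Cisco-AVPair", "dns-servers=192.168.50.10 192.168.50.11"),
    ("Cisco-AVPair", "inacl=permit tcp from any to host 192.168.50.20"),
    ("Cisco-AVPair", "outacl=deny udp from net 10.0.0.0 0.0.0.255 to any"),
]

if __name__ == "__main__":
    ccd, acl_list = reply_to_ccd(SAMPLE_REPLY)
    print("\n".join(ccd))
    print(acl_list)
```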
17. RADIUS for Captive Portal
● Captive Portal only supports RADIUS auth at this time
● RADIUS Authentication can use PAP, CHAP_MD5, MSCHAPv1, or
MSCHAPv2 – Check RADIUS server config/docs to see what it supports
● Enter IP address and port for the RADIUS server
● Shared Secret is the “password” set in the RADIUS server for the firewall
as a NAS/Client
● Four total RADIUS Servers permitted:
– Primary Authentication Source and its backup
– Secondary Authentication Source and its backup
– Backups are consulted if the main servers do not respond
– Secondary authentication source is consulted if the primary fails
– Can be used to effectively have two sources of auth (e.g. pre-paid cards and
standard users) – all up to the servers and what they support
18. RADIUS for Captive Portal
● RADIUS Accounting:
– If enabled, sends information about user login sessions, data transferred, time of login/logout, and so on
– Stop/start accounting only sends data on login and logout
– Interim update sends periodic updates to the accounting server
● RADIUS Options – More here than are supported in the user manager
● Reauthentication – Forces a new auth request every minute. If users must be disconnected for time or
bandwidth usage calculations this must be checked!
● RADIUS MAC Authentication – Sends the MAC address as user name and “MAC Authentication Secret” as
the password. Allows automatic login by MAC address, MACs must be added to the RADIUS server as users.
● NAS IP – IP address sent in RADIUS requests to identify this firewall (e.g. Called-Station-Id)
● Session-Timeout – Obtain the client's allowed session time from the Session-Timeout RADIUS reply attribute.
● Type – Varies by need of RADIUS server, typically “default” – controls how Called-Station-Id and Calling-Station-Id are handled
● Accounting Style – Inverts value of input and output for bandwidth calculations to suit some RADIUS server
assumptions
● NAS Identifier – A name passed to the RADIUS server to identify this firewall
● MAC Address Format – The format of the MAC address expected by the RADIUS server
19. RADIUS for Captive Portal
● Some parameters may be passed back in RADIUS Reply
Attributes:
– Varies by RADIUS vendor
– WISPr-Bandwidth-Max-Up (and -Down)
● Sets up a limiter for this specific user to the given bw
– WISPr-Redirection-URL
● Passes a string with a full URL to use for redirection
– Acct-Interim-Interval
– Session-Timeout
– Idle-Timeout
● Do not set a simultaneous use limit on users that will use
Captive Portal
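An added Python example covering two passages: the Class attribute check from slides 10 and 14 (group names must come back as a string, not binary) and the WISPr reply attributes on this slide. It builds a RADIUS Access-Accept using only the RFC 2865 packet layout, verifies the Response Authenticator with the NAS shared secret, and then extracts the attributes. The packet, secret and values are constructed, not captured; the WISPr vendor id and attribute numbers are from the WISPr dictionary, and the code is not pfSense's own RADIUS client. Because the packet is otherwise plaintext, this MD5 authenticator is the only thing tying the reply to the shared secret, which is why the intro slide recommends keeping RADIUS local or inside a VPN.

```python
"""Build, verify and parse a RADIUS Access-Accept: Class attributes for group
mapping and WISPr vendor-specific attributes for Captive Portal (added example)."""
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT = 2
ATTR_CLASS, ATTR_VSA, ATTR_SESSION_TIMEOUT = 25, 26, 27
WISPR_VENDOR = 14122  # WISPr vendor id
WISPR = {4: "WISPr-Redirection-URL", 7: "WISPr-Bandwidth-Max-Up", 8: "WISPr-Bandwidth-Max-Down"}


def tlv(atype, value):
    """RADIUS attribute: type (1 byte), length (1 byte, includes header), value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def wispr(sub, value):
    """Vendor-Specific attribute: vendor id (4 bytes) followed by a vendor TLV."""
    return tlv(ATTR_VSA, struct.pack("!I", WISPR_VENDOR) + tlv(sub, value))


def build_response(code, ident, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = b"".join(attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(head + request_auth + body + secret).digest()
    return head + resp_auth + body


def verify_response(packet, request_auth, secret):
    """The NAS-side check: recompute the authenticator with the shared secret."""
    if len(packet) < 20:
        return False
    _, _, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attrs(packet):
    """Walk the attribute TLVs after the 20-byte header; reject malformed lengths."""
    out, pos = [], 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute length")
        out.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return out


def class_groups(attrs):
    """Class values usable as group names: decodable, printable strings only."""
    groups = []
    for atype, val in attrs:
        if atype != ATTR_CLASS:
            continue
        try:
            text = val.decode("utf-8")
        except UnicodeDecodeError:
            continue  # binary Class value: cannot match a pfSense group name
        if text.isprintable():
            groups.append(text)
    return groups


def wispr_attrs(attrs):
    """Decode WISPr VSAs: bandwidth limits are integers, the redirect URL a string."""
    out = {}
    for atype, val in attrs:
        if atype != ATTR_VSA or len(val) < 6:
            continue
        if struct.unpack("!I", val[:4])[0] != WISPR_VENDOR:
            continue
        sub, slen = val[4], val[5]
        body, name = val[6:4 + slen], WISPR.get(val[4])
        if name is None:
            continue
        out[name] = body.decode() if sub == 4 else struct.unpack("!I", body)[0]
    return out


def demo(secret=b"constructed-shared-secret"):
    request_auth = os.urandom(16)  # sent by the NAS in its Access-Request
    attrs = [tlv(ATTR_CLASS, b"VPNUsers"),
             tlv(ATTR_CLASS, b"\x01\x02\xff"),  # binary Class, should be ignored
             wispr(7, struct.pack("!I", 2_000_000)),
             wispr(8, struct.pack("!I", 10_000_000)),
             tlv(ATTR_SESSION_TIMEOUT, struct.pack("!I", 3600))]
    pkt = build_response(ACCESS_ACCEPT, 7, request_auth, attrs, secret)
    parsed = parse_attrs(pkt)
    return {"valid": verify_response(pkt, request_auth, secret),
            "valid_with_wrong_secret": verify_response(pkt, request_auth, b"wrong-secret"),
            "groups": class_groups(parsed), "wispr": wispr_attrs(parsed)}


if __name__ == "__main__":
    print(demo())
```

The second Class attribute in demo() is the failure mode slide 14 warns about: a binary value parses fine at the packet level but yields no group, so the user authenticates with no privileges.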
20. RADIUS for Wireless
● 802.1x A.K.A. WPA Enterprise
● More secure than plain WPA/WPA2
– Less prone to brute forcing
– Harder to snoop
● RADIUS only, no LDAP
● Second RADIUS server is used if the first fails
● Settings are placed on the wireless Interface (e.g. Interfaces > WiFi)
● Set WPA Key Management to EAP!
● Set client to PEAP (Or whatever mode is configured on RADIUS server)
● Clients will login using the username/password on the RADIUS server
● Check the Wireless log for info if access fails
● The AP daemon (hostapd) supports dynamic VLAN assignment but we do not currently
enable that or support it in the GUI – perhaps in the future
21. Conclusion
● Eventually, all areas will converge on using the
User Manager auth servers (Captive Portal,
Wireless, L2TP, PPPoE, etc)
● Works well now but always room for
improvement
● Questions?
● Ideas for hangout topics? Post on forum,
comment on the blog posts, Reddit, etc