[Gorian]

I am wondering if anyone has any experience setting up RADIUS (Under Microsoft Server 2008, Network Policy and Access) to authenticate against Microsoft Active Directory?

I am using pfsense to support PPTP VPN, and want to authenticate users with my existing Active Directory. However, I cannot seem to get the policies working correctly, I keep getting reason code 48 or 49, saying that there are no policies that match the request.

As there is possibly a lot of information and variables, let me know is any other information is needed.

This post has been edited by Gorian: 29 January 2011 - 09:10 PM

[Trakker]

Aren't you using a domain? You could make the computers log into said domain, and it would authenticate using your current active directory. I don't see the sense in using a radius server in this manner, or maybe I just didn't understand.

[Gorian]

well, I need the RADIUS server to authenticate them through the domain, as they are connecting PPTP to the FreeBSD based pfsense box. Is there a better way to do it?

[Trakker]

I have no idea. Just for SAGs, you're pretty much trying to use AD authentication to login to a FreeBSD box over a software VPN connection, right?
To re-iterate, I have no idea. I know there is a way to join a windows domain in linux, but after that I'm clueless. Perhaps after you've explained it a few times someone else will chime in.

This post has been edited by Trakker: 05 February 2011 - 02:56 PM

[Gorian]

Yes, you are correct. I am trying to use Active Directory to login to a FreeBSD box, over a sofware VPN connection. It partly works. The problem, I think, is my NPA policies, except that I don't know why. I have policies in place, but they don't seem to be working correctly. I can successfully connect to the PPTP VPN if I don't authenticate via RADIUS, and just use a name and password specified on the local machine (that isn't what I want though). When I specify the Windows 2008 machine as the RADIUS server, it sees the user's trying to login, and then give me an even message saying there is no matching policy... except there is.... that is where I am getting stuck....

[Trakker]

Have you tried joining the linux box to the windows domain instead of using the radius server? Or is that not acceptable?

[Gorian]

I don't know as that would work.... The point is to allow users to connect to the PPTP VPN using their Active Directory accounts. Successfully configuring a RADIUS server seems the easiest way to do that.... Would joining the FreeBSD box to the domain make that work?

[Trakker]

Ok seems I misunderstood again. So you want the software vpn connection to use AD to authenticate? In that case yes a radius server would make more sense, you're completely correct. In that case, just do a google search for the specific radius server you're using and active directory. The results are sparse, and very discouraging for the windows based radius servers. The linux based radius servers however have a few articles about authenticating against AD.

As for joining the FreeBSD box to the domain, I found this page on the tubes:
http://joseph.random...tive-directory/

It involves samba, if you don't already have that installed. The article seems thorough and the end result is what you want for your machine, to be able to log in using a user in AD.

[Gorian]

Yes, that is what I thought, that it would be the simplest. I do a lot googling before asking for help, and I also have a lot of friends in IT who are unable to help with this problem. I have noticed that results for windows RADIUS is sparse, and unhelpful. I have found about 2 tutorials for it, but I am still encountering and error after following them. I have noticed the more numerous articles about FreeRADIUS authenticating against Active Directory, and have considered using that instead, however it would be a lot more extra work to get a system up and running with FreeRADIUS, and it make more sense to get the WindowsRADIUS working....

Yeah, I knew that, but the only FreeBSD box I currently have is my pfsense box, which is forked, and not supporting a lot of packages like that...

Argh.... why do computers always have to be so ornery?

[Trakker]

You noticed the same things I did in my searching haha.

PFSense sounds wicked cool though, I'm glad you mentioned it. I might boot up a VM of it and start playing around with your problem if school doesn't kill all my free time.

Perhaps what you could do is get your windows box to export its active directory users list (and passwords...this would be unsecure unless you encrypt it) to some sort of csv file or text file...send it across the network, and have your pfsense box update it's user account list based on this file perhaps once a day? Its a theoretical solution, I wouldn't be able to help you with the workings of it...but it is possible. And like I had mentioned, some sort of encryption of said file would be in order. It would definitely be fun and a learning experience.

[Gorian]

Yeah, I also considered that, but again, a lot of work to learn how to do that

yeah, I have been happy with pfsense so far. I have it running on an old PIII system, with 348MBs of RAM, and it works really well. It has replaced my router, and I am working on getting it working as a wireless access point (the other problem I haven't been able to solve yet, but that is a different problem thread )

While I am pretty good with computers in general, and windows, I am new to *nix and *BSD, so I am learning as I going along, and trying to understand the underlying basics. However, it has a really good WebGUI, so it isn't really neccessary