I initially planned on using RADIUS-provided client parameters with OpenVPN but for the moment I’m not due to the following issues discussed in pfSense pull request #4026.
RADIUS actually works; however, LDAP is what you get out of the box with UCS without additional services. Though if you do 802.1X or a secure WiFi network, you might already use the RADIUS feature.
Here are some hints after comparing it against my system:
- Hostname: the FQDN of the UCS server, which must be resolvable by your pfSense box (e.g. ucs-master.example.org)
- Port: 7389 (specific to UCS)
- Transport: TCP - STARTTLS
- Check that both pfSense and UCS have NTP time servers configured; clock skew can be a source of issues with (START)TLS.
- Peer Certificate Authority:
  - Get the UCS root CA certificate via the UCS Web UI,
  - Import it using System > Cert. Manager > CAs,
  - Then you can select it here in the dropdown menu.
- Protocol version: 3 (default)
- Search scope: Entire Subtree (unless you don’t have any OUs, AFAIK)
- Base DN: can be identified using ‘ucr get ldap/base’ (e.g. dc=example,dc=org)
- Auth containers: important in large directories (save the settings first; once the connection works, use “Select a container”)
- Bind anonymous: disable it.
- Bind credentials: create an unprivileged user in UCS, obtain its DN using e.g. univention-ldapsearch -LL uid= (the DN looks like uid=svc.fwauth,cn=users,dc=example,dc=org), and enter the password
- User attribute: uid
- Group attribute: cn
- Group membership attribute: memberOf (requires said overlay)
- Group Object Class: posixGroup
This seems to work pretty well here.
- Test LDAP using Diagnostics > Authentication
- If you want, you can also grant admin privileges to the pfSense UI (not SSH) in System > User Manager > Groups
- Create a group in pfSense with the same name as in UCS (Domain Admins, for example). Then, in System > User Manager > Settings, you can switch the authentication server from Local Database to your LDAP backend.
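As an added example (not part of the original post, and not pfSense or UCS code), the script below shows how the attribute mapping above is actually used: look the user up by uid, take the bind DN from the entry, read group names from memberOf (the overlay path the post relies on), and, for comparison, resolve the same membership by searching posixGroup entries for memberUid, which is what a resolver must fall back to when the memberOf overlay is absent. The LDIF is constructed sample data shaped like univention-ldapsearch -LL output; the base DN dc=example,dc=org, the group name Domain Admins and the service user uid=svc.fwauth are the post's own examples, while alice and the group contents are invented.

```python
"""Resolve a user's bind DN and group membership from LDIF using the
attribute mapping from the post: user attribute uid, group attribute cn,
membership attribute memberOf, group object class posixGroup."""

from collections import defaultdict

# Constructed sample LDIF (not captured from a real UCS directory).
# Attribute names are real OpenLDAP/UCS ones; values are made up.
SAMPLE_LDIF = """\
dn: uid=svc.fwauth,cn=users,dc=example,dc=org
uid: svc.fwauth
objectClass: posixAccount
memberOf: cn=Domain Users,cn=groups,dc=example,dc=org

dn: uid=alice,cn=users,dc=example,dc=org
uid: alice
objectClass: posixAccount
memberOf: cn=Domain Users,cn=groups,dc=example,dc=org
memberOf: cn=Domain Admins,cn=groups,dc=example,dc=org

dn: cn=Domain Admins,cn=groups,dc=example,dc=org
cn: Domain Admins
objectClass: posixGroup
memberUid: alice

dn: cn=Domain Users,cn=groups,dc=example,dc=org
cn: Domain Users
objectClass: posixGroup
memberUid: alice
memberUid: svc.fwauth
"""


def parse_ldif(text):
    """Parse plain LDIF into a list of {attribute: [values]} dicts.
    Assumption: no base64 ('::') values and no folded lines, which is
    enough for the -LL style output the post refers to."""
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):
            raise ValueError("base64 values are not handled in this example")
        attr, value = attr.strip().lower(), value.strip()
        if current is None:
            if attr != "dn":
                raise ValueError("an LDIF entry must start with dn:")
            current = defaultdict(list)
        current[attr].append(value)
    if current is not None:
        entries.append(current)
    return entries


def find_user(entries, uid, user_attr="uid"):
    """Exactly one entry must match the user attribute (pfSense's lookup)."""
    matches = [e for e in entries if uid in e.get(user_attr.lower(), [])]
    if len(matches) != 1:
        raise LookupError(f"expected one entry for {user_attr}={uid}, got {len(matches)}")
    return matches[0]


def bind_dn_for(entries, uid):
    """The DN you paste into pfSense's bind credentials field."""
    return find_user(entries, uid)["dn"][0]


def groups_via_memberof(user_entry, group_attr="cn"):
    """memberOf overlay path: group DNs sit on the user entry; the group
    name is the value of the first RDN when it uses the group attribute."""
    names = []
    for dn in user_entry.get("memberof", []):
        rdn_attr, _, rdn_value = dn.split(",", 1)[0].partition("=")
        if rdn_attr.strip().lower() == group_attr.lower():
            names.append(rdn_value.strip())
    return sorted(names)


def groups_via_posixgroup(entries, uid):
    """Fallback without the overlay: scan posixGroup entries for memberUid."""
    return sorted(
        e["cn"][0]
        for e in entries
        if "posixgroup" in (c.lower() for c in e.get("objectclass", []))
        and uid in e.get("memberuid", [])
    )


def may_administer(entries, uid, admin_group="Domain Admins"):
    """True when the user is in the group pfSense maps to admin privileges."""
    return admin_group in groups_via_memberof(find_user(entries, uid))


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    print("bind DN:", bind_dn_for(directory, "svc.fwauth"))
    for uid in ("alice", "svc.fwauth"):
        print(uid, groups_via_memberof(find_user(directory, uid)),
              groups_via_posixgroup(directory, uid), may_administer(directory, uid))
```

Both resolution paths return the same groups for the sample data; the difference is cost and configuration. With the memberOf overlay one user lookup is enough, which is why the post's mapping works with a single search; without it a resolver has to search every posixGroup under the base DN for each login.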
Note about certificates: Whenever you renew the UCS root CA, you will have to re-import the renewed UCS root CA certificate into pfSense, otherwise LDAP with STARTTLS will fail.
Keep in mind that this won’t be able to fail over to a UCS backup or slave DC as is. I haven’t yet played with adding more than one authentication backend.