Hello list,

I am experiencing trouble while configuring 2.2.6-RELEASE to authenticate against a FreeRADIUS (3.0.15) that forwards requests to a MS DC via NTLM/Samba/Winbindd.

Despite the "Access-Accepted" message flowing from FreeRADIUS to the NAS, the resulting web page always returns "No page assigned to this user! Click here to logout." Even after adding a local group matching the AD group (NET-ADMINS, with the "WebCfg - All pages" privilege granted) and updating the RADIUS response with "pfSense-Group-Name = NET-ADMINS" (as in https://github.com/pfsense/pfsense/pull/1552), the behavior doesn't change, and the packet capture reports:

    09:47:04.470325 00:0c:29:7c:c9:8c > 00:0c:29:28:64:b5, ethertype IPv4 (0x0800), length 80: (tos 0x0, ttl 63, id 33115, offset 0, flags [none], proto UDP (17), length 66)
        10.20.48.21.1812 > 10.6.20.39.3795: [udp sum ok] RADIUS, length: 38
            Access Accept (2), id: 0x74, Authenticator: e8e7c7a23079b9fed529452e560a1579
              Vendor Specific Attribute (26), length: 18, Value: Vendor: Unknown (15000)
                Vendor Attribute: 1, Length: 10, Value: NET-ADMINS
                0x0000:  0000 3a98 010c 4e45 542d 4144 4d49 4e53

So the question is: what kind of AVP do I need to send back to the NAS to allow local (to pfSense) group mapping of the user?

Wish you a great day.

Alessandro
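
Added example (not part of the original message, and not pfSense or FreeRADIUS code): a decoder for the Access-Accept in the capture above, rebuilt byte for byte from the fields tcpdump printed, to list exactly which attributes reach the NAS. The names parse_radius and parse_vsa are made up for this illustration.

```python
import struct

# Access-Accept rebuilt from the capture above (function names are hypothetical).
PACKET = bytes.fromhex(
    "02" "74" "0026"                    # code 2, id 0x74, length 38
    "e8e7c7a23079b9fed529452e560a1579"  # Authenticator as printed by tcpdump
    "1a12"                              # attribute 26 (Vendor-Specific), length 18
    "00003a98" "010c"                   # vendor id 15000, vendor type 1, length 12
    "4e45542d41444d494e53"              # "NET-ADMINS" (the 10-byte value)
)

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}


def parse_vsa(value):
    """Split a Vendor-Specific value (RFC 2865, 5.26) into (vendor id, sub-attrs)."""
    if len(value) < 4:
        raise ValueError("VSA shorter than its vendor id")
    vendor_id = struct.unpack("!I", value[:4])[0]
    subs, pos = [], 4
    while pos < len(value):
        if len(value) - pos < 2 or value[pos + 1] < 2 or pos + value[pos + 1] > len(value):
            raise ValueError("bad vendor sub-attribute length")
        vlen = value[pos + 1]
        subs.append((value[pos], value[pos + 2:pos + vlen]))
        pos += vlen
    return vendor_id, subs


def parse_radius(packet):
    """Return (code name, identifier, [(attribute type, value), ...])."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the datagram")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2 or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length")
        alen = packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        attrs.append((packet[pos], parse_vsa(value) if packet[pos] == 26 else value))
        pos += alen
    return CODES.get(code, str(code)), ident, attrs


if __name__ == "__main__":
    print(parse_radius(PACKET))
```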
