[strongSwan] Authentication against Active Directory?

JWD j-wd at 163.com
Sun Jan 28 17:00:53 CET 2018


This is my case:
The PAP backend is pam_ldap or FreeRADIUS, either of which can integrate with Windows AD via LDAP or winbind.
The EAP-MSCHAPv2 backend is FreeRADIUS (MS-CHAPv2 is a challenge/response scheme that cannot be verified by a plain LDAP bind; FreeRADIUS checks it against AD via ntlm_auth/winbind).

XAuth-PSK(PAP):
iOS:         IPSec
Android:     IPSec XAuth PSK

EAP-MSCHAPv2(MSCHAPv2):
Windows 7+:  IKEv2+EAP-MSCHAPv2

#-----------------------------------------

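conn XAuth-PSK
    keyexchange=ikev1
    # NOTE(review): modp1024 (1024-bit DH) and SHA-1 are below current recommendations;
    # presumably kept for legacy iOS/Android IKEv1 clients -- confirm which stronger
    # proposals (e.g. modp2048, sha256) those clients accept before tightening.
    ike=aes128-sha1-modp1024
    esp=aes128-sha1
    dpdaction=clear
    rekey=no
    left=%any
    # NOTE(review): with left/rightauth=psk and right=%any a single group PSK is shared by
    # every client, and the gateway authenticates with that same PSK. Any PSK holder can
    # therefore stand up a rogue gateway and collect other users' XAuth credentials; the
    # PSK only keeps outsiders out, it does not authenticate the gateway to the users.
    leftauth=psk
    leftsubnet=0.0.0.0/0
    #leftfirewall=yes
    right=%any
    rightauth=psk
    # Select the PAM backend explicitly so the pam_ldap setup below is what verifies the
    # XAuth user/password. A bare "xauth" leaves the backend choice to charon and may end
    # up at xauth-generic (passwords from ipsec.secrets) rather than PAM.
    rightauth2=xauth-pam
    #rightauth2=xauth-radius | xauth-generic | xauth-pam | xauth-eap
    rightsourceip=192.168.3.0/24
    auto=add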

conn EAP-MSCHAPv2
    keyexchange=ikev2
    # NOTE(review): the trailing "!" makes the list strict, but it still admits 3DES and
    # modp1024 (1024-bit DH) as fallbacks. Presumably kept for Windows 7 clients, which
    # negotiate those by default unless the client is reconfigured (NegotiateDH2048_AES256
    # registry key) -- confirm, and drop the weak proposals once no such clients remain.
    ike=aes256-sha256-modp2048,aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256-sha256,aes128-sha1,3des-sha1!
    dpdaction=clear
    rekey=no
    # Gateway identity. charon expects this name to be contained in leftcert (subject or
    # SAN), and Windows clients check the certificate name against the host they dial --
    # keep it equal to the DNS name users connect to.
    leftid=@vpn.mydomain.com
    left=%any
    # Gateway authenticates with its certificate; clients authenticate through EAP only.
    leftauth=pubkey
    leftcert=vpn-server.cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    #leftfirewall=yes
    right=%any
    #rightauth=eap-mschapv2
    # EAP is relayed to the RADIUS server from eap-radius.conf, which runs MS-CHAPv2
    # against AD. NOTE(review): MS-CHAPv2 gives weak protection to the user's NT hash, so
    # resistance to a rogue gateway rests entirely on clients validating the server
    # certificate -- never instruct users to disable that check.
    rightauth=eap-radius
    rightsendcert=never
    rightsourceip=192.168.3.0/24
    # Accept any EAP identity; the name RADIUS verifies need not equal the IKE identity.
    eap_identity=%any
    auto=add

############################################################
# /usr/local/strongswan/etc/strongswan.d/charon/xauth-pam.conf
############################################################

# PAM service name used by the xauth-pam plugin: XAuth user/password pairs are handed
# to the stack defined in /etc/pam.d/ldap (shown below).
pam_service = ldap

#----------------------------------------------------------

# Install the pam_ldap PAM module (RHEL/CentOS package name; check your distribution's equivalent).
yum install pam_ldap -y

# Edit the pam_ldap configuration; the intended contents follow.
vi /etc/pam_ldap.conf
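# pam_ldap: verify XAuth users against Active Directory by binding to the DC as the user.
# NOTE(review): no "ssl" option is set, so pam_ldap uses plain LDAP (389) and every user's
# password -- plus bindpw below -- crosses the network unencrypted unless the path to the
# DC is protected some other way. Strongly consider "ssl start_tls" or "ssl on" with
# "uri ldaps://..." (and enforce LDAP signing/channel binding on the DC side).
host ldap.example.com
base dc=example,dc=com
# Low-privilege lookup account. Its password sits in cleartext below, so this file must
# be readable by root only (mode 0600); when charon runs as root, rootbinddn plus
# /etc/pam_ldap.secret is the pam_ldap way to keep the secret out of this file.
binddn CN=user1,CN=users,DC=example,DC=com
bindpw user1-password
scope sub
#pam_groupdn cn=group1,ou=groups,dc=example,dc=com
#pam_min_uid 0
#pam_max_uid 0
# RFC 2307 (AD) mappings
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
# Only enabled user objects. userAccountControl is a bit field, so test the ACCOUNTDISABLE
# bit (0x2) with the LDAP_MATCHING_RULE_BIT_AND rule instead of the exact value 514
# (NORMAL_ACCOUNT|ACCOUNTDISABLE); the exact match misses disabled accounts that carry any
# other flag (e.g. DONT_EXPIRE_PASSWORD -> 66050). AD also refuses binds for disabled
# accounts, so this is defence in depth and restricts lookups to user objects.
pam_filter &(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))
pam_password ad
referrals no
# Note: do not quote or parenthesize binddn/bindpw/pam_filter, even when they contain spaces.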

# Create the PAM service referenced by pam_service = ldap; the intended contents follow.
vi /etc/pam.d/ldap
#%PAM-1.0
# Minimal stack used by xauth-pam (pam_service = ldap); only the auth and account phases
# matter for XAuth. Each line is "sufficient": success ends the phase, and with Linux-PAM
# a failing sufficient module followed by nothing still denies, so the stack fails closed
# as written. NOTE(review): a trailing "auth required pam_deny.so" is the customary guard
# to keep it fail-closed if modules are added or reordered later.
auth        sufficient    pam_ldap.so
account     sufficient    pam_ldap.so
password    sufficient    pam_ldap.so
#auth       sufficient    pam_unix.so
#account    sufficient    pam_unix.so
#password   sufficient    pam_unix.so
# Note: enabling the unix modules also lets local system accounts authenticate.

############################################################
# /usr/local/strongswan/etc/strongswan.d/charon/eap-radius.conf
############################################################

eap-radius {
    # Emit RADIUS accounting for the IKE_SAs authenticated through this plugin.
    accounting = yes
    load = yes

    servers {
        localhost {
            # FreeRADIUS on loopback, so RADIUS traffic never leaves the host. If the
            # server is ever moved off-box, protect the link (IPsec or RadSec): RADIUS
            # confidentiality rests on MD5 with the shared secret, and the MS-CHAPv2
            # exchange plus MPPE key material travel over it.
            address = 127.0.0.1
            auth_port = 1812
            acct_port = 1813
            sockets = 10
            # NOTE(review): placeholder value -- use a long random secret and keep this
            # file root-readable only; it is stored in cleartext here and in FreeRADIUS'
            # clients.conf.
            secret = radiuspsk
            nas_identifier = StrongSwan
        }
    }
}




JWD

From: Marc Roos
Date: 2018-01-28 06:30
To: users
Subject: [strongSwan] Authentication against Active Directory?

Is authenticating users against an Active Directory or Windows domain
still not possible? Or is there a workaround, such as joining a Linux Samba
server to the domain?

https://wiki.strongswan.org/issues/2320

