Skip to content

PfSense can use LDAP servers to authenticate users from remote sources. In this example, the firewall connects to a Windows Domain Controller to authenticate an AD Security Group.

Notifications You must be signed in to change notification settings

HamllerM/pfSense-LDAP-AuthN

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

13 Commits
 
 

Repository files navigation

pfSense-LDAP-AuthN

PfSense can use LDAP servers to authenticate users from remote sources. In this example, the firewall connects to a Windows Domain Controller to authenticate an AD Security Group.

Virtual Machine IP Address Description
WINPCLAB01 192.168.1.5 Windows Client where pfSense is accessed from
BSDPFSLAB01 192.168.1.1 pfSense Firewall
WINDCLAB01 192.168.2.5 Windows Domain Controller

On Active Directory, we need a security group and at least two accounts. One account will be used as the service account attempting to bind to the server. Any other account will be a member of the security group that will be able to log in on pfSense.

Below are the security group and the accounts that already exist in AD:

Security Group Description
ITAdminSG SG to log in on the pfSense web console
Accounts Description
ITUser Account member of the ITAdminSG security group
pfSense-SA Service account to establish a connection to AD

With the Active Directory module for Windows PowerShell, we can use a group of cmdlets to manage domains, users, groups, and objects:

Now log in to the pfSense web console with the local account and password - "admin/pfsense" by default.

System > User Manager > Authentication Servers and click Add:

Setting Value
Descriptive name AuthN-WINDCLAB01
Type LDAP
Hostname or IP address 192.168.2.5
Port value 389
Transport Standard TCP
Peer Certificate Authority Global Root CA List
Protocol version 3
Server Timeout 25
Search Scrope Entire Subtree
Base DN DC=homelab,DC=local
Authentication containers OU=IT,OU=Users,OU=USA,DC=homelab,DC=local
Extended query Checked
Query memberOf=CN=ITAdminSG,OU=IT,OU=Users,OU=USA,DC=homelab,DC=local
Bind anonymous Unchecked
Bind credentials CN=pfSense SA,OU=Service Accounts,OU=Admin,DC=homelab,DC=local
Initial Template Microsoft AD (automatically sets the following 3 values)
User naming attribute samAccountName
Group naming attribute cn
Group member attribute memberOf
RFC 2307 Groups Unchecked
Group Object Class posixGroup
Shell Authentication Group DN
UTF8 Encode Unchecked
Username Alterations Unchecked
Allow unauthenticated bind Unchecked

pfSense:

Before moving forward, we can test these configurations by clicking "Select a container". A list of containers should appear, which means that the firewall crafted LDAP queries. Otherwise, we will get an error such as "Could not connect to the LDAP server. Please check the LDAP configuration."

Additionally, an AD authentication test can be performed as follows:

Diagnostics > Authentication > Provide the previously configured Authentication Server (AuthN-WINDCLAB01) and an AD user (ITUser) that is a member of the SG (ITAdminSG) configured in the Query:

Even though it says ITUser authenticated successfully, it cannot log in because first, ITUser doesn't seem to be a member of a group yet, and second, the Authentication Server is still disabled.

When working with group privileges and authentication servers, there must be local groups with names that exactly match the groups in AD:

Active Directory pfSense
ITAdminSG ITAdminSG

System > User Manager > Groups and click Add:

Setting Value
Group name ITAdminSG
Scope Remote
Description AD Users

pfSense:

Click Save, then it will return to the previous Group screen:

Click the Edit icon for the ITAdminSG group then Add to assign privileges and finally Save.

Going back to Diagnostics > Authentication > Provide the previously configured Authentication Server (AuthN-WINDCLAB01) and an AD user (ITUser) that is a member of the SG (ITAdminSG) configured in the Query:

Now we can move forward and enable the Authentication Server.

System > User Manager > Settings > Select the Authentication Server (AuthN-WINDCLAB01) and click Save & Test:

Finally, we are able to log in to the pfSense web console with the ITUser account or any other account in the ITAdminSG security group:

This example uses plain TCP, but if the Certificate Authority for the AD structure is imported under the Certificate Manager, the connection can also use SSL as well by selecting that option and choosing the appropriate CA from the Peer Certificate Authority drop down, and setting the Hostname to the match the server certificate.

References

About

PfSense can use LDAP servers to authenticate users from remote sources. In this example, the firewall connects to a Windows Domain Controller to authenticate an AD Security Group.

Topics

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published