PfSense can use LDAP servers to authenticate users from remote sources. In this example, the firewall connects to a Windows Domain Controller to authenticate an AD Security Group.
| Virtual Machine | IP Address | Description |
|---|---|---|
| WINPCLAB01 | 192.168.1.5 | Windows Client where pfSense is accessed from |
| BSDPFSLAB01 | 192.168.1.1 | pfSense Firewall |
| WINDCLAB01 | 192.168.2.5 | Windows Domain Controller |
On Active Directory, we need a security group and at least two accounts. One account will be used as the service account attempting to bind to the server. Any other account will be a member of the security group that will be able to log in on pfSense.
Below are the security group and the accounts that already exist in AD:
| Security Group | Description |
|---|---|
| ITAdminSG | SG to log in on the pfSense web console |
| Accounts | Description |
|---|---|
| ITUser | Account member of the ITAdminSG security group |
| pfSense-SA | Service account to establish a connection to AD |
With the Active Directory module for Windows PowerShell, we can use a group of cmdlets to manage domains, users, groups, and objects:
Now log in to the pfSense web console with the local account and password - "admin/pfsense" by default.
System > User Manager > Authentication Servers and click Add:
| Setting | Value |
|---|---|
| Descriptive name | AuthN-WINDCLAB01 |
| Type | LDAP |
| Hostname or IP address | 192.168.2.5 |
| Port value | 389 |
| Transport | Standard TCP |
| Peer Certificate Authority | Global Root CA List |
| Protocol version | 3 |
| Server Timeout | 25 |
| Search Scrope | Entire Subtree |
| Base DN | DC=homelab,DC=local |
| Authentication containers | OU=IT,OU=Users,OU=USA,DC=homelab,DC=local |
| Extended query | Checked |
| Query | memberOf=CN=ITAdminSG,OU=IT,OU=Users,OU=USA,DC=homelab,DC=local |
| Bind anonymous | Unchecked |
| Bind credentials | CN=pfSense SA,OU=Service Accounts,OU=Admin,DC=homelab,DC=local |
| Initial Template | Microsoft AD (automatically sets the following 3 values) |
| User naming attribute | samAccountName |
| Group naming attribute | cn |
| Group member attribute | memberOf |
| RFC 2307 Groups | Unchecked |
| Group Object Class | posixGroup |
| Shell Authentication Group DN | |
| UTF8 Encode | Unchecked |
| Username Alterations | Unchecked |
| Allow unauthenticated bind | Unchecked |
pfSense:
Before moving forward, we can test these configurations by clicking "Select a container". A list of containers should appear, which means that the firewall crafted LDAP queries. Otherwise, we will get an error such as "Could not connect to the LDAP server. Please check the LDAP configuration."
Additionally, an AD authentication test can be performed as follows:
Diagnostics > Authentication > Provide the previously configured Authentication Server (AuthN-WINDCLAB01) and an AD user (ITUser) that is a member of the SG (ITAdminSG) configured in the Query:
Even though it says ITUser authenticated successfully, it cannot log in because first, ITUser doesn't seem to be a member of a group yet, and second, the Authentication Server is still disabled.
When working with group privileges and authentication servers, there must be local groups with names that exactly match the groups in AD:
| Active Directory | pfSense |
|---|---|
| ITAdminSG | ITAdminSG |
System > User Manager > Groups and click Add:
| Setting | Value |
|---|---|
| Group name | ITAdminSG |
| Scope | Remote |
| Description | AD Users |
pfSense:
Click Save, then it will return to the previous Group screen:
Click the Edit icon for the ITAdminSG group then Add to assign privileges and finally Save.
Going back to Diagnostics > Authentication > Provide the previously configured Authentication Server (AuthN-WINDCLAB01) and an AD user (ITUser) that is a member of the SG (ITAdminSG) configured in the Query:
Now we can move forward and enable the Authentication Server.
System > User Manager > Settings > Select the Authentication Server (AuthN-WINDCLAB01) and click Save & Test:
Finally, we are able to log in to the pfSense web console with the ITUser account or any other account in the ITAdminSG security group:
This example uses plain TCP, but if the Certificate Authority for the AD structure is imported under the Certificate Manager, the connection can also use SSL as well by selecting that option and choosing the appropriate CA from the Peer Certificate Authority drop down, and setting the Hostname to the match the server certificate.
References