You can assign an Active Directory group to log in to PfSense’s web interface.

This article has a more elaborate discussion of two different methods to achieve an Active Directory link; here I’ll just describe the LDAP one. RADIUS works as well.

On your domain controller
– Create a PfSense group and add users who should be allowed to log in to PfSense.
– Create a dedicated account for PfSense to connect to AD with, for example ‘pfsense-ad’. Give the account a strong password, set it to never expire and do not make it a member of any particular groups. This account is only used to bind to Active Directory and look up users; it does not perform the actual authentication.

On PfSense
Define an Authentication Server: go to System > User Manager > Authentication Servers and click Add.

My AD information:
Domain: test.lab
Domain controller: server01.test.lab
Dedicated AD connection user: pfsense-ad@test.lab

Descriptive name: AD-adminsgroup
Hostname or IP address: your AD domain controller’s IP address
Port value: 389
Transport: TCP – Standard
Protocol version: 3
Search scope: Entire Subtree
Authentication containers: CN=Users,DC=test,DC=lab
Extended query: Enabled
Query: memberOf=CN=PfSense,CN=Users,DC=test,DC=lab
Bind anonymous: Unchecked
Bind credentials: pfsense-ad@test.lab (your dedicated PfSense AD account) and its password
Initial Template: Microsoft AD (this sets the next three values correctly)
User naming attribute: samAccountName
Group naming attribute: cn
Group member attribute: memberOf
RFC 2307 Groups: Unchecked

Add the AD group to PfSense: go to System > User Manager > Groups and click Add.

Group name: PfSense (your AD group name)
Scope: Remote
Group membership: leave empty

Click Save, then click the Edit icon for the group you just created and click Add.

Select ‘WebCfg – All pages’ (or any other pages you want to assign; ‘WebCfg – All pages’ gives full admin access) and click Save.

Point the User Manager to the new Authentication Server: go to System > User Manager > Settings and set Authentication Server to AD-adminsgroup (the Authentication Server you just created).

Click Save & Test.

Now you can log in to the PfSense web interface with your AD account if you are a member of the right group.

Troubleshoot with Diagnostics > Authentication if necessary.

– Log in using just the username part, without the domain name – for example just pino, not test\pino or pino@test.lab.
– You can still log in with the old admin account.
– For nested groups replace “memberOf” with “memberOf:1.2.840.113556.1.4.1941:” in the LDAP query.
– If you can’t log in and the log out link doesn’t work, use your browser’s privacy mode, or a different browser or computer altogether, to log in to PfSense with the old admin account and troubleshoot.
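To see what the Extended query above actually decides, here is an added Python model (not part of the original article or of PfSense) of the group check: it builds the Query value for a group DN, with or without the nested-group matching rule, escapes the DN for use in an LDAP filter, and evaluates direct versus nested membership against a small constructed directory. The users, the NetOps group and the function names are assumptions made up for the example.

```python
"""Model of the PfSense 'Extended query' group check against AD (constructed example)."""
from collections import deque

# RFC 4515: characters that must be escaped inside an LDAP filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

# Microsoft's LDAP_MATCHING_RULE_IN_CHAIN OID: makes memberOf match transitively.
IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape a DN so it is safe to embed in an LDAP filter."""
    return "".join(_ESCAPES.get(c, c) for c in value)


def extended_query(group_dn: str, nested: bool = False) -> str:
    """Build the value for the PfSense 'Query' field for one AD group."""
    attr = f"memberOf:{IN_CHAIN}:" if nested else "memberOf"
    return f"{attr}={escape_filter_value(group_dn)}"


# Constructed directory: DN -> attributes. Groups carry memberOf too, so nesting is visible.
DIRECTORY = {
    "CN=pino,CN=Users,DC=test,DC=lab": {"sAMAccountName": "pino",
                                        "memberOf": ["CN=PfSense,CN=Users,DC=test,DC=lab"]},
    "CN=anna,CN=Users,DC=test,DC=lab": {"sAMAccountName": "anna",
                                        "memberOf": ["CN=NetOps,CN=Users,DC=test,DC=lab"]},
    "CN=bob,CN=Users,DC=test,DC=lab": {"sAMAccountName": "bob", "memberOf": []},
    "CN=NetOps,CN=Users,DC=test,DC=lab": {"memberOf": ["CN=PfSense,CN=Users,DC=test,DC=lab"]},
    "CN=PfSense,CN=Users,DC=test,DC=lab": {"memberOf": []},
}


def effective_groups(dn: str) -> set:
    """Transitive closure of memberOf, the way the IN_CHAIN rule evaluates it."""
    seen, todo = set(), deque(DIRECTORY[dn]["memberOf"])
    while todo:
        group = todo.popleft()
        if group not in seen:
            seen.add(group)
            todo.extend(DIRECTORY.get(group, {}).get("memberOf", []))
    return seen


def login_allowed(username: str, group_dn: str, nested: bool = False) -> bool:
    """Would the configured query admit this sAMAccountName? Unknown users are refused."""
    for dn, attrs in DIRECTORY.items():
        if attrs.get("sAMAccountName") == username:
            groups = effective_groups(dn) if nested else set(attrs["memberOf"])
            return group_dn in groups
    return False
```

With the plain memberOf query anna is refused because she reaches PfSense only through NetOps; the IN_CHAIN form admits her while still refusing bob.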