You can assign an Active Directory group to log in to PfSense’s web interface.
This article has a more elaborate discussion of two different methods to achieve an Active Directory link; here I’ll just describe the LDAP one. RADIUS will work as well.
On your domain controller
– Create a PfSense group and add users who should be allowed to log in to PfSense.
– Create a dedicated account for PfSense to connect to AD with, for example ‘pfsense-ad’. Give the account a strong password, set it to never expire and do not make it a member of any particular groups. This account is only used to establish the connection to Active Directory, not to perform the actual authentication.
Define an Authentication Server: go to System > User Manager > Authentication Servers and click Add.
My AD information:
Domain controller: server01.test.lab, 192.168.90.2
Dedicated AD connection user: email@example.com
|Hostname or IP address||your AD domain controller’s ip address|
|Transport||TCP – Standard|
|Search Scope||Entire Subtree|
|Bind credentials||firstname.lastname@example.org (your dedicated PfSense AD account)|
|Initial Template||Microsoft AD (this will set the next three values correctly)|
|User naming attribute||samAccountName|
|Group naming attribute||cn|
|Group member attribute||memberOf|
|RFC 2307 Groups||Unchecked|
Add the AD group to PfSense: go to System > User Manager > Groups and click Add.
|Group name||PfSense (your AD group name)|
|Group membership||leave empty|
Click Save, then click the Edit icon for the group you just created and click Add.
Select WebCfg – All pages (or any other pages you want to assign – ‘WebCfg – All pages’ gives admin access) and click Save.
Point the User Manager to the new Authentication Server: go to System > User Manager > Settings and set Authentication Server to AD-adminsgroup (the Authentication Server you just created).
Click Save & Test.
Now you can log into the PfSense web interface with your AD account if you are a member of the right group.
Troubleshoot with Diagnostics > Authentication if necessary.
– Log in using just the username part, without the domain name – for example just pino, not test\pino or email@example.com.
– You can still log in with the old admin account.
– For nested groups replace “memberOf” with “memberOf:1.2.840.113556.1.4.1941:” in the LDAP query.
– If you can’t log in and the log out link doesn’t work, use your browser’s privacy mode or a different browser or computer altogether to log in to PfSense using the old admin account and troubleshoot.
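
The nested-groups note above, as an added example (not from the original article and not pfSense's own code): it builds the plain and the matching-rule form of a membership filter with RFC 4515 escaping, and models what each form matches over a constructed directory. The filter shape, the CN=Users container and the Netadmins group are assumptions; 1.2.840.113556.1.4.1941 is Active Directory's LDAP_MATCHING_RULE_IN_CHAIN.

```python
# Added example: constructed data, not an export from a real directory.
IN_CHAIN = "1.2.840.113556.1.4.1941"  # AD's LDAP_MATCHING_RULE_IN_CHAIN

def escape_filter_value(value):
    """Escape RFC 4515 special characters so input cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def membership_filter(username, group_dn, nested=False):
    """Filter that matches the user only if they are in group_dn."""
    attr = "memberOf:%s:" % IN_CHAIN if nested else "memberOf"
    return "(&(sAMAccountName=%s)(%s=%s))" % (
        escape_filter_value(username), attr, escape_filter_value(group_dn))

# Constructed directory: object DN -> its direct memberOf values.
GROUP = "CN=PfSense,CN=Users,DC=test,DC=lab"
NETADMINS = "CN=Netadmins,CN=Users,DC=test,DC=lab"  # hypothetical nested group
PINO = "CN=pino,CN=Users,DC=test,DC=lab"
DIRECTORY = {PINO: [NETADMINS], NETADMINS: [GROUP], GROUP: []}

def is_member(dn, group_dn, nested=False):
    """Model the DC's answer: direct memberOf only, or the whole chain."""
    seen, stack = {dn}, [dn]
    while stack:
        for parent in DIRECTORY.get(stack.pop(), []):
            if parent.lower() == group_dn.lower():
                return True
            if nested and parent not in seen:  # 'seen' guards against group loops
                seen.add(parent)
                stack.append(parent)
    return False

if __name__ == "__main__":
    for nested in (False, True):
        print(membership_filter("pino", GROUP, nested),
              "->", is_member(PINO, GROUP, nested))
```

Here pino belongs to PfSense only through Netadmins, so the plain memberOf form does not match and the matching-rule form does.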