Log in to PfSense based on Active Directory group membership

You can assign an Active Directory group to log in to PfSense’s web interface.

This article has a more elaborate discussion of two different methods to achieve an Active Directory link; here I'll describe just the LDAP one. RADIUS will work as well.

On your domain controller
– Create a PfSense group and add users who should be allowed to log in to PfSense.
– Create a dedicated account for PfSense to connect to AD with, for example 'pfsense-ad'. Give the account a strong password, set it to never expire and do not make it a member of any particular groups. It needs nothing beyond the default read access to the directory: it is only used to bind and look the user up, while the user's own credentials are used for the actual authentication. Its password is stored on PfSense, which is one more reason to keep its privileges minimal.

On PfSense
Define an Authentication Server: go to System > User Manager > Authentication Servers and click Add.

My AD information:
Domain: test.lab
Domain controller: server01.test.lab, 192.168.90.2
Dedicated AD connection user: pfsense-ad@test.lab

Descriptive name: AD-adminsgroup
Type: LDAP
Hostname or IP address: your AD domain controller's IP address (192.168.90.2 here)
Port value: 389
Transport: TCP – Standard. This is unencrypted LDAP: the bind account's password and every user's password cross the network in the clear. On anything but a lab network choose SSL/TLS Encrypted (port 636) or STARTTLS instead, and import the CA that issued your domain controller's certificate so it can be selected as Peer Certificate Authority.
Protocol version: 3
Search scope: Entire Subtree
Base DN: DC=test,DC=lab
Authentication containers: CN=Users,DC=test,DC=lab
Extended query: Enabled
Query: memberOf=CN=PfSense,CN=Users,DC=test,DC=lab
Bind anonymous: Unchecked
Bind credentials: pfsense-ad@test.lab and its password (your dedicated PfSense AD account)
Initial Template: Microsoft AD (this sets the next three values correctly)
User naming attribute: samAccountName
Group naming attribute: cn
Group member attribute: memberOf
RFC 2307 Groups: Unchecked

Add the AD group to PfSense: go to System > User Manager > Groups and click Add.

Group name: PfSense (your AD group name; it must match the group's cn in AD)
Scope: Remote
Group membership: leave empty

Click Save, then click the Edit icon for the group you just created and click Add.

Select WebCfg – All pages (or any other pages you want to assign – ‘WebCfg – All pages’ gives admin access) and click Save.

Point the User Manager to the new Authentication Server: go to System > User Manager > Settings and set Authentication Server to AD-adminsgroup (the Authentication Server you just created).

Click Save & Test.

Now you can log into the PfSense web interface with your AD account if you are a member of the right group.

Troubleshoot with Diagnostics > Authentication if necessary.

Notes:
– Log in using just the username part, without the domain name – for example just pino, not test\pino or pino@test.lab.
– You can still log in with the old admin account.
– For nested groups replace “memberOf” with “memberOf:1.2.840.113556.1.4.1941:” in the LDAP query.
– If you can't log in and the log-out link doesn't work, use your browser's private mode, or a different browser or computer altogether, to log in to PfSense with the old admin account and troubleshoot.
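The following Python script is an added example, not code from the original post or from pfSense. It shows why the plain memberOf query fails for users who reach the PfSense group only through a nested group, while the memberOf:1.2.840.113556.1.4.1941: form succeeds, and it emits the matching ldapsearch command for testing the query against a real domain controller. The directory contents (the users and the nested 'Firewall Admins' group) are constructed for illustration, and the exact filter pfSense builds from the user naming attribute and the extended query is an assumption.

```python
"""Added example, not part of the original post: work out which pfSense
'Extended query' value matches a given AD user, using a constructed
in-memory copy of the test.lab directory instead of a live domain controller,
and emit the equivalent ldapsearch command for checking against a real DC."""
import shlex

# OID of LDAP_MATCHING_RULE_IN_CHAIN: the matching rule that makes AD evaluate
# memberOf transitively (through nested groups) inside a search filter.
IN_CHAIN = "1.2.840.113556.1.4.1941"

PFSENSE_GROUP = "CN=PfSense,CN=Users,DC=test,DC=lab"

# Constructed sample directory. The domain mirrors the post's test.lab; the
# users and the nested 'Firewall Admins' group are invented for illustration.
# As in AD, memberOf lists only direct memberships.
DIRECTORY = {
    "CN=pino,CN=Users,DC=test,DC=lab": {
        "objectClass": "person", "sAMAccountName": "pino",
        "memberOf": ["CN=PfSense,CN=Users,DC=test,DC=lab"],
    },
    "CN=anna,CN=Users,DC=test,DC=lab": {
        "objectClass": "person", "sAMAccountName": "anna",
        "memberOf": ["CN=Firewall Admins,CN=Users,DC=test,DC=lab"],
    },
    "CN=bob,CN=Users,DC=test,DC=lab": {
        "objectClass": "person", "sAMAccountName": "bob", "memberOf": [],
    },
    "CN=Firewall Admins,CN=Users,DC=test,DC=lab": {
        "objectClass": "group",
        "memberOf": ["CN=PfSense,CN=Users,DC=test,DC=lab"],
    },
    "CN=PfSense,CN=Users,DC=test,DC=lab": {"objectClass": "group", "memberOf": []},
}


def dn_equal(a, b):
    """Distinguished names compare case-insensitively."""
    return a.lower() == b.lower()


def direct_member(directory, dn, group_dn):
    """What a plain 'memberOf=<group>' filter tests: direct membership only."""
    return any(dn_equal(g, group_dn) for g in directory[dn]["memberOf"])


def transitive_member(directory, dn, group_dn, seen=None):
    """What 'memberOf:1.2.840.113556.1.4.1941:=<group>' tests: follow memberOf
    through intermediate groups. 'seen' guards against group cycles."""
    seen = set() if seen is None else seen
    for g in directory[dn]["memberOf"]:
        if dn_equal(g, group_dn):
            return True
        key = g.lower()
        if key not in seen and g in directory:
            seen.add(key)
            if transitive_member(directory, g, group_dn, seen):
                return True
    return False


def extended_query(group_dn, nested=False):
    """Text to paste into pfSense's 'Extended query' field."""
    attribute = f"memberOf:{IN_CHAIN}:" if nested else "memberOf"
    return f"{attribute}={group_dn}"


def pfsense_filter(username, group_dn, nested=False, user_attr="sAMAccountName"):
    """Search filter pfSense is assumed to send: the user naming attribute ANDed
    with the extended query (assumed shape, not taken from pfSense source)."""
    return f"(&({user_attr}={username})({extended_query(group_dn, nested)}))"


def find_user(directory, username, user_attr="sAMAccountName"):
    for dn, attrs in directory.items():
        if attrs.get(user_attr, "").lower() == username.lower():
            return dn
    return None


def would_match(directory, username, group_dn, nested=False):
    """Evaluate pfsense_filter() against the in-memory directory: True means the
    search returns the user, so pfSense would go on to check the password."""
    dn = find_user(directory, username)
    if dn is None:
        return False
    check = transitive_member if nested else direct_member
    return check(directory, dn, group_dn)


def ldapsearch_command(bind_dn, host, base_dn, username, group_dn, nested=False):
    """The same filter as one ldapsearch invocation for testing against a real DC.
    -W prompts for the bind password instead of leaving it in shell history, and
    the whole filter is a single argument: a second filter-looking word would be
    read by ldapsearch as an attribute list, not as part of the filter."""
    argv = ["ldapsearch", "-LLL", "-x", "-W", "-D", bind_dn, "-H", f"ldap://{host}",
            "-b", base_dn, "-s", "sub", pfsense_filter(username, group_dn, nested)]
    return shlex.join(argv)


if __name__ == "__main__":
    for user in ("pino", "anna", "bob"):
        print(f"{user}: direct={would_match(DIRECTORY, user, PFSENSE_GROUP)} "
              f"nested={would_match(DIRECTORY, user, PFSENSE_GROUP, nested=True)}")
    print(ldapsearch_command("pfsense-ad@test.lab", "192.168.90.2",
                             "DC=test,DC=lab", "anna", PFSENSE_GROUP, nested=True))
```

Run it and compare with Diagnostics > Authentication: a user that shows nested=True but direct=False is exactly the case the note about "memberOf:1.2.840.113556.1.4.1941:" covers. The emitted ldapsearch uses ldap:// on port 389 to match the TCP – Standard transport in the table above; against an encrypted setup use ldaps:// or add -ZZ for STARTTLS.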

17 Comments

  1. Atkins

    Thanks for the post. I followed every step and did not work so I looked it over and noticed you have Cert Authority defined but I do not have any Cert Authority. Would this be a problem?

  2. jMurr

    Hi! I followed every step and still can’t connect. And I have one difference in config:
    (&(objectClass=person)(memberOf:1.2.840.113556.1.4.1941:=CN=pfSense,OU=Groups,OU=Pentegy-UA,DC=pentegy-ua,DC=local))
    In the log I see only one error:
    php-fpm[73496]: /index.php: webConfigurator authentication error for user ‘My_USER’ from: x.x.x.12
    I’ve tried to run query in the shell with success:
    /root: ldapsearch -LLL -x -D SERVICE_USER@pentegy-ua.local -w p@ssword -h x.x.x.61 -s sub -b "OU=Pentegy-UA,DC=pentegy-ua,DC=local" "(&(objectClass=person)(sAMAccountName=My_USER)(memberOf:1.2.840.113556.1.4.1941:=CN=pfSense,OU=Groups,OU=Pentegy-UA,DC=pentegy-ua,DC=local))"

    dn: CN=A***** ************y,OU=DAdmin,OU=Users,OU=Pentegy-UA,DC=pentegy-ua,DC=local

    What could be wrong???

    • Kapitein Vorkbaard

      Which versions are you using? Perhaps the new Nextcloud/OwnCloud version is doing things differently. Otherwise just start over. I've seen this a few times: you are certain it should work but it just doesn't.

  3. Jose Ali

    Hello, thanks for the information published. My question is about pfsense proxy authentication. Can you establish proxy filtering by Active Directory users?

  4. soheil

    Hi,
    thanks for the tutorial.
    Because of my network topology I cannot configure the AD DNS IP address on my pfsense. Can I use RADIUS authentication instead of AD in this scenario?

    • Kapitein Vorkbaard

      Sure, RADIUS is just a protocol. You could use any LDAP server, for example any OpenLDAP implementation, or any other authentication scheme that supports RADIUS.

      But why not just use local users?

  5. Pingback: pfSense: OpenVPN mit Benutzeranmeldung via Active Directory – Andy's Blog

  6. Tommy

    Can you have this auth server setup for local login and an auth server setup for VPN users to auth against AD also?

    Currently we use AD for users to authenticate against the FW to login, but we also want to use AD to authenticate for the admins to login to the webpage GUI. When I setup another auth server I have to choose the auth server setup for the GUI to login, but that then breaks the users logging into the VPN with their AD creds.

    • Kapitein Vorkbaard

      Shouldn’t be a problem. In any case you can define a second authentication server. The two should play together nicely. If that doesn’t help please post the description and the error message to the PfSense forum. “That then breaks” is not a very helpful description of what exactly is going on.

      • Tommy

        It doesn’t give an error message, just states that username or password incorrect. I’ve used the auth test and it authenticates against the second directory I have setup and says I’m a member of the group but it won’t let me login. If it said an actual error I would have posted it.
