You can assign an Active Directory group to log in to PfSense’s web interface.
This article has a more elaborate discussion of two different methods to achieve an Active Directory link, here I’ll just describe the LDAP one. RADIUS will work as well.
On your domain controller
– Create a PfSense group and add users who should be allowed to log in to PfSense.
– Create a dedicated account for PfSense to connect to AD with, for example ‘pfsense-ad’. Give the account a hard password, set it to never expire and do not make it a member of any particular groups. This account is only used to establish the connection to Active Directory, not to perform the actual authentication.
On PfSense
Define an Authentication Server: go to System > User Manager Authentication Servers and click Add.
My AD information:
Domain: test.lab
Domain controller: server01.test.lab, 192.168.90.2
Dedicated AD connection user: pfsense-ad@test.lab
| Desciptive nam | AD-adminsgroup |
| Type | LDAP |
| Hostname or IP address | your AD domain controller’s ip address |
| Port value | 389 |
| Transport | TCP – Standard |
| Protocol version | 3 |
| Search Scrope | Entire Subtree |
| Base DN | DC=TEST,DC=LAB |
| Authentication containers | CN=Users,DC=test,DC=lab |
| Extended query | Enabled |
| Query | memberOf=CN=PfSense,CN=Users,DC=test,DC=lab |
| Bind anonymous | Unchecked |
| Bind credentials | pfsense-ad@test.lab (your dedicated PfSense AD account) |
| Initial Templace | Microsoft AD (this will set the next three values correctly) |
| User naming attribute | samAccountName |
| Group naming attribute | cn |
| Group member attribute | memberOf |
| RFC 2307 Groups | Unchecked |
Add the AD group to PfSense: go to System > User Manager > Groups and click Add.
| Group name | PfSense (your AD group name) |
| Scope | Remote |
| Group membership | leave empty |
Click Save, then click the Edit icon for the group you just created and click Add.
Select WebCfg – All pages (or any other pages you want to assign – ‘WebCfg – All pages’ gives admin access) and click Save.
Point the User Manager to the new Authentication Server: go to System > User Manager > Settings and set Authentication Server to AD-adminsgroup (the Authentication Server you just created).
Click Save & Test.
Now you can log into the PfSense web interface with your AD account if you are a member of the right group.
Troubleshoot with Diagnostics > Authentication if necessary.
Notes:
– Log in using just the username part, without the domain name – for example just pino, not test\pino or pino@test.lab.
– You can still log in with the old admin account.
– For nested groups replace “memberOf” with “memberOf:1.2.840.113556.1.4.1941:” in the LDAP query.
– If you can’t log in and the log out link doesn’t work use your browser’s privacy mode or a different browser or computer altogether to log in to PfSense using the old admin account and troubleshoot.
Thanks for the post. I followed every step and did not work so I looked it over and noticed you have Cert Authority defined but I do not have any Cert Authority. Would this be a problem?
Yes. Follow the steps described here to install one: https://vorkbaard.nl/set-up-openvpn-on-pfsense-with-user-certificates-and-active-directory-authentication/#onpfsense
thanks for your post, can you please post a topic how connect Freeradius package on pfsense to Microsoft AD via LDAP ?
Even if it is possible, why would you do that and not just connect directly to AD?
Hi! I followed every step and still can’t connect. And I have one difference in config:
(&(objectClass=person)(memberOf:1.2.840.113556.1.4.1941:=CN=pfSense,OU=Groups,OU=Pentegy-UA,DC=pentegy-ua,DC=local))
In the log I see only one error:
php-fpm[73496]: /index.php: webConfigurator authentication error for user ‘My_USER’ from: x.x.x.12
I’ve tried to run query in the shell with success:
/root: ldapsearch -LLL -x -D SERVICE_USER@pentegy-ua.local -w p@ssword -h x.x.x.61 -s sub -b “OU=Pentegy-UA,DC=pentegy-ua,DC=local” sAMAccountName=My_USER “(&(objectClass=person)(memberOf:1.2.840.113556.1.4.1941:=CN=pfSense,OU=Groups,OU=Pentegy-UA,DC=pentegy-ua,DC=local))”
dn: CN=A***** ************y,OU=DAdmin,OU=Users,OU=Pentegy-UA,DC=pentegy-ua,DC=local
What could be wrong???
Which versions are you using? Perhaps the new Nextcloud/OwnCloud version is doing thing differently. Otherwise just start over. I’ve seen this a few times: you are certain it should work but it just doesn’t.
hi, thanks for all the help given, I have a doubt with the authenticated proxy, could you make a post?
Hello, thanks for the information published. My question is about pfsense proxy authentication. Can you establish proxy filtering by Active Directory users?
Not sure what you mean by proxy filtering. You either authenticat through AD or PfSense. Closest I can think of is radius.
hi
thanks for tutorial,
because of my network topology i can not configure AD dns IP address on my pfsense, can i use RADIUS authentication instead AD in this scenario ?
Sure, radius is just a protocol. You could use any ldap server, for example any OpenLDAP implementation, or any other authentication scheme that supports radius.
But why not just use local users?
Pingback: pfSense: OpenVPN mit Benutzeranmeldung via Active Directory – Andy's Blog
Can you have this auth server setup for local login and an auth server setup for VPN users to auth against AD also?
Currently we use AD for users to authenticate against the FW to login, but we also want to use AD to authenticate for the admins to login to the webpage GUI. When I setup another auth server I have to choose the auth server setup for the GUI to login, but that then breaks the users logging into the VPN with their AD creds.
Shouldn’t be a problem. In any case you can define a second authentication server. The two should play together nicely. If that doesn’t help please post the description and the error message to the PfSense forum. “That then breaks” is not a very helpful description of what exactly is going on.
It doesn’t give an error message, just states that username or password incorrect. I’ve used the auth test and it authenticates against the second directory I have setup and says I’m a member of the group but it won’t let me login. If it said an actual error I would have posted it.
Hm, I suggest posting it on the PfSense forums then. Sorry, I’ve been out of practise for a bit.
Thanks for the tutorial!
Here is another step by step guide showing how to configure LDAP authentication on active directory:
– LDAP Active directory authentication: https://techexpert.tips/pfsense/pfsense-ldap-authentication-active-directory/
– LDAPS Active directory authentication (SSL encrypted connection): https://techexpert.tips/pfsense/pfsense-active-directory-authentication-ldap-over-ssl/
Brgds,
Bruno
The Quick Installation Guide provides instructions for quick internet setup, while this guide contains details for TP Link ac1200 Setup. Learn how you can get setup the WiFi router. For more information feel free to visit our website to get in touch with our experts to get the job done. Visit: https://routererrorcode.com/tp-link-ac1200-setup/
Thanks for this one. I think you can write more details for this topics. Any ways Thanks again to you.
https://gadzbook.com/configuration-instructions-on-paleoer-wifi-extender/
What an Outstanding post is shared. I found the post too much informatics. It is what that I was seeking for. I would like to recommend you that please keep sharing such type of info. read more https://orbisetup.com/orbi-rbk50v-setup/
Pingback: Login Pfsense - My Blog