PFSense - LDAP authentication on Active Directory

PFSense - LDAP authentication on Active Directory

Jun 17, 2022 - 09:05
 0  958
PFSense - LDAP authentication on Active Directory

PFSense - LDAP authentication on Active Directory

Would you like to learn how to configure PFsense LDAP authentication on Active directory? In this tutorial, we are going to show you how to authenticate PFSense users using the Active directory database from Microsoft Windows and the LDAP protocol.

• Pfsense 2.4.4-p3

Tutorial Windows - Domain controller Firewall

First, we need to create a Firewall rule on the Windows domain controller.

This firewall rule will allow the Pfsense server to query the Active directory database.

On the domain controller, open the application named Windows Firewall with Advanced Security

Create a new Inbound firewall rule.zabbix active directory

Select the PORT option.

Select the TCP option.

Select the Specific local ports option.

Enter the TCP port 389.zabbix windows firewall port ldap

Select the Allow the connection option.zabbix windows firewall allow connection

Check the DOMAIN option.

Check the PRIVATE option.

Check the PUBLIC option.

Enter a description to the firewall rule.windows firewall active directory

Congratulations, you have created the required firewall rule.

This rule will allow Pfsense to query the Active directory database.

Tutorial Windows - Domain Account Creation

Next, we need to create at least 2 accounts on the Active directory database.

The ADMIN account will be used to login on the Pfsense web interface.

The BIND account will be used to query the Active Directory database.

On the domain controller, open the application named: Active Directory Users and Computers

Create a new account inside the Users container.Zabbix active directory account

Create a new account named: admin

Password configured to the ADMIN user: 123qwe..

This account will be used to authenticate as admin on the Pfsense web interface.active directory admin accountzabbix active directory admin properties

Create a new account named: bind

Password configured to the BIND user: 123qwe..

This account will be used to query the passwords stored on the Active Directory database.active directory bind accountzabbix active directory ldap bind properties

Congratulations, you have created the required Active Directory accounts.

Tutorial Windows - Domain Group Creation

Next, we need to create at least 1 group on the Active directory database.

On the domain controller, open the application named: Active Directory Users and Computers

Create a new group inside the Users container.Radius Active directory group

Create a new group named: pfsense-admin

Members of this group will have the Admin permission on the PFsense web interface.pfsense active directory group

Important! Add the admin user as a member of the pfsense-admin group.pfsense active directory admin group

Congratulations, you have created the required Active Directory group.

PFSense - LDAP authentication on Active Directory

Open a browser software, enter the IP address of your Pfsense firewall and access web interface.

In our example, the following URL was entered in the Browser:

• https://192.168.15.11

The Pfsense web interface should be presented.Pfsense login

On the prompt screen, enter the Pfsense Default Password login information.

• Username: admin
• Password: pfsense

After a successful login, you will be sent to the Pfsense Dashboard.Pfsense dashboard

Access the Pfsense System menu and select the User manager option.pfsense user manager menu

On the User manager screen, access the Authentications servers tab and click on the Add button.pfsense authentication servers

On the Server settings area, perform the following configuration:

• Description name: ACTIVE DIRECTORY
• Type: LDAP

On the LDAP Server settings area, perform the following configuration:

• Hostname or IP address - 192.168.15.10
• Port value - 389
• Transport - TCP - Standard
• Protocol version - 3
• Server Timeout - 25
• Search Scope - Entire Subtree
• Base DN - dc=tech,dc=local
• Authentication containers - CN=Users,DC=tech,DC=local
• Extended query - Disabled
• Bind anonymous - Disabled
• Bind credentials - CN=bind,CN=Users,DC=tech,DC=local
• Bind credentials Password - Password of the BIND user account
• Initial Template - Microsoft AD
• User naming attribute - samAccountName
• Group naming attribute - cn
• Group member attribute - memberOf
• RFC 2307 Groups - Disabled
• Group Object Class - posixGroup
• UTF8 Encode - Disabled
• Username Alterations - Disabled

You need to change the IP address to your domain controller IP.

You need to change the domain information to reflect your Network environment.

You need to change the bind credentials to reflect your Network environment.Pfsense ldap server settingsPfsense active directory settings

Click on the Save button to finish the configuration.

In our example, we configured the Ldap server authentication on the PFSense firewal.

PFSense - Testing the Active Directory authentication

Access the Pfsense Diagnostics menu and select the Authentication option.pfsense diagnostics authentication

Select the Active directory authentication server.

Enter the Admin username, its password and click on the Test button.pfsense ldap authentication test

If your test succeeds, you should see the following message.pfsense active directory login test

Congratulations! Your PFsense LDAP server authentication on Active Directory was sucessfully configured.

PFSense - Active Directory Group Permission

Access the Pfsense System menu and select the User manager option.pfsense user manager menu

On the User manager screen, access the Groups tab and click on the Add button.pfsense group manager

On the Group creation screen, perform the following configuration:

• Group name - pfsense-admin
• Scope - Remote
• Description - Active Directory group

Click on the Save button, you will be sent back to the Group configuration screen.pfsense group creation

Now, you need to edit the permissions of the pfsense-admin group.

On the pfsense-admin group properties, locate the Assigned Privileges area and click on the Add button.

On the Group privilege area, perform the following configuration:

• Assigned privileges - WebCfg - All pagespfsense active directory group permission

Click on the Save button to finish the configuration.

PFSense - Enable the Active Directory authentication

Access the Pfsense System menu and select the User manager option.pfsense user manager menu

On the User manager screen, access the Settings tab.pfsense authentication settings menu

On the Settings screen, select the Active directory authentication server.

Click on the Save and test button.pfsense active directory authentication settings

After finishing your configuration, you should log off the Pfsense web interface.

Try to login using the admin user and the password from the Active Directory database.

On the login screen, use the admin user and the password from the Active Directory database.

• Username: Admin
• Password: Enter the Active directory password.Pfsense login

Congratulations! You have configured the PFSense authentication to use the Active Directory database.

like

dislike

love

funny

angry

sad

wow