Just a quick reminder that this guide, “Login To Pfsense Using Active Directory Accounts”, does not show how to authenticate against a Squid proxy server using Active Directory accounts. Rather, it explains how to log into the web configurator graphical user interface of a pfSense router using Active Directory accounts.
Like always, this is going to be a practical, hands-on guide.
Recently, a small company that runs a pfSense router and Microsoft Active Directory needed to allow some users who are part of an Active Directory group to log into the pfSense server. To make this work, we had to configure the Active Directory server with these users and then configure pfSense to allow them to log into the web GUI.
Login To Pfsense Using Active Directory Accounts.
First things first, make sure that you have your pfSense router up and running. Also make sure you have installed Windows Server 2012 R2 or later and that your Windows server is configured as a domain controller.
Now log into your pfSense box and click on System => User Manager.
Now click on the Authentication Servers tab and click Add.
Fill in the details as shown below:
Descriptive name: Active Directory, or any name of your choice
Type: select LDAP
Hostname: enter the IP address of your domain controller
Search Scope: choose Entire Subtree
Base DN: DC=carehealth,DC=local
I would like users in the Users container and users in the Support organizational unit (OU) to be able to authenticate against this pfSense box. So,
Authentication Containers = CN=Users,DC=carehealth,DC=local;OU=Support,DC=carehealth,DC=local
Untick Bind Anonymous.
Enter the bind credentials: a user with domain admin rights.
In my case, Bind Credentials = CAREHEALTH\Administrator
Password = ************** (enter the appropriate password for the user above).
Leave the other defaults and click save.
The diagram below captures all these steps.
Now click on Select a container and your authentication containers should be populated as shown:
Now click on Settings in your User Manager tab. Under Authentication Server, select Active Directory (or your own descriptive name), which happens to be the descriptive name I chose for my server in the Authentication Servers tab.
To test if your pfsense box can pull in information from the active directory server, click
You should get an OK message for all the tests done, as shown under:
Now in the User Manager, create a group by clicking on the Groups tab.
Click Add to add a group name.
In my case, I will give this group the name Pfsense.
The scope will be Remote since I will be connecting with remote accounts.
Now click on Add privileges and select WebCfg-All pages for the assigned privileges.
Then click Save, and Save again.
Do you remember the group you created above in pfSense called Pfsense?
Do the same thing in your Active Directory server. Create a group in the Support OU called Pfsense and add the users from the domain who should have access to log into the pfSense GUI.
You would normally add the domain administrator to the group, but for testing purposes we are not going to do that. Instead, as seen in the diagram above, we will only add oro.nene to the group.
Log out of pfsense and try to login with the domain controller administrator username and password.
Repeat the same process but with oro.nene as username and the password for the user.
Access Granted! Tada!
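The two test logins above come down to one rule: pfSense only grants privileges to a remote user whose Active Directory group name matches a local group with Remote scope, and only if the user sits under one of the configured Authentication Containers. The following is an added Python model of that decision (not code from the guide or from pfSense); the directory entries are constructed, using the carehealth.local DNs from this guide, and stand in for what the LDAP search would return.

```python
"""Model of the authorization decision pfSense makes after a successful LDAP bind.

Added example, not code from the original guide or from pfSense itself. The
DIRECTORY below is constructed stand-in data for what AD would return (user DN
-> memberOf DNs); a real deployment queries the domain controller instead.
"""

# Authentication Containers exactly as typed into pfSense (semicolon separated)
AUTH_CONTAINERS = "CN=Users,DC=carehealth,DC=local;OU=Support,DC=carehealth,DC=local"

# Constructed directory: Administrator is in the Users container but not in the
# Pfsense group; oro.nene is in the group; guest.user is in the group but lives
# in an OU that is not one of the configured containers.
DIRECTORY = {
    "CN=Administrator,CN=Users,DC=carehealth,DC=local": [
        "CN=Domain Admins,CN=Users,DC=carehealth,DC=local",
    ],
    "CN=oro.nene,OU=Support,DC=carehealth,DC=local": [
        "CN=Pfsense,OU=Support,DC=carehealth,DC=local",
    ],
    "CN=guest.user,OU=Contractors,DC=carehealth,DC=local": [
        "CN=Pfsense,OU=Support,DC=carehealth,DC=local",
    ],
}

# Local pfSense groups with scope Remote and the privileges assigned to them
PFSENSE_REMOTE_GROUPS = {"Pfsense": ["WebCfg-All pages"]}


def parse_containers(value):
    """Split the Authentication Containers field into a list of DNs."""
    return [c.strip() for c in value.split(";") if c.strip()]


def in_search_scope(user_dn, containers):
    """Entire Subtree: the user matches if its DN ends with any configured container."""
    return any(user_dn.lower().endswith(c.lower()) for c in containers)


def leaf_cn(dn):
    """Return the leading CN of a DN; pfSense matches groups on the bare name."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def privileges_for(username):
    """Privileges a bound user receives; an empty list means the GUI login is denied."""
    containers = parse_containers(AUTH_CONTAINERS)
    for user_dn, groups in DIRECTORY.items():
        if leaf_cn(user_dn).lower() != username.lower():
            continue
        if not in_search_scope(user_dn, containers):
            return []  # found in AD, but outside the allowed containers
        privs = []
        for group_dn in groups:
            privs.extend(PFSENSE_REMOTE_GROUPS.get(leaf_cn(group_dn), []))
        return privs
    return []  # no such user
```

Running `privileges_for("Administrator")` returns no privileges, which is why the first test login fails even with a valid password, while `privileges_for("oro.nene")` returns the WebCfg-All pages privilege carried by the Pfsense group.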
Great! This implementation worked well for the small company I introduced it to, and I am feeling happy and fulfilled. This experience actually prompted me to write this guide to help anyone who wants to achieve something similar. For any questions or inquiries, please hit the comment button below or send a message.