Login To Pfsense Using Active Directory Accounts

Just a quick reminder that this guide, “Login To Pfsense Using Active Directory Accounts”, does not show how to authenticate against a Squid proxy server using Active Directory accounts. Rather, it explains how to log into the web configurator GUI of a pfsense router using Active Directory accounts.
As always, this is going to be a practical, hands-on guide.
Recently, a small company that runs a pfsense router and Microsoft Active Directory needed to let some users who belong to an Active Directory group log into the pfsense server. To make this work, we had to configure the Active Directory server with these users and then configure pfsense to allow them to log into the web GUI.

If you are interested in authenticating against a pfsense Squid proxy server using Microsoft accounts, visit this guide:

Login To Pfsense Using Active Directory Accounts.

First things first, make sure that your pfsense router is up and running. Also make sure you have installed Windows Server 2012 R2 or later and that the Windows server is configured as a domain controller.

Now log into your pfsense box and click on System => User Manager.

pfsense user manager

Now click on the Authentication Servers tab and click Add.

Fill in the details as shown below:

Descriptive name: Active Directory, or any name of your choice

Type: select LDAP

Hostname: enter the IP address of your domain controller

Search scope: select Entire Subtree

Base DN: DC=carehealth,DC=local

I would like users in the Users container and users in the Support organizational unit to be able to authenticate against this pfsense box. So,

Authentication Containers: CN=Users,DC=carehealth,DC=local;OU=Support,DC=carehealth,DC=local

Untick Bind anonymous.

Enter the bind credentials: a user with domain admin rights. (The bind account is only used to search the directory, so a dedicated low-privilege domain account works just as well and is the safer choice.)

In my case, Bind credentials = CAREHEALTH\Administrator

Password = ************** (enter the appropriate password for the user above).

Leave the other defaults and click Save. Note that the default transport (TCP - Standard on port 389) sends the bind password and the users' passwords to the domain controller in cleartext; if your domain controller has a certificate, select the SSL/TLS or STARTTLS transport instead.

The diagram below captures all these steps.

Now click on Select a container and your authentication containers should be populated as shown:

Now click on the Settings tab in the User Manager. Under Authentication Server, select Active Directory (or whatever descriptive name you used), which is the descriptive name I chose for my server on the Authentication Servers tab.

pfsense user manager setting

To test if your pfsense box can pull in information from the active directory server, click

You should get an OK message for all the tests performed, as shown below:

Now in the User Manager, create a group by clicking on the Groups tab.

Click Add to add a group.

In my case, I will give this group a name of Pfsense.

The scope will be Remote, since I will be connecting with remote (Active Directory) accounts.

Now click on Add privileges and select WebCfg - All pages as the assigned privilege.

Then click save and save again.

Do you remember the group called Pfsense you created above in pfsense?

Do the same thing on your Active Directory server: create a group in the Support OU called Pfsense and add the users from the domain who should be allowed to log into the pfsense GUI. The Active Directory group name must match the name of the pfsense group, because that is how pfsense maps a remote user onto local privileges.

Normally you would add the domain administrator to the group as well, but for testing purposes we are not going to do that. Instead, as seen in the diagram above, we will only add oro.nene to the group.

Log out of pfsense and try to log in with the domain Administrator username and password.

Access denied!

Repeat the same process, but with oro.nene as the username and that user's password.

Access Granted! Tada!
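To make the two results above less of a surprise, here is an added example (my own model, not pfsense's code) of the authorization decision pfsense makes for an LDAP user: the account must be found under one of the configured Authentication Containers, and the CN of at least one group in its memberOf attribute must equal the name of a local pfsense group with Remote scope; the user receives only the privileges of those matching local groups. The directory snapshot (Administrator, oro.nene and a hypothetical jdoe in a hypothetical Contractors OU) is constructed for the example, and the password bind that pfsense also performs is deliberately left out, since it is the group mapping that decides between "Access denied" and "Access granted" here.

```python
"""Model of the pfsense LDAP access decision described in the guide.

Added example, not pfsense source. Reproduces why Administrator is denied
and oro.nene is granted with the settings used above.
"""

BASE_DN = "DC=carehealth,DC=local"
AUTH_CONTAINERS = [
    "CN=Users,DC=carehealth,DC=local",
    "OU=Support,DC=carehealth,DC=local",
]

# Local pfsense groups: only Remote-scope groups are matched against LDAP groups.
LOCAL_GROUPS = {
    "Pfsense": {"scope": "remote", "privileges": ["WebCfg - All pages"]},
    "admins": {"scope": "local", "privileges": ["WebCfg - All pages"]},
}

# Constructed directory snapshot (sAMAccountName -> DN and memberOf); not real data.
DIRECTORY = {
    "Administrator": {
        "dn": "CN=Administrator,CN=Users,DC=carehealth,DC=local",
        "memberOf": [
            "CN=Domain Admins,CN=Users,DC=carehealth,DC=local",
            "CN=Administrators,CN=Builtin,DC=carehealth,DC=local",
        ],
    },
    "oro.nene": {
        "dn": "CN=Oro Nene,OU=Support,DC=carehealth,DC=local",
        "memberOf": ["CN=Pfsense,OU=Support,DC=carehealth,DC=local"],
    },
    # Hypothetical account in the right group but outside every auth container.
    "jdoe": {
        "dn": "CN=J Doe,OU=Contractors,DC=carehealth,DC=local",
        "memberOf": ["CN=Pfsense,OU=Support,DC=carehealth,DC=local"],
    },
}


def split_dn(dn):
    """Split a DN into its RDN strings, honouring backslash-escaped commas."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return parts


def in_container(dn, container):
    """True if dn lies strictly below container (Entire Subtree scope).

    DN components are compared case-insensitively, as LDAP does.
    """
    d = [p.lower() for p in split_dn(dn)]
    c = [p.lower() for p in split_dn(container)]
    return len(d) > len(c) and d[-len(c):] == c


def group_cn(group_dn):
    """Return the CN value of a group DN, or None if its first RDN is not a CN."""
    attr, _, value = split_dn(group_dn)[0].partition("=")
    return value if attr.strip().lower() == "cn" else None


def authorize(username, directory=DIRECTORY, containers=AUTH_CONTAINERS,
              local_groups=LOCAL_GROUPS):
    """Return (granted, reason, privileges) for a username.

    Step 1: the user must exist under one of the authentication containers.
    Step 2: each memberOf group CN is matched to a local Remote-scope group.
    Step 3: no matching group means no privileges, hence no webGUI access.
    """
    entry = directory.get(username)
    if entry is None or not any(in_container(entry["dn"], c) for c in containers):
        return (False, "user not found in any authentication container", [])

    privileges = []
    for gdn in entry["memberOf"]:
        local = local_groups.get(group_cn(gdn) or "")
        if local and local["scope"] == "remote":
            privileges.extend(local["privileges"])

    if not privileges:
        return (False, "authenticated but no Remote-scope group matched", [])
    return (True, "granted", sorted(set(privileges)))


if __name__ == "__main__":
    for user in ("Administrator", "oro.nene", "jdoe"):
        print(user, authorize(user))
```

Running it shows Administrator rejected because none of its groups is named Pfsense, oro.nene accepted with the WebCfg - All pages privilege, and jdoe rejected because the Contractors OU is not one of the configured containers, even though the account is in the right group.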

Great! This implementation worked great for the small company I introduced it to, and I am feeling happy and fulfilled. This experience actually prompted me to write this guide to help all who would want to achieve something similar. For any questions and inquiries, please hit the comment button below or send a message.

Cheers!:)
