So far, we have used the pfsense router cum firewall and the packages that it provides to serve as a firewall and proxy for our corporate environment. We tasted the powers of SquidGuard, were we where able to filter contents, only allowing access to certain sites using the common ACL rule, while blocking access to every other thing.
In this guide, “PFSense Squid Active Directory Authentication”, we will go a step further to grant access to the internet and allowed sites only to those who need access while completely denying access to all those who do not need it using microsoft active directory authentication.
To get up to date with what we are doing here, please familiarize yourself with these guide:
PFSense Squid Active Directory Authentication.
We will use microsoft active directory authentication to enable users in our internet group access the internet. If you are ready tp get this guide rolling, then make sure you have your pfsense router up and running and that squid/squidguard is installed and configured.
Click on services=>squid proxy and uncheck the box next to enable transparent mode to forward all request for destination port 80 to the proxy server. This step is necessary since squid authentication doesnt work with transparent mode proxy.
Note that now, you may have to go to the LAN settings of your client computers to manually enter in the proxy ip address. If you need to dish out this proxy address automaticatlly to the clients, visit these guide on how to do just that:
With that out of the way, click Services=>Squid Proxy=>Authentication.
The authentication method should be ldap
The authentication server should be the ip address of fqdn of the active directory server.
The auth server port should be 389. Leave other things as the defaults.
Now in the Squid Authentication ldap settings, use ldap version of 3
The ldap server User DN should be where the administrator account is located which in my case is CN=Administrator,CN=Users,DC=carehealth,DC=local
The base domain should be OU=Support,DC=carehealth,DC=local. Please adjust as per your needs.
The ldap username DN attributes should be sAMAccountName and the
Ldap search should be (&(objectClass=person)(sAMAccountName=%s)(memberof=CN=internet,OU=Support,DC=carehealth,DC=local))
Now click on save.
With this setting in place, go to your domain controller and create an OU called Support or whatever you like. Now, create a group in this OU called internet. Add users who should have internet access to this group.
The picture below illustrates this.
Now log into a domain computer and try to access google.com. You will be prompted to enter in a username and password as seen below.
Enter in the username that has access to the internet and that user should be granted access.
All other users will never be able to access the internet.
RESOLVING SOME ISSUES
Some readers have complained that after installing squid/squidguard using the configuration examples giving on this page, https://topnetworkguide.com/squid-proxy-server-and-squidguard-configuration-on-pfsense/, they get an error of 403 forbidden, target group = in addr. As such, they are not able to login to the pfsense box the next time they reboot the server.
If you have experienced this issue, there is a quick and simple fix.
First, the issue is caused by accessing your pfsense webgui using an ip address e.g (192.168.10.1). Remember, that in our squid/squidguard configuration guide, we ticked a box in squidguard commonACL that states “do not allow ip address in url”.
Now we are locked out! Phew.
Well, thanks to the pfsense command line, we can easily delete the squidguard.conf file and reconfigure squidguard.
To do this, go to your pfsense command line, hit the key 8 on your keyboard to take you to the shell.
#squid -k reconfigure
This will give you the opportunity to log into pfsense and either untick the “do not allow ip address in url”.
Also you can configure pfsense so that you can always use a fqdn to login. Hope this helps!.