Netgate Discussion Forum

    IPSec VPN -> RADIUS authentication via NPS -> using CLASS property returned by RADIUS in firewall rules

    General pfSense Questions
    6 Posts 4 Posters 1.1k Views 4 Watching
    TomTheOne:

      Hi all

      I'm using the RADIUS Class property (Group Membership) as described here. I would like to use this property to build firewall rules based on its value.

      For example.

      VPN User 1 has only access to the IP-address of system A
      VPN User 2 has only access to the IP-address of system B
      and so on...

      I know from WatchGuard that such a thing is possible. I cannot find out how to use a local group (one that matches the value of the Class returned by RADIUS) within the firewall policies.

      Does somebody have experience with that? Any chance to make this work?

      Regards
      Tom

    mcury (Rebel Alliance) @TomTheOne:

        @tomtheone You would need to use these attributes:

        Framed-IP-Address=x.x.x.x
        Framed-IP-Netmask=255.255.255.0
        

        Then, create a firewall rule for the user using the static IP address.

        In the example below, user vpnuser1 gets membership of the group pfsense_admins and also a static IP, which I can use in a firewall rule.

        The elsif branch gives the other users the group vpn_access; this group does not have permissions to manage pfSense.
        These users receive a dynamic IP address.

        # IPsec road warrior: NAS-Port-Id "con-mobile" identifies the mobile clients connection
        if (&control:LDAP-UserDN =~ /cn=vpnuser1,cn=users,dc=home,dc=arpa$/i && NAS-Port-Id == "con-mobile") {
                update {
                        # group name pfSense maps to a local group, plus a fixed address to reference in a firewall rule
                        # (the attribute is Framed-IP-Netmask; "Framed-Netmask" is not a defined attribute)
                        reply:Class := "pfsense_admins"
                        reply:Framed-IP-Address := "172.16.98.100"
                        reply:Framed-IP-Netmask := "255.255.255.0"
                }
                noop
        }
        elsif (LDAP-Group == "vpn_access" && NAS-Port-Id == "con-mobile") {
                update {
                        # group only, no Framed-IP-Address: pfSense assigns from the mobile client pool
                        reply:Class := "vpn_access"
                }
                noop
        }
        

        There is a little 'hack' to allow the use of IP pools based on groups, but I wouldn't use this 'hack' if you can avoid it..

        https://forum.netgate.com/topic/172476/a-guide-to-assign-vpn-group-and-user-ip-pool-from-radius-in-22-01-2-6
        https://redmine.pfsense.org/issues/13227

        dead on arrival, nowhere to be found.

    TomTheOne @mcury:
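Before changing policies on either side, it helps to see exactly which attributes the RADIUS server puts into its Access-Accept, because pfSense can only act on what arrives on the wire. The following is an added example, not code from the thread, from FreeRADIUS or from pfSense: a stdlib-only decoder for RFC 2865 packets that verifies the Response Authenticator against the request and reports whether Class, Framed-IP-Address and Framed-IP-Netmask were returned. The two Access-Accepts are constructed in the script (with a made-up shared secret, identifier and request authenticator) to mirror the two branches of the FreeRADIUS policy above: one with a static address, one with only a Class.

```python
"""Decode a RADIUS Access-Accept and report which of the attributes the
thread relies on (Class, Framed-IP-Address, Framed-IP-Netmask) the server
actually returned.  Stdlib only, RFC 2865 framing.

The packets below are constructed to stand in for a capture taken between
pfSense and the RADIUS/NPS server; secret, identifier and addresses are
made-up values.
"""
import hashlib
import ipaddress
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2

# RFC 2865 attribute types (NAS-Port-Id is RFC 2869)
ATTR_USER_NAME = 1
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_FRAMED_IP_NETMASK = 9
ATTR_CLASS = 25
ATTR_NAS_PORT_ID = 87

SHARED_SECRET = b"example-secret"          # constructed
REQUEST_AUTHENTICATOR = bytes(range(16))   # constructed; real ones are random


def encode_attrs(attrs):
    """Pack a list of (type, value-bytes) as Type/Length/Value triples."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def build_request(ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def build_response(code, request, attrs, secret):
    """Server side: Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attrs|Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    resp_auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + resp_auth + body


def parse_attrs(data):
    """Split the attribute section into (type, value) pairs, rejecting malformed lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def verify_response(response, request, secret):
    """Recompute the Response Authenticator against the request it answers."""
    if len(response) < 20:
        return False
    _code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return expected == response[4:20]


def reply_summary(response, request, secret):
    """Return what pfSense could act on: accepted?, Class, static address, netmask."""
    if not verify_response(response, request, secret):
        raise ValueError("Response Authenticator mismatch: wrong secret or forged reply")
    summary = {"accepted": response[0] == ACCESS_ACCEPT,
               "class": None, "address": None, "netmask": None}
    for attr_type, value in parse_attrs(response[20:]):
        if attr_type == ATTR_CLASS:
            # Class is opaque per RFC 2865; the thread uses it as a plain group name
            summary["class"] = value.decode("utf-8", "replace")
        elif attr_type == ATTR_FRAMED_IP_ADDRESS and len(value) == 4:
            summary["address"] = str(ipaddress.IPv4Address(value))
        elif attr_type == ATTR_FRAMED_IP_NETMASK and len(value) == 4:
            summary["netmask"] = str(ipaddress.IPv4Address(value))
    return summary


# Constructed traffic.  The request is abbreviated: a real EAP-RADIUS request
# also carries EAP-Message and Message-Authenticator attributes.
REQUEST = build_request(7, REQUEST_AUTHENTICATOR, [
    (ATTR_USER_NAME, b"vpnuser1"),
    (ATTR_NAS_PORT_ID, b"con-mobile"),
])
# What the FreeRADIUS policy in the post returns for vpnuser1
ACCEPT_STATIC = build_response(ACCESS_ACCEPT, REQUEST, [
    (ATTR_CLASS, b"pfsense_admins"),
    (ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address("172.16.98.100").packed),
    (ATTR_FRAMED_IP_NETMASK, ipaddress.IPv4Address("255.255.255.0").packed),
], SHARED_SECRET)
# Accept carrying only a Class: pfSense hands out an address from the mobile pool
ACCEPT_POOL = build_response(ACCESS_ACCEPT, REQUEST, [
    (ATTR_CLASS, b"vpn_access"),
], SHARED_SECRET)

if __name__ == "__main__":
    for name, pkt in (("static", ACCEPT_STATIC), ("pool-only", ACCEPT_POOL)):
        print(name, reply_summary(pkt, REQUEST, SHARED_SECRET))
```

To use this against a real exchange, capture the UDP/1812 traffic on the pfSense box, pass the Access-Request and Access-Accept payloads to `reply_summary` together with the shared secret, and look at `address`: `None` means the server never sent Framed-IP-Address, so an address from the mobile client pool is the expected outcome rather than a pfSense bug. The authenticator check matters because an Accept that fails it was not produced by a server holding the secret and must not be trusted for any of its attributes.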

          Hey, thank you for your feedback.

          > @tomtheone You would need to use these attributes:
          > Framed-IP-Address=x.x.x.x
          > Framed-IP-Netmask=255.255.255.0

          I tried to implement those attributes, including the "Class" attribute, on the NPS server (Network Policy Server, aka RADIUS on Windows Server).

          Unfortunately those settings are ignored. The pfSense box still assigns an IP address from the virtual address pool for mobile clients.

          Any idea?

    TomTheOne:

            Oh, I think I understand.

            1. I need to modify /etc/inc/ipsec.inc

            > It is easily done by editing the /etc/inc/ipsec.inc file in pfSense.
            > Locate the major section called: "/***f ipsec/ipsec_setup_userpools" about halfway into the file.
            > Locate the line: "$scconf['connections'][$upconn]['remote']['id'] = $clientid;"
            > Change it to "$scconf['connections'][$upconn]['remote']['groups'] = $clientid;"
            > Save the ipsec.inc file and you are good to go!!

            2. Then I can use the VPN > IPsec > Pre-Shared Keys GUI to specify which IP addresses should be assigned for which RADIUS conditions.

            > Define any new pools under "Preshared secrets" by creating a new EAP type preshared secret with a pool - remember the "identity" is now the group name you need to return via the "Class" attribute. The PSK key is ignored and not used in this setup, but must be filled with something random :-)

            Additionally I read:

            > This config will not survive a pfSense version update as the ipsec.inc file is replaced at that time - so you would need to repeat the config again.

            Boaahh.... ugly 😵 nothing for prod-env.

            Thanks for helping out.

            Btw: is there something available to push this feature up in priority?

    stephenw10 (Netgate Administrator):
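The quoted guide's edit is a one-line change that every pfSense upgrade silently reverts, so anyone who does go down that road wants a way to tell, after an upgrade, whether the change is still in place. The following is an added example, not pfSense code and not from the linked guide: it reports the state of the file as "patched", "unpatched" or "unknown" (layout changed upstream, so it refuses to touch it), applies the edit only once, and keeps a backup. It assumes the file still contains the exact line quoted in the post; the path is a parameter because the real file only exists on a pfSense box.

```python
"""Idempotent helper for the ipsec.inc edit quoted in the post, plus a
state check to run after each pfSense upgrade.  Added example, not part of
pfSense or of the thread; assumes the quoted line is present verbatim."""
import pathlib
import shutil

ORIG_LINE = "$scconf['connections'][$upconn]['remote']['id'] = $clientid;"
PATCHED_LINE = "$scconf['connections'][$upconn]['remote']['groups'] = $clientid;"


def ipsec_inc_state(path):
    """Return "patched", "unpatched" or "unknown" for the given ipsec.inc."""
    text = pathlib.Path(path).read_text()
    if PATCHED_LINE in text:
        return "patched"
    if ORIG_LINE in text:
        return "unpatched"
    return "unknown"  # upstream layout changed; do not edit blindly


def patch_ipsec_inc(path):
    """Apply the edit once, keeping a .bak copy. Returns True if the file was changed."""
    p = pathlib.Path(path)
    state = ipsec_inc_state(p)
    if state == "patched":
        return False
    if state == "unknown":
        raise RuntimeError(f"expected line not found in {p}; inspect the file manually")
    shutil.copy2(p, p.with_suffix(p.suffix + ".bak"))
    p.write_text(p.read_text().replace(ORIG_LINE, PATCHED_LINE, 1))
    return True


if __name__ == "__main__":
    import sys
    # e.g. python3 this.py /etc/inc/ipsec.inc  (on the pfSense box; hypothetical usage)
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/inc/ipsec.inc"
    print(target, ipsec_inc_state(target))
```

Running `ipsec_inc_state` on the file after an upgrade turns the "you would need to repeat the config again" caveat into a concrete check; an "unknown" result after an upgrade is the signal that the section moved or was rewritten and the hack needs re-evaluating rather than re-applying.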

              Adding your comments to the open Redmine feature request is best for that.

              Steve

    A Former User:

                > I'm using the RADIUS class property (Group Membership) like described here.

                Is there not a way to write into the RADIUS server certificate
                which VLAN the user must be put in? And each VLAN then has
                its own IP range. Done.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.