Restrict users of the GUI
-
Is it possible to restrict the login to the GUI to a specific user only?
Thanks for help.
-
For example, only user BB can access the GUI from the VPN.
-
Yes you can add user accounts with different privileges
-
@JonathanLee Yes, but users BB and admin can still log in to the GUI. I only want to allow user BB to log in.
-
@WhoAmI68 said in Restrict users of the GUI:
For example, only user BB can access the GUI from the VPN.
Are you trying to block access to pfSense? That can be done by firewall rule though there is some juggling to assign the person an IP by using FreeRADIUS to authenticate for the VPN.
I'm a bit confused because if you don't want them to log in to pfSense, don't create a user in pfSense for them...?
-
@WhoAmI68 I’m confused. You can add users with different privilege rights. Again, if you want to restrict by machine, you could do that with an IP address based system, but if you want someone to still be able to look at logs, etc., you could create a different user environment that only has those options within that perspective. You can create users that don’t have admin rights to still access the firewall and restrict them to specific needs.
-
@WhoAmI68 said in Restrict users of the GUI:
Yes, but users BB and admin can still log in to the GUI. I only want to allow user BB to log in.
pfSense is a firewall.
Not a game server, file server, mail server, or something like that.
The very few people that need to admin it (most actually never do) need just the admin password. And for sure the login name 'admin'.
Don't deactivate the 'admin' user, you'll break your system.
You want a multi-user system, get a Raspberry Pi, throw in a FreeBSD native ISO, and now you can do multi whatever.
Btw: pfSense is a firewall.
So, why not make use of the fact that it is a firewall?
Like: on all interfaces, block the https and http access on port 80 and 443 to pfSense.
On just one interface, for one designated IP, allow it. Put this rule above the previous one.
Now, to be able to log in as admin, you need to have the right LAN IP, and the password of course.
-
@SteveITS said in Restrict users of the GUI:
Are you trying to block access to pfSense? That can be done by firewall rule though there is some juggling to assign the person an IP by using FreeRADIUS to authenticate for the VPN.
I'm a bit confused because if you don't want them to log in to pfSense, don't create a user in pfSense for them...?
Yes, but not for every user.
E.g. I have Admin users and a BB user. I want to allow login to the GUI from LAN only for the Admin user, and I also want to allow login to the GUI from WIFI only for the BB user.
Of course, user BB has a low level of privileges. I have forgotten about FreeRADIUS; maybe it will help me. I need to check it because I didn't install it before.
@JonathanLee said in Restrict users of the GUI:
I’m confused. You can add users with different privilege rights. Again, if you want to restrict by machine, you could do that with an IP address based system, but if you want someone to still be able to look at logs, etc., you could create a different user environment that only has those options within that perspective. You can create users that don’t have admin rights to still access the firewall and restrict them to specific needs.
E.g. I have Admin users and a BB user. I want to allow login to the GUI from LAN only for the Admin user, and I also want to allow login to the GUI from WIFI only for the BB user.
@Gertjan said in Restrict users of the GUI:
pfSense is a firewall.
Right, it is a firewall. It is for security.
-
@WhoAmI68 AFAIK pfSense has no concept of “from” like MySQL does (user@ip).
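-
Added example, not part of any post in this thread and not pfSense code: a small Python model of the rule ordering suggested above (one allow rule for a designated IP placed above a block of ports 80/443), showing that the filter decides by interface and source IP and never by username. The addresses, interface names and the `Rule`, `evaluate`, `gui_reachable` and `can_login` names are constructed for illustration; first-match evaluation with a default deny is assumed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

GUI_PORTS = frozenset({80, 443})  # http and https to the firewall GUI


@dataclass(frozen=True)
class Rule:
    action: str              # "pass" or "block"
    iface: Optional[str]     # None models "on all interfaces"
    src: str                 # CIDR string or "any"
    ports: frozenset = GUI_PORTS


def evaluate(rules, iface, src_ip, port):
    """Return the action of the first matching rule; default deny otherwise."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.iface is not None and r.iface != iface:
            continue
        if port not in r.ports:
            continue
        if r.src != "any" and ip not in ipaddress.ip_network(r.src):
            continue
        return r.action
    return "block"


# Constructed sample rules: one designated admin workstation on LAN.
ALLOW_ONE_IP = Rule("pass", "LAN", "192.168.1.10/32")
BLOCK_GUI = Rule("block", None, "any")

CORRECT_ORDER = [ALLOW_ONE_IP, BLOCK_GUI]   # allow sits above the block
WRONG_ORDER = [BLOCK_GUI, ALLOW_ONE_IP]     # block matches first, allow is dead


def gui_reachable(rules, iface, src_ip):
    return evaluate(rules, iface, src_ip, 443) == "pass"


def can_login(rules, iface, src_ip, user, accounts=("admin", "BB")):
    # The packet filter never sees the username: once the source IP is let
    # through, every valid GUI account can authenticate from that address.
    return gui_reachable(rules, iface, src_ip) and user in accounts


if __name__ == "__main__":
    for name, rules in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        print(name, gui_reachable(rules, "LAN", "192.168.1.10"))
```

In this model both `admin` and `BB` can log in from the allowed address, which is why a per-user, per-interface restriction needs something that ties a user to a source IP, such as the FreeRADIUS address assignment mentioned earlier in the thread.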