Pfsense + squid/squidguard for captive portal with LDAP auth [title edited]
-
Where in the logs or pfSense can I troubleshoot the Active Directory profiling? It doesn't work but the syntax seems OK, so the frustration is high. ;)
You should perhaps start with AD, looking at the LDAP log in AD.
Also, the logic behind ACLs starts to confuse me after days of exploring this, just to make sure:
- Will group ACLs always be taken before the common ACL? The .conf file, to me, confirms this, but I just wanna be sure, as the "Order" list in the Group ACL just isn't clear to me. What is its point? (bad English, I can feel it) ^^
"Access list rules are checked in the order they are written"
That said, as I'm not using Squid on pfSense, I don't know how what you set through the pfSense GUI is transposed into access list rules, in terms of sequence.
-
Always an option.
http://sourceforge.net/projects/squidtrust/files/SquidtrustIII/
(works great on pfSense.)
-
Just asking, but the LDAP debugging patch here says 2.1 only: https://doc.pfsense.org/index.php/LDAP_Troubleshooting.
Does anyone know if it's gonna work on v2.2.2, or should I not waste time trying it anyway?
-
It will work if you use the captive portal integration on Squid for pfSense 2.1. On 2.2 the PBI lib locations are messing up the integration.
-
OK, thanks.
OK, so I'm running into a wall here.
I used tcpdump to log the packets, but I don't see anything going to the AD, when squidGuard should (with the ldapusersearch option...).
A bit of research on this just pointed me towards this: http://serverfault.com/questions/538123/squidguard-ldap-active-directory-not-working, which indicates squidGuard should be compiled with the --with-ldap=yes option. Since I installed squidGuard using the pfSense package manager (1.4_7 pkg v.1.9.14), please tell me it should be OK with this version? :'(
Otherwise, when exactly is squidGuard sending data to the AD? (When logging on to the session, browsing the web?) I filter ports 389 and 3268 with tcpdump and only see data sent through 389 by pfSense... squidGuard seems to send nothing :(
-
squidGuard will only send data to Active Directory if Squid is able to pass the authenticated users. If Squid does not authenticate users using an active proxy (not transparent mode), squidGuard can't check anything.
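A hand-written illustrative configuration, added here and not taken from the thread or generated by the pfSense packages, showing both points discussed above: Squid has to authenticate users itself (explicit proxy, HTTP 407 challenge) before squidGuard ever receives a username to look up in AD, and squidGuard's acl block is checked in the order written, so the AD-group source is listed before default. Host names, DNs, file paths, the bind password and the IT-Staff group are assumptions.

```conf
# --- squid.conf (explicit proxy; paths and DNs are placeholders) ---
# Without proxy_auth, Squid hands "-" as the user to the rewriter and
# squidGuard never issues an LDAP query; transparent mode cannot do this.
auth_param basic program /usr/local/libexec/squid/basic_ldap_auth -b "dc=example,dc=local" -D "cn=squid,ou=Service,dc=example,dc=local" -w "BIND_PASSWORD" -f "(sAMAccountName=%s)" -h dc01.example.local
auth_param basic children 5
auth_param basic realm Proxy
auth_param basic credentialsttl 2 hours
# proxy_auth REQUIRED is what triggers the 407 challenge to the browser
acl ldap_users proxy_auth REQUIRED
http_access allow ldap_users
http_access deny all
url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf
url_rewrite_children 5

# --- squidGuard.conf ---
dbhome /var/db/squidGuard
logdir /var/log/squidGuard

# Group source: %s is replaced by the username Squid passed along.
# Port 3268 (Global Catalog) answers forest-wide memberOf lookups.
src it_staff {
    ldapusersearch ldap://dc01.example.local:3268/dc=example,dc=local?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=IT-Staff,OU=Groups,DC=example,DC=local))
    ldapbinddn     cn=squid,ou=Service,dc=example,dc=local
    ldapbindpass   BIND_PASSWORD
    ldapcachetime  600
}

dest social { domainlist social/domains }

# Rules are checked in the order written: the group source is tested
# first; any user it does not match falls through to "default".
acl {
    it_staff { pass all }
    default  {
        pass !social all
        redirect http://proxy.example.local/blocked.html
    }
}
```

With this in place, a tcpdump filter on port 3268 should show a query from the firewall each time a not-yet-cached user makes a request through the explicit proxy; with no proxy configured in the browser no such query is ever sent.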
-
All right, thanks!
So we've changed the project goal: pfSense filtering the LAN traffic to the WAN using a captive portal that authenticates against the Active Directory.
Any chance you could tell me if I understood correctly what needs to be done? :-\
** On the captive portal setup, set up RADIUS auth with the client IP as 127.0.0.1 and install the freeradius package on pfSense.
** On the freeradius package setup:
1/ Set up the Interfaces tab with 127.0.0.1 as Interface IP Address
2/ LDAP tab: enable LDAP support and go through all the configuration
** On the proxy server (Squid) setup: use LDAP for authentication (not RADIUS)
** On the proxy filter (squidGuard) setup: fill in the LDAP options and then the group list, etc.
Is that correct? Or do I also need to add the AD server in the Clients tab of the freeradius package, which would also require adding a RADIUS client on the Active Directory in Network Policy roles?
-
I just don't understand why adding a captive portal to the picture will solve the problem you face :o
The goal description in your last post looks like a mix of goal and solution, so I'm puzzled :-[
If the goal is to filter URL content (i.e. SquidGuard) with some profiling (i.e. per user or group), then you will need to enable explicit proxy (i.e. not transparent).
Stacking additional components like a captive portal can obviously be done, but it adds nothing to content filtering (even if you can, at the captive portal level, authorize or deny URLs) IMHO.
-
Hello!
Well, the goal is simply to filter web traffic with minimum fuss, so we'd rather not have to configure the web browser to add proxy settings, thus the captive portal choice (if transparent can't work…). Also the portal screen is much clearer than the proxy login window.
I also know that proxy login could end up being "transparent" using SSO: https://forum.pfsense.org/index.php?topic=58700.120 but reading the thread, I know it's gonna add a lot of time trying to make it work :) so let's save it for later.
Back to captive portal, so far, I got the LDAP authentication working with proxy logon, and AD group profiling also works.
When I switch to captive portal, there is no LDAP setting, just RADIUS, and after trying to install the freeradius package and setting it up, I got a freeradius error when trying to log on to the captive portal with an AD user, so that's why I was asking if the "procedure" was correct.
Best regards,
PS: I know that there is a section on captive portal in the forum, so I don't really know if I should create a new thread…
-
> Well, the goal is simply to filter web traffic with minimum fuss, so we'd rather not have to configure the web browser to add proxy settings, thus the captive portal choice (if transparent can't work…). Also the portal screen is much clearer than the proxy login window.
Clearer (keeping in mind my above comments)
> I also know that proxy login could end up being "transparent" using SSO: https://forum.pfsense.org/index.php?topic=58700.120 but reading the thread, I know it's gonna add a lot of time trying to make it work :) so let's save it for later.
To me this is misleading :-\ You mix up transparent (from the proxy standpoint), which means that the browser is not aware that there is at least one proxy between the browser and the web server, with automatic authentication, which aims at automatically providing credentials when the browser receives HTTP 407 (which means explicit proxy).
Please keep in mind that there is NO authentication if the proxy works in transparent mode. This doesn't exist, as far as I understand.
> Back to captive portal, so far, I got the LDAP authentication working with proxy logon, and AD group profiling also works.
I'm totally puzzled with this :o I even don't understand what "proxy logon" means. Proxy authentication supposes that your browser received an HTTP 407 authentication request, which is not, as far as I understand, the way a captive portal works.
Could you please elaborate a bit on this?
-
Hi,
I think there's just a misunderstanding on my words. :D
- I put transparent in quotes ("transparent") to mean that once SSO works, the user doesn't see the proxy log-on window, so for him it's automatic and he doesn't have to suffer through logging in every time he opens up a browser.
- For proxy logon, well, it's the log-on window in proxy mode, captive portal being disabled.
So I know that in proxy mode, Squid and squidGuard now manage to work with the Active Directory.
After that, I enable the captive portal, and I have to revert the browser config to standard (by disabling the proxy settings).
This is where I'm puzzled on making the captive portal work with the AD, since the captive portal options only propose RADIUS settings (as well as local users, vouchers, no auth).
Thanks for reading and keeping up with me! ;D
-
> - I put transparent in quotes ("transparent") to mean that once SSO works, the user doesn't see the proxy log-on window, so for him it's automatic and he doesn't have to suffer through logging in every time he opens up a browser.
Clearer
> - For proxy logon, well, it's the log-on window in proxy mode, captive portal being disabled.
> So I know that in proxy mode, Squid and squidGuard now manage to work with the Active Directory.
Cool, so this works ;)
> After that, I enable the captive portal, and I have to revert the browser config to standard (by disabling the proxy settings).
:o :o why? :o :o
If you disable use of the proxy at the browser level, you will not use it. Why such an idea? (Unless the goal is to use only the portal; in such a case, let's discuss this captive portal stuff in the right section and forget about the proxy ;)
> This is where I'm puzzled on making the captive portal work with the AD, since the captive portal options only propose RADIUS settings (as well as local users, vouchers, no auth).
The idea is to use RADIUS at the captive portal level and to configure this RADIUS server to rely on AD for account management.
-
> Hi,
> I think there's just a misunderstanding on my words. :D
As told in my PM, we can also discuss this in French if it helps (PM) and then come back here once solved to provide feedback to the community.
-