Netgate Discussion Forum

    Squid Proxy / Filter using AD Groups for Access or non Access

      Schischi

      Good Morning,

      I am a pfSense newbie and am trying to set up some useful configurations: firewall, NAT, etc. Everything is fine, so I am going to configure the Squid proxy. In different networks I use Sophos and WatchGuard, so I am able to use AD groups to manage Internet access by using security groups like "Internet_Access_Full", "Internet-Access", and "No_Internet".

      So, I set up the AD connection in pfSense, which works fine, but I am not able to use the AD groups because I am not sure how to use the "Client (source)" in the policy. As I understood, I have to set up the connection to AD there?

      Client_Source.JPG

      Thanks for help!

        Schischi

        Just some more info:

        My aim is that users who are members of a group can access the Internet, but I don't want them to enter their username and password again, so I am looking for pass-through AD authentication.
        If a user is logged on to a PC with an AD account, he shall be able to browse the Internet; users who are not members of this group shall not access the Internet.

        If this is possible, in a second step I want to differentiate between "Full Access" and "limited Access". Maybe by using group ACL…

          mcury

          Check this link: https://journeyofthegeek.com/2017/12/30/pfsense-squid-kerberos/
          It has the instructions on how to set up Kerberos auth through Squid/SquidGuard.

          dead on arrival, nowhere to be found.

            Schischi

            Thanks for the link. I did all the steps and ran into the same problems as commented below. Everything seems fine, but I get an authentication prompt when starting the browser. This error is logged in the real-time list:

            WARNING: negotiateauthenticator #Hlpr3317 exited

              periko

              @Schischi There is a third-party tool called PF2AD. I created a video tutorial, but it is in Spanish:

              Pf2AD

              But you need 2 pfSense boxes, https://www.pf2ad.com/

              Greetings.

              Need pfSense support in Mexico?
              www.bajaopensolutions.com
              https://www.facebook.com/BajaOpenSolutions
              Want to learn pfSense? Visit my YouTube channel:
              https://www.youtube.com/c/PedroMorenoBOS

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.