Squid Proxy / Filter using AD Groups for Access or non Access



  • Good morning,

    I am a pfSense newbie and trying to set up some useful configurations: firewall, NAT, etc. Everything is fine, so I am going to configure the Squid proxy. In different networks I use Sophos and WatchGuard, so I am able to use AD groups to manage Internet access by using security groups like "Internet_Access_Full", "Internet-Access", and "No_Internet".

    So, I set up the AD connection in pfSense, which works fine, but I am not able to use the AD groups because I am not sure how to use the "Client (source)" in the policy. As I understood it, that is where I have to set up the connection to AD?

    Client_Source.JPG

    Thanks for help!



  • Just some more info:

    My aim is that users who are members of a group can access the Internet, but I don't want them to enter their username and password again, so I am looking for a passthrough AD authentication.
    If a user is logged on to a PC with an AD account, he shall be able to browse the Internet; users who are not members of this group shall not access the Internet.

    If this is possible, in a second step I want to differentiate between "Full Access" and "limited Access". Maybe by using a group ACL…



  • Check this link: https://journeyofthegeek.com/2017/12/30/pfsense-squid-kerberos/
    It has the instructions on how to set up Kerberos auth through Squid/SquidGuard.
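
A sketch of the squid.conf directives behind the setup asked about above (silent Kerberos sign-on plus AD group checks), added here as an example and not taken from the thread or the linked article. The realm `EXAMPLE.LOCAL`, the proxy name `proxy.example.local`, the helper paths, the allowlisted domains and the choice of "Internet-Access" as the limited group are all assumptions.

```conf
# Added example. Assumed: realm EXAMPLE.LOCAL, proxy FQDN proxy.example.local,
# FreeBSD-style helper paths, constructed allowlist domains.

# Negotiate/Kerberos: domain-joined browsers present a ticket without prompting,
# provided clients point at the proxy by FQDN (it must match the HTTP/ SPN in the
# keytab) and Squid is an explicit proxy. Proxy auth cannot work in transparent mode.
auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -s HTTP/proxy.example.local@EXAMPLE.LOCAL
auth_param negotiate children 10
auth_param negotiate keep_alive on

# One external ACL per AD security group; results are cached for ttl seconds,
# so a group change in AD takes up to that long to apply.
external_acl_type ad_full    ttl=300 negative_ttl=60 %LOGIN /usr/local/libexec/squid/ext_kerberos_ldap_group_acl -g Internet_Access_Full@EXAMPLE.LOCAL
external_acl_type ad_limited ttl=300 negative_ttl=60 %LOGIN /usr/local/libexec/squid/ext_kerberos_ldap_group_acl -g Internet-Access@EXAMPLE.LOCAL
external_acl_type ad_blocked ttl=300 negative_ttl=60 %LOGIN /usr/local/libexec/squid/ext_kerberos_ldap_group_acl -g No_Internet@EXAMPLE.LOCAL

acl authenticated proxy_auth REQUIRED
acl grp_full      external ad_full
acl grp_limited   external ad_limited
acl grp_blocked   external ad_blocked
acl limited_sites dstdomain .example.com .example.org   # constructed allowlist

# Order matters: first match wins.
http_access deny !authenticated
# Trailing "all" makes Squid answer 403 instead of re-sending a 407 login
# challenge when the last ACL on a deny line is an authentication-based one.
http_access deny grp_blocked all
http_access allow grp_full
http_access allow grp_limited limited_sites
http_access deny all
```

The default-deny last line means an authenticated user who is in none of the groups gets no access, which matches the "not a member, no Internet" requirement.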



  • Thanks for the link. I did all the steps and ran into the same problems as commented below. Everything seems fine, but I get an authentication prompt when starting the browser. This error is logged in the real-time list:

    WARNING: negotiateauthenticator #Hlpr3317 exited



  • @Schischi There is a third-party tool called PF2AD. I created a video tutorial, but it is in Spanish:

    Pf2AD

    But you need 2 pfSense boxes: https://www.pf2ad.com/

    Greetings.

