Netgate Discussion Forum

Authenticating multiple services with RADIUS based on groups

General pfSense Questions
2 Posts 1 Posters 418 Views
    Jim-bob-the-grand
    last edited by Jun 23, 2020, 2:10 AM

    Hi all,

    First off, I want to say how much I appreciate the pfSense project. Overall, things are great and the documentation is good. I have been a long-time user, generally solving my own problems, but I have finally hit a snag I can't seem to figure out.

    I can (without problems) point things like OpenVPN and the captive portal to AD using NPS and RADIUS, and everything works. My problem now is getting multiple services to work on the same box.

    For instance, if I want to make a captive portal authenticate users based on the backend NPS with group membership, I can do that using the Class (25) attribute and a group with the remote group defined in pfSense. The problem is when you try to do the same on the same NPS server from the same pfSense machine using a different group in the NPS policy. For example, in AD if you create two groups (say VPN and CaptivePortal) and then add that group membership as a condition to authenticate in two separate NPS policies so you can control access individually, you can't really tell them apart in pfSense when configuring multiple services; you can only add the same backend authentication server in the captive portal or OpenVPN settings. The NPS will just authenticate them (and send the Class group value), but I can't figure out how to get pfSense to understand the difference.

    So what I am asking is: is there a way to get the captive portal or the OpenVPN server to somehow use the group returned in the Class attribute from the NPS server and play nicely with each other?

    I tried setting the authentication to local and using a group with the same name as a remote group scope, but that doesn't work. I am also aware it could be solved with multiple authentication servers using LDAP(S), but for various reasons I can't do that; I am limited by what the Windows admins will allow me to do. Or maybe I am going about it entirely wrong and there is a better approach to this?

    I hope I articulated my issue correctly.

      Jim-bob-the-grand
      last edited by Jun 23, 2020, 8:08 AM

      So, if anyone is interested: after digging around I managed to find https://redmine.pfsense.org/issues/3686

      So in NPS, if you set the condition to the string you can find in Wireshark as the NAS-Identifier, you can handle things on a per-service-request basis.

      Typical that you search for weeks for an answer but you find it only after you post online for help. It would be great if this appeared somewhere in the manual, or maybe it already does and I am blind?

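The two posts above describe one mechanism from two sides: pfSense sends each service's Access-Request with a distinguishing NAS-Identifier (attribute 32), the NPS policy uses that attribute as a condition, and the Access-Accept carries the Class (25) attribute that pfSense compares against its configured remote group. The following is an added example, not code from the poster, pfSense or NPS: a small RFC 2865 encoder/decoder that builds two requests for the same user from two services, picks the matching policy the way an ordered NPS policy list would, and reads the Class value back out of an accept. The NAS-Identifier strings ("openvpn-example", "portal-example"), the policy names, the user name and the NAS IP are constructed placeholders; the real identifiers pfSense sends have to be taken from a packet capture, as the second post says.

```python
import struct

# RADIUS packet codes and attribute types from RFC 2865.
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_CLASS = 25
ATTR_NAS_IDENTIFIER = 32

# Constructed NPS-style network policies, evaluated in order. The
# NAS-Identifier strings are placeholders, not the values pfSense really sends.
POLICIES = [
    {"name": "pfSense OpenVPN", "nas_identifier": "openvpn-example", "group": "VPN"},
    {"name": "pfSense Captive Portal", "nas_identifier": "portal-example", "group": "CaptivePortal"},
]


def build_packet(code, identifier, attributes, authenticator=bytes(16)):
    """Encode a RADIUS packet: 20-byte header followed by Type/Length/Value
    attributes. The authenticator is left zeroed because shared-secret
    handling is not what this example demonstrates."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attributes)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    return header + authenticator + body


def parse_packet(data):
    """Decode the header and attributes, rejecting inconsistent lengths
    instead of reading past the buffer."""
    if len(data) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("Length field inconsistent with packet size")
    attrs = []
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("attribute length %d out of bounds" % attr_len)
        attrs.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, identifier, attrs


def get_attr(attrs, attr_type):
    """All values of one attribute type (Class may legitimately repeat)."""
    return [v for t, v in attrs if t == attr_type]


def select_policy(attrs, policies=POLICIES):
    """First policy whose NAS-Identifier condition matches wins, which is how
    an ordered NPS policy list tells the two pfSense services apart."""
    values = get_attr(attrs, ATTR_NAS_IDENTIFIER)
    if not values:
        return None
    nas_id = values[0].decode("utf-8", "replace")
    for policy in policies:
        if policy["nas_identifier"] == nas_id:
            return policy
    return None


def class_groups(attrs):
    """Decode the Class (25) attribute(s) returned in an Access-Accept;
    pfSense compares these strings with its configured remote group."""
    return [v.decode("utf-8", "replace") for v in get_attr(attrs, ATTR_CLASS)]


def demo():
    """Constructed traffic: two Access-Requests for the same user that differ
    only in NAS-Identifier, plus the Access-Accept for the VPN policy."""
    results = {}
    for nas_id in ("openvpn-example", "portal-example"):
        request = build_packet(ACCESS_REQUEST, 7, [
            (ATTR_USER_NAME, b"alice"),                      # constructed user
            (ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 1])),    # documentation range
            (ATTR_NAS_IDENTIFIER, nas_id.encode()),
        ])
        _, _, attrs = parse_packet(request)
        policy = select_policy(attrs)
        results[nas_id] = policy["name"] if policy else None
    accept = build_packet(ACCESS_ACCEPT, 7, [(ATTR_CLASS, b"VPN")])
    _, _, accept_attrs = parse_packet(accept)
    results["groups"] = class_groups(accept_attrs)
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the parser's length checks is the same one the post's Wireshark step relies on: the NAS-Identifier is an ordinary TLV in the request, so anything that consumes it (NPS, or a tool decoding the capture) has to bound every attribute by the packet's Length field before trusting the string inside.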
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.