Authenticating multiple services with RADIUS based on groups
-
Hi all,
First off, I want to say how much I appreciate the pfSense project. Overall things are great and the documentation is good. I have been a long-time user generally solving my own problems, but I have finally hit a snag I can't seem to figure out.
I can (without problems) point things like OpenVPN and the captive portal to AD using NPS and RADIUS, and everything works. My problem now is getting multiple services to work on the same box.
For instance, if I want to make a captive portal authenticate users based on the backend NPS with group membership, I can do that using the Class attribute (25) and a group with the remote group defined in pfSense. The problem is when you try to do the same on the same NPS server from the same pfSense machine using a different group in the NPS policy. For example, in AD if you create two groups (say VPN and CaptivePortal) and then add that group membership as a condition to authenticate in two separate NPS policies so you can control access individually, you can't really tell them apart in pfSense when configuring multiple services; you can only add the same backend authentication server in the captive portal or OpenVPN settings. The NPS will just authenticate them (and send the Class group value), but I can't figure out how to get pfSense to understand the difference.
So what I am asking is: is there a way to get the captive portal or the OpenVPN server to somehow use the group returned in the Class attribute from the NPS server and play nicely with each other?
I tried setting the authentication to local and using a group with the same name as a remote group scope, but that doesn't work. I am also aware it could be solved with multiple authentication servers using LDAP(S), but for various reasons I can't do that; I am limited by what the Windows admins will allow me to do. Or maybe I am going about it entirely wrong and there is a better approach to this?
I hope I articulated my issue correctly.
-
So, if anyone is interested: after digging around I managed to find https://redmine.pfsense.org/issues/3686
So in NPS, if you set the condition to the string you can find in Wireshark as the NAS-Identifier, you can handle things on a per-service basis.
Typical that you search for weeks for an answer but you find it only after you post online for help. It would be great if this appeared somewhere in the manual, or maybe it already does and I am blind?
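To make the mechanism from the follow-up concrete, here is an added example (not code from the forum post, pfSense, or Microsoft NPS) that decodes the RFC 2865 attribute list of a RADIUS Access-Request and models the server-side decision the poster describes: the policy is keyed on NAS-Identifier (attribute 32), so the same RADIUS server can require a different AD group for each pfSense service and return the matching group in the Class attribute (25). The NAS-Identifier strings, user names and group memberships below are constructed placeholders; the real NAS-Identifier values pfSense sends must be read from a capture, as the post says, and are not asserted here.

```python
"""
Added example (not from the forum post, pfSense or NPS): parse RADIUS
Access-Request attributes and select a per-service policy by NAS-Identifier.
All NAS-Identifier strings, users and groups are constructed sample data.
"""
import struct
from typing import Dict, List, Optional, Tuple

# RFC 2865 attribute type codes used in this example
USER_NAME = 1
CLASS = 25
NAS_IDENTIFIER = 32

# Packet header: Code(1) Identifier(1) Length(2) Authenticator(16)
ACCESS_REQUEST = 1
HEADER = struct.Struct("!BBH16s")


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) Length(1) Value; Length counts the 2-byte header."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(identifier: int, attrs: List[Tuple[int, bytes]]) -> bytes:
    """Build an Access-Request with a zeroed authenticator (constructed test data only)."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = HEADER.pack(ACCESS_REQUEST, identifier, HEADER.size + len(body), b"\x00" * 16)
    return header + body


def parse_attrs(packet: bytes) -> Dict[int, List[bytes]]:
    """Walk the TLV attribute list, validating every length against the packet bounds."""
    _code, _ident, length, _auth = HEADER.unpack_from(packet)
    if length != len(packet) or length < HEADER.size:
        raise ValueError("RADIUS Length field does not match packet size")
    attrs: Dict[int, List[bytes]] = {}
    pos = HEADER.size
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("attribute length out of bounds")
        # A type may repeat, so values are collected per type.
        attrs.setdefault(attr_type, []).append(packet[pos + 2 : pos + attr_len])
        pos += attr_len
    return attrs


# Constructed policy table: NAS-Identifier string -> AD group required for that service.
# This stands in for two NPS network policies whose conditions include NAS-Identifier.
REQUIRED_GROUP_BY_NAS_ID = {
    "pfsense-openvpn": "VPN",
    "pfsense-captiveportal": "CaptivePortal",
}

# Constructed directory: user -> AD group memberships.
DIRECTORY = {
    "alice": {"VPN"},
    "bob": {"CaptivePortal"},
    "carol": {"VPN", "CaptivePortal"},
}


def evaluate(packet: bytes, directory: Dict[str, set] = DIRECTORY) -> Tuple[bool, Optional[bytes]]:
    """Return (accepted, Class value). Rejects requests with no matching service policy (fail closed)."""
    attrs = parse_attrs(packet)
    nas_ids = attrs.get(NAS_IDENTIFIER, [])
    users = attrs.get(USER_NAME, [])
    if len(nas_ids) != 1 or len(users) != 1:  # RFC 2865: at most one of each
        return False, None
    group = REQUIRED_GROUP_BY_NAS_ID.get(nas_ids[0].decode("utf-8", errors="replace"))
    if group is None:
        return False, None
    user = users[0].decode("utf-8", errors="replace")
    if group not in directory.get(user, set()):
        return False, None
    # On accept the server echoes the group in Class (25) for the NAS to match on.
    return True, group.encode()


if __name__ == "__main__":
    req = build_access_request(7, [(USER_NAME, b"alice"), (NAS_IDENTIFIER, b"pfsense-openvpn")])
    print(parse_attrs(req)[NAS_IDENTIFIER], evaluate(req))
```

The point the example makes is that the NAS-Identifier, not the shared authentication server, is what distinguishes the two requests: the same user can be accepted for one service and rejected for the other, and a request whose NAS-Identifier matches no policy is rejected rather than falling through to a default.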