Mobile IPsec VPN and Group Rules
I have been running Mobile IPsec VPN with RADIUS authentication (Windows NPS) of users for a while now, and it works great.
But we now have a need to differentiate access to resources based on who the user is (group membership).
So I was wondering if it's possible to have RADIUS return a group name so I could change the firewall rules on the IPsec interface to allow specific traffic based on source groups rather than source IPs (which is not really useful since addresses are dynamic for users)?
Hmm, not much response on this issue...
I have been doing a lot of further investigation, and it seems it's impossible to do any kind of firewall filtering based on users/groups if you are using Mobile IPsec VPN.
I'm very disappointed by this as Mobile IPsec VPN has the MAJOR advantage that it works with the built-in VPN client in Windows, macOS, iOS, Android....
There are some "workarounds" if you start using OpenVPN instead, but even that is not implemented very effectively.
You either have to send ACL rules from RADIUS, or assign static IPs per user, or implement several OpenVPN instances (each with its own firewall ruleset, and assign users to the fitting OpenVPN instance).
Quite shocking that pfSense does not have a mobile VPN solution that supports user/group-based rules....
Feature request: how about implementing a little service that adds a client's VPN IP address to a built-in FW alias group if the user authenticated with a user belonging to a user group? Then we could make VPN user group firewall rules by using aliases as usual.
If this was done upon VPN connect, and removed on VPN disconnect (needs a bit of state handling as well), it should work regardless of whether the user authenticates with a local database user or via a RADIUS user, if the RADIUS server returns the group name with the CLASS attribute.
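The following is an added example, not code from the forum post or from pfSense, of what such a connect/disconnect hook could look like: it keeps one pf table per user group in sync with the addresses of currently connected clients, so ordinary alias-based firewall rules can then match on group. It assumes that one pf table per group already exists (on pfSense a "Host(s)" alias becomes a pf table of the same name), that group names arrive either from the local user database or from a RADIUS Class attribute, and that the Class value uses an `OU=group;` list format (an assumption; adjust the parser to whatever the RADIUS server sends). The table naming convention, the state file path and the sample users and addresses are all constructed for the example; with `dry_run=True` the `pfctl` commands are only returned, not executed.

```python
"""Connect/disconnect hook that maps VPN clients into per-group pf tables.

Added example; assumptions: tables vpn_<group> already exist as aliases,
pfctl is on PATH, group names come from the local DB or the RADIUS Class
attribute.  State is kept so a disconnect (or a reconnect without a
disconnect event) removes exactly the address that was added earlier.
"""
import ipaddress
import json
import re
import subprocess
from pathlib import Path

STATE_FILE = Path("/var/db/vpn_group_state.json")  # hypothetical location
TABLE_PREFIX = "vpn_"  # hypothetical convention: group "Finance" -> table vpn_finance


def parse_class_groups(class_value):
    """Extract group names from a RADIUS Class string such as 'OU=Finance;OU=VPN-Users;'.

    The 'OU=' prefix and ';' separator are an assumed format, not a RADIUS standard.
    """
    groups = []
    for part in class_value.split(";"):
        part = part.strip()
        if part.upper().startswith("OU="):
            part = part[3:]
        if part:
            groups.append(part)
    return groups


def table_name(group):
    """Map an authenticator group name to a pf-table-safe alias name."""
    safe = re.sub(r"[^A-Za-z0-9_]", "_", group.strip()).lower()
    if not safe:
        raise ValueError("empty group name")
    return TABLE_PREFIX + safe


def pfctl_cmd(action, table, ip):
    """Build the pfctl table command; action is 'add' or 'delete'."""
    return ["pfctl", "-t", table, "-T", action, ip]


def plan(event, user, ip, groups, state):
    """Return (commands, new_state) for a connect or disconnect event.

    state maps user -> {"ip": address, "tables": [table names]} for the
    addresses this hook has added.  The stored state, not the caller's ip,
    decides what gets removed, so a stale or wrong disconnect ip cannot
    remove someone else's entry.
    """
    if event not in ("connect", "disconnect"):
        raise ValueError("unknown event: %r" % event)
    new_state = {u: {"ip": v["ip"], "tables": list(v["tables"])} for u, v in state.items()}
    cmds = []
    # Any earlier entry for this user is removed first (reconnect or disconnect).
    old = new_state.pop(user, None)
    if old is not None:
        for table in old["tables"]:
            cmds.append(pfctl_cmd("delete", table, old["ip"]))
    if event == "connect":
        addr = str(ipaddress.ip_address(ip))  # rejects anything that is not an address
        tables = sorted({table_name(g) for g in groups})
        for table in tables:
            cmds.append(pfctl_cmd("add", table, addr))
        if tables:
            new_state[user] = {"ip": addr, "tables": tables}
    return cmds, new_state


def handle(event, user, ip, groups, dry_run=False, state_file=STATE_FILE):
    """Load state, plan the table changes, apply them (unless dry_run) and persist state."""
    state = json.loads(state_file.read_text()) if state_file.exists() else {}
    cmds, new_state = plan(event, user, ip, groups, state)
    if not dry_run:
        for cmd in cmds:
            subprocess.run(cmd, check=True)
        state_file.write_text(json.dumps(new_state))
    return cmds


if __name__ == "__main__":
    # Constructed walk-through: RADIUS-authenticated user connects, reconnects, disconnects.
    groups = parse_class_groups("OU=Finance;OU=VPN-Users;")
    state = {}
    for event, addr in (("connect", "10.10.0.5"), ("connect", "10.10.0.9"), ("disconnect", "10.10.0.9")):
        cmds, state = plan(event, "alice", addr, groups, state)
        for cmd in cmds:
            print(" ".join(cmd))
```

In production the hook would be invoked by the VPN daemon's connect and disconnect events with the authenticated user name, the assigned address and the group list, and the firewall rules on the IPsec interface would then use the `vpn_<group>` aliases as their source. The state file is what makes removal safe: the hook only ever deletes addresses it added itself.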