IPsec Mobile Group based Firewall rules - Multiple IP pools?
I desperately looking for solutions to assign different firewall rules to different groups of users using IKEv2 Mobile IPSec VPN - impressively pfsense still does not support this, which renders pfSense IPsec Mobile VPN useless in larger environments.
I’m using EAP-Radius authentication to a Windows NPS server, but pfSense cannot use a returned group identifier to assign group rights/firewall rules.
Nor can it use the Cisco-AV-Pair ACL’s since we are using EAP-Radius authentication.
Since IPsec rules are interface based - one size fits all -
The only possible way to differentiate users so far is to assign a static IP to each user by returning the Framed-IP-Address attribute, but that does not scale well with 8000 users needing individual rules on a Windows NPS server :-)
So my last attempt is this:
Is there any way to setup multiple Virtual IP pools instead of just one one for IPsec Mobile users? The Radius server can return a Framed-Pool identifier, and if pfsense could use that to select which pool a user gets and IP from, then I could easily make different Firewall rules based on Windows group membership via radius authentication.
IPsec Mobile VPN
Use Framed-IP addresses in Radius, then create firewall rules based on the ip address handed out.
A bit of a pain but it works.
Yeah, but like I said, that does not work for us as we are currently about 8000 users with a high churn in new users.
8000+ Radius policies and 10 - 100+ new policies per day is not a solution
there is one idea - but I need to understand , is there something in common in the usernames belonging to the same group ?
I'm baffled that IPsec Mobile does not have any integration features towards Radius to allow for firewall rules separation.
It must truely only be meant for Site-to-Site.... with Mobile User being a "bolt on" that really only has Site-to-Site features.