Netgate Discussion Forum

IPSec VPN -> RADIUS authentication via NPS -> using CLASS property returned by RADIUS in firewall rules

General pfSense Questions
6 Posts 4 Posters 806 Views

    TomTheOne, Sep 27, 2022, 5:43 PM (last edited by TomTheOne Sep 27, 2022, 5:47 PM)

    Hi all

    I'm using the RADIUS class property (Group Membership) as described here. I would like to use this property to build firewall rules based on its value.

    For example.

    VPN User 1 has only access to the IP-address of system A
    VPN User 2 has only access to the IP-address of system B
    and so on...

    I know from WatchGuard that such a thing is possible there. I cannot find out how to use a local group (one that matches the value of the Class returned by RADIUS) within the firewall policies.

    Does somebody have experience with that? Any chance to make this work?

    Regards
    Tom

    mcury @TomTheOne, Sep 27, 2022, 6:15 PM (last edited by mcury Sep 27, 2022, 6:16 PM)

      @tomtheone You would need to use these attributes:

      Framed-IP-Address=x.x.x.x
      Framed-IP-Netmask=255.255.255.0
      

      Then, create a firewall rule for the user using the static IP address.

      In the example below, user vpnuser1 gets membership of the group pfsense_admins and also a static IP, which I can use in a firewall rule.

      The elsif branch gives the other users the group vpn_access; this group doesn't have permissions to manage pfSense.
      These users receive a dynamic IP address.

      # IPsec road warrior (FreeRADIUS unlang)
      # vpnuser1: admin group plus a static address, so a per-user firewall rule has something fixed to match
      if (&control:LDAP-UserDN =~ /cn=vpnuser1,cn=users,dc=home,dc=arpa$/i && NAS-Port-Id == "con-mobile") {
              update {
                      reply:Class := "pfsense_admins"
                      reply:Framed-IP-Address := "172.16.98.100"
                      reply:Framed-IP-Netmask := "255.255.255.0"
              }
              noop
      }
      elsif (LDAP-Group == "vpn_access" && NAS-Port-Id == "con-mobile") {
              # everyone else in the LDAP group vpn_access: group only, address comes from the dynamic pool
              update {
                      reply:Class := "vpn_access"
              }
              noop
      }


      There is a little 'hack' to allow the use of IP pools based on groups, but I wouldn't use this 'hack' if you can avoid it...

      https://forum.netgate.com/topic/172476/a-guide-to-assign-vpn-group-and-user-ip-pool-from-radius-in-22-01-2-6
      https://redmine.pfsense.org/issues/13227

      dead on arrival, nowhere to be found.
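
      The reply above splits the mechanism into two halves: the RADIUS server returns Class together with Framed-IP-Address/Framed-IP-Netmask, and the firewall then matches on the static address. The following is an added example, not code from this thread, pfSense, FreeRADIUS or NPS. It builds the Access-Accept as RFC 2865 lays it out (Code, Identifier, Length, Response Authenticator, attributes), has the NAS side verify the Response Authenticator before trusting any attribute, decodes the three attributes, and turns the decoded reply into pf-style per-user rules. The shared secret, the Request Authenticator, the policy table and the 10.0.0.x destinations are constructed for the example; enc0 is the IPsec interface on pfSense. It also covers the failure case discussed later in the thread: a reply that carries Class but no Framed-IP-Address gives nothing stable to key a per-user rule on.

```python
"""Added example (not pfSense/FreeRADIUS/NPS code): encode and verify a RADIUS
Access-Accept carrying Class + Framed-IP-Address + Framed-IP-Netmask (RFC 2865),
then derive per-user firewall rules from it.  Secret, authenticator, addresses
and policy table below are constructed for the demo."""
import hashlib
import hmac
import ipaddress
import struct

ACCESS_ACCEPT = 2
FRAMED_IP_ADDRESS, FRAMED_IP_NETMASK, CLASS = 8, 9, 25  # RFC 2865 attribute types


def encode_avp(attr_type: int, value: bytes) -> bytes:
    """One attribute: Type(1) Length(1, counts the 2-byte header) Value(1..253)."""
    if not 1 <= len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_accept(identifier: int, request_auth: bytes, secret: bytes,
                        attributes: list[tuple[int, bytes]]) -> bytes:
    """Server side. Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attrs|Secret)."""
    attrs = b"".join(encode_avp(t, v) for t, v in attributes)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def parse_reply(packet: bytes, request_auth: bytes, secret: bytes) -> dict:
    """NAS side. Verify the Response Authenticator first; only then trust attributes."""
    if len(packet) < 20:
        raise ValueError("truncated RADIUS packet")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    reply = {"code": code, "id": identifier, "class": []}
    offset = 0
    while offset < len(attrs):
        if offset + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = attrs[offset], attrs[offset + 1]
        if attr_len < 3 or offset + attr_len > len(attrs):
            raise ValueError("bad attribute length")
        value = attrs[offset + 2:offset + attr_len]
        if attr_type == FRAMED_IP_ADDRESS and len(value) == 4:
            reply["framed_ip"] = str(ipaddress.IPv4Address(value))
        elif attr_type == FRAMED_IP_NETMASK and len(value) == 4:
            reply["framed_netmask"] = str(ipaddress.IPv4Address(value))
        elif attr_type == CLASS:
            reply["class"].append(value)  # opaque bytes; NPS/FreeRADIUS carry the group name here
        offset += attr_len
    return reply


def firewall_rules(reply: dict, policy: dict[bytes, list[str]]) -> list[str]:
    """Map Class -> allowed destinations, keyed on the user's static Framed-IP-Address.
    Without Framed-IP-Address the user gets a pool address and there is nothing
    stable to match on, which is the gap this thread is about."""
    if reply.get("code") != ACCESS_ACCEPT:
        return []
    src = reply.get("framed_ip")
    if src is None:
        raise ValueError("reply has Class but no Framed-IP-Address; cannot build a per-user rule")
    rules = [f"pass in quick on enc0 inet from {src} to {dst} keep state"  # enc0: pfSense IPsec interface
             for group in reply["class"] for dst in policy.get(group, [])]
    rules.append(f"block in quick on enc0 inet from {src} to any")  # default deny for that user
    return rules


# Constructed demo values (a real NAS uses a fresh random 16-byte Request Authenticator per request).
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))
POLICY = {b"pfsense_admins": ["10.0.0.10"], b"vpn_access": ["10.0.0.20"]}  # Class -> system A / B


def demo() -> list[str]:
    """vpnuser1 from the reply above: Class pfsense_admins plus static 172.16.98.100/24."""
    packet = build_access_accept(7, REQUEST_AUTH, SECRET, [
        (CLASS, b"pfsense_admins"),
        (FRAMED_IP_ADDRESS, ipaddress.IPv4Address("172.16.98.100").packed),
        (FRAMED_IP_NETMASK, ipaddress.IPv4Address("255.255.255.0").packed),
    ])
    return firewall_rules(parse_reply(packet, REQUEST_AUTH, SECRET), POLICY)


if __name__ == "__main__":
    print("\n".join(demo()))
```

      Run it as-is to see the two rules for vpnuser1. The Response Authenticator check is the part worth keeping in mind: an attacker on the path between the NAS and the RADIUS server who can inject an Access-Accept with a Framed-IP-Address of their choosing would otherwise also choose which firewall rules apply to them, so the NAS must reject any reply whose MD5 over the request authenticator and shared secret does not match.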

      TomTheOne @mcury, Sep 27, 2022, 7:36 PM

        Hey, thank you for your feedback.

        > @tomtheone You would need to use these attributes:
        > Framed-IP-Address=x.x.x.x
        > Framed-IP-Netmask=255.255.255.0

        I tried to implement those attributes, including the "Class" attribute, on the NPS server (Network Policy Server, aka RADIUS on Windows Server).

        Unfortunately those settings are ignored. The pfSense box still assigns an IP address from the virtual address pool for mobile clients.

        Any idea?

        TomTheOne, Sep 27, 2022, 7:50 PM (last edited by TomTheOne Sep 27, 2022, 7:52 PM)

          Oh, I think I understand.

          1. I need to modify /etc/inc/ipsec.inc

          > It is easily done by editing the /etc/inc/ipsec.inc file in pfSense.
          > Locate the major section called "/***f ipsec/ipsec_setup_userpools" about halfway into the file.
          > Locate the line: "$scconf['connections'][$upconn]['remote']['id'] = $clientid;"
          > Change it to "$scconf['connections'][$upconn]['remote']['groups'] = $clientid;"
          > Save the ipsec.inc file and you are good to go!!

          2. Then I can use the VPN > IPsec > Pre-Shared Keys GUI to specify which IP addresses should be assigned for which RADIUS conditions.

          > Define any new pools under "Preshared secrets" by creating a new EAP-type preshared secret with a pool. Remember that the "identity" is now the group name you need to return via the "Class" attribute. The PSK is ignored and not used in this setup, but must be filled with something random :-)

          Additionally I read:

          > This config will not survive a pfSense version update, as the ipsec.inc file is replaced at that time, so you would need to repeat the config again.

          Boaahh.... ugly 😵 nothing for prod-env.

          Thanks for helping out.

          Btw: is there some way to push this feature up in priority?

          stephenw10 Netgate Administrator, Sep 28, 2022, 2:43 PM

            Adding your comments to the open Redmine feature request is best for that.

            Steve

            A Former User, Sep 28, 2022, 4:25 PM

              > I'm using the RADIUS class property (Group Membership) as described here.

              Is there not a way to write into the RADIUS server certificate which VLAN the user must be put in? Each VLAN then has its own IP range. Done.


              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.