IPsec-only users



  • If I want to use the User Manager to create a user who only has access to login via IPsec Mobile for example (using Xauth), do I need to do anything other than put them in a new group that has no GUI rights assigned, or is there any other configuration I need to do to make sure the users can't make any pfSense configuration changes but can use their username/password to authenticate via IPsec?

    Also, on a somewhat related note, are there plans to allow firewall rules to be defined based on the currently logged-on VPN user, via IPsec or OpenVPN? For example, if I connect to IPsec with Xauth username "david" I would like to be able to set a firewall rule that allows/limits traffic from VPN user "david" regardless of whatever IP I was assigned from the pool, so I could give some users (or groups? much better solution) access to some resources and other users to others. I don't see anything like this being possible now, but curious if it's on the list of goals at some point (2.1 at least I'm sure now).


  • Rebel Alliance Developer Netgate

    If a user has no group assigned and no per-page permissions, they cannot even login to the GUI. Adding them with just a username and password (and PSK if needed) should be sufficient.

    I'm not sure if it's possible to do that specific filtering with IPsec, but it can be done with OpenVPN if you assign that user a specific IP using a CSC entry.
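As an added example that is not part of this thread or of pfSense's own code: a small audit of a pfSense-style config.xml that combines each user's direct privileges with those inherited from groups and lists the VPN-only accounts that would still be able to log in to the GUI. The XML layout and the sample accounts are assumptions modelled on pfSense's config.xml, not values taken from the thread.

```python
# Added example (not from the thread): audit a pfSense-style config.xml for
# "VPN-only" users. The layout (system/user with uid + priv children,
# system/group with member uids + priv children) is an assumption modelled on
# pfSense's config.xml; the accounts below are constructed sample data.
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<pfsense><system>
  <user><name>admin</name><uid>0</uid><scope>system</scope><priv>page-all</priv></user>
  <user><name>david</name><uid>2000</uid><scope>user</scope></user>
  <user><name>carol</name><uid>2001</uid><scope>user</scope><priv>page-status-system-logs</priv></user>
  <user><name>erin</name><uid>2002</uid><scope>user</scope></user>
  <group><name>admins</name><gid>1999</gid><member>0</member><priv>page-all</priv></group>
  <group><name>vpnusers</name><gid>2000</gid><member>2000</member></group>
  <group><name>helpdesk</name><gid>2001</gid><member>2002</member><priv>page-diagnostics-ping</priv></group>
</system></pfsense>"""

def effective_privs(xml_text):
    """Return {username: set of privileges}, direct privileges plus group privileges."""
    system = ET.fromstring(xml_text).find("system")
    privs, uid_to_name = {}, {}
    for user in system.findall("user"):
        name = user.findtext("name")
        uid_to_name[user.findtext("uid")] = name
        privs[name] = {p.text for p in user.findall("priv")}
    for group in system.findall("group"):
        gprivs = {p.text for p in group.findall("priv")}
        for member in group.findall("member"):
            name = uid_to_name.get(member.text)
            if name is not None:
                privs[name] |= gprivs   # membership in a privilege-less group adds nothing
    return privs

def gui_capable_users(xml_text):
    """Users able to log in to the web GUI: any page-* privilege, direct or inherited."""
    return sorted(name for name, p in effective_privs(xml_text).items()
                  if any(priv.startswith("page-") for priv in p))

def audit_vpn_only(xml_text, vpn_only_users):
    """Return the VPN-only accounts that unexpectedly hold GUI privileges."""
    capable = set(gui_capable_users(xml_text))
    return sorted(u for u in vpn_only_users if u in capable)

if __name__ == "__main__":
    print("GUI-capable:", gui_capable_users(SAMPLE_CONFIG))
    print("VPN-only users with GUI rights:",
          audit_vpn_only(SAMPLE_CONFIG, ["david", "carol", "erin"]))
```

In the sample, david is the only account that matches the developer's advice (no page privilege directly or via a group); carol holds one directly and erin inherits one from the helpdesk group, so both are flagged.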



  • Thanks, that first part is the answer I was looking for.

    I do know you can filter by IP address for inbound OpenVPN and IPsec traffic, but I was hoping (knowing it doesn't exist now) for a way to select a group and dynamically apply rules whenever the VPN user connects based on their group membership, regardless of what IP address they get assigned. I've done this in the past with Microsoft ISA server because authenticating with PPTP or L2TP to ISA means you are authenticated as a user and firewall rules can be configured based on user/group name. Not 100% required for what I'm doing now, but is pretty slick and very handy in the right situation :-) Not sure what the backend would have to look like to implement it though, I'm sure it would take some work.

    Thanks for the info!



  • The captive portal is one exception to this. Currently there is no method to block a user from being able to log in on the captive portal other than setting it up for authenticating against something other than the local user database or disabling the user completely. Not relevant if you aren't using the captive portal on that system, but I just wanted to mention it for those who have a configuration where this is relevant.



  • Good exception to know about. Of course, one might argue that if you're allowed to VPN in, using the captive portal probably won't hurt. And in most cases that's probably accurate, I'd imagine, though I'm sure there are edge cases.



  • That partly depends on whether your VPN gives access only to your network or also to your internet connection. :)

    That part about the captive portal is likely to change at some point in the future.



  • True, true :-) But, the position of a user on the outside getting in is still, I'd argue, a more sensitive one than the same user being inside going out. Generally. Maybe not the principle of least privilege in practice, but at least it's not captive portal users also able to VPN in by default :-)

