Need to make IPSec auth from FreeIPA
-
I currently have PFSense set up so that all our mobile devices can connect to our local resources. This all works fine. I'm using a PSK and the users login/pass on PFSense.
Handling account management has become a mess, so we now have a FreeIPA authentication server.
What is the best way to have PFSense use the FreeIPA server and what do I need to do to implement this?
-
Upgrade to 2.1, and then you can set up a RADIUS or LDAP entry under System > User Manager, on the Servers tab, and then use it for IPsec auth.
Can't do that on 2.0.x.
-
Thanks! 2.0.2 actually has this and authentication works. I'm just trying to sort out what I need for my group info now and I should be good. I just really needed to know where it was and that it was there. 2.0.2 tells me there are no updates available, so I am guessing 2.1.x is beta?
-
2.1 is beta.
2.0.x supported using that for auth on OpenVPN, but not IPsec.
-
Good to know.
I will put up 2.1 on a test VM and make sure everything works the way I expect before I move to it.
Thanks for the details.
-
Is there a nightly build of 2.1 or how do I go about building the iso from github?
-
http://snapshots.pfsense.org/
-
Thanks.
Now I am trying to figure out what I need to put in "Group naming attribute" and "Group member attribute". Test Authentication works but it's not fetching any groups.
I'm including some outputs of ldapsearch.
Groups
[root@auth ~]# ldapsearch -Y GSSAPI -b "cn=groups,cn=accounts,dc=MYHHCA,dc=COM"
SASL/GSSAPI authentication started
SASL username: admin@MYHHCA.COM
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=groups,cn=accounts,dc=myhhca,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# groups, accounts, myhhca.com
dn: cn=groups,cn=accounts,dc=myhhca,dc=com
objectClass: top
objectClass: nsContainer
cn: groups

# admins, groups, accounts, myhhca.com
dn: cn=admins,cn=groups,cn=accounts,dc=myhhca,dc=com
objectClass: top
objectClass: groupofnames
objectClass: posixgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: nestedGroup
cn: admins
description: Account administrators group
gidNumber: 154200000
member: uid=admin,cn=users,cn=accounts,dc=myhhca,dc=com
ipaUniqueID: 820fea98-6bc8-11e2-ab49-0002a5517755
memberOf: cn=replication administrators,cn=privileges,cn=pbac,dc=myhhca,dc=com
memberOf: cn=add replication agreements,cn=permissions,cn=pbac,dc=myhhca,dc=com
memberOf: cn=modify replication agreements,cn=permissions,cn=pbac,dc=myhhca,dc=com
memberOf: cn=remove replication agreements,cn=permissions,cn=pbac,dc=myhhca,dc=com
memberOf: cn=host enrollment,cn=privileges,cn=pbac,dc=myhhca,dc=com
memberOf: cn=manage host keytab,cn=permissions,cn=pbac,dc=myhhca,dc=com
memberOf: cn=enroll a host,cn=permissions,cn=pbac,dc=myhhca,dc=com
memberOf: cn=add krbprincipalname to a host,cn=permissions,cn=pbac,dc=myhhca,dc=com
memberOf: cn=unlock user accounts,cn=permissions,cn=pbac,dc=myhhca,dc=com
memberOf: cn=manage service keytab,cn=permissions,cn=pbac,dc=myhhca,dc=com

# ipausers, groups, accounts, myhhca.com
dn: cn=ipausers,cn=groups,cn=accounts,dc=myhhca,dc=com
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
description: Default group for all users
cn: ipausers
ipaUniqueID: 82677ccc-6bc8-11e2-b1a3-0002a5517755
member: uid=bmcwhirt,cn=users,cn=accounts,dc=myhhca,dc=com

# editors, groups, accounts, myhhca.com
dn: cn=editors,cn=groups,cn=accounts,dc=myhhca,dc=com
objectClass: top
objectClass: groupofnames
objectClass: posixgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: nestedGroup
gidNumber: 154200002
description: Limited admins who can edit other users
cn: editors
ipaUniqueID: 826e5042-6bc8-11e2-888e-0002a5517755

# trust admins, groups, accounts, myhhca.com
dn: cn=trust admins,cn=groups,cn=accounts,dc=myhhca,dc=com
cn: trust admins
objectClass: top
objectClass: groupofnames
objectClass: ipausergroup
objectClass: nestedgroup
objectClass: ipaobject
member: uid=admin,cn=users,cn=accounts,dc=myhhca,dc=com
description: Trusts administrators group
ipaUniqueID: d4a6baec-6bc9-11e2-8768-0002a5517755

# bmcwhirt, groups, accounts, myhhca.com
dn: cn=bmcwhirt,cn=groups,cn=accounts,dc=myhhca,dc=com
objectClass: posixgroup
objectClass: ipaobject
objectClass: mepManagedEntry
objectClass: top
cn: bmcwhirt
gidNumber: 154200001
description: User private group for bmcwhirt
mepManagedBy: uid=bmcwhirt,cn=users,cn=accounts,dc=myhhca,dc=com
ipaUniqueID: 2da9fc2a-6c39-11e2-9c6c-0002a5517755

# myhhca, groups, accounts, myhhca.com
dn: cn=myhhca,cn=groups,cn=accounts,dc=myhhca,dc=com
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: posixgroup
gidNumber: 154300000
description: MyHHCA Jabber Users
cn: myhhca
ipaUniqueID: 3702e1a2-6f08-11e2-8882-0002a5517755

# search result
search: 4
result: 0 Success

# numResponses: 8
# numEntries: 7
[root@auth ~]#
Specific User
[root@auth ~]# ldapsearch -Y GSSAPI -b "dc=MYHHCA,dc=COM" uid=bmcwhirt
SASL/GSSAPI authentication started
SASL username: admin@MYHHCA.COM
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=myhhca,dc=com> with scope subtree
# filter: uid=bmcwhirt
# requesting: ALL
#

# bmcwhirt, users, compat, myhhca.com
dn: uid=bmcwhirt,cn=users,cn=compat,dc=myhhca,dc=com
objectClass: posixAccount
objectClass: top
gecos: Bryan McWhirt
cn: Bryan McWhirt
uidNumber: 154200001
gidNumber: 154300000
loginShell: /bin/sh
homeDirectory: /home/bmcwhirt
uid: bmcwhirt

# bmcwhirt, users, accounts, myhhca.com
dn: uid=bmcwhirt,cn=users,cn=accounts,dc=myhhca,dc=com
displayName: Bryan McWhirt
cn: Bryan McWhirt
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
sn: McWhirt
gecos: Bryan McWhirt
homeDirectory: /home/bmcwhirt
krbPwdPolicyReference: cn=global_policy,cn=MYHHCA.COM,cn=kerberos,dc=myhhca,dc=com
mail: bmcwhirt@myhhca.com
krbPrincipalName: bmcwhirt@MYHHCA.COM
givenName: Bryan
uid: bmcwhirt
initials: BM
ipaUniqueID: 2d330e8a-6c39-11e2-9c6c-0002a5517755
uidNumber: 154200001
gidNumber: 154300000
krbPasswordExpiration: 20130201063239Z
krbLastPwdChange: 20130201063239Z
krbExtraData::
mepManagedEntry: cn=bmcwhirt,cn=groups,cn=accounts,dc=myhhca,dc=com
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=myhhca,dc=com
mobile: 7656039179
postalCode: 10000
street: 123 some street
l: City
st: State
facsimileTelephoneNumber: 9876543210
telephoneNumber: 1015551212
title: Director of IT
ou: myhhca
krbLoginFailedCount: 0
krbLastSuccessfulAuth: 20130206225839Z

# search result
search: 4
result: 0 Success

# numResponses: 3
# numEntries: 2
[root@auth ~]#
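Added example, not from the thread and not pfSense code: a small Python LDIF parser run over a constructed, trimmed copy of the entries posted above, resolving the user's groups the three ways this FreeIPA output exposes them. The posted data shows why the "group naming attribute" is cn and the "group member attribute" is member: every group carries member: with the user's full cn=accounts DN, the cn=accounts user entry carries memberOf:, and the cn=compat entry (the first hit for uid=bmcwhirt) carries neither, so a client that binds and searches the compat tree sees no groups at all. The function names, the trimmed sample and the deliberately folded memberOf line are this example's own assumptions.

```python
"""Added example (not pfSense code): resolve a FreeIPA user's groups from
LDIF the three ways the thread's ldapsearch output exposes them."""
import base64

# Constructed sample, trimmed from the thread's ldapsearch output. The
# admins memberOf value is folded the way ldapsearch prints long values
# (continuation line starts with one space).
SAMPLE_LDIF = """\
dn: cn=admins,cn=groups,cn=accounts,dc=myhhca,dc=com
objectClass: posixgroup
cn: admins
gidNumber: 154200000
member: uid=admin,cn=users,cn=accounts,dc=myhhca,dc=com
memberOf: cn=add replication agreements,cn=permissions,cn=pbac,dc=myhhca,dc=co
 m

dn: cn=ipausers,cn=groups,cn=accounts,dc=myhhca,dc=com
objectClass: groupofnames
cn: ipausers
member: uid=bmcwhirt,cn=users,cn=accounts,dc=myhhca,dc=com

dn: cn=myhhca,cn=groups,cn=accounts,dc=myhhca,dc=com
objectClass: posixgroup
cn: myhhca
gidNumber: 154300000

# compat tree: posixAccount view, no memberOf
dn: uid=bmcwhirt,cn=users,cn=compat,dc=myhhca,dc=com
uid: bmcwhirt
gidNumber: 154300000

dn: uid=bmcwhirt,cn=users,cn=accounts,dc=myhhca,dc=com
uid: bmcwhirt
gidNumber: 154300000
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=myhhca,dc=com
krbExtraData::
"""

def parse_ldif(text):
    """LDIF -> list of entries {attr_lowercased: [values]}. Handles folded
    lines, comments and base64 ('attr:: ...') values, including the empty
    krbExtraData:: seen in the thread."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, entry = [], {}
    for line in lines + [""]:
        if not line.strip():                   # blank line ends an entry
            if entry:
                entries.append(entry)
            entry = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):          # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            else:
                value = value.strip()
            entry.setdefault(attr.strip().lower(), []).append(value)
    return entries

def same_dn(a, b):
    return a.lower() == b.lower()              # DNs compare case-insensitively

def find_user_dns(entries, uid):
    """FreeIPA answers a uid search with a cn=compat and a cn=accounts entry."""
    return [e["dn"][0] for e in entries if uid in e.get("uid", [])]

def groups_via_member(entries, user_dn, naming_attr="cn", member_attr="member"):
    """Group-side lookup: groups whose member attribute lists the user's DN."""
    return sorted(e[naming_attr][0] for e in entries if naming_attr in e
                  and any(same_dn(m, user_dn) for m in e.get(member_attr, [])))

def groups_via_memberof(entries, user_dn, naming_attr="cn"):
    """User-side lookup: memberOf on the user entry, group name from the RDN."""
    user = next((e for e in entries if same_dn(e["dn"][0], user_dn)), {})
    names = []
    for dn in user.get("memberof", []):
        rdn_attr, _, rdn_val = dn.split(",", 1)[0].partition("=")
        if rdn_attr.lower() == naming_attr:
            names.append(rdn_val)
    return sorted(names)

def primary_group(entries, user_dn, naming_attr="cn"):
    """The POSIX primary group is linked only by gidNumber; it is not in
    member/memberOf, so a member-attribute lookup never returns it."""
    user = next((e for e in entries if same_dn(e["dn"][0], user_dn)), {})
    gid = user.get("gidnumber", [None])[0]
    for e in entries:
        if "posixgroup" in map(str.lower, e.get("objectclass", [])) \
                and gid in e.get("gidnumber", []):
            return e[naming_attr][0]
    return None

if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for dn in find_user_dns(entries, "bmcwhirt"):
        print(dn, groups_via_member(entries, dn),
              groups_via_memberof(entries, dn), primary_group(entries, dn))
```

Running it prints an empty group list for the cn=compat DN and ["ipausers"] for the cn=accounts DN by both lookups, while "myhhca" (gidNumber 154300000) only shows up through primary_group. When testing an LDAP server entry against FreeIPA, point the search base at cn=accounts,dc=…, not dc=… or cn=compat, or the compat entry is the one matched and no memberOf is ever seen.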
-
Groups are used only for local users at the moment.
For LDAP or RADIUS it will just authenticate them, that's it.
-
Ok, so I don't need to worry about them having group access to VPN stuff as long as I'm on 2.1 beta and the auth inside the IPsec config is set for the LDAP server?