Netgate Discussion Forum
    PfSense + Windows 2003: Block a group1 to access URL, but allow group2

    Category: Firewalling (5 posts, 2 posters, 1.4k views)
    vgobbo:

      I'm setting up pfSense with captive portal authenticating against Windows 2003. The authentication works fine using RADIUS.

      Now, I wish to implement the following scenario:

      • Block users belonging to Active Directory group "group1" from accessing all websites except the company website;
      • Block users belonging to Active Directory group "group2" from accessing all websites except the company website and Facebook (those marketing guys…);
      • Allow users belonging to Active Directory group "group3" to access all websites.

      I've searched all around the web, but could not find a way to implement this.

      Is it possible to implement with pfSense?

      I've just upgraded my pfSense installation (2.0.2) to pfSense 2.1-rc1.

      Thank you for your help.

      kathampy:

        This functionality is not available because there is no way to do this securely. Captive portals identify clients by MAC address which can be spoofed. Any implementation would just be security through obscurity and such flawed functionality should not be provided out of the box.

        The only secure way would be if there was an authenticated "link" between the firewall and the client such as a PPPoE connection. The RADIUS server would then know which IP address was associated with each Active Directory user when they connect and the URL filter should use this information to enforce policy.

        Commercial firewalls such as Forefront TMG and FortiGate appliances use proprietary client software on the PC to enable authenticated Internet access with per-user policies.

        vgobbo:

          Is it possible to achieve such functionality without the Captive Portal or some other way with pfSense?

          Since my clients cannot access administrative features, like changing IP and proxy settings, I don't need the Captive Portal functionality.

          Without Captive Portal, I could simply use NTLM for authentication (or any other proxy authentication scheme).

          With a naked Squid installation (I mean without pfSense) I can implement this (my old scheme works like this), but I wish to continue with pfSense because it works really well, is easy to configure, and has so many cool features that would make my life easier, so I don't have to reimplement the wheel.

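As an added illustration, not taken from the thread, of the per-group Squid policy vgobbo describes as his "old scheme": a squid.conf fragment that challenges each browser for NTLM/Negotiate credentials through Samba's ntlm_auth helper and then checks Active Directory group membership with Squid's ext_wbinfo_group_acl external ACL helper. The helper paths, the company domain example.com, the Facebook domains and the group names group1/group2/group3 are assumptions chosen to match the scenario in the first post; the host must already be joined to the domain with winbind running.

```conf
# Added example (not from the original post). Assumes Squid 3.x on a host joined
# to the AD domain via Samba/winbind; helper paths are assumptions.

# --- Authentication: NTLM for domain-joined Windows clients, Basic as fallback ---
auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm keep_alive on

auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Company proxy
auth_param basic credentialsttl 2 hours

# --- Group lookup: pass the authenticated login name to the winbind group helper ---
# %LOGIN is only available after proxy_auth has succeeded, so the
# "deny !authenticated" rule below must come first.
external_acl_type ad_group ttl=300 negative_ttl=60 %LOGIN /usr/local/libexec/squid/ext_wbinfo_group_acl

acl authenticated proxy_auth REQUIRED
acl group1 external ad_group group1
acl group2 external ad_group group2
acl group3 external ad_group group3

# --- Destinations (assumed names) ---
# dstdomain also matches the host in CONNECT requests, so HTTPS to these
# sites is covered without any TLS interception.
acl company_site dstdomain .example.com
acl facebook     dstdomain .facebook.com .fbcdn.net

acl localnet src 192.168.0.0/16 10.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT

# --- Policy, evaluated top to bottom; first match wins ---
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny !localnet
http_access deny !authenticated          # triggers the 407 challenge

http_access allow group1 company_site     # group1: company site only
http_access allow group2 company_site     # group2: company site ...
http_access allow group2 facebook         #         ... plus Facebook
http_access allow group3                  # group3: everything

http_access deny all                      # users in none of the groups get nothing

http_port 3128
```

The allow rules are written per group rather than as a shared "allow company_site" line so that an authenticated user who is in none of the three groups is denied everything rather than silently getting the group1 policy; that is the least-privilege default. Squid's ordering matters: the group ACLs call the external helper with %LOGIN, which is only populated once the proxy_auth check has run, which is why the `deny !authenticated` line precedes them. Note that this is exactly the kind of hand-edited squid.conf vgobbo is worried about: on pfSense the Squid package regenerates the file from the GUI settings, so these directives survive only if they are entered through whatever custom-options mechanism that package version offers.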
          kathampy:

            So why can't you configure Squid manually on pfSense like that?

            vgobbo:

              I can, but I prefer not. Reasons:

              First, because I might change a configuration somewhere and have pfSense rewrite the Squid configuration file, losing my custom Squid configuration.
              Second, since pfSense provides an interface to configure a Firewall/Proxy, I think manual configuration is not the right thing to do (this is more philosophy than functionality).

              Can you point out any feature I might lose or that might interfere with the whole setup?

              Sorry if I'm being a bit of a pain in the ass.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.