pfSense + Windows 2003: Block group1 from accessing a URL, but allow group2
-
I'm setting up pfSense with captive portal authenticating against Windows 2003. The authentication works fine using RADIUS.
Now, I wish to implement the following scenario:
- Block users belonging to Active Directory group "group1" from accessing all websites except the company website;
- Block users belonging to Active Directory group "group2" from accessing all websites except the company website and Facebook (those marketing guys…);
- Allow users belonging to Active Directory group "group3" to access all websites.
I've searched all around the web, but could not find a way to implement this.
Is it possible to implement with pfSense?
I've just upgraded my pfSense installation (2.0.2) to pfSense 2.1-rc1.
Thank you for your help.
-
This functionality is not available because there is no way to do this securely. Captive portals identify clients by MAC address which can be spoofed. Any implementation would just be security through obscurity and such flawed functionality should not be provided out of the box.
The only secure way would be if there was an authenticated "link" between the firewall and the client such as a PPPoE connection. The RADIUS server would then know which IP address was associated with each Active Directory user when they connect and the URL filter should use this information to enforce policy.
Commercial firewalls such as Forefront TMG and FortiGate appliances use proprietary client software on the PC to enable authenticated Internet access with per-user policies.
-
Is it possible to achieve such functionality without the Captive Portal or some other way with pfSense?
Since my clients cannot access administrative features, like changing IP and proxy settings, I don't need the Captive Portal functionality.
Without Captive Portal, I could simply use NTLM for authentication (or any other proxy authentication scheme).
With a naked Squid installation (I mean without pfSense) I can implement this (my old scheme works like this), but I wish to continue with pfSense because it works really well, is easy to configure, and has so many cool features that would make my life easier, so I don't have to reimplement the wheel.
-
So why can't you configure Squid manually on pfSense like that?
-
I can, but I prefer not. Reasons:
First, because I might change a configuration somewhere and have pfSense rewrite the Squid configuration file, losing my custom Squid configuration.
Second, since pfSense provides an interface to configure a firewall/proxy, I think manual configuration is not the right thing to do (this is more philosophy than functionality). Can you point out any feature I might lose or interfere with in the whole setup?
Sorry if I'm being a little pain in the ass.
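As an added example (not code from the thread or from the pfSense project), this is the kind of Squid configuration the comments describe: the proxy authenticates each user against Active Directory with NTLM, then applies a different `http_access` policy per AD group. It assumes Samba/winbind is joined to the Windows 2003 domain, that the helper paths below are where the Samba and Squid helpers live on the box (the stock pfSense package layout may differ), and that `example.com` is the company website; the group names are the ones from the question.

```conf
# --- Authentication: NTLM against the AD domain via Samba's ntlm_auth ---
# (helper paths are assumptions; adjust to the installed Samba/Squid layout)
auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm keep_alive on
# Basic fallback for clients that cannot do NTLM (sends the password to the
# proxy, so only keep it if the proxy is reached over a trusted LAN)
auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Company proxy
auth_param basic credentialsttl 2 hours

# --- Group lookup: map the authenticated login (%LOGIN) to AD groups ---
# ext_wbinfo_group_acl asks winbind whether the user is in the named group;
# ttl caches the answer so each request does not hit the DC.
external_acl_type ad_group ttl=300 %LOGIN /usr/local/libexec/squid/ext_wbinfo_group_acl

acl auth_users proxy_auth REQUIRED
acl grp1 external ad_group group1
acl grp2 external ad_group group2
acl grp3 external ad_group group3

# --- Destinations (company domain is an assumption) ---
acl company_site dstdomain .example.com
acl facebook dstdomain .facebook.com .fbcdn.net

# --- Policy: first matching http_access line wins, so order matters ---
# Force authentication before anything else is evaluated.
http_access deny !auth_users
# group3: unrestricted
http_access allow grp3
# group2: company site and Facebook only
http_access allow grp2 company_site
http_access allow grp2 facebook
http_access deny grp2
# group1: company site only
http_access allow grp1 company_site
http_access deny grp1
# Anyone authenticated but in none of the three groups gets nothing.
http_access deny all
```

Two practical caveats. First, this policy is only as strong as the requirement to go through the proxy: the LAN firewall rules must block direct outbound 80/443 (and any other egress) from client subnets so that a user cannot simply unset the proxy, which is the assumption the commenter makes when saying clients cannot change proxy settings. Second, `dstdomain` matches the host in the `CONNECT` request for HTTPS, so the Facebook exception works for TLS without interception; a user in more than one group is matched by the first `http_access` line that applies, so put the most permissive group first as above.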