IPSEC Windows Authentication: Allow/Deny user access?

  • Hi, we have set up IPsec for remote users so that they can connect via iPhone or a VPN client.  We are using Active Directory authentication (2008 R2) and so far everything is working pretty well; however, we wanted to improve security on it and found something we cannot resolve.  Not sure if it's meant to be this way, a misconfig or a bug.

    Our active directory is setup something like this:
    -Local.host (Domain)
      -Users (OU)
        -Dept1 (sub OU)
            -Group (Security)
        -Dept2 (sub OU)
            -Group (Security)
        -Dept3 (sub OU)
            -Group (Security)
      -VPN Users (OU)
        -VPNusers (Security)

    We are using pfSense 2.1 and within the user manager, we have set up our AD server.

    Base DN: DC=local,DC=host
    Auth Containers:  OU=Users,DC=local,DC=host

    When it's set up like above, users can get into the VPN without issue.  However, we don't want everybody within the company to have VPN access, so we'd like to limit this.  Our idea was to set up a new OU named VPN Users as seen above.  With this we made a security group called 'VPNusers' and added the necessary Active Directory user accounts that need VPN access to the group.

    Within pfSense I make a group called VPNusers and give it the corresponding VPN permissions.  I then test authentication as is with user7 and it works and states he's part of the VPNusers group...Great.  I test the VPN and it works.  I then test with, let's say, user2 and pfSense says it authenticates; however, he is not part of any group, but the ironic part is that if I test the account using a VPN client, it still lets him in.

    I looked at my config and thought I needed to change my AD containers for the VPN OU, so I changed it to this:

    Base DN: DC=local,DC=host
    Auth Containers:  OU=VPN Users,DC=local,DC=host

    Now when I test authentication for any user, it always fails.  It seems I cannot authenticate if the user is in a group within an OU.  The only time authentication succeeds is if I specify the exact OU that the user is in.

    My primary question would be: is there any way to use Windows authentication and at the same time tell the system who has rights to log in and who should be denied access?

    Thanks in advance.
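    Added example (not from this thread and not pfSense's own code): a small model of the lookup a container-based LDAP authenticator does against the OU layout in the post, with constructed directory entries, to show why the two Auth Containers settings behave differently and why VPN access should be gated on VPNusers membership as a separate authorization step.  Search scope (one level vs. entire subtree) is a parameter, since that is an assumption about the authenticator, not a fact from the post.

```python
# Constructed directory mirroring the OU tree in the post: user objects live in
# the department sub-OUs under OU=Users; OU=VPN Users holds only the security group.
GROUP_DN = "cn=vpnusers,ou=vpn users,dc=local,dc=host"

DIRECTORY = {
    "cn=user7,ou=dept1,ou=users,dc=local,dc=host": {
        "memberOf": ["cn=dept1,ou=dept1,ou=users,dc=local,dc=host", GROUP_DN]},
    "cn=user2,ou=dept2,ou=users,dc=local,dc=host": {
        "memberOf": ["cn=dept2,ou=dept2,ou=users,dc=local,dc=host"]},
    GROUP_DN: {"member": ["cn=user7,ou=dept1,ou=users,dc=local,dc=host"]},
}

def normalize(dn):
    """Case- and whitespace-insensitive DN comparison, as LDAP treats DNs."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def in_container(dn, container, subtree):
    """True if dn sits below container; one-level scope only matches direct children."""
    dn, container = normalize(dn), normalize(container)
    if not dn.endswith("," + container):
        return False
    return subtree or "," not in dn[: -len(container) - 1]

def find_user(uid, containers, subtree):
    """Return the user's DN only if its object is inside one of the auth containers."""
    for dn in DIRECTORY:
        if dn.startswith("cn=%s," % uid.lower()) and any(
                in_container(dn, c, subtree) for c in containers):
            return dn
    return None

def vpn_allowed(uid, containers, subtree=True):
    """Authentication (user found under a container) and authorization (group) kept separate."""
    dn = find_user(uid, containers, subtree)
    if dn is None:
        return False, "user object not under any authentication container"
    groups = {normalize(g) for g in DIRECTORY[dn].get("memberOf", [])}
    if GROUP_DN not in groups:
        return False, "authenticated but not a member of VPNusers"
    return True, "member of VPNusers"

if __name__ == "__main__":
    for uid in ("user7", "user2"):
        print(uid, "Users OU:", vpn_allowed(uid, ["OU=Users,DC=local,DC=host"]))
        print(uid, "VPN Users OU:", vpn_allowed(uid, ["OU=VPN Users,DC=local,DC=host"]))
```

With the container set to OU=VPN Users, no user object is found at all, so even user7 fails; with OU=Users, user2 authenticates but is refused because the group check is enforced rather than relying on authentication alone.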

  • Nobody?  Trying to figure out if it's a config issue or it's just supposed to be this way.  Any ideas would be helpful.

    Thanks.  8)