Netgate Discussion Forum
    IPSEC Windows Authentication: Allow/Deny user access?

Rubicon:

Hi, we have set up IPSEC for remote users so that they can connect via iPhone or a VPN client.  We are using Active Directory authentication (2008 R2) and so far everything is working pretty well; however, we wanted to improve security on it and found something we cannot resolve.  Not sure if it's meant to be this way, a misconfig or a bug.

Our Active Directory is set up something like this:
      -Local.host (Domain)
        -Users (OU)
          -Dept1 (sub OU)
              -Group (Security)
              -User1
              -User2
              -User3
          -Dept2 (sub OU)
              -Group (Security)
              -User4
              -User5
          -Dept3 (sub OU)
              -Group (Security)
              -User6
        -VPN Users (OU)
          -VPNusers (Security)
              -User7
              -User8

We are using PFSense 2.1 and within the user manager, we have set up our AD server.

      Base DN: DC=local,DC=host
      Auth Containers:  OU=Users,DC=local,DC=host

When it's set up like above, users can get into the VPN without issue.  However, we don't want everybody within the company to have VPN access, so we'd like to limit this.  Our idea was to set up a new OU named VPN Users as seen above.  Within this we made a security group called 'VPNusers' and added the necessary Active Directory user accounts that need VPN access to the group.

Within PFSense I make a group called VPNusers and give it the corresponding VPN permissions.  I then test authentication as is with user7 and it works and states he's part of the VPNusers group… Great.  I test the VPN and it works.  I then test with, let's say, user2, and PFSense says it authenticates; however, he is not part of any group, but the ironic part is that if I test the account using a VPN client, it still lets him in.

I looked at my config and thought I needed to change my AD containers for the VPN OU, so I changed it to this:

      Base DN: DC=local,DC=host
      Auth Containers:  OU=VPN Users,DC=local,DC=host

Now when I test authentication for any user, it always fails.  It seems I cannot authenticate if the user is in a group within an OU.  The only time authentication succeeds is if I specify the exact OU that the user is in.

My primary question would be: is there any way to use Windows authentication and at the same time tell the system who has rights to log in and who should be denied access?

      Thanks in advance.

Rubicon:
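The behaviour described in the post comes down to two separate questions an LDAP-backed login answers: *where* the user object is searched for (the authentication container, a subtree search base) and *whether* that object carries the right group membership. The model below is an added example written for this thread; it is not pfSense's own code and not from the poster. It builds an in-memory directory from the OU tree drawn above (constructed sample data, including a hypothetical user4 placed in the VPNusers group) and shows that a container limited to `OU=VPN Users` cannot find users whose objects live under `OU=Users`, while a `memberOf` check on the group is what actually separates allowed from denied accounts once the containers cover every OU the users live in.

```python
"""Model of how an LDAP auth container (search base) and a group-membership
check interact. The directory below is constructed sample data mirroring the
OU layout in the post; DNs are simplified (no escaped commas)."""

from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Entry:
    dn: str
    sam_account_name: Optional[str] = None       # set only on user objects
    member_of: List[str] = field(default_factory=list)


VPN_GROUP = "CN=VPNusers,OU=VPN Users,DC=local,DC=host"
DEPT1_GROUP = "CN=Group,OU=Dept1,OU=Users,DC=local,DC=host"
DEPT2_GROUP = "CN=Group,OU=Dept2,OU=Users,DC=local,DC=host"

# Constructed directory: users under departmental OUs plus the VPN Users OU.
# user4 is a hypothetical addition: it stays in OU=Dept2 but is a VPNusers member.
DIRECTORY = [
    Entry("CN=User1,OU=Dept1,OU=Users,DC=local,DC=host", "user1", [DEPT1_GROUP]),
    Entry("CN=User2,OU=Dept1,OU=Users,DC=local,DC=host", "user2", [DEPT1_GROUP]),
    Entry("CN=User4,OU=Dept2,OU=Users,DC=local,DC=host", "user4", [DEPT2_GROUP, VPN_GROUP]),
    Entry("CN=User7,OU=VPN Users,DC=local,DC=host", "user7", [VPN_GROUP]),
    Entry("CN=User8,OU=VPN Users,DC=local,DC=host", "user8", [VPN_GROUP]),
]

USERS_CONTAINER = "OU=Users,DC=local,DC=host"
VPN_CONTAINER = "OU=VPN Users,DC=local,DC=host"


def rdns(dn: str) -> List[str]:
    """Split a DN into normalised RDNs so comparisons ignore case and spacing."""
    return [part.strip().lower() for part in dn.split(",")]


def is_under(entry_dn: str, container_dn: str) -> bool:
    """Subtree scope: an entry is in scope when its DN ends with the container DN."""
    entry, container = rdns(entry_dn), rdns(container_dn)
    return len(entry) > len(container) and entry[-len(container):] == container


def find_user(containers: List[str], username: str) -> Optional[Entry]:
    """Locate a user object by sAMAccountName inside any configured container."""
    for entry in DIRECTORY:
        if entry.sam_account_name == username.lower() and any(
            is_under(entry.dn, c) for c in containers
        ):
            return entry
    return None


def is_member(user: Entry, group_dn: str) -> bool:
    """Group check equivalent to an LDAP filter of (memberOf=<group DN>)."""
    return any(rdns(g) == rdns(group_dn) for g in user.member_of)


def authorize(containers: List[str], username: str,
              required_group: str = VPN_GROUP) -> Tuple[bool, str]:
    """Decide login: the user must be found under a container AND be in the group."""
    user = find_user(containers, username)
    if user is None:
        return False, "user not found under the configured auth containers"
    if not is_member(user, required_group):
        return False, "user found but not a member of the required group"
    return True, "user found and member of the required group"


if __name__ == "__main__":
    both = [USERS_CONTAINER, VPN_CONTAINER]
    for containers in (both, [VPN_CONTAINER]):
        print("containers:", containers)
        for name in ("user2", "user4", "user7"):
            print(" ", name, authorize(containers, name))
```

With both containers listed, user2 is found but rejected by the group check, while user4 and user7 are allowed because they are VPNusers members regardless of which OU holds them. With only `OU=VPN Users` as the container, user2 and user4 are never found at all, which matches the "always fails" result in the post; that failure is a search-scope problem, not an authorization decision. In pfSense the group filter corresponds to the Extended Query option on the LDAP server settings (for example `memberOf=CN=VPNusers,OU=VPN Users,DC=local,DC=host`), which the thread does not mention; the containers still need to include every OU whose users should be able to log in.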

Nobody?  Trying to figure out if it's a config issue or just supposed to be this way.  Any ideas would be helpful.

        Thanks.  8)

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.