Authentication Concerns for VPN



  • Hi,

    I have finally got my LDAP authentication working.

    Managing users seems a hell of a lot easier, but now I have a bunch of questions:

    1. Does Authentication using Active Directory have any security concerns?

    2. Is it possible to change / create a special group in AD which would help to segregate the users able to authenticate through pfSense from those that don't? (Not everyone in the AD users list is supposed to be able to remote dial into work.)

    3. I have 2 sites, and now that both are able to get their users from AD, is it possible to create a client config which would work in a fail-over situation?

    All suggestions and ideas are appreciated.

    Thanks!



  • bump


  • Rebel Alliance Developer Netgate

    @hongkonger:

    1. Does Authentication using Active Directory have any security concerns?

    If you use Administrator for your bind user, or if you do NOT use SSL for LDAP, then there could be concerns.

    @hongkonger:

    2. Is it possible to change / create a special group in AD which would help to segregate the users able to authenticate through pfSense from those that don't? (Not everyone in the AD users list is supposed to be able to remote dial into work.)

    That depends on your AD structure. In some cases you can do that by specifying the authentication container properly; in other cases you need to use the Extended Query box to filter using memberOf (see the doc wiki article on LDAP troubleshooting).

    @hongkonger:

    3. I have 2 sites, and now that both are able to get their users from AD, is it possible to create a client config which would work in a fail-over situation?

    Add another "remote x.x.x.x yyyy" line to the client config (or specify it in the advanced options in the export package before downloading the client).

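
As an added example (not part of this thread and not pfSense's own export output), here is what a client config with the extra "remote" line looks like for the fail-over described in the answer above. The hostnames, port, and certificate file names are placeholders; the surrounding directives are standard OpenVPN 2.x client options.

```text
client
dev tun
proto udp

# Primary site; tried first. Hostname and port are placeholders.
remote vpn-site1.example.com 1194 udp
# Secondary site; used when the primary cannot be reached.
remote vpn-site2.example.com 1194 udp

# Without remote-random the remotes are tried in the order listed,
# so this behaves as fail-over rather than load-sharing.
# Give up on an unresponsive remote after 15 seconds and move to the next.
server-poll-timeout 15
# Keep retrying if DNS is unavailable (e.g. at boot) instead of exiting.
resolv-retry infinite
connect-retry 5

nobind
persist-key
persist-tun

# Require the server certificate to carry the server extended key usage,
# so another client's certificate cannot be presented as the server.
remote-cert-tls server
# Prompt for the AD username/password that pfSense checks against LDAP.
auth-user-pass

# Placeholder file names; the export package supplies the real ones.
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
verb 3
```

For point 2, the Extended Query field mentioned above takes an LDAP filter fragment; with AD it is typically of the form `memberOf=CN=VPN Users,OU=Groups,DC=example,DC=com` (the group and domain names here are placeholders, not values from this thread).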


  • Thanks for the Help Jimp.

    Points 1 and 3 solved.

    Now I am gonna work on no. 2 …

    Will revert back once I have it working.

    Regards

