A.D and users permissions



  • Hi ! I have a question . I have installed PFSense 2.1.5  and use OpenVPN for remote connections of mobile clients. OpenVPN is integrated into A.D. via LDAP so I use it to set there (in the AD ) users. What I want is to set up access permissions to certain networks to specific users ( AD users ) that connect to the vpn , ie allow jgomez can only access the network 192.168.10.0/24 , or amartinez access to a single host on another network , etc. Beyond FW rules to set i need access permissions of users, this can be done ? Client Specific Override is not what i want… i guess!!

    Best regards!!



  • Hi!

    pfSense has no ability to handle user based firewall rules. So Client Specific Overrides would be a way to get what you want:
    http://fastinetserver.wordpress.com/2013/03/09/pfsense-openvpn-static-ip-for-clients/

    If your OpenVPN server use SSL/TLS you can also get it if you set up one server and one CA for each security group.

    If you don't want that set the permission in the A.D.



  • Just for clarification, How do you use "Client Specific Overrides" with AD?  Thought I had read somewhere that you had to use local database for CSO … Is this no longer true?



  • Right pberis!! I can't!! Because is not possible to give permissions to A.D. specific users with  "Client Specific Overrides"!! In Spanish PFSense forum advised me to use Free Radius + AD but I think it's too much for me, i can't do it…  I have not enough time to investigate about it  :'(
    Thank you!!



  • @pberis:

    Just for clarification, How do you use "Client Specific Overrides" with AD?  Thought I had read somewhere that you had to use local database for CSO … Is this no longer true?

    Okay, that was wild guess. I have no experiences with OVPN server in combination with AD. I just use local database, cause we need a fistful users only.

    However, if you use TLS the second recommendation should work. It does a good job for me with local user db.


Log in to reply