A.D and users permissions
-
Hi ! I have a question . I have installed PFSense 2.1.5 and use OpenVPN for remote connections of mobile clients. OpenVPN is integrated into A.D. via LDAP so I use it to set there (in the AD ) users. What I want is to set up access permissions to certain networks to specific users ( AD users ) that connect to the vpn , ie allow jgomez can only access the network 192.168.10.0/24 , or amartinez access to a single host on another network , etc. Beyond FW rules to set i need access permissions of users, this can be done ? Client Specific Override is not what i want… i guess!!
Best regards!!
-
Hi!
pfSense has no ability to handle user based firewall rules. So Client Specific Overrides would be a way to get what you want:
http://fastinetserver.wordpress.com/2013/03/09/pfsense-openvpn-static-ip-for-clients/If your OpenVPN server use SSL/TLS you can also get it if you set up one server and one CA for each security group.
If you don't want that set the permission in the A.D.
-
Just for clarification, How do you use "Client Specific Overrides" with AD? Thought I had read somewhere that you had to use local database for CSO … Is this no longer true?
-
Right pberis!! I can't!! Because is not possible to give permissions to A.D. specific users with "Client Specific Overrides"!! In Spanish PFSense forum advised me to use Free Radius + AD but I think it's too much for me, i can't do it… I have not enough time to investigate about it :'(
Thank you!! -
Just for clarification, How do you use "Client Specific Overrides" with AD? Thought I had read somewhere that you had to use local database for CSO … Is this no longer true?
Okay, that was wild guess. I have no experiences with OVPN server in combination with AD. I just use local database, cause we need a fistful users only.
However, if you use TLS the second recommendation should work. It does a good job for me with local user db.