Pfsense + squid/squidguard for captive portal with LDAP auth [title edited]
-
Hello (sorry for the bad English first!)
I turn to the forum as I've been looking in a lot of places but still am in trouble.
I set up pfSense in transparent mode, and it's working fine so far. I then just need to separate my filtering needs by using the Active Directory tree, as the users are domain members (basically I have 2 groups).
So far, I can't figure out which part I have to fill out in the pfSense GUI.
What parts need to be filled out, all of them? Sorry to bother you with trivial stuff, but well, I'm starting to waste too much time on this part. :(
- Services / Proxy Filter / General settings & Group ACLs
- Services / Proxy Server / Authentication
- System / User Manager / Servers tab
Thanks for the read, and best regards!
-
"transparent proxy" and "user" do not fit together.
If you want to implement profiling (meaning segregate per user), if I understand well, then you do have to switch to explicit proxy. Browser will never accept HTTP 407 when using transparent proxy. :P
-
Hi, sorry but I don't really "get" the answer… :-[ Is it a true limitation that could happen in special situations?
So far, I've worked out that the proxy server setting is not to be used in association with transparent mode (I know, RTFM, right?).
In System / User Manager / Servers tab, I've managed to browse through the AD, but I'm not sure how useful it is in the end....
-
What was perhaps not clear with my previous reply is that you can NOT, by design, set up both transparent proxy AND user authentication.
This is a limitation that will ALWAYS occur. If you do need profiling (which requires authentication) but don't want to configure proxy on each and every device, then you should implement WPAD ;) but get rid of this transparent proxy setting. Furthermore, transparent proxy will not handle HTTPS :P
-
Okay okay!! ;D
So transparent is a no-no with this stuff, that will go in my report :p Actually I've been reading on the WPAD stuff.. It will be the usual "manual proxy input" for the time being. :)
On the "profiling" part, I'm having trouble with error troubleshooting: I've worked on my WinXP VM and Srv2003 VM and I got the WinXP VM to authenticate in the Srv03 domain.
In pfSense, under Proxy Filter / Group ACLs, I've got 2 groups that I use for filtering with these options:
ldapusersearch ldap://ip:port/DC=XXXXXX?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=KIDS,OU=KIDS,OU=Users,OU=Admin,DC=XXXXXX))
Where in the logs or pfSense can I troubleshoot the Active Directory profiling? It doesn't work but the syntax seems OK, so the frustration is high. ;)
############ question 2 #############
Also, the logic behind ACLs starts to confuse me after days exploring this, just to make sure:
- Will group ACLs always be taken first, before the common ACL? The .conf file, to me, confirms this but I just wanna be sure, as the "Order" list in the Group ACL just isn't clear to me; what is its point? (bad English, I can feel it)^^
Thankies :)
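As an added troubleshooting aid (not code from the thread or from pfSense/squidGuard), the following parses an ldapusersearch URL like the one above, substitutes the user name into the %s placeholder with RFC 4515 escaping, and prints the equivalent OpenLDAP ldapsearch command so the AD query can be checked by hand before blaming squidGuard. The host, port and DN values are the thread's placeholders; the bind DN and user name are assumptions.

```python
import shlex

# Constructed sample, modelled on the ldapusersearch line in the thread (placeholders kept as-is).
SAMPLE_URL = ("ldap://ip:port/DC=XXXXXX?sAMAccountName?sub?"
              "(&(sAMAccountName=%s)(memberOf=CN=KIDS,OU=KIDS,OU=Users,OU=Admin,DC=XXXXXX))")

SCOPES = ("base", "one", "sub")


def parse_ldapusersearch(url):
    """Split an ldapusersearch URL (ldap://host:port/base?attr?scope?filter) into its fields."""
    if not url.startswith("ldap://"):
        raise ValueError("ldapusersearch must start with ldap://")
    hostport, _, path = url[len("ldap://"):].partition("/")
    host, _, port = hostport.partition(":")
    fields = path.split("?", 3)          # base, attr, scope, filter (later fields optional)
    fields += [""] * (4 - len(fields))
    base, attr, scope, flt = fields
    scope = scope or "base"              # RFC 4516 default when the scope is omitted
    if scope not in SCOPES:
        raise ValueError("scope must be one of %s, got %r" % (SCOPES, scope))
    if "%s" not in flt:
        raise ValueError("the filter needs a %s placeholder for the user name")
    return {"host": host, "port": port, "base": base,
            "attr": attr or "sAMAccountName", "scope": scope, "filter": flt}


def escape_filter_value(value):
    """RFC 4515 escaping so a user name cannot change the structure of the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_filter(parsed, username):
    """Substitute the authenticated user into the %s placeholder, escaped."""
    return parsed["filter"].replace("%s", escape_filter_value(username))


def ldapsearch_command(url, username, binddn):
    """Equivalent OpenLDAP ldapsearch command line for checking the query by hand."""
    p = parse_ldapusersearch(url)
    uri = "ldap://%s" % (p["host"] + (":" + p["port"] if p["port"] else ""))
    argv = ["ldapsearch", "-x", "-H", uri, "-D", binddn, "-W",
            "-b", p["base"], "-s", p["scope"], build_filter(p, username), p["attr"]]
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    # Assumed bind DN and user name; run the printed command against the real AD server.
    print(ldapsearch_command(SAMPLE_URL, "jdoe", "CN=squidguard,OU=Users,OU=Admin,DC=XXXXXX"))
```

An empty result set with a valid bind means the user is not a member of that group (or memberOf is not visible to the bind account); a bind error points at the credentials rather than at squidGuard.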
-
Where in the logs or pfSense can I troubleshoot the Active Directory profiling? It doesn't work but the syntax seems OK, so the frustration is high. ;)
You should perhaps start with AD, looking at the LDAP log in AD.
Also, the logic behind ACLs starts to confuse me after days exploring this, just to make sure:
- Will group ACLs always be taken first, before the common ACL? The .conf file, to me, confirms this but I just wanna be sure, as the "Order" list in the Group ACL just isn't clear to me; what is its point? (bad English, I can feel it)^^
"Access list rules are checked in the order they are written"
This said, as I'm not using Squid on pfSense, I don't know how what you may set through the pfSense GUI is transposed into access list rules, in terms of sequence.
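The ordering question above, illustrated with a hypothetical squidGuard.conf fragment (added here, not from the thread or from the config pfSense generates): squidGuard walks the acl block top to bottom and applies the first source group the request matches, so the AD-backed groups must come before default, which only catches users who matched none of them. The bind DN, password, group names and redirect URL are placeholders.

```conf
# Hypothetical squidGuard.conf fragment (added example; placeholders from the thread kept)
dbhome /var/db/squidGuard
logdir /var/log/squidGuard

# Bind account used for the ldapusersearch lookups (placeholder values)
ldapbinddn    CN=squidguard,OU=Users,OU=Admin,DC=XXXXXX
ldapbindpass  <bind-password-placeholder>
ldapcachetime 600

# Source groups resolved from AD group membership; %s is the user squid authenticated
src kids {
    ldapusersearch ldap://ip:port/DC=XXXXXX?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=KIDS,OU=KIDS,OU=Users,OU=Admin,DC=XXXXXX))
}
src staff {
    ldapusersearch ldap://ip:port/DC=XXXXXX?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=STAFF,OU=Users,OU=Admin,DC=XXXXXX))
}

dest adult {
    domainlist adult/domains
}

# Checked in the order written: the first matching src wins; default applies only if none match
acl {
    kids {
        pass !adult all
        redirect http://pfsense.example/blocked.html
    }
    staff {
        pass all
    }
    default {
        pass none
        redirect http://pfsense.example/blocked.html
    }
}
```

If a user belongs to both AD groups, the kids rules apply because that src is listed first; swapping the two entries changes the outcome, which is what the "Order" list in the Group ACL page controls.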
-
Always an option.
http://sourceforge.net/projects/squidtrust/files/SquidtrustIII/
(works great on pfSense.)
-
Just asking, but the LDAP debugging patch here says 2.1 only: https://doc.pfsense.org/index.php/LDAP_Troubleshooting.
Does anyone know if it's gonna work on v2.2.2, or should I not waste time trying it anyway?
-
It will work if you use Captive Portal integration on squid for pfSense 2.1. On 2.2 the pbi libs location is messing up the integration.
-
OK, thanks.
OK, so I'm running into a wall here.
I used tcpdump to log the packets, but I don't see anything going to the AD when squidGuard should (with the ldapusersearch option..).
A bit of research on this just pointed me towards this: http://serverfault.com/questions/538123/squidguard-ldap-active-directory-not-working, which indicates squidGuard should be compiled with the --with-ldap=yes option. Since I installed squidGuard using the pfSense package manager (1.4_7 pkg v.1.9.14), please tell me it should be OK with this version? :'(
Otherwise, when exactly is squidGuard sending data to the AD? (when logging on to the session, browsing the web?). I filter ports 389 and 3268 with tcpdump and only see data sent through 389 by pfSense... squidGuard seems to send nothing :(
-
squidGuard will only send data to Active Directory if squid is able to pass the authenticated users. If squid does not authenticate users using an active proxy (not transparent mode), squidGuard can't check anything.
-
All right, thanks!
So we've changed the project goal: pfSense filtering the LAN traffic to the WAN using a captive portal that authenticates against the Active Directory.
Any chance you could tell me if I understood correctly what needs to be done? :-\
** On captive portal setup, set up RADIUS auth with the client IP as 127.0.0.1 and install the freeradius package on pfSense.
** On freeradius package setup:
1/ set up the Interfaces tab with 127.0.0.1 as Interface IP Address
2/ LDAP tab: enable LDAP support and go through all the configuration
** On proxy server (squid) setup: use LDAP for authentication (not RADIUS)
** On proxy filter (squidGuard) setup: fill in the LDAP options and then the group list, etc….
Is that correct? Or do I also need to add the AD server in the Clients tab of the freeradius package, which would also require adding a RADIUS client on the Active Directory in Network Policy roles?
-
I just don't understand why adding captive portal in the picture will solve the problem you face :o
Goal description in your last post looks like a mix of goal and solution so I'm puzzled :-[ If the goal is to filter URL content (i.e. SquidGuard) with some profiling (i.e. per user or group), then you will need to enable explicit proxy (i.e. not transparent).
Stacking additional components like captive portal can obviously be done but it adds nothing to content filtering (even if you can, at captive portal level, authorize or deny URLs) IMHO
-
Hello!
Well, the goal is simply to filter web traffic with minimum fuss, so we'd rather not have to configure the web browser to add proxy settings, thus the captive portal choice (if transparent can't work…). Also the portal screen is much clearer than the proxy login window.
I also know that proxy login could end up being "transparent" using SSO: https://forum.pfsense.org/index.php?topic=58700.120 but reading the thread, I know it's gonna add a lot of time trying to make it work :) so let's save it for later.
Back to captive portal: so far, I got the LDAP authentication working with proxy logon, and AD group profiling also works.
When I switch to captive portal, there is no LDAP setting, just RADIUS, and after trying to install the freeradius package and setting it up, I got a freeradius error when trying to log on to the captive portal with an AD user, so that's why I was asking if the "procedure" was correct.
Best regards,
PS: I know that there is a section on captive portal in the forum, so I don't really know if I should create a new thread…
-
Well, the goal is simply to filter web traffic with minimum fuss, so we'd rather not have to configure the web browser to add proxy settings, thus the captive portal choice (if transparent can't work…). Also the portal screen is much clearer than the proxy login window.
Clearer (keeping in mind my above comments)
I also know that proxy login could end up being "transparent" using SSO: https://forum.pfsense.org/index.php?topic=58700.120 but reading the thread, I know it's gonna add a lot of time trying to make it work :) so let's save it for later.
To me this is misleading :-\ you mix up transparent (from proxy standpoint), which means that the browser is not aware that there is at least one proxy between browser and web server, with automatic authentication, which aims at automatically providing credentials when the browser receives HTTP 407 (which means explicit proxy).
Please keep in mind that there is NO authentication if proxy works in transparent mode. This doesn't exist, as far as I understand.
Back to captive portal: so far, I got the LDAP authentication working with proxy logon, and AD group profiling also works.
I'm totally puzzled with this :o I even don't understand what "proxy logon" means. Proxy authentication supposes that your browser received an HTTP 407 authentication request, which is not, as far as I understand, the way captive portal works.
Could you please elaborate a bit on this?
-
Hi,
I think there's just a misunderstanding on my words. :D
- I put transparent in quotes ("transparent") to mean that once SSO works, the user doesn't see the proxy logon window, so for him it's automatic and he doesn't have to suffer through logging in every time he opens up a browser.
- For proxy logon, well, it's the logon window in proxy mode, captive portal being disabled.
So I know that in proxy mode, squid and squidGuard now manage to work with the Active Directory.
After that, I enable the captive portal, and I have to revert the browser config to standard (by disabling the proxy settings).
This is where I'm puzzled on making captive portal work with the AD, since captive portal options only propose RADIUS settings (as well as local users, vouchers, no auth).
Thanks for reading and keeping up with me! ;D
-
- I put transparent in quotes ("transparent") to mean that once SSO works, the user doesn't see the proxy logon window, so for him it's automatic and he doesn't have to suffer through logging in every time he opens up a browser.
Clearer
- For proxy logon, well, it's the logon window in proxy mode, captive portal being disabled.
So I know that in proxy mode, squid and squidGuard now manage to work with the Active Directory.
Cool, so this works ;)
After that, I enable the captive portal, and I have to revert the browser config to standard (by disabling the proxy settings).
:o :o why? :o :o
If you disable use of proxy at browser level, you will not use it. Why such an idea (unless the goal is to use only the portal; in such a case, let's discuss this captive portal stuff in the right section and forget about proxy ;)
This is where I'm puzzled on making captive portal work with the AD, since captive portal options only propose RADIUS settings (as well as local users, vouchers, no auth).
The idea is to use RADIUS at captive portal level and to configure this RADIUS server to rely on AD for what concerns account management.
-
Hi,
I think there's just a misunderstanding on my words. :D
As told in my PM, we can also discuss this in French if it helps (PM) and then revert back here once solved to provide feedback to the community.
-