Netgate Discussion Forum

Block AD users to connect through OpenVPN

9 Posts 3 Posters 1.1k Views
    mzambretti
    last edited by Sep 1, 2015, 11:17 AM

    Good morning.
    I have client-to-site connections for users who work outside the main office, authenticating against our Active Directory server.
    My question is: is it possible to block in-office users from connecting from their house in pfSense?
    I can't block the user in AD because he uses his user to work during the day. But the same user is connecting from his house to keep working at night.
    Is it possible?
    Or what are the best practices you guys are using?
    Thanks a lot.

      doktornotor Banned
      last edited by Sep 1, 2015, 11:39 AM

      How's this related to pfSense? Google "Logon Hours", perhaps? Plus, if you do NOT want them to connect via OpenVPN, why are you setting them up there at all?

        mzambretti
        last edited by Sep 1, 2015, 11:47 AM

        This guy works in IT support and has access to the client installation package!
        It is related to pfSense because we use pfSense with OpenVPN.

          johnpoz LAYER 8 Global Moderator
          last edited by Sep 1, 2015, 12:39 PM

          Huh? So you're saying they have to use OpenVPN during the day but not during the night?

          If you don't want users using openvpn, then don't give them an account in openvpn..

          Not understanding.. you give your users access to openvpn.. But don't want them working after hours?  Normally companies would be happy that users are working on their own time..  Confused..

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

            mzambretti
            last edited by Sep 1, 2015, 2:31 PM

            I'll try to be as clear as possible…

            I have pfSense + OpenVPN + Authentication with Active Directory. This situation is ok!

            Sales users = They need to access the office from outside, independent of hour or day. This situation is ok!

            IT Support user = He doesn't need to use the VPN either inside or outside the office, but, since he has access to the OpenVPN installation package, he copied and installed the package on his own notebook and he is connecting from his house. This situation isn't ok!

            I would like to block him from connecting from outside, but I don't know how!
            I can disable his user in Active Directory, but that way he couldn't work and log in at the office.

              doktornotor Banned
              last edited by Sep 1, 2015, 2:41 PM Sep 1, 2015, 2:37 PM

              Uh… So, why don't you remove him from the group allowed for OpenVPN? (On a side note - IT support doesn't need VPN? Hmmm... sounds like you are doing something wrong.)

                johnpoz LAYER 8 Global Moderator
                last edited by Sep 1, 2015, 3:07 PM

                ^ Exactly. Are you pointing the OpenVPN AD integration to domain users or something? Why would you not point to a group in AD that has AD access? If not in this group, then no OpenVPN even if they have it.

                But I agree why would IT support not need vpn??  These are the people that normally would MOST need it!!!

                  mzambretti
                  last edited by Sep 1, 2015, 3:16 PM

                  They don't need VPN because they don't work outside the office's network!
                  I don't know how to manage permissions by group or user either! Today, every user from Active Directory can authenticate themselves with OpenVPN installed on their notebook.
                  Because of this I'm asking for your help. I'm not familiar with pfSense, nor am I a security analyst. Did you guys understand me?
                  Thanks

                    doktornotor Banned
                    last edited by Sep 1, 2015, 3:26 PM

                    Amazingly, reading the docs helps…

                    https://doc.pfsense.org/index.php/OpenVPN_with_RADIUS_via_Active_Directory#On_the_Active_Directory_domain_controller
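
As an added example (not part of any post in this thread, and not pfSense or OpenVPN code), this Python model compares the access decision described in the thread, where any valid AD login is accepted, with the group-gated check the replies recommend, including nested groups and a group loop. The group name `VPN-Users`, the `example.local` DNs and the accounts are constructed assumptions.

```python
# Added illustration: every DN, group and account below is constructed.
G = "OU=Groups,DC=example,DC=local"
VPN_GROUP = "CN=VPN-Users," + G  # hypothetical group that grants VPN access

# Constructed directory: DN -> groups it is a direct member of (memberOf).
# AD does not list the primary group (normally Domain Users) in memberOf.
DIRECTORY = {
    "CN=Sales Rep,OU=Staff,DC=example,DC=local": ["CN=Sales," + G],
    "CN=IT Support,OU=Staff,DC=example,DC=local": ["CN=Helpdesk," + G],
    "CN=Sales," + G: ["cn=vpn-users,ou=groups,dc=example,dc=local"],  # nested
    "CN=Helpdesk," + G: ["CN=IT Dept," + G],
    "CN=IT Dept," + G: ["CN=Helpdesk," + G],  # deliberate group loop
    VPN_GROUP: [],
}

def norm(dn):
    """DNs compare case-insensitively (simplified: no escaped commas handled)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

_INDEX = {norm(dn): [norm(g) for g in gs] for dn, gs in DIRECTORY.items()}

def in_group(user_dn, group_dn):
    """Transitive membership: follow memberOf links, skipping visited DNs."""
    target, seen, stack = norm(group_dn), set(), [norm(user_dn)]
    while stack:
        dn = stack.pop()
        if dn in seen:
            continue
        seen.add(dn)
        for g in _INDEX.get(dn, []):
            if g == target:
                return True
            stack.append(g)
    return False

def allow_auth_only(user_dn, password_ok):
    """Setup described in the thread: any valid AD login gets a tunnel."""
    return password_ok and norm(user_dn) in _INDEX

def allow_group_gated(user_dn, password_ok, group_dn=VPN_GROUP):
    """Recommended setup: valid login AND membership in the VPN group."""
    return password_ok and in_group(user_dn, group_dn)

def audit(group_dn=VPN_GROUP):
    """Staff accounts that can authenticate but are outside the VPN group."""
    staff = [dn for dn in DIRECTORY if "ou=staff" in norm(dn)]
    return sorted(dn for dn in staff
                  if allow_auth_only(dn, True) and not allow_group_gated(dn, True, group_dn))
```

Running `audit()` before switching to the group-gated setup shows which accounts would lose VPN access, so legitimate remote users can be added to the group first.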
