Firewall rules for OpenVPN users by LDAP security groups
-
Hi Guys,
We have an OpenVPN server configured with LDAP. We have got VPN access working with an AD VPN group. How do we get OpenVPN working with multiple AD groups?
What we are trying to do is restrict one AD group to only allow RDP over VPN and another group to have free rein over VPN.
Cheers
Vinny
-
Someone chime in if I am mistaken, but I do not think pfSense can deploy separate firewall rules based on what AD group or OU the user auths from. pfSense is a firewall only and not a UTM with a rack system like other products.
My suggestion: configure a second OpenVPN server that auths to a separate group/OU and limit the routes from that second server to the resources you want the users to connect to. You could also use firewall rules to log when people are trying to access things they shouldn't, but since there's no route to those other resources, the traffic would never get there anyway.
-
There isn't any mechanism for LDAP to give that info to pfSense.
It does work for OpenVPN logins using RADIUS, with the rules passed back in Cisco ACL style using an avpair reply attribute (search around, there are examples on the forum), but LDAP doesn't have a way to do that at this time.
You could set that up in NPS, most likely.
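To illustrate the RADIUS approach described in the reply above, here is an added example (not from the original thread, pfSense, or FreeRADIUS) of a FreeRADIUS `users` file that returns Cisco-AVPair ACL reply attributes keyed on AD group membership. The group DNs, the RDP host 10.0.10.25 and the 10.0.0.0/16 internal range are assumed placeholders, and it assumes rlm_ldap is already configured so that `LDAP-Group` can be used as a check item.

```text
# Constructed FreeRADIUS "users" example (hypothetical names/addresses).
# Entries are evaluated top to bottom; the first matching DEFAULT wins
# because Fall-Through defaults to no, so the most restricted group goes first.

# Restricted group: only RDP (TCP/3389) to one terminal server, nothing else.
# pfSense reads Cisco-AVPair values of the form ip:inacl#<n>=<permit|deny> ...
DEFAULT LDAP-Group == "CN=VPN-RDP-Only,OU=Groups,DC=example,DC=local", Auth-Type := LDAP
        Cisco-AVPair += "ip:inacl#1=permit tcp any host 10.0.10.25 eq 3389",
        Cisco-AVPair += "ip:inacl#2=deny ip any any"

# Unrestricted group: full access to the internal /16 over the tunnel.
DEFAULT LDAP-Group == "CN=VPN-Full,OU=Groups,DC=example,DC=local", Auth-Type := LDAP
        Cisco-AVPair += "ip:inacl#1=permit ip any 10.0.0.0 0.0.255.255"

# Users in neither group are rejected rather than admitted with no ACL.
DEFAULT Auth-Type := Reject
        Reply-Message = "Not a member of an authorised VPN group"
```

Point the pfSense OpenVPN server's authentication backend at this RADIUS server rather than at LDAP directly; the per-group ACLs are then applied per client session, which is the behaviour the original poster was asking for.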