External User Authentication Examples¶

There are countless ways to configure the user manager to connect to an external RADIUS or LDAP server, but there are some common methods that can be helpful to use as a guide. The following are all tested/working examples, but the server setup will likely vary from the example.

RADIUS Server Example¶

This example was made against FreeRADIUS but doing the same for Windows Server would be identical. See Authenticating from Active Directory using RADIUS/NPS for info on setting up a Windows Server for RADIUS.

This assumes the RADIUS server has already been configured to accept queries from this firewall as a client with a shared secret.

Descriptive Name:: ExCoRADIUS
Type:: Radius
Hostname or IP Address:: 192.2.0.5
Shared Secret:: secretsecret
Services Offered:: Authentication and Accounting
Authentication Port:: 1812
Accounting Port:: 1813
Authentication Timeout:: 10

OpenLDAP Example¶

In this example, the firewall is connecting back to an OpenLDAP server for the company.

Descriptive Name:: ExCoLDAP
Type:: LDAP
Hostname or IP Address:: ldap.example.com
Port:: 636
Transport:: SSL - Encrypted
Peer Certificate Authority:: ExCo CA
Protocol Version:: 3
Search Scope:: Entire Subtree , dc=pfsense,dc=org
Authentication Containers:: CN=pfsgroup;ou=people,dc=pfsense,dc=org
Bind Credentials:: Anonymous binds Checked
Initial Template:: OpenLDAP
User Naming Attribute:: cn
Group Naming Attribute:: cn
Group Member Attribute:: memberUid
RFC2307 Groups:: Checked
Group Object Class:: posixGroup
UTF8 Encode:: Checked
Username Alterations:: Unchecked

Active Directory LDAP Example¶

In this example, the firewall connects to an Active Directory structure in order to authenticate users for a VPN. The results are restricted to the VPNUsers group. Omit the Extended Query to accept any user.

Descriptive Name:: ExCoADVPN
Type:: LDAP
Hostname or IP Address:: 192.0.2.230
Port:: 389
Transport:: TCP - Standard
Protocol Version:: 3
Search Scope:: Entire Subtree , DC=domain,DC=local
Authentication Containers:: CN=Users,DC=domain,DC=local
Extended Query:: memberOf=CN=VPNUsers,CN=Users,DC=example,DC=com
Bind Credentials:: Anonymous binds Unchecked
User DN:: CN=binduser,CN=Users,DC=domain,DC=local
Password:: secretsecret
Initial Template:: Microsoft AD
User Naming Attribute:: samAccountName
Group Naming Attribute:: cn
Group Member Attribute:: memberOf

This example uses plain TCP, but if the Certificate Authority for the AD structure is imported under the Certificate Manager, the connection can also use SSL as well by selecting that option and choosing the appropriate CA from the Peer Certificate Authority drop down, and setting the Hostname to the match the server certificate.