External User Authentication Examples
There are countless ways to configure the user manager to connect to an external RADIUS or LDAP server, but there are some common methods that can be helpful to use as a guide. The following are all tested/working examples, but the server setup will likely vary from the example.
RADIUS Server Example
This example was made against FreeRADIUS, but the settings for a Windows Server RADIUS/NPS server would be identical. See Authenticating from Active Directory using RADIUS/NPS for info on setting up a Windows Server for RADIUS.
This assumes the RADIUS server has already been configured to accept queries from this firewall as a client with a shared secret.
- Descriptive Name: ExCoRADIUS
- Type: Radius
- Hostname or IP Address: 192.2.0.5
- Shared Secret: secretsecret
- Services Offered: Authentication and Accounting
- Authentication Port: 1812
- Accounting Port: 1813
- Authentication Timeout: 10
OpenLDAP Example
In this example, the firewall is connecting back to an OpenLDAP server for the company.
- Descriptive Name: ExCoLDAP
- Type: LDAP
- Hostname or IP Address: ldap.example.com
- Port: 636
- Transport: SSL - Encrypted
- Peer Certificate Authority: ExCo CA
- Protocol Version: 3
- Search Scope: Entire Subtree, Base DN dc=pfsense,dc=org
- Authentication Containers: CN=pfsgroup;ou=people,dc=pfsense,dc=org
- Bind Credentials: Anonymous binds checked
- Initial Template: OpenLDAP
- User Naming Attribute: cn
- Group Naming Attribute: cn
- Group Member Attribute: memberUid
- RFC2307 Groups: Checked
- Group Object Class: posixGroup
- UTF8 Encode: Checked
- Username Alterations: Unchecked
Active Directory LDAP Example
In this example, the firewall connects to an Active Directory structure in order to authenticate users for a VPN. The results are restricted to the VPNUsers group. Omit the Extended Query to accept any user.
- Descriptive Name: ExCoADVPN
- Type: LDAP
- Hostname or IP Address: 192.0.2.230
- Port: 389
- Transport: TCP - Standard
- Protocol Version: 3
- Search Scope: Entire Subtree, Base DN DC=domain,DC=local
- Authentication Containers: CN=Users,DC=domain,DC=local
- Extended Query: memberOf=CN=VPNUsers,CN=Users,DC=example,DC=com
- Bind Credentials: Anonymous binds unchecked
- User DN: CN=binduser,CN=Users,DC=domain,DC=local
- Password: secretsecret
- Initial Template: Microsoft AD
- User Naming Attribute: samAccountName
- Group Naming Attribute: cn
- Group Member Attribute: memberOf
This example uses plain TCP. If the Certificate Authority for the AD structure is imported under the Certificate Manager, the connection can also use SSL: select that Transport, choose the appropriate CA from the Peer Certificate Authority drop-down, and set the Hostname to match the name on the server certificate.
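As an added illustration (not pfSense's own code), the user lookup that the OpenLDAP and Active Directory settings above describe, modelled in Python: each Authentication Container is searched at the configured scope for an entry whose User Naming Attribute equals the login name, ANDed with the Extended Query when one is set. The exact filter pfSense builds is an assumption; the point the model makes is that the login name must be escaped per RFC 4515 so a wildcard or parenthesis typed into it cannot widen the search.

```python
"""Model of the LDAP user lookup implied by the User Manager settings.

Assumption (not pfSense code): one search per Authentication Container,
filter = (UserNamingAttribute=<escaped login>) AND (Extended Query).
"""
from dataclasses import dataclass

# Characters with special meaning inside an LDAP filter value (RFC 4515 s.3).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a login name so it is matched literally, never as filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


@dataclass
class LdapServer:
    user_attr: str                 # User Naming Attribute (cn, samAccountName, ...)
    containers: str                # Authentication Containers, ';' separated
    scope: str = "SUBTREE"         # "Entire Subtree" in the UI
    extended_query: str = ""       # optional extra clause, e.g. memberOf=...

    def bases(self) -> list[str]:
        """Split the semicolon-separated container list into search bases."""
        return [c.strip() for c in self.containers.split(";") if c.strip()]

    def user_filter(self, username: str) -> str:
        """Filter for one login: the naming attribute, ANDed with the extended query."""
        clause = f"({self.user_attr}={escape_filter_value(username)})"
        if not self.extended_query:
            return clause
        query = self.extended_query
        if not query.startswith("("):
            query = f"({query})"          # allow the bare form shown in the UI
        return f"(&{clause}{query})"

    def searches(self, username: str) -> list[tuple[str, str, str]]:
        """(base DN, scope, filter) for every container, in UI order."""
        return [(base, self.scope, self.user_filter(username)) for base in self.bases()]


# Settings copied from the Active Directory example above.
AD_VPN = LdapServer(
    user_attr="samAccountName",
    containers="CN=Users,DC=domain,DC=local",
    extended_query="memberOf=CN=VPNUsers,CN=Users,DC=example,DC=com",
)
# Settings copied from the OpenLDAP example above (two containers).
OPENLDAP = LdapServer(user_attr="cn", containers="CN=pfsgroup;ou=people,dc=pfsense,dc=org")
```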