External User Authentication Examples

There are countless ways to configure the user manager to connect to an external RADIUS or LDAP server, but there are some common methods that can be helpful to use as a guide. The following are all tested/working examples, but the server setup will likely vary from the example.

RADIUS Server Example

This example was made against FreeRADIUS but doing the same for Windows Server would be identical. See Authenticating from Active Directory using RADIUS/NPS for info on setting up a Windows Server for RADIUS.

This assumes the RADIUS server has already been configured to accept queries from this firewall as a client with a shared secret.

Descriptive Name: ExCoRADIUS
Type: Radius
Hostname or IP Address: 192.2.0.5
Shared Secret: secretsecret
Services Offered: Authentication and Accounting
Authentication Port: 1812
Accounting Port: 1813
Authentication Timeout: 10

OpenLDAP Example

In this example, the firewall is connecting back to an OpenLDAP server for the company.

Descriptive Name: ExCoLDAP
Type: LDAP
Hostname or IP Address: ldap.example.com
Port: 636
Transport: SSL - Encrypted
Peer Certificate Authority: ExCo CA
Protocol Version: 3
Search Scope: Entire Subtree, dc=pfsense,dc=org
Authentication Containers: CN=pfsgroup;ou=people,dc=pfsense,dc=org
Bind Credentials: Anonymous binds checked
Initial Template: OpenLDAP
User Naming Attribute: cn
Group Naming Attribute: cn
Group Member Attribute: memberUid
RFC2307 Groups: Checked
Group Object Class: posixGroup
UTF8 Encode: Checked
Username Alterations: Unchecked

Active Directory LDAP Example

In this example, the firewall connects to an Active Directory structure to authenticate users for a VPN. The Extended Query restricts the results to members of the VPNUsers group; omit the Extended Query to accept any user found in the Authentication Containers.

Descriptive Name: ExCoADVPN
Type: LDAP
Hostname or IP Address: 192.0.2.230
Port: 389
Transport: TCP - Standard
Protocol Version: 3
Search Scope: Entire Subtree, DC=domain,DC=local
Authentication Containers: CN=Users,DC=domain,DC=local
Extended Query: memberOf=CN=VPNUsers,CN=Users,DC=example,DC=com
Bind Credentials: Anonymous binds unchecked
User DN: CN=binduser,CN=Users,DC=domain,DC=local
Password: secretsecret
Initial Template: Microsoft AD
User Naming Attribute: samAccountName
Group Naming Attribute: cn
Group Member Attribute: memberOf

This example uses plain TCP. If the Certificate Authority for the AD structure is imported under the Certificate Manager, the connection can instead use SSL: select that Transport, choose the appropriate CA from the Peer Certificate Authority drop-down, and set the Hostname to match the server certificate, since the certificate is validated against the name used to connect.
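To make the LDAP examples concrete, the following added example (not pfSense's own code) models how the Authentication Containers, User Naming Attribute and Extended Query fields combine into the LDAP search that is sent, and escapes the submitted username per RFC 4515 so that it cannot change the meaning of the filter. The exact filter pfSense constructs and the username "jdoe" are assumptions; the field values are taken from the two LDAP examples above.

```python
# Added example (not pfSense code): models how the LDAP fields above turn into
# an LDAP search, and escapes the username so it cannot alter the filter.
# The exact filter pfSense builds is an assumption; the field values are the
# page's Active Directory and OpenLDAP examples.

ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside an LDAP search filter."""
    return "".join(ESCAPE.get(ch, ch) for ch in value)


def build_user_searches(cfg: dict, username: str) -> list:
    """One (base, scope, filter) search per Authentication Container.

    Containers are ';'-separated (as in the OpenLDAP example), and the
    Extended Query, when set, is AND-ed with the user-naming-attribute match
    so that only members of the named group can authenticate.
    """
    user_clause = f"({cfg['user_attr']}={escape_filter_value(username)})"
    ext = cfg.get("extended_query")
    ldap_filter = f"(&{user_clause}({ext}))" if ext else user_clause
    return [
        {"base": c.strip(), "scope": cfg["scope"], "filter": ldap_filter}
        for c in cfg["containers"].split(";")
        if c.strip()
    ]


# Field values from the Active Directory example above.
AD_VPN = {
    "containers": "CN=Users,DC=domain,DC=local",
    "scope": "subtree",
    "user_attr": "samAccountName",
    "extended_query": "memberOf=CN=VPNUsers,CN=Users,DC=example,DC=com",
}

# Field values from the OpenLDAP example above (no Extended Query).
OPENLDAP = {
    "containers": "CN=pfsgroup;ou=people,dc=pfsense,dc=org",
    "scope": "subtree",
    "user_attr": "cn",
}

if __name__ == "__main__":
    # "jdoe" is a constructed placeholder username, not from the page.
    for search in build_user_searches(AD_VPN, "jdoe"):
        print(search)
```

Running the same search with `ldapsearch` against the bind user's credentials is a quick way to confirm that the container, scope and Extended Query return the expected user before enabling the server in the User Manager.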