Cart

    Sorry, we could not find any results for your search querry.

    Managing pfSense users through an Active Directory

    pfSense firewalls are widely used for Windows networks: traffic to/from Windows servers goes through the pfSense firewall and thus the Windows Servers in the network cannot be directly attacked by malicious parties.

    Windows networks usually use an Active Directory to determine, among other things, which users and groups have rights to certain resources within a Windows network, for example to shared network folders.

    pfSense has built-in tools to also manage the users you manage your pfSense firewall with via an Active Directory. In this guide we show you how to do that.

    This tutorial requires at minimum a private network that includes a Windows Server configured as an Active Directory Domain Controller and a pfSense firewall.


     

    Step 1

    Connect to your Domain Controller (DC) via Remote Desktop or the VPS console.

    Windows uses the LDAP protocol to communicate with a Domain Controller. This protocol can be abused in (D)DoS attacks. We therefore monitor our network for publicly accessible LDAP servers and block the LDAP port if necessary.

    If you have already secured the LDAP port (UDP) on your DC so that only servers on your private network can connect to it, skip to step 5.


     

    Step 2

    Click the start button and use the search term 'Firewall'. Alternatively, you can also find the firewall in the Server Manager under 'Tools'. In the search results, click 'Windows Firewall with Advanced Security'.

    windows search for firewall


     

    Step 3

    Click 'Inbound Rules'. Most likely you already have two LDAP rules in this overview called 'Active Directory Domain Controller - LDAP' for TCP-In and UDP-In, or you have already created your own LDAP rule.

    Now double click the LDAP rule for UDP traffic.

    windows firewall ldap udp in


     

    Step 4

    First check in the 'General' tab that the option 'Allow the connection' is selected.

    windows firewall ldap udp in general allow

    Then click the 'Scope' tab and then under 'Remote IP address' click 'Add'.

    windows firewall ldap udp in scope remote

    Enter the subnet (your IP range) that you use for your private network (see this manual), for example 192.169.0.0/24 and click 'OK'.

    windows firewall rule add ip address

    Click 'Apply' and 'OK' to apply the changes and close the window.


    Step 5

    We then create the necessary users and groups in the Active Directory.

    Click the Windows Start button, type 'Active Directory Users and Computers' and click the result.

    windows start search active directory users computers


     

    Step 6

    Click the name of your domain and then click 'Users'.

    windows aduc domain users


     

    Step 7

    In the list of users, right-click an empty space and select 'New' > 'User', or use the shortcut icon at the top of the window.

    windows aduc new user


     

    Step 8

    Enter the name 'admin' as the first and user name and click 'Next'. Admin is the username we use for the pfSense web interface.

    windows aduc new user admin


     

    Step 9

    Enter a password and click 'Next'.

    windows aduc new user admin password


     

    Step 10

    Click 'Finish' to close the wizard. Now repeat steps 7 to 10 and create another user, for example with the name 'pfldap'. We use this account for communication with the Active Directory database (in pfSense this is the Bind user).

    windows aduc new user admin finish


     

    Step 11

    Next, we create a new group whose members have administrative rights on the pfSense web interface.

    In the list of users, right-click an empty spot and select 'New' > 'Group', or use the shortcut icon at the top of the window to create a new group.

    windows aduc new group


     

    Step 12

    Give the group a name, for example 'pfsense', and click 'OK'.

    windows aduc new group pfsense


     

    Step 13

    In the ADUC tool, double click the group name 'pfsense' and click the 'Members' tab and then 'Add'.

    windows aduc pfsense members

    Search for the name 'Admin'. You will see a screen with the message that multiple results have been found (Admin and Administrator). Select 'Admin' and click 'OK' twice.

    windows aduc search user admin

    You are now back in the pfsense Properties screen. Click 'Apply' > 'OK' to apply the changes and close the window.


     

    Step 14

    Now log in to the pfSense web interface as admin and click 'System' > 'User Mamager' in the top menu.

    pfsense system user manager


     

    Step 15

    Click the 'Authentication Servers' tab and then 'Add'.

    pfsense authentication servers add


     

    Step 16

    Fill in the form as in the example below and use your own details for the following points:

    • Hostname or IP address: The IP address or subdomain name of your Domain Controller.
       
    • Base DN: The domain name of your Windows domain, as you set it up in step 13 of our Active Directory tutorial. You divide the domain name by placing DC=  in front of each part. For example, for the domain transip.local, this becomes DC=transip,DC=local (no spaces!).
       
    • Authentication Containers: The name of the folder in your active directory where you add users and groups with the suffix CN= (always 'CN=Users') in combination with your Base DN (see previous point), for example CN=Users,DC =transip,DC=local
       
    • Bind credentials: The suffix CN= with the name of the Bind user from step 10 of this guide, along with the Authentication Containers, for example CN=pfldap,CN=Users,DC=transip,DC=local

    pfsense authentications ervers edit


     

    Step 17

    Now click the 'Groups' tab in the User Manager and then click 'Add'.

    pfsense user manager groups add


     

    Step 18

    Enter a group name, for example 'pfsense' or 'pfsense-admins', set the scope to 'remote', give the group a description and make the user 'Admin' a member of this group. Then click 'Save'.

    pfsense user manager edit groups


     

    Step 19

    An important option is missing when creating the group, but can be modified afterwards. Click the pencil next to the name of your new group to edit it.

    pfsense user manager groups action edit


     

    Step 20

    As you can see, no privileges have been assigned to the group yet. Click 'Add' to add a privilege.

    pfsense user manager groups edit add

    Select the option 'WebCfg - All Pages' as a privilege to give members of this group admin rights and click 'Save' at the bottom.

    pfsense user manager groups edit privileges


     

    Step 21

    Time for a quick test: Click 'Diagnostiscs' in the top menu and select the 'Authentication' option.

    pfsense diagnostiscs authentication

    Select the name you used in step 16 as 'Authentication Server' and as username and select the admin username and password you added in your Active Directory in steps 7 to 10 as password. Then click 'Test'. If everything went well, you will see the message in the screenshot below. It is true that you will not see groups of which the user is a member here.

    pfsense diagnostics authentication test


     

    Step 22

    Go back to the User Manager (under System) and this time click 'Settings'. Change the 'Authentication Server' to the server you set up in step 16 and click 'Save'.

    pfsense user manager settings active directory save

    Surprise! You don't have to log in again now, but the next time you log in to the pfSense web interface, use the user Admin and the corresponding password as you have set it in your Active Directory.


     

    This brings us to the end of this tutorial on how to manage pfSense users in an Active Directory.

     

    Need help?

    Receive personal support from our supporters

    Contact us