Discussion:
To integrate AD users to specific rule groups
Isamar Maia
2011-07-30 11:15:08 UTC
Hi Folks,

Is there any way with pfSense to integrate AD-authenticated users with rule
groups?

I mean, we wish to:

1) Integrate the Captive portal functionality to authenticate users to the
Windows AD server
2) Attach specific users to specific firewall and Squid filtering rules.
Like: HR department users
can access only HR related sites, etc.

Is that currently possible?
--
Isamar Maia
Cel. VIVO SSA: (55) 71-9146-8575
Cel. TIM SSA: (55) 71-9185-5264
Fixo: (55) 71-4062-8688
日本: +81-(0)3-4550-1212
Skype ID: isamar.maia
Chris Clark
2011-07-30 13:10:48 UTC
Isamar,
The captive portal in m0n0wall/pfSense isn’t capable of direct LDAP queries, unless something has changed recently. However, it is capable of RADIUS authentication. Since you have an Active Directory environment, it’s a trivial matter to set up IAS (2003) or NPS (2008) to handle RADIUS requests on one of your domain controllers.

I’m not aware of a method to accomplish item two.

Chris

Isamar Maia
2011-07-30 13:17:06 UTC
Ok. Great. Thanks for the tip, dude.

Does anyone know a workaround for item 2?

Thanks,

Isamar
Vaughn L. Reid III
2011-07-31 01:45:06 UTC
The Squid Package for PFSense looks like it will authenticate to a local
database, Radius, LDAP, or NT Domain. There are also some ACL
capabilities in the SquidGuard package. I'm not aware of any way to
configure firewall rules on PFSense that communicate with an
authentication back-end.
Yehuda Katz
2011-07-31 02:49:35 UTC
Squid will usually authenticate as the user logged in to the computer, not
as an arbitrary user.
This works very well in a school or office environment where each user can
be expected to log into Active Directory (and therefore their username will
match in Squid). This does not work so well in a bring-your-own-equipment
situation or where users share a computer/domain login and authenticate with
the captive portal.
We are currently working on a Squid extension that will allow for a web form
to change the filtering level, but unfortunately I do not have a time
frame for when it will be ready.

- Y
Younes EL AMRAOUI
2011-07-31 11:24:45 UTC
Hi,

I have done the same thing that you are searching for, by using
Samba (nmbd, smbd, winbindd), Squid and Kerberos5. I used NTLM authentication
because it's more secure than the others like NT Domain (plain text
password captured with Wireshark ;) ). NTLM is not provided with Squid/pfSense
but you can patch Squid to use it (what I have done). Another thing is to
create a precompiled package of Samba that contains ADS support to connect
to the Active Directory and install it on your pfSense. I don't see the need
of the Captive Portal because in my case the authentication into the AD
is done by opening the Windows session if this session is in the AD, to
surf the internet too ;).

Hope this will help ;)
--
Younes EL AMRAOUI

Engineering Student at ESIREM.
Computer Science Engineering School.

Dijon, FRANCE.
Fuchs, Martin
2011-07-31 20:34:52 UTC
Hi !
Which version did you build and which patch did you use ?
Sounds interesting ;-)

Regards,
Martin

Sent while on the road ...

Isamar Maia
2011-07-31 20:52:00 UTC
Younes,

This solves the authentication part and I have seen that working in a
GNU/Linux environment.

What about connecting the firewall and SquidGuard rules to the authenticated
users ?
Any idea?

Isamar
Younes EL AMRAOUI
2011-07-31 22:52:40 UTC
Hi
To Martin: I built Samba31 or 32, I don't remember; the thing is to create a
FreeBSD virtual machine to compile ports, you search for the last version of
Samba and you try to create a precompiled package (make config; make; make
package (you can see the depends: make package-depends)).
If you want the correct version of Samba send me an email tomorrow
because I'm at home now.

To Isamar: I don't know what you mean by connecting the firewall to users; for
SquidGuard (proxy firewall), yes, you can connect its rules to the
authenticated users without any problems. It's very simple: first you
have to see the authenticated users by name in the access.log of Squid,
then you go to the next stage and set up your SquidGuard, like this it will
recognize users (not with IPs but with names).

Hope this helps both of you. Excuse my English, and good luck.
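The two-stage check described above (first confirm that Squid's access.log carries usernames, then build SquidGuard groups from those names) as an added example; this is not code from the thread, from pfSense, Squid or squidGuard. It parses Squid's native access.log format, flags requests that were served with no username at all (the case where proxy authentication is not actually being enforced), and drafts squidGuard `src` blocks per department. The log lines, department mapping and group names are constructed for the example.

```python
"""Audit a Squid access.log for authenticated usernames and draft squidGuard
'src' groups from them.  Added example; sample log lines and the department
mapping are constructed, not taken from a real deployment."""
from collections import defaultdict
from urllib.parse import unquote

# Constructed lines in Squid's native access.log format (whitespace-separated):
#   time elapsed client action/code size method url ident hierarchy/from type
# The 'ident' field carries the proxy user, or '-' when there is none.
SAMPLE_LOG = """\
1312110000.123    120 10.0.1.20 TCP_MISS/200 5123 GET http://intranet.example/hr/ CORP%5Cajones DIRECT/10.0.2.5 text/html
1312110001.456     90 10.0.1.21 TCP_MISS/200 2048 GET http://www.example.org/ CORP\\bsmith DIRECT/93.184.216.34 text/html
1312110002.789      5 10.0.1.22 TCP_DENIED/407 1700 GET http://www.example.org/ - NONE/- text/html
1312110003.000     70 10.0.1.23 TCP_MISS/200 900 GET http://news.example.net/ - DIRECT/203.0.113.9 text/html
"""


def parse_access_log(text):
    """Return one dict per well-formed native-format log line."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 10:
            continue  # truncated or foreign line: skip rather than guess
        action, _, code = fields[3].partition("/")
        entries.append({
            "client": fields[2],
            "action": action,
            "status": int(code) if code.isdigit() else 0,
            "url": fields[6],
            # Squid may percent-encode the user (e.g. %5C for the backslash
            # in DOMAIN\user); decode so both spellings compare equal.
            "user": None if fields[7] == "-" else unquote(fields[7]),
        })
    return entries


def audit(entries):
    """Split entries into the set of users seen and the requests that were
    served without any username.  A 407 with no user is the normal NTLM
    challenge round-trip, so it is not counted as a gap."""
    users = set()
    anonymous_served = []
    for e in entries:
        if e["user"]:
            users.add(e["user"])
        elif e["status"] not in (401, 403, 407):
            anonymous_served.append(e)
    return users, anonymous_served


def squidguard_src_blocks(users, department_of):
    """Draft squidGuard 'src' groups keyed by department.  Usernames are
    written exactly as logged, because the ident field is what Squid hands
    to a redirector such as squidGuard; users with no mapping land in a
    constructed 'unassigned' group so nothing is silently dropped."""
    groups = defaultdict(list)
    for u in sorted(users):
        groups[department_of.get(u, "unassigned")].append(u)
    blocks = []
    for dept, members in sorted(groups.items()):
        lines = [f"src {dept} {{"] + [f"    user {m}" for m in members] + ["}"]
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks)


if __name__ == "__main__":
    entries = parse_access_log(SAMPLE_LOG)
    users, gaps = audit(entries)
    print("authenticated users:", sorted(users))
    for e in gaps:
        print(f"WARNING: {e['client']} fetched {e['url']} with no username")
    # Constructed mapping: only ajones is known to belong to HR.
    print(squidguard_src_blocks(users, {"CORP\\ajones": "hr"}))
```

The warning line is the useful part of the check: a 200 with `-` in the ident field means a request went out without the proxy ever learning who sent it, which is exactly what happens when an `http_access allow` rule (such as the `allow localhost` line mentioned later in this thread) or an authentication-exempt subnet sits before the `proxy_auth` ACL. Any squidGuard rule keyed on usernames cannot apply to such requests.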
Younes EL AMRAOUI
2011-07-31 22:54:54 UTC
Yes, and for the patch, you put the NTLM auth lines in the squid.inc just
after this line " ..... allow localhost" and don't forget to comment it; if
not, you cannot use NTLM.
--
Younes EL AMRAOUI

Engineering Student at ESIREM.
Computer Science Engineering School.
+33629153757
Dijon, FRANCE.
Younes EL AMRAOUI
2011-08-01 06:33:58 UTC
The version is Samba35

Fuchs, Martin
2011-08-01 06:58:41 UTC
Hi !

Hmmm, any chance to get this working without installing samba on the firewall-system ?
And which squid-version did you use ? the package-provided or 3.x ?

Regards,

Martin

Younes EL AMRAOUI
2011-08-01 07:11:47 UTC
Hi
No, you can't make it work without installing Samba on pfSense (terminal); you
need to connect to the AD and add your machine to it, to retrieve the users.
Squid 2.7.9_4.1 provided with pfSense (the Squid3, like I said, has a problem
installing; it seems that the links are dead).

Isamar Maia
2011-08-01 10:19:15 UTC
Martin,

There is another Squid plugin which authenticates through LDAP directly, but
it forces the user to input login and password through the browser on every
first access to the web.

NTLM+Samba uses the AD login and doesn't force the user to input login and
password again when passing through the firewall.

isamar
Younes EL AMRAOUI
2011-08-01 12:28:14 UTC
In Squid (pfSense) you can specify the subnets that don't need
authentication ;)