Feature #10748: Add support for limiting IPsec VPN access per user group via RADIUS - pfSense - pfSense bugtracker

Feature #10748

Add support for limiting IPsec VPN access per user group via RADIUS

Added by Yury Zaytsev about 1 month ago. Updated 29 days ago.

Status:

Pull Request Review

Priority:

Normal

Assignee:

Category:

IPsec

Target version:

2.5.0

Start date:

07/10/2020

Due date:

% Done:

Estimated time:

Description

Hello,

We've set up an IPsec VPN for road warriors with RADIUS auth, but, unfortunately, it seems that there is currently no way to limit which users have VPN access via groups (class attribute) in the WebGUI. Apparently, it is already supported by strongSwan, see here:

https://wiki.strongswan.org/projects/strongswan/wiki/EAPRadius#Group-selection

I think that the configuration should look like this, but I don't know how to enter it in the GUI:

strongswan.conf

charon {
  plugins {
    eap-radius {
      class_group = yes
      ...
    }
  }
}

ipsec.conf

conn test
  rightgroups = "VPNUsers"

Additional RADIUS Attributes (REPLY-ITEM) needed can already be entered using the FreeRADIUS settings page:

Class := "admins; VPNUsers"

This already works to set group memberships e.g. for WebGUI authentication, but sadly not yet for VPN.

Thanks!

History

#1 Updated by Viktor Gurov about 1 month ago

Target version set to 2.5.0

https://github.com/pfsense/pfsense/pull/4396

#2 Updated by Yury Zaytsev about 1 month ago

Relates to #935, which was apparently already requested 10 years ago, and implemented 5 years ago, but then got lost during refactoring / redesign :)

P.S. I can't edit my original submission, but if anyone is up to updating docs, I'm afraid that I've made a typo and there shouldn't be spaces between classes - not sure it actually breaks anything though...

Class := "admins;VPNUsers"

#3 Updated by Jim Pingle 29 days ago

Status changed from New to Pull Request Review

Also available in: Atom PDF

Project

General

Profile

pfSense

Issues