Feature #10748
Status: closed
Add support for limiting IPsec VPN access per user group via RADIUS
Start date: 07/10/2020
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:
Description
Hello,
We've set up an IPsec VPN for road warriors with RADIUS auth, but, unfortunately, it seems that there is currently no way to limit which users have VPN access via groups (class attribute) in the WebGUI. Apparently, it is already supported by strongSwan, see here:
https://wiki.strongswan.org/projects/strongswan/wiki/EAPRadius#Group-selection
I think that the configuration should look like this, but I don't know how to enter it in the GUI:
strongswan.conf
    charon {
        plugins {
            eap-radius {
                class_group = yes
                ...
            }
        }
    }
ipsec.conf
    conn test
        rightgroups = "VPNUsers"
Additional RADIUS Attributes (REPLY-ITEM) needed can already be entered using the FreeRADIUS settings page:
Class := "admins; VPNUsers"
This already works to set group memberships e.g. for WebGUI authentication, but sadly not yet for VPN.
Thanks!