Feature #10843

open

Allow user manager settings to specify multiple authentication servers

Added by Orion Poplawski almost 4 years ago. Updated 4 months ago.

Status: New
Priority: Normal
Assignee: -
Category: Authentication
Target version: -
Start date: 08/19/2020
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:

Description

We would really like to have redundancy with our LDAP authentication for the pfSense web interface, but this appears to be impossible at the moment.


Related issues

Has duplicate Feature #12682: RADIUS authentication fallback for pfSense GUI (Duplicate)

Actions #1

Updated by Jim Pingle almost 4 years ago

  • Category set to Authentication
Actions #2

Updated by Jim Pingle over 2 years ago

  • Has duplicate Feature #12682: RADIUS authentication fallback for pfSense GUI added
Actions #3

Updated by Jim Pingle over 2 years ago

  • Subject changed from RFE: Allow user manager settings to specify multiple authentication servers to Allow user manager settings to specify multiple authentication servers
Actions #4

Updated by Denis Grilli about 1 year ago

Just here to push this up. This feature would be very useful in enterprise environments.

Actions #5

Updated by Ryan Whitlock 7 months ago

Denis Grilli wrote in #note-4:

Just here to push this up. This feature would be very useful in enterprise environments.

I concur! Please make this a higher priority.

Actions #6

Updated by Chris Linstruth 4 months ago

This feature should also include the ability to define specific failover behavior if the configured authentication servers are either unreachable or return auth failures.

Actions #7

Updated by Jim Pingle 4 months ago

I've been thinking about this a bit lately since we've added something similar in the upcoming TNSR release.

Like there, we could have a way to define "server groups" and then rather than offering a list of all auth servers, we offer the groups where users can now select servers. Inside each group you could only list the servers you want to use and the order in which they should be queried.

And then for example GUI/system auth you'd pick it by group, same with OpenVPN server auth, IPsec user auth, etc.

Chris Linstruth wrote in #note-6:

This feature should also include the ability to define specific failover behavior if the configured authentication servers are either unreachable or return auth failures.

For local auth this could happen naturally if the auth server groups had individual entries for each server plus "Local" and then you could set a group to only include remote servers and not the local auth, which would then be excluded.

But beyond that it would also be helpful to have a choice between "use the next server on any failure" vs "use the next server only if the first is unreachable" so users can consider an auth failure a failure at any point.
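
Added example, not part of the thread and not pfSense or TNSR code: a small model of the ordered "server group" and the two failover choices discussed in notes 6 and 7, showing how the choice changes the outcome when a remote server rejects a password that a stale "Local" entry still accepts. All names (Result, Policy, authenticate, the backends and accounts) are hypothetical and the backends are constructed stubs.

```python
from enum import Enum

class Result(Enum):
    ACCEPT = "accept"
    REJECT = "reject"            # server answered: bad credentials
    UNREACHABLE = "unreachable"  # timeout, connection refused, etc.

class Policy(Enum):
    NEXT_ON_ANY_FAILURE = 1       # "use the next server on any failure"
    NEXT_ONLY_IF_UNREACHABLE = 2  # "use the next server only if the first is unreachable"

def authenticate(group, policy, user, password):
    """Query the group's servers in order; return (Result, answering server name).

    `group` is an ordered list of (name, backend) pairs; each backend is a
    callable returning a Result. Hypothetical interface for illustration.
    """
    last = (Result.UNREACHABLE, None)   # empty group or nothing answered: deny
    for name, backend in group:
        result = backend(user, password)
        if result is Result.ACCEPT:
            return (result, name)
        if result is Result.REJECT:
            last = (result, name)
            if policy is Policy.NEXT_ONLY_IF_UNREACHABLE:
                return last             # an explicit rejection is final
        # UNREACHABLE: always try the next server, keeping any earlier REJECT
    return last

# Constructed backends for the demonstration (no network access).
def down(user, password):
    return Result.UNREACHABLE

def make_backend(accounts):
    def check(user, password):
        return Result.ACCEPT if accounts.get(user) == password else Result.REJECT
    return check

ldap2 = make_backend({"alice": "new-password"})   # directory: password was rotated
local = make_backend({"alice": "old-password"})   # stale local copy of the account

with_local = [("ldap1", down), ("ldap2", ldap2), ("Local", local)]
remote_only = [("ldap1", down), ("ldap2", ldap2)]  # group that excludes "Local"

if __name__ == "__main__":
    for policy in Policy:
        for label, group in (("with Local", with_local), ("remote only", remote_only)):
            print(policy.name, label, authenticate(group, policy, "alice", "old-password"))
```

With "next on any failure" and "Local" in the group, the rotated-out password is still accepted by the local entry; either removing "Local" from the group or treating a rejection as final closes that path.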
