Feature #13786

open

LDAP integration for firewall rules

Added by Mike Moore over 1 year ago. Updated 10 months ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Rules / NAT
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Release Notes:
Default

Description

Seeing as there are LDAP connectors in the software already for authentication, would it be possible to leverage that for firewall rules?
Creating a permit/deny rule based on source "LDAP\User1". This feature alone would be "nextgen" for pf.

On other vendors, this does require an agent being installed on an AD server to get that updated directory list to map IP addr to username. But I think that would only be helpful for reporting/analytics. If we need to just validate the username and that's it, then I think this is possible. Other packages such as Squid can be leveraged if reporting is needed to see what sites were visited and when.

Actions #1

Updated by Marcos M over 1 year ago

Normally this type of setup is implemented with something like IPsec/OpenVPN using RADIUS authentication, at which point the rules can be dynamically generated and applied based on the user. I haven't seen this used without VPN, but maybe it's possible. See: https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/client-parameters-radius.html

Actions #2

Updated by Mike Moore over 1 year ago

This isn’t for OpenVPN. This is for firewall rules controlling movement day from LAN to DMZ.
Source is an AD user not an IP address

Actions #3

Updated by Christian McDonald over 1 year ago

Mike Moore wrote in #note-2:

This isn’t for OpenVPN. This is for firewall rules controlling movement day from LAN to DMZ.
Source is an AD user not an IP address

There has to be an association between the AD user and an IP address. Running a service on each domain controller that listens for logon events and transmits this information back to some central repository for curation is a pretty typical solution to this problem. Another is running agent software on each domain-joined machine that basically performs the same task.

pfSense would otherwise have no insight into the relationship between AD users and their IP.
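The mapping Christian describes (a collector on each domain controller forwarding logon events into a central user-to-IP table that the firewall consults) can be sketched in code. The following is an added Python example written for this page; it is not pfSense code and not part of the feature request. The event fields, addresses, the 8-hour session TTL and the `DOMAIN\user` principal format are all assumptions made for illustration, and the sample events are constructed, not real log data.

```python
"""Added example, not pfSense code: a minimal user-to-IP identity table of
the kind a domain-controller logon collector would feed, plus a resolver
that expands a user-based rule ("Src: AD\\mmoore") into address-based rules.
All names, event fields, addresses and the TTL are assumptions."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample records, loosely modelled on the fields a collector
# would pull from Windows Security event 4624 (successful logon):
# account, domain, source address, timestamp. Not real log data.
SAMPLE_EVENTS = [
    {"domain": "AD", "user": "mmoore", "ip": "10.0.10.25", "ts": "2023-01-10T08:00:00"},
    {"domain": "AD", "user": "jdoe", "ip": "10.0.10.31", "ts": "2023-01-10T08:05:00"},
    # Logon with no usable network address (console/service logon): ignored.
    {"domain": "AD", "user": "svc_backup", "ip": "-", "ts": "2023-01-10T08:06:00"},
    # Same user on a second workstation: the user now maps to two addresses.
    {"domain": "AD", "user": "mmoore", "ip": "10.0.10.40", "ts": "2023-01-10T12:00:00"},
    # DHCP handed 10.0.10.31 to another user: the newer logon wins.
    {"domain": "AD", "user": "asmith", "ip": "10.0.10.31", "ts": "2023-01-10T13:00:00"},
]


def _ts(v) -> datetime:
    """Accept either a datetime or an ISO-8601 string."""
    return v if isinstance(v, datetime) else datetime.fromisoformat(v)


@dataclass
class Binding:
    principal: str        # "DOMAIN\\user"
    last_seen: datetime


@dataclass
class IdentityTable:
    """IP -> principal, the direction the firewall needs. One principal per
    address at any moment; bindings expire after an assumed session TTL."""
    ttl: timedelta = timedelta(hours=8)   # assumed session lifetime
    by_ip: dict[str, Binding] = field(default_factory=dict)

    def ingest(self, ev: dict) -> bool:
        """Record one logon event. Returns False if it has no usable address."""
        try:
            ip = str(ipaddress.ip_address(ev["ip"]))
        except ValueError:
            return False
        ts = _ts(ev["ts"])
        principal = f'{ev["domain"]}\\{ev["user"]}'
        cur = self.by_ip.get(ip)
        # Only move forward in time: an out-of-order older event must not
        # overwrite a newer binding for the same address.
        if cur is None or ts >= cur.last_seen:
            self.by_ip[ip] = Binding(principal, ts)
        return True

    def addresses_for(self, principal: str, now) -> list[str]:
        """Current, unexpired addresses bound to a principal (may be empty)."""
        now = _ts(now)
        return sorted(
            ip for ip, b in self.by_ip.items()
            if b.principal == principal and now - b.last_seen <= self.ttl
        )

    def principal_for(self, ip: str, now) -> str | None:
        """Who the table currently attributes an address to, if anyone."""
        b = self.by_ip.get(ip)
        if b is None or _ts(now) - b.last_seen > self.ttl:
            return None
        return b.principal


def expand_rule(rule: dict, table: IdentityTable, now) -> list[dict]:
    """Turn {'src': 'AD\\mmoore', ...} into one address rule per live binding.
    A user with no live binding yields no rules, so a permit written against
    a user never matches traffic the firewall cannot attribute (fail closed)."""
    if "\\" not in rule["src"]:           # already an address or network
        return [dict(rule)]
    return [dict(rule, src=ip) for ip in table.addresses_for(rule["src"], now)]


def build_table(events=SAMPLE_EVENTS) -> IdentityTable:
    table = IdentityTable()
    for ev in events:
        table.ingest(ev)
    return table


if __name__ == "__main__":
    now = "2023-01-10T14:00:00"
    table = build_table()
    rule = {"action": "pass", "src": "AD\\mmoore", "dst": "1.1.1.1", "proto": "icmp"}
    for r in expand_rule(rule, table, now):
        print(r)
```

Two design points matter for a permit rule keyed on identity: a reassigned DHCP address must immediately stop matching the previous user (the newest logon overwrites the binding), and a user with no current binding must expand to nothing rather than to a stale address, otherwise the rule silently grants access to whoever holds that IP now.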

Actions #4

Updated by Mike Moore about 1 year ago

So there is no way in the future to create a LAN rule stating
Src: AD/mmoore
Dst: 1.1.1.1
Prot: ICMP

So in the src field I am specifying an account in AD not an IP address.

Actions #5

Updated by Kris Phillips about 1 year ago

Mike Moore wrote in #note-4:

So there is no way in the future to create a LAN rule stating
Src: AD/mmoore
Dst: 1.1.1.1
Prot: ICMP

So in the src field I am specifying an account in AD not an IP address.

Mike,

Correct. There is no functionality at this time to tie an AD user to a firewall rule. This would require a significant amount of development work to implement, if it ever is, but thank you for your feature request. We will keep this on the backburner for a future project if it presents itself.

Actions #6

Updated by Mike Moore 10 months ago

Appreciate the feedback Kris!
