Feature #9016
closed
Ability to create vpn user groups
0%
Description
With a variety of other firewall and VPN solutions, the user is given the ability to create groups of users and govern those groups in different ways.
For example, with Cisco equipment it is possible to create several groups for VPN users to live in: users, admins and customers. Users can have access to LAN resources, admins can be granted access to administrative networks and customers can have access to customer-only resources like file sharing tools.
pfSense currently does not support having multiple groups for remote access IPsec VPN users. I have tried creating multiple groups, multiple users, multiple IPsec PSK entries, and attempted to create a scenario whereby if a user logs in with a specific PSK they are put into a specific IP pool; however, no matter what is entered into the PSK on the user's side, they are dumped into the same IP pool.
In fact, it doesn't matter what a user puts into the PSK field at all - even if it's just keyboard mashing - they are authenticated and given an IP (this is probably a bug, and almost certainly a security problem).
Updated by Jim Pingle over 6 years ago
- Status changed from New to Rejected
On 2.4.4 with IKEv2/EAP you can use multiple address pools based on the user name to effectively accomplish this. There isn't a "group" concept with IPsec though.
As for the PSK issue, I can't replicate it. On configurations that use/require a PSK it was required and if I submitted the wrong value, the connection was rejected. If you had some combination that did not use a PSK then configuring a PSK on the client wouldn't matter. But if you can replicate a scenario where it breaks as you describe, please submit the complete configuration of the VPN and client as described at https://www.pfsense.org/security/