PFSense via LDAP or Radius to UCS

#1

Hi@all,

I want to use the OpenVPN server on the PFSense
Simple configuration: RoadWarrior -> WAN -> LAN

In PFSense I have the possibility to get the users via LDAP or radius from another server. UCS offers both. What is the easiest to set up?

The LDAP-Connector has many options I have never used before:

grafik
grafik

Wo bekomme ich die Parameter für eine UCS-Anbindung her?

Beste Grüße
sven

User authentication from external system to USC-LDAP. memberOf
#2

Hi Sven

I initially planned on using RADIUS-provided client parameters with OpenVPN but for the moment I’m not due to the following issues discussed in pfSense pull request #4026.

RADIUS actually works, however LDAP is what you get out of the box with UCS without additional services. Though, if you do 802.1x or a secure WiFi network, you might already use the RADIUS feature.

Here are some hints after comparing it against my system:

  • Hostname: (the FQDN must be resolvable by your pfSense, i.e. ucs-master.example.org)
  • Port: 7389 (specific to UCS)
  • Transport: TCP - STARTTLS
    • Check that both pfSense and UCS should have NTP time servers configured, can be a source of issues with (START)TLS.
  • Peer Certificate Authority:
    • Get the UCS root CA certificate via the UCS Web UI,
    • Import it using System > Cert. Manager > CAs,
    • Then you can select it here in the Dropdown menu.
  • Protocol version: 3 (default)
  • Search scope: Entire Subtree (unless you don’t have any OUs AFAIK)
  • Base DN: Can be identified using ‘ucr get ldap/base’, i.e. dc=example,dc=org)
  • Auth containers: Important in large directories (if the connection works after saving it first, use “Select a container”
  • Bind anonymous: Disable it.
  • Bind credentials: Create an unprivileged user in UCS, obtains its DN using i.e. univention-ldapsearch -LL uid= (i.e. uid=svc.fwauth,cn=users,dc=example,dc=org), enter the password
  • User attribute: uid
  • Group attribute: cn
  • Group membership attribute: memberOf (requires said overlay)
  • Group Object Class: posixGroup

This seems to work pretty well here.

  • Test LDAP using Diagnostics > Authentication
  • If you wan’t you can also grant Admin privileges to the pfSense UI (not SSH) in System > User Manager > Groups
    • Create a group in pfSense with the same name as in UCS (Domain Admins for example). Then you can in the User Manager in Settings you can switch from Local Database to your LDAP backend.
  • Note about certificates: Whenever you renew the UCS root CA, you will have to re-import the renewed UCS root CA certificate into pfSense, otherwise LDAP with STARTTLS will fail.

Keep in mind that this won’t be able to fail-over to a UCS backup or slave DC as is. I haven’t yet played with adding more than one authentication backend.

Good luck!

2 Likes
#3

Did you complete this task?
If you complete it, can you write down, the way you configure it?
Thanks!

#4

No, I have not yet had the time to implement this. So far I have created the VPN users on the pfSense.

#5

Works fine for me, beside that memberOf is not working. I have implemented it and it works in other apps (like kanboard, freepbx) but when I start the test it just states:

grafik

I have tried to test with several parameters (using univentionGroup instead of posixGroup, checking RFC2307 ldap style) but it is not listing groups. But anyways I see no use case for working with groups, just need that to decide if the user is allowed to use openvpn.

#6

I know it’s been a long time, but just for posterity…
Did you ever try to use “uniqueMember” instead of “memberOf”?

Mastodon