UCS and opnSense - Radius/DHCP/VPN rights

Hello

I have UCS (Univention Corporate Server) running with User Management.
I also run an opnSense FW.

First,
I manage Radius and DHCP on my opnSense; would it be wise to move this function to the UCS itself?
Is it possible to hold them in both places, like a master and backup system? If yes, how?

Then,
I also have the VPN on my opnSense. How do I manage the user rights for VPN via UCS and pass the information to the opnSense, and how do I add the certificate back to the user? The goal would be a login into the VPN and getting the cert.

How did you solve this challenge?

Have a nice day,
vinc

Hi @vinc,

I am actually looking for a way to set up my environment like you have.

Currently I am running DHCP, local DNS and Radius on UCS. Opnsense (or in my case pfSense) is used for VPN, DNS and reverse-proxying UCS services to the internet.

In order to still have a working network infrastructure (DHCP, DNS and Radius) available in case of an emergency with UCS, I want to move those to Opnsense.

  1. DNS: That's easy, opnsense offers the possibility to redirect the whole local domain to another server. So *.intern.domain.com points to the UCS DNS, which is present anyway.
  2. DHCP: UCS manages the client devices with ldap objects and also links predefined mac addresses to certain DHCP leases etc. Is there any way to synchronize the DHCP leases of UCS with Opnsense?
  3. Radius: I guess the only possibility is to completely move that to Opnsense … right?
  4. VPN: Managing the user rights can be done by configuring the LDAP connection correctly on Opnsense. However, transferring the user certificate is not possible. Therefore I am using a static key together with an LDAP username/password combination as OpenVPN authentication.

Cheers

DHCP: UCS manages the client devices with ldap objects and also links predefined mac addresses to certain DHCP leases etc. Is there any way to synchronize the DHCP leases of UCS with Opnsense?

BTW: that would be great, because there is no UCS view of the DHCP leases…

@lw3234 so you think it is better to have it on the opnSense side?

For DHCP you could define two ranges: one is given out by xSense, the other part by UCS. But yes (@item), UCS is poor in giving the needed overview.

@lw3234, how do you manage the users in UCS and your xSense for the VPN access?

I like the idea of having a stable network environment where under all circumstances I can rely on getting a network connection (DHCP, Radius) and having basic DNS resolution available.
I consider UCS more as an application server than for infrastructure purposes, though it obviously can do this just fine. That's why I am trying to move those services to xSense.

Regarding VPN access, you simply configure either an LDAP or Radius connection on the xSense and select a given group or attribute to identify the allowed users. In my case I have an LDAP group called “VPN Users” in UCS which is enabled to connect.
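To make the group-based authorization lw3234 describes concrete, here is an added example (not code from this thread, from UCS or from opnSense/pfSense) of the decision a VPN gateway makes after looking the user up in LDAP: resolve the login name to a DN, then allow the connection only if that DN is listed as a member of the VPN group. It assumes groups carry member DNs in a `uniqueMember` attribute (as UCS groups do) and users live under `cn=users`; the LDIF, DNs and user names are constructed sample data, and the password bind step is not modelled.

```python
"""Added example: LDAP-group-based VPN authorization (default deny).

Assumptions (mine, not from the thread): group membership is stored as DNs
in a uniqueMember attribute; the directory content below is constructed.
"""
from __future__ import annotations

# Constructed sample directory export; every name and DN here is made up.
# Note that 'carol' is listed in the group but has no user entry.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,dc=intern,dc=domain,dc=com
objectClass: inetOrgPerson
uid: alice
cn: Alice Example

dn: uid=bob,cn=users,dc=intern,dc=domain,dc=com
objectClass: inetOrgPerson
uid: bob
cn: Bob Example

dn: cn=VPN Users,cn=groups,dc=intern,dc=domain,dc=com
objectClass: groupOfUniqueNames
cn: VPN Users
uniqueMember: uid=alice,cn=users,dc=intern,dc=domain,dc=com
uniqueMember: uid=carol,cn=users,dc=intern,dc=domain,dc=com
"""

VPN_GROUP_DN = "cn=VPN Users,cn=groups,dc=intern,dc=domain,dc=com"


def normalize_dn(dn: str) -> str:
    """Canonicalise a DN for comparison: DN matching in LDAP is
    case-insensitive and ignores whitespace around the RDN separators."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text: str) -> dict[str, dict[str, list[str]]]:
    """Minimal LDIF parser: entries separated by blank lines, 'attr: value'
    lines, multi-valued attributes collected into lists, keyed by normalized DN.
    Sufficient for the sample above (no base64 values or line folding)."""
    entries: dict[str, dict[str, list[str]]] = {}
    current: dict[str, list[str]] = {}
    for line in text.splitlines() + [""]:      # trailing "" flushes last entry
        if not line.strip():
            if current:
                dn = current.pop("dn")[0]
                entries[normalize_dn(dn)] = current
                current = {}
            continue
        attr, _, value = line.partition(": ")
        current.setdefault(attr, []).append(value)
    return entries


def find_user_dn(directory: dict, uid: str) -> str | None:
    """Resolve a login name to its DN, as the gateway's user search does
    before it binds with the supplied password (bind not modelled here)."""
    for dn, attrs in directory.items():
        if uid in attrs.get("uid", []):
            return dn
    return None


def vpn_allowed(directory: dict, uid: str, group_dn: str) -> bool:
    """Allow only users that exist AND whose DN is a uniqueMember of the
    VPN group. Unknown users, users outside the group, dangling member
    references and a misconfigured group name all fail closed."""
    user_dn = find_user_dn(directory, uid)
    if user_dn is None:
        return False
    group = directory.get(normalize_dn(group_dn))
    if group is None:
        return False
    members = {normalize_dn(m) for m in group.get("uniqueMember", [])}
    return user_dn in members


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for login in ("alice", "bob", "carol", "mallory"):
        print(f"{login}: {'allow' if vpn_allowed(directory, login, VPN_GROUP_DN) else 'deny'}")
```

The point of normalizing DNs is that the group name typed into the firewall's LDAP settings rarely matches the directory's capitalisation exactly; comparing raw strings would silently deny everyone, which looks like a broken bind rather than a configuration typo.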
