Hello everyone,
I have a question. Is it possible to configure IPsec profiles and authenticate the profiles via LDAP groups? I would love to have, for example, a profile Marketing. The users are in the LDAP group Marketing and should have IP permissions to Server A. A second profile Finance with users in the LDAP group Finance should have IP permissions to Server B. I got LDAP and IPsec with local authentication working, but how to use LDAP groups in this context?
I would be very happy if somebody could help me.
Best regards
Marc
Besides the LDAP group authentication, how do you create these different access profiles? It would be interesting to know how to solve this in the GUI.
I use RADIUS for group assignment and different virtual IP pools to create group-dependent access profiles, but for this I have to use manual config files.
As far as I understand this can currently not be done.
Even using strongSwan's own LDAP authentication does not seem to have group filtering support.
https://www.strongswan.org/testing/testresults/ikev2/crl-ldap/index.html
What you desire can be achieved by using Radius and an include file based configuration. See here:
https://forum.opnsense.org/index.php?topic=12147.0
If your LDAP server is an Active Directory you can just enable the NPS Profile on your domain controller.
If your LDAP server is something else, you could use the FreeRADIUS plugin on OPNsense.
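To make the RADIUS approach from the replies above concrete, here is an added example (not from any poster in this thread, and not OPNsense's generated configuration) in plain strongSwan and FreeRADIUS syntax, the kind of content such a manual include file would carry. FreeRADIUS maps LDAP group membership to a RADIUS Class attribute, strongSwan's eap-radius plugin turns that Class value into a group name (class_group), and each conn selects its own virtual IP pool and reachable server by rightgroups. The server addresses, pool ranges, LDAP DNs, certificate name and shared secret are placeholders, and FreeRADIUS 3 with rlm_ldap group lookups already working is assumed.

```ini
# --- /etc/strongswan.d/charon/eap-radius.conf (constructed example) ---
eap-radius {
    # Turn every RADIUS Class attribute into a strongSwan group name
    class_group = yes
    servers {
        primary {
            address = 192.0.2.10                # placeholder RADIUS server
            secret = REPLACE_WITH_SHARED_SECRET # placeholder
        }
    }
}

# --- /etc/ipsec.conf (constructed example) ---
conn base-radius
    keyexchange=ikev2
    left=%any
    leftauth=pubkey
    leftcert=vpnGateway.pem        # placeholder gateway certificate
    leftid=@vpn.example.org        # placeholder gateway identity
    right=%any
    rightauth=eap-radius
    eap_identity=%identity
    auto=add

# Chosen only after RADIUS returns Class = "marketing"
conn marketing
    also=base-radius
    rightgroups=marketing
    rightsourceip=10.10.10.0/24    # virtual IP pool for the Marketing profile
    leftsubnet=10.0.1.5/32         # placeholder address of Server A

# Chosen only after RADIUS returns Class = "finance"
conn finance
    also=base-radius
    rightgroups=finance
    rightsourceip=10.10.20.0/24    # virtual IP pool for the Finance profile
    leftsubnet=10.0.2.7/32         # placeholder address of Server B

# --- /etc/freeradius/3.0/users (constructed example) ---
# Check item on the first line, reply item indented below it;
# the first matching entry wins because Fall-Through is not set.
DEFAULT LDAP-Group == "cn=marketing,ou=groups,dc=example,dc=org"
        Class = "marketing"
DEFAULT LDAP-Group == "cn=finance,ou=groups,dc=example,dc=org"
        Class = "finance"
```

A user in neither LDAP group receives no Class attribute, matches neither rightgroups, and is therefore not assigned to any of the two profile conns. Because each profile has its own pool, firewall rules can also be written per pool rather than per user.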