OPNsense Forum

English Forums => General Discussion => Topic started by: shan on October 05, 2017, 04:54:59 pm

Title: How to configure OPNSense with Windows AD
Post by: shan on October 05, 2017, 04:54:59 pm
My Requirement
I work in a company and we have about 50 employees. Right now we are using IPCOP firewall proxy and there is no Microsoft AD setup.
The MAC addresses of the user PCs are added to the IPCOP and only allowed MAC addresses can access the internet.
The problem with the current setup is that there is no way to monitor the bandwidth each user has consumed. There are 2, 3 people consuming too much bandwidth and before the end of the month we reach the bandwidth cap.
As a solution to this problem I thought of implementing Windows AD along with OPNsense.
Basically what I want to do is to route the internet connection through the firewall proxy (transparent proxy) and set up Windows AD to authenticate the users.

What I have done so far
In order to test things first I have set up VirtualBox with OPNsense, Windows AD and 02 Windows 07 VMs.

OPNSense:
em0: WAN (NAT) (DHCP)
em1: LAN (Host Only Network) 192.168.10.254
DHCP Server Turned off

Windows AD
LAN: (Host Only Network) 192.168.10.10
DHCP Server Turned on
DNS Server turned on

Windows 7-1
LAN (Host Only network) 192.168.10.50

Windows 7-2
LAN (Host Only network) 192.168.10.51

My Windows AD side setup is done and I even got it connected to OPNsense (System: Access: Servers).
Now I want to configure the OPNsense side but I do not have a very clear idea how to do it. I need help from you guys on how to do that.
Thanks in advance.
Title: Re: How to configure OPNSense with Windows AD
Post by: franco on October 09, 2017, 11:28:23 pm
If there is a bandwidth requirement with some business logic in the background plus internet access control, your best bet is a captive portal for access, authenticating to a RADIUS server with accounting enabled, so you get your RADIUS to accumulate stats and block users if they reach their own or overall quota.


Cheers,
Franco
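
The accounting-and-quota logic suggested above, as an added example that is not part of the original posts and is not code from OPNsense or any RADIUS server. The attribute names are the standard RADIUS accounting attributes (RFC 2866/2869); the records, user names, quota values and function names are constructed assumptions.

```python
# Added example: per-user usage from RADIUS accounting records.
# Records, user names and quotas are constructed for illustration.
from collections import defaultdict

GIGAWORD = 2 ** 32  # Acct-*-Gigawords counts wraps of the 32-bit octet counter

SAMPLE_RECORDS = [  # constructed sample data
    {"User-Name": "alice", "Acct-Session-Id": "s1", "Acct-Status-Type": "Start"},
    {"User-Name": "alice", "Acct-Session-Id": "s1", "Acct-Status-Type": "Interim-Update",
     "Acct-Input-Octets": 1_000_000, "Acct-Output-Octets": 4_000_000},
    {"User-Name": "alice", "Acct-Session-Id": "s1", "Acct-Status-Type": "Stop",
     "Acct-Input-Octets": 2_000_000, "Acct-Output-Octets": 9_000_000},
    {"User-Name": "bob", "Acct-Session-Id": "s2", "Acct-Status-Type": "Interim-Update",
     "Acct-Input-Octets": 500, "Acct-Output-Octets": 1_000, "Acct-Output-Gigawords": 1},
    {"User-Name": "alice", "Acct-Session-Id": "s3", "Acct-Status-Type": "Stop",
     "Acct-Input-Octets": 1_000_000, "Acct-Output-Octets": 3_000_000},
]

def session_octets(rec):
    """Total octets (both directions) reported by one accounting record."""
    total = 0
    for direction in ("Input", "Output"):
        total += rec.get(f"Acct-{direction}-Octets", 0)
        total += rec.get(f"Acct-{direction}-Gigawords", 0) * GIGAWORD
    return total

def usage_per_user(records):
    """Sum usage per user without double counting interim updates."""
    # Counters are cumulative within a session, so keep the highest value
    # seen per (user, session) instead of adding every record together.
    per_session = {}
    for rec in records:
        if rec["Acct-Status-Type"] not in ("Interim-Update", "Stop"):
            continue
        key = (rec["User-Name"], rec["Acct-Session-Id"])
        per_session[key] = max(per_session.get(key, 0), session_octets(rec))
    usage = defaultdict(int)
    for (user, _session), octets in per_session.items():
        usage[user] += octets
    return dict(usage)

def over_quota(usage, user_quota, overall_quota):
    """Return (users at or above their own quota, overall quota reached?)."""
    blocked = sorted(u for u, n in usage.items() if n >= user_quota)
    return blocked, sum(usage.values()) >= overall_quota
```

Users still online only appear through Interim-Update records, so the access server has to be configured to send them for a quota to take effect before the session ends.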
Title: Re: How to configure OPNSense with Windows AD
Post by: MasterXBKC on October 14, 2017, 11:31:00 pm
+1 to Franco's suggestion, don't try to do this with AD, it will likely end in disaster. This is coming from a 15 year veteran of an MSP. At best I seem to recall a tool at some point that could sync RADIUS with AD but I haven't seen or heard of it in a number of years.