Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
20.1 Legacy Series
»
IPSec Remote Access via LDAP Groups Authentication
« previous
next »
Print
Pages: [
1
]
Author
Topic: IPSec Remote Access via LDAP Groups Authentication (Read 2256 times)
insecure
Newbie
Posts: 8
Karma: 0
IPSec Remote Access via LDAP Groups Authentication
«
on:
April 25, 2020, 10:58:06 am »
Hello together,
I have a question. Is it possible to configure IPSec Profiles and authenticate the Profiles via LDAP Groups? I would love to have for example a Profile Marketing. The Users are in the LDAP Group Marketing and should have ip permissons to Server A. A second Profile Finance with Users in the LDAP Group Finance should have ip permissions to Server B. I got LDAP and IPSec with local authentication working, but howto use LDAP Groups in this context?
I would be very happy if somebody could help me.
Best reguards
Marc
«
Last Edit: April 25, 2020, 10:59:54 am by insecure
»
Logged
hbc
Hero Member
Posts: 501
Karma: 47
Re: IPSec Remote Access via LDAP Groups Authentication
«
Reply #1 on:
April 25, 2020, 10:17:10 pm »
Beside the ldap group authentication, how do you create these different access profiles? Would be interesting to know how to solve this in gui.
I use radius for group assignment and different virtual IP pools to create group depending access profiles, but for this I have to use manual config files
Logged
Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz (24 cores)
256 GB RAM, 300GB RAID1, 3x4 10G Chelsio T540-CO-SR
rainerle
Full Member
Posts: 151
Karma: 9
Re: IPSec Remote Access via LDAP Groups Authentication
«
Reply #2 on:
April 30, 2020, 10:57:19 pm »
As far as I understand this can currently not be done.
Even using StrongSwans own LDAP authentication does not seem to have group filtering support.
https://www.strongswan.org/testing/testresults/ikev2/crl-ldap/index.html
What you desire can be achieved by using Radius and an include file based configuration. See here:
https://forum.opnsense.org/index.php?topic=12147.0
If your LDAP server is an Active Directory you can just enable the NPS Profile on your domain controller.
If your LDAP server is something else you could use the Freeradius plugin on the opnsense.
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
20.1 Legacy Series
»
IPSec Remote Access via LDAP Groups Authentication