Create ACL like the classic way using opnsense gui

Started by none, June 08, 2020, 03:38:16 AM

Hi all,

I am setting up an OPNsense firewall with squid and LDAP (MS AD) auth. No need to be transparent.

I set a remote blacklist and now I want to use AD users and groups to tell who can and can't use that site. I can't find how in the web UI; all I found was this thread: https://forum.opnsense.org/index.php?topic=16171.0.

Is there any other way to solve this? Because if not, I will start editing my custom extra configs to send there. As I need to be user and group (from AD) aware, I assume it must be in the post-auth dir.

Thanks,

none
"We will call you Cygnus,
the God of balance you shall be."


Hi fabian, thanks for the reply. I think you mean:

Services: Web Proxy: Groups and Users

os-web-proxy-useracl (installed)   1.1_1   38.5KiB   Group and user ACL for the web proxy

It doesn't remind me of the old ACL lines as there were in the thread link I wrote. My main concerns are being able to write them and to maintain them between upgrades.

thanks,

none
"We will call you Cygnus,
the God of balance you shall be."

Dear all,
this is a very important feature, just wondering if this is actually supported or not.
We have AD groups defined; can we apply ACLs based on each group?
For example: the secretaries group defined in AD cannot access social network sites
IT Dept group defined in AD can see all
Admins dept group defined in AD cannot see porn
Accounts dept group defined in AD cannot see games and porn
Things of this nature I recall existed in pfSense, so I think it's doable in OPNsense.
----------------------------
Breeding Open Source
M0n0wall -> PfSense -> OpnSense -> Make lots of sense

Any ideas pls?
----------------------------
Breeding Open Source
M0n0wall -> PfSense -> OpnSense -> Make lots of sense

To achieve what you guys want, you'd need to do the following:

1- Add your AD\LDAP as an authentication method in the firewall (that would be in System->Access->Servers).
2- Set the authentication method in the proxy settings (Administration->Forward Proxy->Authentication Settings).
3- Download the os-web-proxy-useracl plugin (you can access it in the proxy menu under logs).
4- You can create the group names (accounting, marketing, etc.) in the GUI, then manually edit the ACL as per my guide https://forum.opnsense.org/index.php?topic=16171.0
 
Disclaimer: All advice presented is "AS IS", no warranties.
I'm not part of the opnsense team, just trying to help.
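
What per-group rules of the kind asked about in this thread look like in plain Squid configuration, as an added example that is not from any poster, the linked guide, or the os-web-proxy-useracl plugin. It assumes Squid's stock `ext_ldap_group_acl` helper and proxy authentication already configured; the helper path, LDAP host, DNs, secret file, group names and domains are all placeholders.

```conf
# Added example. Every host, DN, path, group name and domain is a placeholder.
# Assumption: this file is included after the proxy_auth ACLs are defined
# (the "post-auth dir" mentioned in the first post).

# Group lookup helper: for each request Squid passes the authenticated user
# (%LOGIN) plus the group named on the acl line; the helper answers OK/ERR.
# In the filter, %u is the user name and %g the group name.
# -W reads the bind password from a file, so it does not appear in the
# process list; keep that file readable by the squid user only.
external_acl_type ad_group ttl=300 children-max=5 %LOGIN \
    /usr/local/libexec/squid/ext_ldap_group_acl -R \
    -h dc01.example.internal \
    -b "dc=example,dc=internal" \
    -D "cn=squid-bind,ou=Service Accounts,dc=example,dc=internal" \
    -W /usr/local/etc/squid/ldap_bind.secret \
    -f "(&(objectClass=user)(sAMAccountName=%u)(memberOf=cn=%g,ou=Groups,dc=example,dc=internal))"

# One ACL per AD group (names follow the groups listed in the thread).
acl grp_secretaries external ad_group Secretaries
acl grp_admins      external ad_group Admins
acl grp_accounts    external ad_group Accounts

# Destination categories; in practice these would point at blacklist files.
acl cat_social dstdomain .social.example
acl cat_games  dstdomain .games.example
acl cat_adult  dstdomain .adult.example

# http_access is first-match, and each line is an AND of its ACLs evaluated
# left to right. Putting the cheap dstdomain test first means the LDAP
# helper is only queried when the destination is in a restricted category.
http_access deny cat_social grp_secretaries
http_access deny cat_adult  grp_admins
http_access deny cat_games  grp_accounts
http_access deny cat_adult  grp_accounts

# IT Dept: no deny line, so its members fall through to the normal
# "allow authenticated users" rule that follows.
```

Run `squid -k parse` after editing to catch syntax errors before reloading the proxy.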