Active Directory - SSO

Started by BeanAnimal, September 28, 2018, 01:37:42 AM

As I mentioned in another thread, I am evaluating this platform as a replacement for my business customers.

My initial research shows that the only AD sync that can be done is a manual one, while pfSense and most other enterprise platforms offer an AD sync option.

I saw a thread here with a conversation between an end user and maybe Franco, where the value of an automatic or real-time sync was questioned...

Quite simply put - I do not know any SMB, mid-size or enterprise admin that wants to manually sync a firewall to AD every time a user is added or a security group or OU is changed, let alone every time a user changes their AD credentials. That is insane! Unless I am missing something, that is the case here.

In most business networks, AD is used and AD credentials are reset regularly, most often by end users. If this firewall is used as the VPN concentrator, then users will be constantly locked out until a resync is done or users are manually added to the firewall....

Honest question (no disrespect meant to anybody). Is this an honest business product, or a fancy home firewall/router targeted at tech-savvy bit twiddlers tired of DD-WRT or mad at pfSense for selling out?



Quote from: BeanAnimal on September 28, 2018, 01:37:42 AM
My initial research shows that the only AD sync that can be done is a manual one, while pfSense and most other enterprise platforms offer an AD sync option.

In most business networks, AD is used and AD credentials are reset regularly, most often by end users. If this firewall is used as the VPN concentrator, then users will be constantly locked out until a resync is done or users are manually added to the firewall....

Previously, there was indeed such a problem associated with both the Active Directory product itself and the server part, but the solution can be additional protection in the form of two-factor authentication with one-time passwords using the ADFS method. This method also works on an ADFS server, which can act as a guarantor of such protection. Then you do not have to do manual synchronization and remove locks, because all users will be securely logged in and have the same ADFS SSO support in the system. For this reason, I advise you to consider this analogy.

The sync is only for creating the user locally; the password is not stored on OPN, so a change will work transparently.

Quote from: BeanAnimal on September 28, 2018, 01:37:42 AM
Quite simply put - I do not know any SMB, mid-size or enterprise admin that wants to manually sync a firewall to AD every time a user is added or a security group or OU is changed, let alone every time a user changes their AD credentials. That is insane! Unless I am missing something, that is the case here.

In most business networks, AD is used and AD credentials are reset regularly, most often by end users. If this firewall is used as the VPN concentrator, then users will be constantly locked out until a resync is done or users are manually added to the firewall....
No ISO worth their salt would allow you to connect directly to AD from a security device. The protocol to use is RADIUS and OPNsense supports it for authentication. https://docs.opnsense.org/manual/how-tos/user-radius.html

Bart...
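The RADIUS path Bart recommends, shown as an added example (not code from this thread or from OPNsense): a minimal RFC 2865 PAP exchange in Python where the firewall side builds an Access-Request, the RADIUS/NPS side checks the password against the directory, and the firewall side verifies the Response Authenticator before trusting the Accept. The shared secret, the username and the in-memory DIRECTORY are constructed stand-ins; a real deployment sends these packets over UDP to the RADIUS server, which in turn queries AD, so the firewall never holds a user password.

```python
import hashlib
import secrets
import struct
# Constructed demo values (hypothetical): firewall<->RADIUS shared secret and a stand-in for AD.
SHARED_SECRET = b"constructed-demo-secret"
DIRECTORY = {"alice": b"Correct-Horse-7"}
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

def password_xor(secret, authenticator, data, decrypt=False):
    # RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous cipher block)
    if not decrypt:
        data += b"\x00" * (-len(data) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = data[i:i + 16] if decrypt else block  # always chain on the cipher block
        out += block
    return out.rstrip(b"\x00") if decrypt else out

def build_access_request(username, password, secret, ident=1):
    # Firewall side: Access-Request with a fresh random 16-byte Request Authenticator
    req_auth = secrets.token_bytes(16)
    pairs = ((ATTR_USER_NAME, username.encode()),
             (ATTR_USER_PASSWORD, password_xor(secret, req_auth, password.encode())))
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def radius_server_respond(request, secret):
    # RADIUS/NPS side: parse attributes, recover the password, check the directory, answer
    _, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs, i = request[4:20], {}, 20
    while i + 2 <= length:
        attrs[request[i]] = request[i + 2:i + request[i + 1]]
        i += max(request[i + 1], 2)  # never spin on a malformed zero-length attribute
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    ok = DIRECTORY.get(user) == password_xor(secret, req_auth, attrs.get(ATTR_USER_PASSWORD, b""), True)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()

def client_verify_response(request, response, secret):
    # Firewall side: accept only a reply bound to our request by the shared secret
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    return ident == request[1] and response[4:20] == expected and code == ACCESS_ACCEPT

def authenticate(username, password, secret=SHARED_SECRET):
    req = build_access_request(username, password, secret)
    return client_verify_response(req, radius_server_respond(req, secret), secret)
```

Because the password hiding and the reply binding both rest only on the MD5 of the shared secret, the firewall-to-RADIUS leg belongs on a management network or inside an IPsec/TLS tunnel, which is also why the server never returns the password to the firewall.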