Wondering if there is anyone who can help on pfsense and pomerium

Posted by sniffingsock@reddit | sysadmin | View on Reddit | 7 comments

I'm working on a project at the moment which is very much in the testing stage. I want to authenticate users via oauth before allowing them any network access. To do this I'm utilising pfsense captive portal which then redirects to a pomerium ec2 instance over wan which prompts the user to provide the azure ad details and then logs them in. The issue I've got is a catch 22, I cannot for the life of me figure out how to pass the message back to the pfsense that users are now authenticated via pomerium and oauth and allow network access, the users are still in an unauthenticated state after signing into pomerium, has anyone had to deal with something similar and figured it out? I know you can use ldap to achieve the same thing through pfsense and it is natively supported, however getting money for a proper solution through entra id ds is a nightmare, hence why I've gone down this route. Thanks for any support.

7 Comments

[-]

SevaraB@reddit

If it’s Azure AD instead of on-prem AD, why go through Pomerium at all? Azure alone not giving you enough options to limit login attempts from non-corp devices?

sniffingsock@reddit (OP)

So this is to secure our external sites as we are a public facing business and have 70+ external courses which at the moment has no way to prevent a user from plugging in a laptop to an ethernet port and grabbing access to our wider infrastructure. My plan is to have the pfsense in our AWS and have our junipers route traffic to that first for authentication before allowing a user access to anything is there a way this can be done just through our azure tenant? I have seen that pfsense and azure ad ds are a way to force users to authenticate via ldap which is probably my next option, just waiting for funding off of the higher ups.

Let's take a step back and rephrase what you're trying to do- you're trying to implement NAC (network access control), which generally means you need a RADIUS server. Now RADIUS servers don't normally speak OAuth- like you said, they normally speak LDAP (or preferably LDAPS). You have three options to get around this: 1. Sign up with a "Cloud RADIUS" service that's specifically designed to speak OAuth (JumpCloud, Portnox, SecureW2, etc). 2. Set up an "LDAP bridge" (using something like Keycloak) that can translate between LDAP requests from the RADIUS server and OAuth requests against Azure AD. 3. Set up a RADIUS server *and* an LDAP server, and then set up an LDAP connector to synchronize the LDAP server with Azure AD.

Option 3 sounds like the plan, have the ldap server done via azure ds, and freeradius running on the pfsense itself. Thanks for your info mate some good knowledge in there.

Wondering if there is anyone who can help on pfsense and pomerium

Reply to Post

7 Comments

SevaraB@reddit

sniffingsock@reddit (OP)

SevaraB@reddit

sniffingsock@reddit (OP)

exekewtable@reddit

jhxetc@reddit

stufforstuff@reddit