Re: [pfSense] Can anyone please tell me the step by step to integrate FreeRADIUS to authenticate users from Windows Active Directory?
Which means it's simply not possible to use FreeRADIUS on pfSense in a Windows AD environment. Right? The reason I wanted to use the pfSense Captive Portal is that it's way cooler than Windows IIS RADIUS!

On 26 April 2012 09:35, Brian Henson marin...@gmail.com wrote:

You could use Windows Internet Authorization server to provide the users/groups. It is a RADIUS server and could do what you're wanting to do.

On Wed, Apr 25, 2012 at 11:54 PM, steel max steelmax11...@gmail.com wrote:

Can anyone please tell me the step by step to integrate FreeRADIUS to authenticate users from Windows Active Directory? I have successfully set up:
1- Captive Portal FreeRADIUS.
2- Local pfSense users can log in and authenticate from the Captive Portal.
*BUT what I really want is to authenticate AD users!*
*Also, the WAN to pfSense comes from my corporate VLAN10; I would like the outgoing LAN to be in the same VLAN!*
*So in short, how can I do these: Captive Portal authenticating against my Windows domain AD; LAN in the same VLAN as WAN...?*
Thanks in advance, please help me on this!

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
[pfSense] 2.01 / 2.1 - Email alerting on unsuccessful login?
Hello all, is there a means to configure an alerting mechanism (email for instance) on unsuccessful login at the web admin interface? Same for unsuccessful login through OpenVPN? I can scan the logs; some proactive warning would be useful though. Did I miss an existing functionality?

Thanks,
— Olivier Mascia
Re: [pfSense] Can anyone please tell me the step by step to integrate FreeRADIUS to authenticate users from Windows Active Directory?
On Thu, Apr 26, 2012 at 3:12 AM, Abdullah Nihan abd@gmail.com wrote:

Which means it's simply not possible to use FreeRADIUS on pfSense in a Windows AD environment. Right? The reason I wanted to use the pfSense Captive Portal is that it's way cooler than Windows IIS RADIUS!

You can use Windows RADIUS server with Captive Portal. It has nothing to do with IIS. If you want to authenticate CP to AD, do it that way. Whether you can integrate FreeRADIUS with AD, I don't know, but I wouldn't even think about doing so. Unnecessary complexity and additional setup time, if it's even feasible.
Re: [pfSense] 2.01 / 2.1 - Email alerting on unsuccessful login?
OSSEC can do just this sort of log scraping and can email you as an action.

On Thu, Apr 26, 2012 at 3:52 AM, Olivier Mascia o...@tipgroup.com wrote:

Hello all, is there a means to configure an alerting mechanism (email for instance) on unsuccessful login at the web admin interface? Same for unsuccessful login through OpenVPN? I can scan the logs; some proactive warning would be useful though. Did I miss an existing functionality?

Thanks,
— Olivier Mascia
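The reply above points at log scraping (OSSEC) as the way to get the alert Olivier asks for; the same check can be scripted directly. As an added example, not from anyone on the list, the Python below scans constructed pfSense-style syslog lines for failed webConfigurator and OpenVPN logins and builds an alert when one source fails repeatedly; the log message patterns it matches are assumptions to be checked against real pfSense log lines.

```python
"""Alert on bursts of failed logins in pfSense syslog lines (added example).

Picks failed webConfigurator (web admin) logins and failed OpenVPN user/password
authentication out of syslog, groups them per source in a sliding window and
renders an alert text a cron job could hand to a mailer. The message formats are
assumptions modelled on pfSense 2.x logs; verify them against real log lines.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample lines (not a real capture).
SAMPLE_LOG = """\
Apr 26 09:41:02 pfsense php: /index.php: webConfigurator authentication error for 'admin' from 192.168.1.23
Apr 26 09:41:09 pfsense php: /index.php: webConfigurator authentication error for 'admin' from 192.168.1.23
Apr 26 09:41:15 pfsense php: /index.php: webConfigurator authentication error for 'root' from 192.168.1.23
Apr 26 09:42:30 pfsense php: /index.php: Successful login for user 'admin' from: 192.168.1.50
Apr 26 09:45:10 pfsense openvpn[23145]: 203.0.113.7:51234 TLS Auth Error: Auth Username/Password verification failed for peer
Apr 26 09:45:40 pfsense openvpn[23145]: 203.0.113.7:51235 TLS Auth Error: Auth Username/Password verification failed for peer
"""

# "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(r'^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ (\S+?)(?:\[\d+\])?: (.*)$')
WEBGUI_FAIL_RE = re.compile(r"webConfigurator authentication error for '([^']*)' from:? (\S+)")
OPENVPN_FAIL_RE = re.compile(r'^(\d{1,3}(?:\.\d{1,3}){3}):\d+ .*Auth Username/Password verification failed')


def parse_failures(lines, year):
    """Return (time, service, user, source_ip) tuples for every failed login."""
    events = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        program, msg = m.group(2), m.group(3)
        w = WEBGUI_FAIL_RE.search(msg)
        o = OPENVPN_FAIL_RE.match(msg)
        if program == "php" and w:
            events.append((when, "webgui", w.group(1), w.group(2)))
        elif program == "openvpn" and o:
            events.append((when, "openvpn", "?", o.group(1)))  # no username in this line
    return events


def find_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """One alert per (service, source) that fails >= threshold times within any window."""
    by_source = defaultdict(list)
    for when, service, user, src in sorted(events):
        by_source[(service, src)].append((when, user))
    alerts = []
    for (service, src), items in sorted(by_source.items()):
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1                       # slide the window forward
            if end - start + 1 >= threshold:
                alerts.append({"service": service, "source": src, "count": end - start + 1,
                               "first": items[start][0], "last": items[end][0],
                               "users": sorted({u for _, u in items[start:end + 1]})})
                break                            # one notification per source is enough
    return alerts


def format_alert(alerts):
    """Plain-text mail body; empty string when there is nothing to report."""
    if not alerts:
        return ""
    out = ["pfSense login failure alert"]
    for a in alerts:
        out.append(f"- {a['service']}: {a['count']} failures from {a['source']} between "
                   f"{a['first']:%H:%M:%S} and {a['last']:%H:%M:%S} (users: {', '.join(a['users'])})")
    return "\n".join(out)


if __name__ == "__main__":
    print(format_alert(find_bursts(parse_failures(SAMPLE_LOG.splitlines(), 2012))))
```

Run against the real syslog (or the pfSense log tail) from cron and pipe a non-empty result to the mailer of your choice; the year argument is needed because syslog timestamps carry none.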
Re: [pfSense] Quick Thanks from a Happy user
Date: Wed, 25 Apr 2012 14:49:14 +0300
From: NorthPole morfeas3...@gmail.com
To: pfSense support and discussion list@lists.pfsense.org
Subject: Re: [pfSense] Quick Thanks from a Happy user

Hi, this is a very interesting application and congratulations on making it! It would be very interesting if you could provide details on the following.

- Mail notifications for important events (new user signed up, weekly RRD stats, reboots, ...)

Various solutions: We have a custom portal page where every new user (system) is redirected to. From there a couple of shell scripts get the IP, hostname and MAC address together with the values that the user entered on the portal page (name, email, ack'ed the terms of usage, organization he/she belongs to). At the end of this process a shell script sends out an email to a group of admins with these details. For the weekly RRD stats (we are just interested in the traffic graphs) we use the package 'mailreport'. Startup/reboot notifications are sent via a simple cronjob with the time '@reboot'. For all of this we have installed some Perl libs to simplify the email handling. Ideally this should be done in a PHP extension / pfSense package, but I didn't go that far yet.

- 'Jail' for misbehaving systems and an HTTP redirect to let them know

Misbehaving systems could simply be slowed down to a minimum by the bandwidth limits of the Captive Portal (e.g. just 1 Kbit/s for up- and download). But this way the user wouldn't know that his system is blocked. In case we want them to know what happened, we redirect them through a Squid config with the package squidGuard to a dedicated page for this system. This page then indicates what happened and why. As this is the only white-listed page in this particular SquidGuard category, the user (with this system) can't go anywhere else.

- Reports with the last time systems were connected (useful for cleaning up RADIUS users)

With the option 'Reauthenticate connected users every minute' of the Captive Portal, the freeRADIUS logs contain detailed information about how and when systems connected. Again a couple of shell scripts dig through this data and provide some useful stats. With the built-in freeRADIUS and our ~100 systems/day we have hit a limit, so that we had to deactivate the ongoing RADIUS accounting information for now. It seems like we have to move to a dedicated freeRADIUS installation in order to bypass this. But the idea will remain the same. It might also be that the freeRADIUS 2 package provides some of these features.

- Support for external monitoring solutions of internal network devices

We have dedicated nTop and Zabbix systems running outside of the pfSense box (for us pfSense is the inner firewall between our server subnet and all client subnets). But many network devices are inside of the client subnets, so depending on the devices (printer, access point, switch, server), what we want to monitor, and which access Zabbix needs to the devices, we have created a bunch of firewall rules and port forwards to selectively allow access. Maybe the zabbix-proxy package helps to make this simpler, but we haven't looked so deep.

- Default (low) speed group for unknown users through Captive Portal bandwidth restriction

Whenever a user/system is going through the self-signup process (see above), we assign the system low bandwidth limits. This way someone can connect, but can't consume much of our scarce bandwidth. As we receive an email whenever this has happened, we can then check if the system should have more/faster access to the network and 'promote' it by assigning higher bandwidth limits within freeRADIUS.

Did you use an external non-custom application for these and if yes, which?

I could see that some of our features eventually make their way into a clean pfSense package, but we haven't had the time and skills to investigate deeper here. So there are a couple of manual installation and config tasks required before this all works together. I'm open to any suggestions if or how this could be made more usable.

Cheers,
christian
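Christian describes shell scripts that dig through the freeRADIUS accounting data to report when each system last connected, so stale RADIUS users can be cleaned up. As an added example, not Christian's scripts, the Python below parses the layout of a freeRADIUS accounting 'detail' file (constructed sample data, a date header line followed by tab-indented attribute lines per record), keeps the newest record per user and flags users idle past a cutoff.

```python
"""Last-seen report from a freeRADIUS accounting 'detail' file (added example,
not Christian's scripts). The detail layout is a date header line followed by
tab-indented "Attribute = Value" lines, with records separated by a blank line.
Keeps the newest record per User-Name and flags idle users for RADIUS cleanup.
"""
from datetime import datetime, timedelta
import re

# Constructed sample in detail-file layout (not a real capture).
SAMPLE_DETAIL = """\
Wed Apr 25 08:02:11 2012
\tAcct-Status-Type = Start
\tUser-Name = "alice"
\tCalling-Station-Id = "00:11:22:aa:bb:01"

Wed Apr 25 08:03:11 2012
\tAcct-Status-Type = Interim-Update
\tUser-Name = "alice"
\tCalling-Station-Id = "00:11:22:aa:bb:01"

Wed Jan 11 17:45:02 2012
\tAcct-Status-Type = Stop
\tUser-Name = "printer-lab"
\tCalling-Station-Id = "00:11:22:aa:bb:77"

"""

ATTR_RE = re.compile(r'^\s+([\w-]+)\s*=\s*"?([^"]*)"?\s*$')
DATE_FMT = "%a %b %d %H:%M:%S %Y"  # header line written by the detail module


def parse_detail(text):
    """Return a list of records, each a dict of attributes plus '_time'."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():                 # blank line closes the record
            if current is not None:
                records.append(current)
            current = None
        elif not line[0].isspace():          # unindented: the date header
            try:
                current = {"_time": datetime.strptime(line.strip(), DATE_FMT)}
            except ValueError:
                current = None               # unreadable header: skip record
        elif current is not None:
            m = ATTR_RE.match(line)
            if m:
                current[m.group(1)] = m.group(2).strip()
    if current is not None:
        records.append(current)
    return records


def last_seen(records):
    """Map User-Name -> {'last': datetime, 'station': MAC, 'count': n}."""
    seen = {}
    for rec in records:
        user = rec.get("User-Name")
        if not user:
            continue
        info = seen.setdefault(user, {"last": rec["_time"], "station": "?", "count": 0})
        info["count"] += 1
        if rec["_time"] >= info["last"]:     # newest record wins
            info["last"] = rec["_time"]
            info["station"] = rec.get("Calling-Station-Id", "?")
    return seen


def stale_users(seen, now, max_idle_days=30):
    """Users whose newest record is older than now minus max_idle_days."""
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(u for u, info in seen.items() if info["last"] < cutoff)


if __name__ == "__main__":
    users = last_seen(parse_detail(SAMPLE_DETAIL))
    print("cleanup candidates:", stale_users(users, datetime(2012, 4, 26)))
```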
[pfSense] Compex WLM54SAGP23 (Atheros 5413), ALIX 2D3 pfSense 2?
Hi. I'm choosing a miniPCI wireless card from www.msdist.co.uk to go in an ALIX 2D3. The only cards there that appear to be supported by FreeBSD 8.1 are the Wistron DCMA81 (Atheros AR5213A), Wistron CM9-GP (Atheros AR5213A) and the Compex WLM54SAGP23 (Atheros 5413). I'd just like to check whether people have successfully used the Compex WLM54SAGP23 (Atheros 5413) in a wireless access point (host AP) setup with pfSense 2.0.1.

Thanks
-- 
Pete Boyd
thegoldenear.org
openplanit.co.uk
Re: [pfSense] Quick Thanks from a Happy user
You have an interesting command-line scripts approach, if I understand correctly. The only improvement I see is that you could substitute most of the shell scripts with PHP ones updating the external RADIUS server and database with most of the info you need and sending the emails, and maybe even skip the administrator intervention for every user. But this is a matter of tool preference. Thx for the info.

Cheers,

On Thu, Apr 26, 2012 at 10:23 PM, Christian Neumann cneum...@pih.org wrote:
[pfSense] [pfsense] dansguardian
I've installed squid and dansguardian in the hopes of getting some filtering going. I even followed the instructions highlighted below; however, my syslog keeps showing "dansguardian: Error connecting to proxy". I would appreciate it if anyone has any pointers for me.

http://forum.pfsense.org/index.php?topic=42664.0

Sam
Re: [pfSense] [pfsense] dansguardian
I've been part of the pfSense lists for months but have never really spoken up about anything. I tried to implement dansguardian in v2.0.1 but failed as well. Has anyone found a reliable best practice or guide for this?

James

From: list-boun...@lists.pfsense.org On Behalf Of k_o_l
Sent: April-26-12 2:51 PM
To: list@lists.pfsense.org
Subject: [pfSense] [pfsense] dansguardian
Re: [pfSense] [pfsense] dansguardian
Mine is up and running, but I have to manually put the dansguardian port in the web browser as a proxy server. I do not have it working for transparent squid. As you can see, most of the settings are default. These are the Dansguardian settings (I hope you can read this).

Daemon Listening Settings
- Enable dansguardian: I agree with dansguardian Terms and Conditions. http://dansguardian.org/?page=copyright2
- Listen Interface(s) (Default: LAN/loopback): Select interface(s) that you want dansguardian to listen on.
- Listen port (Default: 8080): The port(s) that DansGuardian listens to.

Daemon Options (default values are in ( ))
- Min/Max Children (Default: 8/120): Sets the minimum and maximum number of processes to spawn to handle the incoming connections. Max value usually 250 depending on OS. On large sites you might want to try 32/180.
- Min/Max Spare Children (Default: 4/32): Sets the minimum and maximum number of processes to be kept ready to handle connections. On large sites you might want to try 8/64.
- Prefork Children: Sets the minimum number of processes to spawn when it runs out. On large sites you might want to try 10.
- Max Age Children (Default: 500): Sets the maximum age of a child process before it croaks it. This is the number of connections they handle before exiting. On large sites you might want to try 1.
- Max Ips (Default: 0): Sets the maximum number of client IP addresses allowed to connect at once. Use this to set a hard limit on the number of users allowed to concurrently browse the web. Set to 0 for no limit, and to disable the IP cache process.

Parent proxy Settings
- Proxy IP (Default: 127.0.0.1): Sets IP address for proxy server (usually squid).
- Proxy Port (Default: 3128): Sets port number for proxy server.

General Config Settings
- Auth Plugins: This option handles the extraction of client usernames from various sources, such as Proxy-Authorisation headers and ident servers, enabling requests to be handled according to the settings of the user's filter group.

Scan Options (default values are in ( ))
- Weighted phrase mode: IMPORTANT: Note that setting this to 0 turns off all features which extract phrases from page content, including banned and exception phrases (not just weighted), search term filtering, and scanning for links to banned URLs.
- Lower casing options: When a document is scanned the uppercase letters are converted to lower case in order to compare them with the phrases. However this can break Big5 and other 16-bit texts. If needed, preserve the case.
- Phrase filter mode: Smart, Raw and Meta/Title phrase content filtering options. Smart is where the multiple spaces and HTML are removed before phrase filtering. Raw is where the raw HTML including meta tags is phrase filtered. Meta/Title is where only meta and title tags are phrase filtered (v. quick). CPU usage can be effectively halved by using setting 0 or 1 compared to 2.
- Url cache number: Positive (clean) result caching for URLs. Caches good pages so they don't need to be scanned again. It also works with AV plugins. 0 = off (recommended for ISPs with users with dissimilar browsing); 1000 = recommended for most users; 5000 = suggested max upper limit. If you're using an AV plugin then use at least 5000.
- Url cache age: Age before cache entries are stale and should be ignored, in seconds. 900 = 15 mins (recommended); 0 = never.

SSL man in the middle Filtering
Warning: Invalid argument supplied for foreach() in /usr/local/www/pkg_edit.php on line 560
- CA: Select Certificate Authority to use when SSL filtering is enabled on Group options. To create a CA on pfSense, go to System - Cert Manager.
- Cert: Select Certificate pair to use when SSL filtering is enabled on Group options. To create a Certificate on pfSense, go to System - Cert Manager.

Content Scanner
Content Scanners (antivirus) options (default values are in ( ))
- freshclam frequency (Default: Every day): Select how often pfSense will update the clamd virus database.
- Content scanner timeout (Default is 60): Some of the content scanners support using a timeout value to stop processing (e.g. AV scanning) the file if it takes too long. If supported this will be used. The default of 60 seconds is probably reasonable.
- Content scan exceptions: If 'on', exception sites, URLs, users etc. will be scanned. This is probably not desirable behaviour as exceptions are supposed to be trusted, and it will increase load. Correct use of grey lists is a better idea.
- ICAP URL: Enter ICAP URL in icap://icapserver:1344/avscan format. Use hostname rather than IP address and always specify the port.

Misc settings
Misc options (default values are in ( ))

In squid from top to bottom I have selected (squid won't paste for some reason):
- Proxy Interface: LAN and Loopback
- Allow users = checked
- Blank until Enable Logging
- Enable logging = checked
- Log store = /var/squid/logs
- Log rotate = 90
- Proxy port = 3128
- ICP port = (blank)
- Visible hostname = localhost
- Administrator email =
Re: [pfSense] [pfsense] dansguardian
That's funny. It deleted all of the values. I cleaned it up a little and put the correct values in red.

From: list-boun...@lists.pfsense.org On Behalf Of Ryan Rodrigue
Sent: Thursday, April 26, 2012 5:24 PM
To: 'pfSense support and discussion'
Subject: Re: [pfSense] [pfsense] dansguardian

Mine is up and running, but I have to manually put the dansguardian port in the web browser as a proxy server. I do not have it working for transparent squid. As you can see, most of the settings are default. These are the Dansguardian settings (I hope you can read this).

Daemon Listening Settings
- Enable dansguardian (I agree with dansguardian Terms and Conditions. http://dansguardian.org/?page=copyright2): Checked
- Listen Interface(s): LAN/loopback
- Listen port: 8080

Daemon Options
- softrestart
- Min/Max Children: 8/120
- Min/Max Spare Children: 4/32
- Prefork Children: 8
- Max Age Children: 500
- Max Ips: 0

Parent proxy Settings
- Proxy IP: 127.0.0.1
- Proxy Port: 3128

General Config Settings
- Auth Plugins: Proxy-Basic

Scan Options (all with "on" in ( ))
- Weighted phrase mode: Singular = each weighted phrase found only counts once on a page
- Lower casing options: Force lower case
- Phrase filter mode: Use both
- Url cache number: blank
- Url cache age: blank

SSL man in the middle Filtering
- CA: none
- Cert: webconfigurator default

Content Scanner
- Content Scanners (antivirus): None
- freshclam frequency: Every day
- Content scanner timeout: 60
- Content scan exceptions: No Check
- ICAP URL: Blank

Misc Options
- Misc options: None

In squid from top to bottom I have selected (squid won't paste for some reason):
- Proxy Interface: LAN and Loopback
- Allow users = checked
- Blank until Enable Logging
- Enable logging = checked
- Log store = /var/squid/logs
- Log rotate = 90
- Proxy port = 3128
- ICP port = (blank)
- Visible hostname = localhost
- Administrator email = admin@localhost
- Language = English
- X-Forward = no check
- Disable Via = no check
- Strip: the rest is blank
- Upstream Proxy is totally blank, and I am using no authentication for now.

These may not be the best settings. If anyone has any suggestions, please let me know. I always look for ways to do things better.
Re: [pfSense] [pfsense] dansguardian
This is excellent Ryan, how about the NAT/firewall rules?

From: list-boun...@lists.pfsense.org On Behalf Of Ryan Rodrigue
Sent: Thursday, April 26, 2012 6:40 PM
To: 'pfSense support and discussion'
Subject: Re: [pfSense] [pfsense] dansguardian
Re: [pfSense] [pfsense] dansguardian
This is excellent Ryan, how about the NAT/firewall rules?

Nothing special. Like I said, it really just works.