Create a new LDAP Binder named 'pfsense' from the 'LDAP Binders' page. Copy the binder password and save it for later.
Check your pfSense version
You do not need to enter Certificate Authority Information for pfSense 2.4.2 and above.
Next you need to add the Foxpass Certificate Authority to pfSense. Obtain the CA via openssl on linux / osx via:
openssl s_client -connect ldap.foxpass.com:636 -showcerts
Copy the text starting at the first "BEGIN CERTIFICATE" to the last "END CERTIFICATE" and paste it in the ‘Certificate data’ field.
Next fill out info on the 'Authentication Servers' page.
Base DN: taken from your foxpass.com dashboard page
Peer certificate authority: This is the CA that was created in the step above
Bind credentials: Same as the ones created for the 'pfsense' LDAP binder in Foxpass
Username Alterations: Uncheck this box
Now you need to mirror your Foxpass LDAP groups in pfSense. Make sure that the groups are set to 'Posix enabled.' In this example there is a group to allow vpn access and a second group to allow admin access to the device.
Within pfsense, create the matching groups and assign the desired permissions according the the documentation. 'Scope' must be set to 'Remote'
Within System / User Manager / Setting change the 'Authentication Server' to be 'Foxpass' and click 'Save & Test.' As shown in the image the bind test will fail, but this is a pfsense ldap implementation issue and does not reflect a problem with your setup. On the Foxpass 'LDAP Logs' you can check to see if the bind worked correctly.
To test what groups a user is a member of go to Diagnostics / Authentication. This handy interface is great for troubleshooting.
Before setting up ldap authentication, it's best to have a working VPN tunnel tested against a system account.
Updated about 2 years ago