website/integrations/networking/pfsense/index.md
The pfSense project is a free network firewall distribution, based on the FreeBSD operating system with a custom kernel and including third party free software packages for additional functionality.
:::info This is based on authentik 2022.3.3 and pfSense 2.6.0-amd64 :::
The following placeholders are used in this guide:
authentik.company is the FQDN of authentik.pfsense-user is the name of the authentik Service account we'll create.DC=ldap,DC=goauthentik,DC=io is the Base DN of the LDAP Provider (default):::info This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application. :::
In authentik, create a service account (under Directory/Users) for pfSense to use as the LDAP Binder and take note of the password generated.
In this example, we'll use pfsense-user as the Service account's username
:::info If you didn't keep the password, you can copy it from Directory/Tokens & App password. :::
In authentik, create a LDAP Provider (under Applications/Providers) with these settings :
DC=ldap,DC=goauthentik,DC=ioself-signedIn authentik, create an application (under Resources/Applications) with these settings :
In authentik, create an outpost (under Applications/Outposts) of type LDAP that uses the LDAP Application you created in Step 3.
:::caution This setup should only be used for testing purposes, because passwords will be sent in clear text to authentik. :::
Add your authentik LDAP server to pfSense by going to your pfSense Web UI and clicking the + Add under System/User Manager/Authentication Servers.
Change the following fields
authentik.companyDC=ldap,DC=goauthentik,DC=ioOU=users,DC=ldap,DC=goauthentik,DC=iocn=pfsense-user,ou=users,dc=ldap,dc=goauthentik,dc=io<pfsense-user password from step 2>memberOfWhen enabling SSL, authentik will send a certificate to pfSense. This certificate has to be signed by a certificate authority trusted by pfSense. In this setup we will create our own certificate authority in pfSense and create a certificate that will be used by authentik.
In pfSense, create a certificate authority under System/Cert. Manager and click the + Add button.
pfSense CApfSense CAIn pfSense, create a server certificate under System/Cert. Manager. Go to the Certificates tab then click the + Add button.
Change the following fields
authentik.company398authentik.companyServer CertificateAll other fields can be left blank.
In pfsense, export the public and the private key of the certificate by going under System/Cert. Manager and then to the Certificate tab.
In authentik, import the public and the private key by going under System/Certificates and then click on create.
In authentik, edit the LDAP provider configuration under Applications/Providers and select the certificate we just imported.
In pfSense, add your authentik LDAP server by going to your pfSense Web UI and clicking the + Add under System/User Manager/Authentication Servers.
Change the following fields
authentik.companypfSense CADC=ldap,DC=goauthentik,DC=ioOU=users,DC=ldap,DC=goauthentik,DC=iocn=pfsense-user,ou=users,dc=ldap,dc=goauthentik,dc=io<pfsense-user password from step 2>In pfSense, you can validate the authentication backend setup by going to Diagnostics/Authentication and then select LDAP authentik as Authentication Server.
You can use the credentials of an authentik user, pfSense will tell you if the connection was successful or not. If it is, congratulations, you can now change the pfSense default authentication backend.
In pfSense, you can change the authentication backend used by the Web UI by going to System/User Manager and then click on Settings tab.
LDAP authentik:::tip
Secure LDAP more by creating a group for your DN Bind users and restricting the Search group of the LDAP Provider to them.
:::