pfSense with FreeIPA

Integrating a pfSense firewall with FreeIPA

  1. Ensure that the primary DNS server in pfSense is set to the FreeIPA instance

  2. Add the necessary A record to FreeIPA, using the IP address of the LAN port of pfSense

    Identity -> Hosts, “Add” button
    Enter the pfSense host name and the LAN IP address from step 2

  3. Add FreeIPA as a CA for pfSense

System -> Certificates -> Authorities, “Add” button

        Descriptive name: *WHATEVER*
        Method: Import an existing Certificate Authority
        Trust Store: *Enabled*  
        Randomize Serial: *Enabled*  
        Certificate data: *Paste the certificate from the FreeIPA CA* 
        "Save" button  

  4. Add FreeIPA as an LDAP server for pfSense

System -> User Manager -> Authentication Servers, “Add” button

        Descriptive name: *WHATEVER*  
        Type: LDAP  
        Hostname or IP address: *IP address or hostname of FreeIPA instance*  
        Port value: 389 if using Standard TCP, 636 if using TLS (TLS is preferable, as the bind password otherwise crosses the network in clear text)  
        Transport: *Must match the Port value*  
        Peer Certificate Authority: *Select FreeIPA CA*  
        Protocol version: 3  
        Server Timeout: 25  
        Search scope:  
            Level - Entire Subtree  
            Base DN - dc=foobar,dc=com  
        Authentication containers: cn=users,cn=accounts,dc=foobar,dc=com  
        Extended query: *Enabled*  
        Query: memberOf=cn=*pfsense group created in FreeIPA*,cn=groups,cn=accounts,dc=foobar,dc=com  
        Bind credentials: uid=*LDAP RO user*,cn=users,cn=accounts,dc=foobar,dc=com / *Password for LDAP RO user*  
        User naming attribute: uid  
        Group naming attribute: cn  
        Group member attribute: memberOf  
        RFC 2307 Groups: *NOT Enabled*  
        Group Object Class: posixGroup  
        Shell Authentication Group DN: cn=*pfsense group created in FreeIPA*,cn=groups,cn=accounts,dc=foobar,dc=com  
        UTF8 Encode: *NOT Enabled*  
        Username Alterations: *NOT Enabled*  
        Allow unauthenticated bind: *NOT Enabled*

Set the created authentication server as a way to log in to the web GUI and the shell

System -> User Manager -> Settings

        Authentication Server: *Authentication Server created above*
        Shell Authentication: *Enabled* 
        "Save & Test" button
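Before clicking “Save & Test”, the same bind credentials, CA trust and group filter can be exercised from an admin host with the OpenLDAP client tools. This is an added example, not part of the original notes; the server name, read-only user, group name and CA certificate path are placeholders to replace with your own values.

```shell
#!/bin/sh
# Pre-flight check of the pfSense LDAP settings against FreeIPA.
# Placeholder values (assumed, not from the notes):
IPA_HOST="ipa.foobar.com"          # FreeIPA server
DOMAIN="foobar.com"                # becomes the Base DN
RO_USER="pfsense-ro"               # the "LDAP RO user" used for Bind credentials
PFSENSE_GROUP="pfsense-admins"     # the "pfsense group created in FreeIPA"
CA_CERT="/etc/ipa/ca.crt"          # same CA certificate pasted into pfSense

# Turn "foobar.com" into "dc=foobar,dc=com" (the Base DN field).
domain_to_base_dn() {
    printf '%s\n' "$1" | awk -F. '{ s = ""; for (i = 1; i <= NF; i++) s = s (i > 1 ? "," : "") "dc=" $i; print s }'
}

# The filter pfSense effectively uses: the "Extended query" memberOf clause
# ANDed with the user naming attribute (uid).
build_filter() {
    base=$(domain_to_base_dn "$2")
    printf '%s\n' "(&(uid=*)(memberOf=cn=$1,cn=groups,cn=accounts,$base))"
}

# Bind as the RO user over LDAPS and list the uids that pfSense would accept.
# LDAPTLS_CACERT makes ldapsearch verify the server certificate against the
# FreeIPA CA, mirroring "Peer Certificate Authority": a TLS failure here
# points at the CA import in step 3, an "Invalid credentials" at the bind DN.
check_ldap() {
    base=$(domain_to_base_dn "$DOMAIN")
    filter=$(build_filter "$PFSENSE_GROUP" "$DOMAIN")
    LDAPTLS_CACERT="$CA_CERT" ldapsearch -LLL -o ldif-wrap=no \
        -H "ldaps://$IPA_HOST:636" \
        -D "uid=$RO_USER,cn=users,cn=accounts,$base" -W \
        -b "cn=users,cn=accounts,$base" "$filter" uid
}

if [ "${1:-}" = "run" ]; then
    check_ldap   # prompts for the RO user's password
fi
```

An empty result with no error means the bind works but nobody is in the group yet, which is exactly what pfSense would then report as a failed login.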

  5. Add the ACME package to pfSense

System -> Package Manager -> Available Packages, “Install” button, “Confirm” button

As of writing, pfSense does not allow a custom ACME server by default. The ACME package file /usr/local/pkg/acme/acme.inc must be modified to accommodate this. It is advisable to keep a copy of the unmodified acme.inc before editing it, and to keep a copy of the edit as well, since upgrading the ACME package will overwrite the file. From the pfSense shell:

	[2.7.2-RELEASE][admin@foobar.com]/root: vim /usr/local/pkg/acme/acme.inc

Find the section for the “dummy” acme server that is commented out, by searching for “dummy”, and modify it to the correct values:

        $a_acmeserver['freeipa'] = [
            'name' => "Custom FreeIPA server",
            'url'=> 'https://ipa.foobar.com/acme/directory'
        ];

Note that the “/acme/directory” path must be appended to the FQDN of the FreeIPA server. Save the file.

Navigate to the web GUI of pfSense:

Services -> Acme Certificates -> Account keys, “Add” button.

        Name: *WHATEVER*
        Description: *WHATEVER*
        ACME Server: Custom FreeIPA server
        E-Mail Address: *DOESN'T MATTER, INTERNAL ACME SERVER*
        "Create new account key" button
        "Register ACME account key" button - a check mark indicates success, an x indicates failure
        "Save" button if successful

Services -> Acme Certificates -> General Settings

        Cron Entry: *Enabled*
        Write Certificates: *Enabled*

Services -> Acme Certificates -> Certificates, “Add” button

        Name: *WHATEVER*
        Description: *WHATEVER*
        Status: Active
        Acme Account: *NAME OF ACME ACCOUNT CREATED ABOVE*
        Private Key: *WHATEVER, 2048-bit RSA is the minimum for pfSense*
        OCSP Must Staple: *NOT Enabled*
        Preferred Chain: *Leave Empty*
        Domain SAN list:
            Mode: Enabled
            Domainname: pfsense.foobar.com
            Method: DNS-Manual
        DNS-Sleep: *NOT NEEDED*
        Actions list:
            "Add" button
            Mode: Enabled
            Command: /etc/rc.restart_webgui
            Method: Shell Command
        Certificate renewal after: 90 (days)
        "Save" button

Note that because this is a custom ACME solution using the DNS-Manual method, the following steps must be performed manually every time the SSL certificate is issued or renewed.

Services -> Acme Certificates -> Certificates, “Issue” button

Take note of the output stating:

        ...
        [Wed Oct 2 10:30:19 MDT 2024] Add the following TXT record:
        [Wed Oct 2 10:30:19 MDT 2024] Domain: '_acme-challenge.pfsense.foobar.com'
        [Wed Oct 2 10:30:19 MDT 2024] TXT value: '*A BUNCH OF RANDOM NUMBERS AND LETTERS*'
        ...

This will be the TXT record input into FreeIPA. In the FreeIPA web GUI:

Network Services -> DNS dropdown, DNS Zones -> Click the Zone name for the domain name associated with pfSense -> “Add” button

        Record name: _acme-challenge.pfsense
        Record Type: TXT
        Text Data: *TXT value from above*
        "Add" button

Back in the pfSense GUI:

Services -> Acme Certificates -> Certificates, “Renew” button
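The manual DNS-01 round trip above (read the “Issue” output, add the TXT record in FreeIPA, then “Renew”) can be scripted from an admin host that has the FreeIPA CLI and dig. This is an added example, not part of the original notes or of the ACME package; the zone name, server name and TXT value are placeholders, and the sample output is constructed from the lines shown above.

```shell
#!/bin/sh
# Turn the acme.sh "Issue" output into the matching FreeIPA DNS record and
# confirm it is served before "Renew" is clicked. Assumes a Kerberos ticket
# for an account allowed to edit the zone (ipa CLI) and dig on the PATH.
IPA_HOST="ipa.foobar.com"     # placeholder FreeIPA DNS server
ZONE="foobar.com"             # placeholder zone holding pfsense.foobar.com

# Constructed sample of the output shown in the notes (token is a placeholder).
ACME_OUTPUT=$(cat <<'EOF'
[Wed Oct 2 10:30:19 MDT 2024] Add the following TXT record:
[Wed Oct 2 10:30:19 MDT 2024] Domain: '_acme-challenge.pfsense.foobar.com'
[Wed Oct 2 10:30:19 MDT 2024] TXT value: 'PLACEHOLDER_TOKEN_FROM_ACME'
EOF
)

# Pull the single-quoted value that follows "<label>: " in the output.
extract_field() {
    printf '%s\n' "$2" | sed -n "s/.*$1: '\([^']*\)'.*/\1/p" | head -n 1
}

# FreeIPA wants the record name relative to the zone: strip ".$ZONE".
ipa_record_name() {
    printf '%s\n' "${1%.$2}"
}

# Build the ipa command that adds the TXT record the challenge asks for.
ipa_add_cmd() {
    fqdn=$(extract_field Domain "$1")
    value=$(extract_field "TXT value" "$1")
    printf "ipa dnsrecord-add %s %s --txt-rec='%s'\n" \
        "$2" "$(ipa_record_name "$fqdn" "$2")" "$value"
}

# Returns 0 once the record is answered by the FreeIPA resolver; acme.sh
# fails the DNS-01 check if "Renew" is clicked before this is true.
txt_published() {
    fqdn=$(extract_field Domain "$1")
    value=$(extract_field "TXT value" "$1")
    dig +short TXT "$fqdn" "@$IPA_HOST" | grep -qF "\"$value\""
}

if [ "${1:-}" = "run" ]; then
    eval "$(ipa_add_cmd "$ACME_OUTPUT" "$ZONE")"   # our own string, so eval is safe here
    until txt_published "$ACME_OUTPUT"; do sleep 5; done
    echo "TXT record published; click Renew in Services -> Acme Certificates"
fi
```

Stale _acme-challenge records from earlier renewals should be removed in FreeIPA afterwards, otherwise the next DNS-01 check may see several TXT values.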

Set the certificate generated as the webConfigurator certificate:

System -> Advanced -> Admin Access

        SSL/TLS Certificate: *NAME OF CERTIFICATE*
        "Save" button