
Setting up Cisco ISE to work with pfSense

ejerviss
Level 1

We are trying to set up MFA on our pfSense firewalls for the webGUI for management. We would like to use a RADIUS setup with ISE to gain access using MFA. I am able to see my authentications pass in ISE, but on pfSense I don't have a user group to associate with. It states I need a local account with group privileges, but I don't have one without creating a local user.

 

Does anyone have experience with this?

Accepted Solutions

martin.fischer
Level 1

Hi @ejerviss 

If I remember correctly you don't need a local user but you need to reference the local group in the RADIUS response on ISE with the class attribute. E.g. if you want to give the user admin rights and your local group is called admins then return RADIUS:Class equals admins

Best regards


ejerviss
Level 1

Hi @martin.fischer,

 

Thank you for your post, yes this option worked for me!  I am now able to log in with no issues.

 

I also have webGUI login working with DUO MFA.  I can only do PAP as my authentication type.  Is that the only option?  I tried MS-CHAPv2 but that didn't work. Wondering if there is another setting I need to find.

 

Thank you!
