User Management

The User Manager is located at System > User Manager. From there, users, groups, and authentication servers may be managed, and the settings that govern the behavior of the User Manager may be changed.

Privileges

Managing privileges for users and groups is done similarly, so both will be covered here rather than duplicating the effort. Whether a user or group is managed, the entry must be created and saved first before privileges can be added to the account or group. To add privileges, when editing the existing user or group, click fa-plus Add in the Assigned Privileges or Effective Privileges section.

A list of all available privileges is presented. Privileges may be added one at a time by selecting a single entry, or by multi-select using ctrl-click. If other privileges are already present on the user or group, they are hidden from this list so they cannot be added twice. To search for a specific privilege by name, enter the search term in the Filter box and click fa-filter Filter.

Selecting a privilege will show a short description of its purpose in the information block area under the permission list and action buttons. Most of the privileges are self-explanatory based on their names, but a few notable permissions are:

WebCfg - All Pages:
 Lets the user access any page in the GUI
WebCfg - Dashboard (all):
 Lets the user access the dashboard page and all of its associated functions (widgets, graphs, etc.)
WebCfg - System: User Password Manager Page:
 If the user has access only to this page, they can log in to the GUI to set their own password but do nothing else.
User - VPN - IPsec xauth Dialin:
 Allows the user to connect and authenticate for IPsec xauth
User - Config - Deny Config Write:
 Does not allow the user to make changes to the firewall config (config.xml). Note that this does not prevent the user from taking other actions that do not involve writing to the config.
User - System - Shell account access:
 Gives the user the ability to log in over SSH, though the user will not have root-level access, so functionality is limited. A package for sudo is available to enhance this feature.

After login, the firewall will attempt to display the dashboard. If the user does not have access to the dashboard, they will be forwarded to the first page in their privilege list which they have permission to access.

Menus on the firewall only contain entries for which privileges exist on a user account. For example, if the only Diagnostics page that a user has access to is Diagnostics > Ping then no other items will be displayed in the Diagnostics menu.

Adding/Editing Users

The Users tab under System > User Manager is where individual users are managed. To add a new user, click fa-plus Add; to edit an existing user, click fa-pencil.

Before permissions may be added to a user, it must first be created, so the first step is always to add the user and save. If multiple users need the same permissions, it is easier to add a group and then add users to the group.

To add a user, click fa-plus Add and the new user screen will appear.

Disabled: This checkbox controls whether this user will be active. If this account should be deactivated, check this box.
Username: Sets the login name for the user. This field is required, must be 16 characters or less, and may only contain letters, numbers, and a period, hyphen, or underscore.
Password: This field and Confirmation are also required. Passwords are stored in the pfSense configuration as hashes. Ensure the two fields match to confirm the password.
Full Name: Optional field which can be used to enter a longer name or a description for a user account.
Expiration Date:
 May also be defined if desired to deactivate the user automatically when that date has been reached. The date must be entered in MM/DD/YYYY format.
Group Memberships:
 If groups have already been defined, this control may be used to add the user as a member. To add a group for this user, find it in the Not Member Of column, select it, and click fa-angle-double-right to move it to the Member Of column. To remove a user from the group, select it from the Member Of column and click fa-angle-double-left to move it to the Not Member Of column.
Effective Privileges:
 Appears when editing an existing user, not when adding a user. See Privileges for information on managing privileges. If the user is part of a group, the group's permissions are shown in this list but those permissions cannot be edited here; additional permissions may still be added to the user directly.
Certificate: Behavior of this section changes depending on whether a user is being added or edited. When adding a user, to create a certificate check Click to create a user certificate to show the form to create a certificate. Fill in the Descriptive name, choose a Certificate Authority, select a Key Length, and enter a Lifetime. For more information on these parameters, see Create an Internal Certificate. If editing a user, this section of the page instead becomes a list of user certificates. From here, click fa-plus Add to add a certificate to the user. The settings on that page are identical to Create an Internal Certificate except that even more of the data is pre-filled with the username. If the certificate already exists, select Choose an Existing Certificate and then pick an Existing Certificate from the list.
Authorized keys:
 SSH public keys may be entered for shell or other SSH access. To add a key, paste or enter the key data.
IPsec Pre-Shared Key:
 Used for a non-xauth Pre-Shared Key mobile IPsec setup. If an IPsec Pre-Shared Key is entered here, the username is used as the identifier. The PSK is also displayed under VPN > IPsec on the Pre-Shared Keys tab. If mobile IPsec will only be used with xauth, this field may be left blank.

After saving the user, click fa-pencil on the user’s row to edit the entry if necessary.

Adding/Editing Groups

Groups are a great way to manage sets of permissions to give users so that they do not need to be maintained individually on every user account. For example, a group could be used for IPsec xauth users, or a group that can access the firewall’s dashboard, a group of firewall administrators, or many other possible scenarios using any combination of privileges.

As with users, a group must first be created before privileges can be added. After saving the group, edit the group to add privileges.

Groups are managed under System > User Manager on the Groups tab. To add a new group from this screen, click fa-plus Add. To edit an existing group, click fa-pencil next to its entry in the list.

Note

When working with LDAP and RADIUS, local groups must exist to match the groups the users are members of on the server. For example, if an LDAP group named "firewall_admins" exists then pfSense must also contain a group named identically, "firewall_admins", with the desired privileges. Remote groups with long names or names containing spaces or other special characters must be configured for a Remote Scope.

Start the process of adding a group by clicking fa-plus Add and the screen to add a new group will appear.

Group name: This setting has the same restrictions as a username: It must be 16 characters or less and may only contain letters, numbers, and a period, hyphen, or underscore. This can feel somewhat limited when working with groups from LDAP, for example, but usually it is easier to create or rename an appropriately-named group on the authentication server instead of attempting to make the firewall group match.
Scope: Can be set to Local for groups on the firewall itself (such as those for use in the shell), or Remote to relax the group name restrictions and to prevent the group name from being exposed to the base operating system. For example, Remote scope group names may be longer, and may contain spaces.
Description: Optional free-form text for reference and to better identify the purpose of the group in case the Group name is not sufficient.
Group Memberships:
 This set of controls defines which existing users will be members of the new group. Firewall users are listed in the Not Members column by default. To add a user to this group, find it in the Not Members column, select it, and click fa-angle-double-right to move it to the Members column. To remove a user from the group, select it from the Members column and click fa-angle-double-left to move it to the Not Members column.
Assigned Privileges:
 Appears only when editing an existing group. This section allows adding privileges to the group. See Privileges earlier in this chapter for information on managing privileges.

Settings

The Settings tab in the User Manager controls two things: How long a login session is valid, and where the GUI logins will prefer to be authenticated.

Session Timeout:
 This field specifies how long a GUI login session will last when idle. This value is specified in minutes, and the default is four hours (240 minutes). A value of 0 may be entered to disable session expiration, making the login sessions valid forever. A shorter timeout is better, though make it long enough that an active administrator would not be logged out unintentionally while making changes.

Warning

Allowing a session to stay valid when idle for long periods of time is insecure. If an administrator leaves a terminal unattended with a browser window open and logged in, someone or something else could take advantage of the open session.

Authentication Server:
 This selector chooses the primary authentication source for users logging into the GUI. This can be a RADIUS or LDAP server, or the default Local Database. If the RADIUS or LDAP server is unreachable for some reason, the authentication will fall back to Local Database even if another method is chosen.

When using a RADIUS or LDAP server, the users and/or group memberships must still be defined in the firewall in order to properly allocate permissions, as there is not yet a method to obtain permissions dynamically from an authentication server.
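The points above (group privileges showing up in a user's Effective Privileges, expiration dates in MM/DD/YYYY form, a Session Timeout of 0 disabling expiry, and shell or all-pages access being notable privileges) can be checked offline against a config.xml backup. The script below is an added example, not code from the pfSense project: it rebuilds each user's effective privileges from the user's own entries plus those of every group listing the user as a member, then reports the settings this section flags as risky. The element names (system/webgui/session_timeout, user/priv, user/expires, group/member) and the internal privilege identifiers page-all, page-dashboard-all and user-shell-access are assumptions about the config.xml layout; compare them with an export from a real firewall before relying on the script, and the sample configuration is constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import date, datetime

# Constructed sample config.xml; nothing here comes from a real firewall.
# Element names are assumptions about the pfSense config layout.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <system>
    <webgui>
      <session_timeout>0</session_timeout>
    </webgui>
    <group>
      <name>admins</name>
      <member>0</member>
      <priv>page-all</priv>
    </group>
    <group>
      <name>dashboard_only</name>
      <member>2000</member>
      <member>2001</member>
      <priv>page-dashboard-all</priv>
    </group>
    <user>
      <name>admin</name>
      <uid>0</uid>
      <priv>user-shell-access</priv>
    </user>
    <user>
      <name>ops.viewer</name>
      <uid>2000</uid>
      <expires>01/15/2020</expires>
    </user>
    <user>
      <name>contractor</name>
      <uid>2001</uid>
      <priv>page-all</priv>
    </user>
  </system>
</pfsense>
"""

# Internal identifiers assumed for "WebCfg - All Pages" and
# "User - System - Shell account access".
SENSITIVE_PRIVS = {"page-all", "user-shell-access"}
DEFAULT_TIMEOUT_MINUTES = 240


def load_system(config_xml):
    """Parse config.xml text and return its <system> element."""
    return ET.fromstring(config_xml).find("system")


def effective_privileges(system):
    """Map each username to its own <priv> entries plus those of every group it
    belongs to, mirroring the Effective Privileges list in the GUI.

    Groups list their members by uid, so group privileges are collected per uid
    first and then merged with the user's own privileges.
    """
    inherited = {}
    for group in system.findall("group"):
        privs = {p.text for p in group.findall("priv") if p.text}
        for member in group.findall("member"):
            inherited.setdefault(member.text, set()).update(privs)
    effective = {}
    for user in system.findall("user"):
        own = {p.text for p in user.findall("priv") if p.text}
        effective[user.findtext("name")] = own | inherited.get(user.findtext("uid"), set())
    return effective


def audit(config_xml, today):
    """Return human-readable findings for the settings this section warns about."""
    system = load_system(config_xml)
    findings = []

    timeout = system.findtext("webgui/session_timeout")
    if timeout is not None:
        minutes = int(timeout)
        if minutes == 0:
            findings.append("session_timeout=0: idle GUI sessions never expire")
        elif minutes > DEFAULT_TIMEOUT_MINUTES:
            findings.append(f"session_timeout={minutes}: longer than the 240-minute default")

    effective = effective_privileges(system)
    for user in system.findall("user"):
        name = user.findtext("name")
        if user.find("disabled") is not None:
            continue  # a disabled account cannot log in, so nothing to report
        expires = user.findtext("expires")  # MM/DD/YYYY, as entered in the GUI
        if expires and datetime.strptime(expires, "%m/%d/%Y").date() < today:
            findings.append(f"{name}: expired on {expires}, consider removing the account")
        for priv in sorted(effective[name] & SENSITIVE_PRIVS):
            findings.append(f"{name}: holds {priv}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, date.today()):
        print(finding)
```

Run it against a saved backup rather than the live file; the output is a review list, and the user that inherits page-all through a group appears with that privilege even though its own entry carries none, which is exactly why the Effective Privileges list rather than the per-user entry is what to review.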

For group membership to work properly, pfSense must be able to recognize the groups as presented by the authentication server. This requires two things:

  1. The local groups must exist with identical names.
  2. pfSense must be able to locate or receive a list of groups from the authentication server.

See Authentication Servers for details specific to each type of authentication server.