pfSense User Management - Local, LDAP, and RADIUS

User Manager (System > User Manager) is the centralized account management system in pfSense. It is used to create local users, define groups with specific privileges, and configure connections to external authentication servers. User accounts serve not only for web GUI access but also for VPN service authentication, Captive Portal, and SSH console access to the firewall.

Administrator Account

During pfSense installation, an admin account is created with full privileges across all system functions. This account cannot be deleted and always retains its complete privilege set.

Admin Account Security Recommendations

Recommendation	Description
Change the default password	The first action after installation should be changing the admin password
Use a strong password	Minimum 12 characters including letters, numbers, and special characters
Create named accounts	Use individual accounts for day-to-day administration
Restrict GUI access	Configure firewall rules to limit web interface access by IP address

Warning:
Sharing the admin account among multiple administrators makes action auditing difficult. Create individual named accounts for each administrator.

Creating Local Users

The local user database is stored in the pfSense configuration (config.xml) and does not depend on external authentication servers.

User Creation Procedure

Navigate to System > User Manager, tab Users
Click Add to create a new user
Fill in the parameters:

Parameter	Description
Disabled	Disable the account without deleting it
Username	Username (Latin letters, numbers, hyphens, periods)
Password	Account password
Full name	Full user name for identification
Expiration date	Date for automatic account deactivation
Custom Settings	Individual interface preferences (theme, language)
Group membership	Group associations
Certificate	User certificate binding
Authorized keys	SSH keys for console access authentication
IPsec Pre-Shared Key	Pre-shared key for IPsec VPN

Click Save

Account Expiration Date

The Expiration date field allows automatic account deactivation after a specified period. This is useful for:

Temporary contractor accounts
Time-limited accounts (interns, auditors)
Compliance with security policies requiring periodic access revalidation

After expiration, the user will be unable to authenticate with any pfSense service that uses the local database.

Groups and Privileges

Groups aggregate users with identical access rights. Privileges are assigned at the group level and inherited by all members. Additional privileges can be assigned individually to specific users.

Built-in admins Group

pfSense includes a built-in admins group with the WebCfg - All pages privilege assigned. All users in this group receive full web interface access. The admin account is automatically included in this group.

Creating a Group

Navigate to System > User Manager, tab Groups
Click Add
Fill in the parameters:

Parameter	Description
Group name	Group name (Latin letters, numbers)
Scope	Local (for local groups) or Remote (for LDAP/RADIUS groups)
Description	Description of the group purpose
Group membership	Users belonging to the group

Click Save
Open the group for editing
In the Assigned Privileges section, click Add
Select the required privileges
Click Save

Common Privilege Schemes

Role	Privileges	Purpose
Full administrator	WebCfg - All pages	Complete access to all web interface pages
Monitoring operator	WebCfg - Dashboard, WebCfg - Status: *	View system status without modification capability
VPN administrator	WebCfg - OpenVPN: , WebCfg - IPsec:	VPN connection management
Firewall administrator	WebCfg - Firewall: , WebCfg - Diagnostics:	Firewall rule management and diagnostics
VPN user	User - VPN: IPsec/OpenVPN	VPN connection access only

Principle of Least Privilege

When assigning privileges, adhere to the following guidelines:

Each user receives only the privileges necessary for their tasks
Privileges are assigned through groups rather than individually (except in special cases)
Conduct regular privilege audits and remove unused assignments
Document the justification for each privilege assignment

Authentication Servers

pfSense supports integration with external authentication servers for centralized account management.

LDAP and Active Directory

LDAP integration allows authenticating users through a corporate Active Directory or OpenLDAP directory.

LDAP Server Configuration

Navigate to System > User Manager, tab Authentication Servers
Click Add
Fill in the parameters:

Parameter	Value	Description
Descriptive name	Corporate-AD	Identification name
Type	LDAP	Server type
Hostname or IP	dc.example.com	Domain controller address
Port	389 (LDAP) / 636 (LDAPS)	Connection port
Transport	TCP - Standard / SSL/TLS	Transport protocol
Peer Certificate Authority	AD-CA	CA for server certificate verification (with LDAPS)
Protocol version	3	LDAP protocol version
Search scope	Entire Subtree	Search scope
Base DN	DC=example,DC=com	Base DN for searches
Authentication containers	OU=Users,DC=example,DC=com	Containers for user searches
Bind credentials	CN=ldap-reader,OU=Service,DC=example,DC=com	Search account (bind DN)
User naming attribute	samAccountName	User naming attribute (AD)
Group naming attribute	cn	Group naming attribute
Group member attribute	memberOf	Group membership attribute

Click Save

Bind Account Requirements

pfSense requires a service account (bind account) with read permissions to search the directory. Requirements for this account:

Minimal privileges - read-only access to user and group attributes
Password should not expire (or ensure timely rotation in pfSense)
Account must not be locked by AD security policies

Warning:
Do not use a domain administrator as the bind account. Compromise of this account would grant an attacker excessive privileges in the domain.

RADIUS

RADIUS integration provides authentication through a centralized RADIUS server (FreeRADIUS, Microsoft NPS, Cisco ISE, etc.).

RADIUS Server Configuration

Navigate to System > User Manager, tab Authentication Servers
Click Add
Fill in the parameters:

Parameter	Value	Description
Descriptive name	Corporate-RADIUS	Identification name
Type	RADIUS	Server type
Hostname or IP	radius.example.com	RADIUS server address
Shared Secret	************	Shared secret for server communication
Services offered	Authentication and Accounting	Provided services
Authentication port	1812	Authentication port
Accounting port	1813	Accounting port
Authentication Timeout	5	Response timeout (seconds)
RADIUS NAS IP Attribute	LAN IP	pfSense IP address for RADIUS server identification

Click Save

RADIUS Group Mapping

To assign privileges to users authenticated via RADIUS, create local groups with the Remote scope and configure the RADIUS server to return an attribute containing the group name. The group name in the RADIUS attribute must exactly match the local group name in pfSense.

Testing Authentication

After configuring an authentication server, verify the connection:

Navigate to Diagnostics > Authentication
Select the authentication server
Enter a username and password
Click Test

The result displays the authentication status and the list of groups the user belongs to. If authentication fails, check the following:

Server network reachability (ping, traceroute)
Bind credential correctness (for LDAP)
Shared secret correctness (for RADIUS)
Base DN and Authentication containers accuracy (for LDAP)

Default Authentication Source

To change the authentication source used for web interface login:

Navigate to System > User Manager, tab Settings
In the Authentication Server field, select the desired server
Click Save

Warning:
When switching to an external authentication server, ensure the local admin account remains functional. If the external server becomes unavailable, it will be the only way to access the system.

Console and SSH Access

SSH Access

pfSense supports SSH access for command-line administration.

Enable SSH: System > Advanced, tab Admin Access, section Secure Shell
Check Enable Secure Shell
Specify the SSH port (default 22)
Select the authentication method:

Method	Description
Password	Password authentication (less secure)
Public Key Only	SSH key only (recommended)
Both	Password and key

For SSH key authentication, add the public key to the Authorized keys field of the user account.

Shell Access

By default, users with SSH access receive the pfSense console menu. To grant full shell access (tcsh):

Assign the User - System: Shell account access privilege to the user
This provides full FreeBSD command-line capabilities

Warning:
Shell access provides unrestricted system modification capabilities, including direct configuration editing. Grant it only to trusted administrators.

Sudo Access

pfSense supports sudo through the sudo package:

Install the sudo package via System > Package Manager
Configure sudo rules under System > sudo
Define which commands are available for each user or group

Multi-Factor Authentication

pfSense supports multi-factor authentication (MFA) through integration with RADIUS servers that support TOTP/HOTP (for example, FreeRADIUS with Google Authenticator module or privacyIDEA).

MFA Workflow

The user enters their username and password in the pfSense login form
pfSense forwards the credentials to the RADIUS server
The RADIUS server verifies the password and validates the OTP (or accepts the OTP concatenated with the password)
On successful verification, RADIUS returns Access-Accept

TOTP Integration

To implement TOTP (Time-based One-Time Password):

Configure a RADIUS server with TOTP support
Add the RADIUS server to pfSense as described above
Configure users on the RADIUS server with TOTP secret binding
Users enter their password concatenated with the OTP code (the format depends on RADIUS configuration)

Troubleshooting

Cannot Log In to the Web Interface

Possible causes and resolutions:

Cause	Resolution
Forgotten admin password	Reset the password via console (option 3 in the menu)
External authentication server unavailable	Log in with the local admin account
Account is locked	Check the expiration date and account status
Browser rejects the certificate	Check the certificate settings

LDAP Bind Failure

Check LDAP server reachability: Diagnostics > Ping or Diagnostics > Test Port
Verify the bind DN format (for AD: CN=user,OU=container,DC=domain,DC=com)
Check whether the service account is locked by AD policies
When using LDAPS, verify that the CA certificate is imported into pfSense
Use Diagnostics > Authentication for testing

LDAP/RADIUS Groups Not Mapping to Privileges

Create a local group with Remote scope
Verify that the local group name exactly matches the directory group name
For LDAP: check the Group member attribute setting (memberOf for AD)
For RADIUS: verify that the RADIUS server returns a group name attribute
Use Diagnostics > Authentication to check the user group list

VPN User Cannot Connect

Verify the account is not disabled or expired
Check that the account has VPN access privileges
For certificate-based authentication, verify certificate-to-user binding
Check VPN logs under Status > System Logs

Migration Notes

When migrating pfSense configuration between devices, the local user database transfers automatically as part of config.xml. Keep in mind:

All local users, groups, and privileges are preserved in the configuration backup
External authentication server settings (LDAP, RADIUS) are transferred, but connectivity should be verified after migration
User SSH keys are stored in the configuration
User certificates are transferred with the main configuration

Related Sections

Certificate Management - creating client certificates for VPN authentication
VPN - OpenVPN - configuring VPN with user authentication
Firewall Rules - restricting web interface access by IP address

Last updated on 7, April 2026