pfSense bugtracker: Issues
https://redmine.pfsense.org/
2016-04-07T02:47:51Z
pfSense - Bug #6088 (Resolved): RADIUS WebUI - Deny Config Write is not honored
https://redmine.pfsense.org/issues/6088
2016-04-07T02:47:51Z, Phillip Hernandez
<p>After authenticating with a user that has been put into a group with "Deny Config Write", it is not enforced. If you create a local user in that same group, it is enforced as expected.</p>
pfSense - Bug #6086 (Resolved): RADIUS WebUI login does not work with attribute class (25) when t...
https://redmine.pfsense.org/issues/6086
2016-04-07T02:20:21Z, Phillip Hernandez
<p>After doing several packet captures and reviewing RFC 4372, it seems to be a normal operation to include the class 25 attrib in a response back to the client. This causes 2 of the same type of attribs in the same response. Since this is a part of the RADIUS standard to include a class AVP, I suggest that this be changed to filter-id, since it is already a string, can be used in this specific use case, and abides by the RFC.</p>
<p>Code that would need to be changed.</p>
<p>/etc/inc/auth.inc</p>
<pre>
/*
 $attributes must contain a "filter_id" key containing the groups and local
 groups must exist to match.
*/
function radius_get_groups($attributes) {
	$groups = array();
	if (!empty($attributes) && is_array($attributes) && !empty($attributes['filter_id'])) {
		$groups = explode(";", $attributes['filter_id']);
		foreach ($groups as &$grp) {
			$grp = trim($grp);
			if (strtolower(substr($grp, 0, 3)) == "ou=") {
				$grp = substr($grp, 3);
			}
		}
	}
	return $groups;
}
</pre>