Project

General

Profile

Actions

Bug #1112

closed

IPsec GUI/backend missing RADIUS support

Added by Jim Pingle almost 11 years ago. Updated over 8 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Ermal Luçi
Category:
IPsec
Target version:
Start date:
12/16/2010
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
Affected Architecture:
All

Description

The User and Group choices for User Authentication in the IPsec Mobile GUI are hardcoded to only show "System" and not RADIUS servers defined under System > User Manager on the Servers tab.

The backend code also doesn't have the needed support to trigger a proper radius config for racoon. We need to write out a radius.conf file like so:
http://www.netbsd.org/docs/network/ipsec/rasvpn.html#radius

Actions #1

Updated by Ermal Luçi almost 11 years ago

  • Target version changed from 2.0 to 2.1
Actions #2

Updated by Ermal Luçi almost 10 years ago

  • Affected Version deleted (2.0)

Probably this should be handled the same as openvpn through an external script.

Actions #3

Updated by Jim Pingle almost 10 years ago

Not sure if racoon supports that... from racoon.conf(5)

             The following are valid statements:
             auth_source (system | radius | pam | ldap);
                     Specifies the source for authentication of users through
                     Xauth.  system means to use the Unix user database.  This
                     is the default.  radius means to use a RADIUS server.  It
                     works only if racoon(8) was built with libradius support.
                     Radius configuration is handled by statements in the
                     radiuscfg section.  pam means to use PAM.  It works only
                     if racoon(8) was built with libpam support.  ldap means
                     to use LDAP.  It works only if racoon(8) was built with
                     libldap support.  LDAP configuration is handled by state-
                     ments in the ldapcfg section.
[...]
     radiuscfg { statements }
             Defines the parameters that will be used to communicate with
             radius servers for xauth authentication.  If radius is selected
             as the xauth authentication or accounting source and no servers
             are defined in this section, settings from the system
             radius.conf(5) configuration file will be used instead.

             The following are valid statements:
             auth (hostname | address) [port] sharedsecret;
                     The host name or ip address, optional port value and
                     shared secret value of a radius authentication server.
                     Up to 5 radius authentication servers may be specified
                     using multiple lines.
             acct (hostname | address) [port] sharedsecret;
                     The host name or ip address, optional port value and
                     shared secret value of a radius accounting server.  Up to
                     5 radius accounting servers may be specified using multi-
                     ple lines.
             timeout seconds;
                     The timeout for receiving replies from radius servers.
                     The default is 3.
             retries count;
                     The maximum number of repeated requests to make before
                     giving up on a radius server.  The default is 3.
[...]
     ldapcfg { statements }
             Defines the parameters that will be used to communicate with an
             ldap server for xauth authentication.

             The following are valid statements:
             version (2 | 3);
                     The ldap protocol version used to communicate with the
                     server.  The default is 3.
             host (hostname | address);
                     The host name or ip address of the ldap server.  The
                     default is localhost.
             port number;
                     The port that the ldap server is configured to listen on.
                     The default is 389.
             base distinguished name;
                     The ldap search base.  This option has no default value.
             subtree (on | off);
                     Use the subtree ldap search scope.  Otherwise, use the
                     one level search scope.  The default is off.
             bind_dn distinguished name;
                     The user dn used to optionally bind as before performing
                     ldap search operations.  If this option is not specified,
                     anonymous binds are used.
             bind_pw string;
                     The password used when binding as bind_dn.
             attr_user attribute name;
                     The attribute used to specify a users name in an ldap
                     directory.  For example, if a user dn is
                     "cn=jdoe,dc=my,dc=net" then the attribute would be "cn".
                     The default value is cn.
             attr_addr attribute name;
             attr_mask attribute name;
                     The attributes used to specify a users network address
                     and subnet mask in an ldap directory.  These values are
                     forwarded during mode_cfg negotiation when the
                     conf_source is set to ldap.  The default values are
                     racoon-address and racoon-netmask.
             attr_group attribute name;
                     The attribute used to specify a group name in an ldap
                     directory.  For example, if a group dn is
                     "cn=users,dc=my,dc=net" then the attribute would be "cn".
                     The default value is cn.
             attr_member attribute name;
                     The attribute used to specify group membership in an ldap
                     directory.  The default value is member.

Looks like the previous instructions I linked above were for an older racoon that didn't directly support radius/ldap.

I don't see a way to run that auth through a script or it would be much easier, unless we can come up with something like a custom pam module to auth through a script (if that's even possible)

Actions #4

Updated by Ermal Luçi almost 10 years ago

Does not seem to hard to add support for external script authentication.
Probably that is the easiest path to follow rather than re-invent the whole work done on OpenVPN.

Actions #5

Updated by Ermal Luçi almost 10 years ago

  • Assignee set to Ermal Luçi
Actions #6

Updated by Ermal Luçi almost 10 years ago

  • Status changed from New to Feedback

Patch committed to pfPort of ipsec-tools.
Btw probably it is not needed to compile racoon with LDAP and RADIUS support.

The syntax is:
auth_source external;

extcfg { script /path_to_script }

Actions #7

Updated by Jim Pingle over 9 years ago

  • Status changed from Feedback to New

Setting this back to New only since we still need to code up GUI support for this. The backend part should be OK.

Actions #8

Updated by Jonh Nash about 9 years ago

Good evening,

it's possible to have the script file?
I don't understand where make the change.

thanks a lot.
Jonh

Actions #9

Updated by Jim Pingle about 9 years ago

There is no script yet, which is why this ticket is still open.

Actions #10

Updated by Jonh Nash about 9 years ago

Thanks for response.

Think you that is resolved quickly?

Actions #11

Updated by Jim Pingle almost 9 years ago

  • Status changed from New to Feedback

Support for RADIUS/LDAP was committed a couple weeks ago and appears to be working fine, though it may yet need some slight adjustments for people upgrading (should probably assume that the old system setting or no setting at all is the same as "Local Database" when using xauth).

Actions #12

Updated by Jonh Nash almost 9 years ago

Hi Jim, I confirm that works fine. Great job.

Actions #13

Updated by Jonh Nash almost 9 years ago

Hi Jim,
from a few days it stopped working. No longer requests are forwarded to the radius.

thanks
Jonh

Actions #14

Updated by Ermal Luçi almost 9 years ago

Can you please be more verbose about what is not working?

Actions #15

Updated by Jonh Nash almost 9 years ago

Hi Ermal, I can authenticate the client on radius, but I cannot allocate the ip address and I cannot see the accounting. I think the problem is regarding the radius-attributes. On the latters I haven't found anything in the pfsense forum. Can you help me, please?

Actions #16

Updated by Ermal Luçi almost 9 years ago

Oh that part is not yet functional.
It is on my TODO which can be pushed if someone has the need.
But probably from what i see want be for 2.1

Actions #17

Updated by Ermal Luçi almost 9 years ago

  • Status changed from Feedback to Resolved

Please open a new ticket about that.

Actions #18

Updated by Jonh Nash over 8 years ago

Hello Ermal,
I'll open a ticket regard the IP allocation and accounting problems.
I would like to know if the radius-attributes in your TODO list have been completed on new firmware 2.1-RC1?
I would try it.

Thanks in advance for your help.
Jonh

Actions

Also available in: Atom PDF