Bug #1112
closed
IPsec GUI/backend missing RADIUS support
0%
Description
The User and Group choices for User Authentication in the IPsec Mobile GUI are hardcoded to only show "System" and not RADIUS servers defined under System > User Manager on the Servers tab.
The backend code also doesn't have the needed support to trigger a proper radius config for racoon. We need to write out a radius.conf file like so:
http://www.netbsd.org/docs/network/ipsec/rasvpn.html#radius
Updated by Ermal Luçi about 12 years ago
- Affected Version deleted (
2.0)
Probably this should be handled the same as openvpn through an external script.
Updated by Jim Pingle about 12 years ago
Not sure if racoon supports that... from racoon.conf(5)
The following are valid statements:
auth_source (system | radius | pam | ldap);
Specifies the source for authentication of users through
Xauth. system means to use the Unix user database. This
is the default. radius means to use a RADIUS server. It
works only if racoon(8) was built with libradius support.
Radius configuration is handled by statements in the
radiuscfg section. pam means to use PAM. It works only
if racoon(8) was built with libpam support. ldap means
to use LDAP. It works only if racoon(8) was built with
libldap support. LDAP configuration is handled by state-
ments in the ldapcfg section.
[...]
radiuscfg { statements }
Defines the parameters that will be used to communicate with
radius servers for xauth authentication. If radius is selected
as the xauth authentication or accounting source and no servers
are defined in this section, settings from the system
radius.conf(5) configuration file will be used instead.
The following are valid statements:
auth (hostname | address) [port] sharedsecret;
The host name or ip address, optional port value and
shared secret value of a radius authentication server.
Up to 5 radius authentication servers may be specified
using multiple lines.
acct (hostname | address) [port] sharedsecret;
The host name or ip address, optional port value and
shared secret value of a radius accounting server. Up to
5 radius accounting servers may be specified using multi-
ple lines.
timeout seconds;
The timeout for receiving replies from radius servers.
The default is 3.
retries count;
The maximum number of repeated requests to make before
giving up on a radius server. The default is 3.
[...]
ldapcfg { statements }
Defines the parameters that will be used to communicate with an
ldap server for xauth authentication.
The following are valid statements:
version (2 | 3);
The ldap protocol version used to communicate with the
server. The default is 3.
host (hostname | address);
The host name or ip address of the ldap server. The
default is localhost.
port number;
The port that the ldap server is configured to listen on.
The default is 389.
base distinguished name;
The ldap search base. This option has no default value.
subtree (on | off);
Use the subtree ldap search scope. Otherwise, use the
one level search scope. The default is off.
bind_dn distinguished name;
The user dn used to optionally bind as before performing
ldap search operations. If this option is not specified,
anonymous binds are used.
bind_pw string;
The password used when binding as bind_dn.
attr_user attribute name;
The attribute used to specify a users name in an ldap
directory. For example, if a user dn is
"cn=jdoe,dc=my,dc=net" then the attribute would be "cn".
The default value is cn.
attr_addr attribute name;
attr_mask attribute name;
The attributes used to specify a users network address
and subnet mask in an ldap directory. These values are
forwarded during mode_cfg negotiation when the
conf_source is set to ldap. The default values are
racoon-address and racoon-netmask.
attr_group attribute name;
The attribute used to specify a group name in an ldap
directory. For example, if a group dn is
"cn=users,dc=my,dc=net" then the attribute would be "cn".
The default value is cn.
attr_member attribute name;
The attribute used to specify group membership in an ldap
directory. The default value is member.
Looks like the previous instructions I linked above were for an older racoon that didn't directly support radius/ldap.
I don't see a way to run that auth through a script or it would be much easier, unless we can come up with something like a custom pam module to auth through a script (if that's even possible)
Updated by Ermal Luçi about 12 years ago
Does not seem to hard to add support for external script authentication.
Probably that is the easiest path to follow rather than re-invent the whole work done on OpenVPN.
Updated by Ermal Luçi about 12 years ago
- Status changed from New to Feedback
Patch committed to pfPort of ipsec-tools.
Btw probably it is not needed to compile racoon with LDAP and RADIUS support.
The syntax is:
auth_source external;
extcfg { script /path_to_script }
Updated by Jim Pingle almost 12 years ago
- Status changed from Feedback to New
Setting this back to New only since we still need to code up GUI support for this. The backend part should be OK.
Updated by Jonh Nash over 11 years ago
Good evening,
it's possible to have the script file?
I don't understand where make the change.
thanks a lot.
Jonh
Updated by Jim Pingle over 11 years ago
There is no script yet, which is why this ticket is still open.
Updated by Jonh Nash over 11 years ago
Thanks for response.
Think you that is resolved quickly?
Updated by Jim Pingle over 11 years ago
- Status changed from New to Feedback
Support for RADIUS/LDAP was committed a couple weeks ago and appears to be working fine, though it may yet need some slight adjustments for people upgrading (should probably assume that the old system setting or no setting at all is the same as "Local Database" when using xauth).
Updated by Jonh Nash over 11 years ago
Hi Jim, I confirm that works fine. Great job.
Updated by Jonh Nash over 11 years ago
Hi Jim,
from a few days it stopped working. No longer requests are forwarded to the radius.
thanks
Jonh
Updated by Ermal Luçi about 11 years ago
Can you please be more verbose about what is not working?
Updated by Jonh Nash about 11 years ago
Hi Ermal, I can authenticate the client on radius, but I cannot allocate the ip address and I cannot see the accounting. I think the problem is regarding the radius-attributes. On the latters I haven't found anything in the pfsense forum. Can you help me, please?
Updated by Ermal Luçi about 11 years ago
Oh that part is not yet functional.
It is on my TODO which can be pushed if someone has the need.
But probably from what i see want be for 2.1
Updated by Ermal Luçi about 11 years ago
- Status changed from Feedback to Resolved
Please open a new ticket about that.
Updated by Jonh Nash over 10 years ago
Hello Ermal,
I'll open a ticket regard the IP allocation and accounting problems.
I would like to know if the radius-attributes in your TODO list have been completed on new firmware 2.1-RC1?
I would try it.
Thanks in advance for your help.
Jonh