Bug #13548
closed
FreeRadius does not pay attention to local groups
Description
FreeRADIUS should be aware of which of the system's local groups a FreeRADIUS-defined user is assigned to. This can be useful for my related issue https://redmine.pfsense.org/issues/13547
Updated by Jim Pingle about 2 years ago
- Status changed from New to Rejected
FreeRADIUS is an add-on package and its usage may not be for authenticating items on the firewall itself. It shouldn't be locked into using groups defined in pfSense.
Updated by Mikael * about 2 years ago
Sorry, I may have been unclear on the actual issue, Jim. I'm referring to this piece of code for getUserGroups: https://github.com/pfsense/pfsense/blob/5dbc71189c34ca845dc4451ca0bf5934f30bf59a/src/etc/inc/auth.inc#L1961
If RADIUS is the authentication type (which it is, because I'm using FreeRadius as a plugin for the authentication backend to pfSense, which the system allows me to do), it tries to get groups from the RADIUS server (which makes sense), but there are no groups defined, so it returns an empty response. See authentication diagnose: https://github.com/pfsense/pfsense/blob/8f2f85c3d79f70dbde4332930ff81dd56c767e25/src/usr/local/www/diag_authentication.php#L52
I think that when using FreeRadius as an authentication backend local to the system, it should also pay attention to groups defined locally to the system and return them. The reason behind this logic is that I can create a local group, assign the proper web-gui permission, and then assign a local user to the group. When I authenticate to the web-gui using FreeRadius as the authentication backend, it will match the client username to the local username, which inherits permissions from the group assigned to the local user - this already happens today.
Updated by Jim Pingle about 2 years ago
Then you are configuring it wrong. If you set the Class reply attribute with groups on a user in FreeRADIUS then the GUI sees them fine and can match them up. If you need help with that, post on the forum.
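The matching described in the last comment, sketched as an added example (not pfSense or FreeRADIUS code, and not posted by anyone in this thread): group names carried in the RADIUS Class reply attribute are compared with local group names, and a reply without Class yields no groups. The `;` separator, the function names and the group and privilege data are assumptions made for the illustration.

```php
<?php
// Added illustration, not pfSense code. Function names, group names and
// privilege names are constructed for this example.

// Local groups as defined on the firewall (constructed sample data).
$local_groups = [
    'admins'    => ['page-all'],
    'operators' => ['page-status-dashboard', 'page-diagnostics-ping'],
];

// Split the Class reply attribute(s) into group names.
// Assumption: several groups in one value are separated by ';'.
function groups_from_class(array $reply): array {
    $names = [];
    foreach ((array)($reply['Class'] ?? []) as $value) {
        foreach (explode(';', $value) as $name) {
            $name = trim($name);
            if ($name !== '') {
                $names[$name] = true;   // de-duplicate
            }
        }
    }
    return array_keys($names);
}

// Only names that match a local group contribute privileges;
// unknown names are ignored rather than granted anything.
function effective_privileges(array $reply, array $local_groups): array {
    $privs = [];
    foreach (groups_from_class($reply) as $name) {
        foreach ($local_groups[$name] ?? [] as $priv) {
            $privs[$priv] = true;
        }
    }
    ksort($privs);
    return array_keys($privs);
}

// Constructed Access-Accept replies for three cases.
$cases = [
    'no Class set (the empty result in the report)' => [],
    'Class = "operators"'                           => ['Class' => 'operators'],
    'Class = "admins; unknown-group"'               => ['Class' => ['admins; unknown-group']],
];
foreach ($cases as $label => $reply) {
    printf("%-46s groups=[%s] privileges=[%s]\n", $label,
        implode(',', groups_from_class($reply)),
        implode(',', effective_privileges($reply, $local_groups)));
}
```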