Bug #13548

closed

FreeRadius does not pay attention to local groups

Added by Mikael * about 2 months ago. Updated about 2 months ago.

Status: Rejected
Priority: Low
Assignee: -
Category: FreeRADIUS
Target version: -
% Done: 0%

Description

FreeRADIUS should be aware of which groups a FreeRADIUS-defined user is assigned to in the local groups of the system. This can be useful for my related issue https://redmine.pfsense.org/issues/13547

Actions #1

Updated by Jim Pingle about 2 months ago

  • Status changed from New to Rejected

FreeRADIUS is an add-on package and its usage may not be for authenticating items on the firewall itself. It shouldn't be locked into using groups defined in pfSense.

Actions #2

Updated by Mikael * about 2 months ago

Sorry, I may have been unclear on the actual issue, Jim. I'm referring to this piece of code for getUserGroups: https://github.com/pfsense/pfsense/blob/5dbc71189c34ca845dc4451ca0bf5934f30bf59a/src/etc/inc/auth.inc#L1961
If RADIUS is the authentication type (which it is, because I'm using FreeRADIUS as a plugin for the authentication backend to pfSense, which the system allows me to do), it tries to get groups from the RADIUS server (which makes sense), but there are no groups defined, so it returns an empty response. See the authentication diagnostics: https://github.com/pfsense/pfsense/blob/8f2f85c3d79f70dbde4332930ff81dd56c767e25/src/usr/local/www/diag_authentication.php#L52

I think that when using FreeRADIUS as an authentication backend local to the system, it should also pay attention to groups defined locally on the system and return them. The reason behind this logic is that I can create a local group, assign the proper web-gui permission, and then assign a local user to the group. When I authenticate to the web-gui using FreeRADIUS as the authentication backend, it will match the client username to the local username, which inherits permissions from the group assigned to the local user - this already happens today.

Actions #3

Updated by Jim Pingle about 2 months ago

Then you are configuring it wrong. If you set the Class reply attribute with groups on a user in FreeRADIUS then the GUI sees them fine and can match them up. If you need help with that, post on the forum.
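
One way to check that the Class reply values mentioned in the comment above line up with group names on the firewall, as an added example that is not part of this thread or of pfSense's or FreeRADIUS's own code. The user entries, passwords and group names are constructed, the helper names are hypothetical, and splitting one Class value on `;` and comparing names exactly are assumptions.

```python
import re

# Constructed sample in FreeRADIUS "users" file syntax: an unindented line
# starts an entry (name + check items), indented lines are reply items.
SAMPLE_USERS = '''\
"mikael" Cleartext-Password := "constructed-secret-1"
    Class := "admins"

"alice" Cleartext-Password := "constructed-secret-2"
    Class := "operators;vpnusers",
    Session-Timeout := 3600

"bob" Cleartext-Password := "constructed-secret-3"
    Session-Timeout := 3600
'''

# Constructed stand-in for the group names defined on the firewall.
LOCAL_GROUPS = {"admins", "vpnusers"}

CLASS_RE = re.compile(r'^\s+Class\s*(?::=|\+=|=)\s*"([^"]*)"')


def class_groups(users_text):
    """Return {user: [group, ...]} taken from each entry's Class reply items."""
    result, user = {}, None
    for line in users_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                          # skip blank lines and comments
        if not line[0].isspace():             # unindented: a new user entry
            user = line.split()[0].strip('"')
            result[user] = []
        elif user and (m := CLASS_RE.match(line)):
            # Assumption: several groups in one Class value are split on ";".
            result[user] += [g.strip() for g in m.group(1).split(";") if g.strip()]
    return result


def audit(users_text, local_groups):
    """Map each user to (groups that exist locally, Class values that do not)."""
    report = {}
    for user, groups in class_groups(users_text).items():
        matched = [g for g in groups if g in local_groups]      # exact match assumed
        unmatched = [g for g in groups if g not in local_groups]
        report[user] = (matched, unmatched)
    return report


if __name__ == "__main__":
    for user, (matched, unmatched) in audit(SAMPLE_USERS, LOCAL_GROUPS).items():
        print(f"{user}: matched={matched} unmatched={unmatched}")
```

A user with an empty matched list, such as the constructed `bob` entry with no Class reply item, is the empty-groups case described earlier in the thread.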

Actions #4

Updated by Mikael * about 2 months ago

Got it, thanks so much for the clarification.
