Bug #13548
closed
- Status changed from New to Rejected
FreeRADIUS is an add-on package and its usage may not be for authenticating items on the firewall itself. It shouldn't be locked into using groups defined in pfSense.
Sorry, I may have been unclear on the actual issue, Jim. I'm referring to this piece of code for getUserGroups: https://github.com/pfsense/pfsense/blob/5dbc71189c34ca845dc4451ca0bf5934f30bf59a/src/etc/inc/auth.inc#L1961
If RADIUS is the authentication type (which it is, because I'm using FreeRADIUS as a plugin for the authentication backend to pfSense, which the system allows me to do), it tries to get groups from the RADIUS server (which makes sense), but there are no groups defined, so it returns an empty response. See authentication diagnose: https://github.com/pfsense/pfsense/blob/8f2f85c3d79f70dbde4332930ff81dd56c767e25/src/usr/local/www/diag_authentication.php#L52
I think that when using FreeRADIUS as an authentication backend local to the system, it should also pay attention to groups defined locally on the system and return them. The reason behind this logic is that I can create a local group, assign the proper web-gui permission, and then assign a local user to the group. When I authenticate to the web-gui using FreeRADIUS as the authentication backend, it will match the client username to the local username, which inherits permissions from the group assigned to the local user - this already happens today.
Then you are configuring it wrong. If you set the Class reply attribute with groups on a user in FreeRADIUS then the GUI sees them fine and can match them up. If you need help with that, post on the forum.
Got it, thanks so much for the clarification.