Feature #14787

open

Feature request - Freeradius post-auth custom options

Added by Marcelo Cury over 1 year ago.

Status:
New
Priority:
Very Low
Assignee:
-
Category:
FreeRADIUS
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:

Description

I would like to check if it is possible to add a custom options field for post-auth in the FreeRADIUS package.
This would open so many possibilities: https://freeradius.org/radiusd/man/unlang.html

I'm currently using unlang policies with the freeradius package in Ubuntu, and with it I'm able to allow users to connect or not, based on their AD group.
  • If the user is a member of the AD wifi_users group, ok to connect to wifi enterprise.
  • If the user is a member of the AD openvpn group, ok to connect to openvpn.
  • If the user is a member of the AD pfsense_admins group, they can manage pfsense.
  • If the user is a member of the AD pfsense_monitors group, they can access some options in pfsense GUI.

and so on...

Granularity like this would be very welcome to the pfsense's freeradius package.

Policies would be included after Post-Auth-Type Challenge, as per the example below, in a file inside the sites-enabled folder.

Example:

...
    #  Filter access challenges.
    #
    Post-Auth-Type Challenge {
#        remove_reply_message_if_eap
#        attr_filter.access_challenge.post-auth
    }

    # start pfsense GUI
    if (LDAP-Group == "pfsense_admins" && NAS-Identifier == "webConfigurator-pfsense.home.arpa") {
        update {
            reply:Class := "pfsense_admins"
        }
        noop
    }
    elsif (LDAP-Group == "pfsense_monitors" && NAS-Identifier == "webConfigurator-pfsense.home.arpa") {
        update {
            reply:Class := "pfsense_monitors"
        }
        noop
    }
    else {
        reject
    }
}
...

I would also like to suggest an option to create new sites in sites-enabled/ folder, to speed up things using a file for each NAS client, very welcome for larger deployments.
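
The snippet in the request ends in an else that rejects every request not matching one of the two GUI conditions, whichever NAS sent it. The fragment below is an added example, not part of the original request or of the pfSense package: it applies the same GUI rules plus the OpenVPN rule from the list, with each rule scoped to its own NAS and a default deny for unknown clients. The OpenVPN NAS-Identifier value is a constructed placeholder, and LDAP-Group assumes the ldap module is already configured against AD as in the request.

```unlang
    # Added example (not from the request). Place inside the post-auth
    # section of the site file, after "Post-Auth-Type Challenge { ... }".

    # pfSense GUI logins: map the AD group to the Class reply attribute.
    if (NAS-Identifier == "webConfigurator-pfsense.home.arpa") {
        if (LDAP-Group == "pfsense_admins") {
            update reply {
                Class := "pfsense_admins"
            }
        }
        elsif (LDAP-Group == "pfsense_monitors") {
            update reply {
                Class := "pfsense_monitors"
            }
        }
        else {
            # Authenticated, but in neither GUI group.
            reject
        }
    }

    # OpenVPN logins: group membership only, no Class needed.
    # "openvpn.example.home.arpa" is a placeholder; use the identifier
    # your OpenVPN server actually sends.
    elsif (NAS-Identifier == "openvpn.example.home.arpa") {
        if (LDAP-Group == "openvpn") {
            noop
        }
        else {
            reject
        }
    }

    # Default deny: a NAS without its own block above gets no access.
    else {
        reject
    }
```

Each additional NAS gets its own elsif block ahead of the final else, so a missing rule fails closed instead of inheriting another client's policy.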
