Feature #14787
Feature request - Freeradius post-auth custom options
Status: New
Priority: Very Low
Assignee: -
Category: FreeRADIUS
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Description
I would like to check if it is possible to add a custom options field for post-auth in the FreeRADIUS package.
This would open so many possibilities; https://freeradius.org/radiusd/man/unlang.html
- If the user is a member of the AD wifi_users group, ok to connect to wifi enterprise.
- If the user is a member of the AD openvpn group, ok to connect to openvpn.
- If the user is a member of the AD pfsense_admins group, they can manage pfsense.
- If the user is a member of the AD pfsense_monitors group, they can access some options in the pfsense GUI.
and so on...
Granularity like this would be very welcome in pfSense's FreeRADIUS package.
Policies would be included after Post-Auth-Type Challenge, as per the example below, in a file inside the sites-enabled folder.
Example:
    ...
    # Filter access challenges.
    #
    Post-Auth-Type Challenge {
    #   remove_reply_message_if_eap
    #   attr_filter.access_challenge.post-auth
    }

    #start pfsense GUI
    if (LDAP-Group == "pfsense_admins" && NAS-Identifier == "webConfigurator-pfsense.home.arpa") {
        update {
            reply:Class := "pfsense_admins"
        }
        noop
    }
    elsif (LDAP-Group == "pfsense_monitors" && NAS-Identifier == "webConfigurator-pfsense.home.arpa") {
        update {
            reply:Class := "pfsense_monitors"
        }
        noop
    }
    else {
        reject
    }
    }
    ...

I would also like to suggest an option to create new sites in the sites-enabled/ folder, to speed things up using a file for each NAS client, very welcome for larger deployments.
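
A per-NAS variant of this kind of policy, as an added example that is not part of the original request or of the pfSense package: each group check is keyed on NAS-Identifier first, so a default deny for one service does not reject requests arriving from another. The OpenVPN and wifi NAS-Identifier strings are hypothetical placeholders, and the fragment assumes the LDAP module is configured so that LDAP-Group checks work.

```unlang
# Added example: fragment for the post-auth { } section of a site in sites-enabled/.
# Group names and the webConfigurator NAS-Identifier come from the request above;
# the two PLACEHOLDER NAS-Identifier values are hypothetical.

if (NAS-Identifier == "webConfigurator-pfsense.home.arpa") {
	# pfSense GUI: return the matching group name in the Class reply attribute
	if (LDAP-Group == "pfsense_admins") {
		update reply {
			Class := "pfsense_admins"
		}
	}
	elsif (LDAP-Group == "pfsense_monitors") {
		update reply {
			Class := "pfsense_monitors"
		}
	}
	else {
		# Authenticated, but in neither GUI group
		reject
	}
}
elsif (NAS-Identifier == "PLACEHOLDER-openvpn-nas") {
	# Negate the whole comparison; LDAP-Group is a group lookup, not a stored value
	if (!(LDAP-Group == "openvpn")) {
		reject
	}
}
elsif (NAS-Identifier == "PLACEHOLDER-wifi-nas") {
	if (!(LDAP-Group == "wifi_users")) {
		reject
	}
}
else {
	# Unknown or missing NAS-Identifier: default deny
	reject
}
```

NAS-Identifier is a value the NAS itself sends, so it separates services only among clients that already hold a valid shared secret in the clients configuration.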