Bug #5652
openRadius IETF Class Group Assignment - Incorrect Standard
0%
Description
When trying to use the RADIUS IETF Class (25) attribute to assign pfSense groups for WebGUI administration, several industry-standard policy servers such as Cisco ISE, Aruba ClearPass, and Windows NPS will convert the string to octets in accordance with RFC 2865 (https://tools.ietf.org/html/rfc2865#section-5.25).
Therefore `admins` becomes `0x61646d696e73`, and pfSense's string comparison against the configured group name no longer matches.
In some implementations of RADIUS, such as Windows NPS, this can be modified to send the attribute as a string, which resolves the issue. However, in other implementations such as Aruba ClearPass and Cisco ISE, the RADIUS dictionary is fixed per vendor ID (0 for IETF) and modifying the behavior is a global action, so it would break devices that use the Class attribute according to the RFC.
An alternative to a straight bug fix may be one of the following:
1) pfSense could allow the user to specify the RADIUS attribute mapping. Citrix takes this approach, but it tends to confuse users new to RADIUS.
2) pfSense could implement group assignment via a more traditional Cisco-AVPair mapping (Vendor ID 9, attribute 1).