Project

General

Profile

Feature #935

User manager RADIUS authentication method

Added by orangepeel beef almost 9 years ago. Updated over 3 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
User manager
Target version:
Start date:
10/04/2010
Due date:
% Done:

100%

Estimated time:

Description

pfsense 2.0 has the new radius authentication method, but the code has no way to assign privileges to the radius users.

I was able to bypass this with a crude hack:

/etc/priv.inc line 249-272

(snip..)
function getAllowedPages($username) {
        global $config, $_SESSION;

        if (!function_exists("ldap_connect"))
                return;

        $allowed_pages = array();
        $allowed_groups = array();

        $authcfg = auth_get_authserver($config['system']['webgui']['authmode']);
        // obtain ldap groups if we are in ldap mode
        if ($authcfg['type'] == "ldap") {
                $allowed_groups = @ldap_get_groups($username, $authcfg);
        } else if ($authcfg['type'] == "radius") {
                $allowed_groups = array('RadiusAuthenticated');
        } else {
                // search for a local user by name
                $local_user = getUserEntry($username);
                getPrivPages($local_user, $allowed_pages);

                // obtain local groups if we have a local user
                if ($local_user)
                        $allowed_groups = local_user_get_groups($local_user);
        }
(snip...)

/etc/auth.inc line 1084-1110

function getUserGroups($username, $authcfg) {
        global $config;

        $allowed_groups = array();

        switch($authcfg['type']) {
        case 'ldap':
                $allowed_groups = @ldap_get_groups($username, $authcfg);
                break;
        case 'radius':
                $allowed_groups = array('RadiusAuthenticated');
                break;
        default:
                $user = getUserEntry($username);
                $allowed_groups = @local_user_get_groups($user, true);
                break;
        }

        $member_groups = array();
        if (is_array($config['system']['group'])) {
                foreach ($config['system']['group'] as $group)
                        if (in_array($group['name'], $allowed_groups))
                                $member_groups[] = $group['name'];
        }

        return $member_groups;
}

and then creating a group called RadiusAuthenticated and assigning privileges to that group.

Associated revisions

Revision 709c2f99 (diff)
Added by Jim Pingle almost 4 years ago

Fix GUI auth from RADIUS to grab group names from the Class attribute. Implements #935

The RADIUS server must populate the Class attribute with a string, semicolon-separated, of user groups. Similar to LDAP, local groups must exist with matching names, and privileges are determined by the local matching groups.

Revision c4a9f99a (diff)
Added by Jim Pingle almost 4 years ago

Fix GUI auth from RADIUS to grab group names from the Class attribute. Implements #935

The RADIUS server must populate the Class attribute with a string, semicolon-separated, of user groups. Similar to LDAP, local groups must exist with matching names, and privileges are determined by the local matching groups.

History

#1 Updated by Chris Buechler almost 9 years ago

  • Category set to User manager
  • Target version set to 2.0
  • Affected Version set to 2.0

#2 Updated by Ermal Lu├ži almost 9 years ago

  • Status changed from New to Feedback

You can create the same user locally and assign it to groups that should work iirc.
Never tested though.

#3 Updated by Chris Buechler over 8 years ago

  • Tracker changed from Bug to Feature
  • Subject changed from Radius Authentication method to User manager RADIUS authentication method
  • Status changed from Feedback to New
  • Target version changed from 2.0 to Future

#4 Updated by Chris Buechler over 8 years ago

needs refinement in the future

#5 Updated by Jim Pingle almost 4 years ago

At the moment we don't appear to attempt to determine the group from RADIUS to support this. Looks like maybe we could use the "Class" reply attribute which should contain a string in the format "OU=Groupname" or at least "Groupname". It may not be too difficult to grab, though it would need to be populated by the RADIUS server.

#6 Updated by Jim Pingle almost 4 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#8 Updated by Jim Pingle almost 4 years ago

  • Assignee set to Jim Pingle
  • Target version changed from Future to 2.2.5
  • Affected Architecture set to All

Turned out to be a relatively minor/safe change. Unlike LDAP, RADIUS would fail to grab the groups if a second query was attempted.

To take advantage of this the RADIUS server must return the groups back in the Class attribute (25). This is supported easily by FreeRADIUS and Windows (NPS with some adjustments). Multiple groups may be specified if they are separated by a semicolon, and the groups can be specified by name directly or prefixed with "ou=" to be compatible with some Cisco and Cisco-like recommendations.

As with LDAP the groups must exist locally and privileges are specified on the local groups.

#9 Updated by Jim Pingle almost 4 years ago

  • Status changed from Feedback to Resolved

This works everywhere I've tried it, even on the bootstrap branch.

#10 Updated by Paul Evans almost 4 years ago

Jim P wrote:

This works everywhere I've tried it, even on the bootstrap branch.

I can confirm that it works in the GUI authentication under Diagnostics. I also tried it to assign permissions for VPN IPSec Xauth Dialin. Whilst it authenticates the user OK, it doesn't pick up the permissions set for the Group under User Manager of the same name as the one in the Class attribute of the user in Radius and therefore drops the IPSec tunnel

#11 Updated by Jim Pingle almost 4 years ago

That sounds more like a bug with the IPsec auth permission code -- can you open that as a separate ticket rather than adding it on here?

#12 Updated by Elliot Smith over 3 years ago

Jim P wrote:

Turned out to be a relatively minor/safe change. Unlike LDAP, RADIUS would fail to grab the groups if a second query was attempted.

To take advantage of this the RADIUS server must return the groups back in the Class attribute (25). This is supported easily by FreeRADIUS and Windows (NPS with some adjustments). Multiple groups may be specified if they are separated by a semicolon, and the groups can be specified by name directly or prefixed with "ou=" to be compatible with some Cisco and Cisco-like recommendations.

As with LDAP the groups must exist locally and privileges are specified on the local groups.

Can you Please specify what adjustments are needs for Windows NPS? I updated to 2.2.5 and users cannot logon to the web UI to manage the firewall anymore.

#13 Updated by Jim Pingle over 3 years ago

I don't have that setup handy any more but IIRC it was something about making NPS send the Class as a string and not as binary -- start a thread on the forum to discuss rather than here.

Also available in: Atom PDF