Project

General

Profile

Actions

Feature #935

closed

User manager RADIUS authentication method

Added by orangepeel beef almost 11 years ago. Updated almost 6 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
User Manager / Privileges
Target version:
Start date:
10/04/2010
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:

Description

pfsense 2.0 has the new radius authentication method, but the code has no way to assign privileges to the radius users.

I was able to bypass this with a crude hack:

/etc/priv.inc line 249-272

(snip..)
function getAllowedPages($username) {
        global $config, $_SESSION;

        if (!function_exists("ldap_connect"))
                return;

        $allowed_pages = array();
        $allowed_groups = array();

        $authcfg = auth_get_authserver($config['system']['webgui']['authmode']);
        // obtain ldap groups if we are in ldap mode
        if ($authcfg['type'] == "ldap") {
                $allowed_groups = @ldap_get_groups($username, $authcfg);
        } else if ($authcfg['type'] == "radius") {
                $allowed_groups = array('RadiusAuthenticated');
        } else {
                // search for a local user by name
                $local_user = getUserEntry($username);
                getPrivPages($local_user, $allowed_pages);

                // obtain local groups if we have a local user
                if ($local_user)
                        $allowed_groups = local_user_get_groups($local_user);
        }
(snip...)

/etc/auth.inc line 1084-1110

function getUserGroups($username, $authcfg) {
        global $config;

        $allowed_groups = array();

        switch($authcfg['type']) {
        case 'ldap':
                $allowed_groups = @ldap_get_groups($username, $authcfg);
                break;
        case 'radius':
                $allowed_groups = array('RadiusAuthenticated');
                break;
        default:
                $user = getUserEntry($username);
                $allowed_groups = @local_user_get_groups($user, true);
                break;
        }

        $member_groups = array();
        if (is_array($config['system']['group'])) {
                foreach ($config['system']['group'] as $group)
                        if (in_array($group['name'], $allowed_groups))
                                $member_groups[] = $group['name'];
        }

        return $member_groups;
}

and then creating a group called RadiusAuthenticated and assigning privileges to that group.

Actions #1

Updated by Chris Buechler almost 11 years ago

  • Category set to User Manager / Privileges
  • Target version set to 2.0
  • Affected Version set to 2.0
Actions #2

Updated by Ermal Luçi almost 11 years ago

  • Status changed from New to Feedback

You can create the same user locally and assign it to groups that should work iirc.
Never tested though.

Actions #3

Updated by Chris Buechler over 10 years ago

  • Tracker changed from Bug to Feature
  • Subject changed from Radius Authentication method to User manager RADIUS authentication method
  • Status changed from Feedback to New
  • Target version changed from 2.0 to Future
Actions #4

Updated by Chris Buechler over 10 years ago

needs refinement in the future

Actions #5

Updated by Jim Pingle about 6 years ago

At the moment we don't appear to attempt to determine the group from RADIUS to support this. Looks like maybe we could use the "Class" reply attribute which should contain a string in the format "OU=Groupname" or at least "Groupname". It may not be too difficult to grab, though it would need to be populated by the RADIUS server.

Actions #6

Updated by Jim Pingle about 6 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
Actions #7

Updated by Jim Pingle about 6 years ago

Actions #8

Updated by Jim Pingle about 6 years ago

  • Assignee set to Jim Pingle
  • Target version changed from Future to 2.2.5
  • Affected Architecture All added
  • Affected Architecture deleted ()

Turned out to be a relatively minor/safe change. Unlike LDAP, RADIUS would fail to grab the groups if a second query was attempted.

To take advantage of this the RADIUS server must return the groups back in the Class attribute (25). This is supported easily by FreeRADIUS and Windows (NPS with some adjustments). Multiple groups may be specified if they are separated by a semicolon, and the groups can be specified by name directly or prefixed with "ou=" to be compatible with some Cisco and Cisco-like recommendations.

As with LDAP the groups must exist locally and privileges are specified on the local groups.

Actions #9

Updated by Jim Pingle about 6 years ago

  • Status changed from Feedback to Resolved

This works everywhere I've tried it, even on the bootstrap branch.

Actions #10

Updated by Paul Evans about 6 years ago

Jim P wrote:

This works everywhere I've tried it, even on the bootstrap branch.

I can confirm that it works in the GUI authentication under Diagnostics. I also tried it to assign permissions for VPN IPSec Xauth Dialin. Whilst it authenticates the user OK, it doesn't pick up the permissions set for the Group under User Manager of the same name as the one in the Class attribute of the user in Radius and therefore drops the IPSec tunnel

Actions #11

Updated by Jim Pingle about 6 years ago

That sounds more like a bug with the IPsec auth permission code -- can you open that as a separate ticket rather than adding it on here?

Actions #12

Updated by Elliot Smith almost 6 years ago

Jim P wrote:

Turned out to be a relatively minor/safe change. Unlike LDAP, RADIUS would fail to grab the groups if a second query was attempted.

To take advantage of this the RADIUS server must return the groups back in the Class attribute (25). This is supported easily by FreeRADIUS and Windows (NPS with some adjustments). Multiple groups may be specified if they are separated by a semicolon, and the groups can be specified by name directly or prefixed with "ou=" to be compatible with some Cisco and Cisco-like recommendations.

As with LDAP the groups must exist locally and privileges are specified on the local groups.

Can you Please specify what adjustments are needs for Windows NPS? I updated to 2.2.5 and users cannot logon to the web UI to manage the firewall anymore.

Actions #13

Updated by Jim Pingle almost 6 years ago

I don't have that setup handy any more but IIRC it was something about making NPS send the Class as a string and not as binary -- start a thread on the forum to discuss rather than here.

Actions

Also available in: Atom PDF