User authentication and radius group attribute

scotia · Jul 11, 2017, 12:58 PM

Hi,

I am running FreeRadius with a MySQL backend and am trying to configure pfSense GUI authentication. When I test the authentication it works fine, but the resulting display shows no group membership. I have added the admins group to my MySQL usergroup database but I believe Radius is not returning the right attribute.

What Radius attribute does pfSense expect to list the user group list?

Thanks,
Scott

jimp · Jul 11, 2017, 1:52 PM

It expects a semicolon-separated list to be returned in the "Class" reply attribute.

Like this:

Class := "admins;VPNUsers"

scotia · Jul 12, 2017, 2:41 PM

Many thanks for that. Problem solved.

I did hunt around for an answer and couldn't find one - is this documented? If not, can I update something to help others?

Regards,
Scott

jimp · Jul 12, 2017, 2:42 PM

It's in a few places. The book, a few of the release notes around when the release was added… I think it's in the freeradius docs somewhere.

scotia · Jul 13, 2017, 1:26 AM

I must have old books. Neither my Packt FreeRadius book (2011) or pfSense -TDG (2009) mentions the Class attribute. I'll check the release notes - perhaps the feature was added after those books were published.

Do regular users have write access to the Wiki? I'm happy to create a page.

Thanks,
Scott

jimp · Jul 13, 2017, 1:54 AM

Correct. It was after both of those books. It is in the current book you can get via pfSense Gold.