Latest Radius server on Synology NAS no longer working with PFSense

Reply to Latest Radius server on Synology NAS no longer working with PFSense on Fri, 04 Nov 2022 18:10:32 GMT

stephenw10 — Fri, 04 Nov 2022 18:10:32 GMT

Ooof! Nice catch.

Reply to Latest Radius server on Synology NAS no longer working with PFSense on Fri, 04 Nov 2022 11:43:44 GMT

MarcO42 — Fri, 04 Nov 2022 11:43:44 GMT

Ok, found the problem. Synology is now sending the Groupe name in CamelCase.
In the past the Groupe name was lowercase and the check in PFSense is case sensitive.

Cheers
Marco

Reply to Latest Radius server on Synology NAS no longer working with PFSense on Thu, 03 Nov 2022 15:48:48 GMT

MarcO42 — Thu, 03 Nov 2022 15:48:48 GMT

Ok, just found that there is a function in: /src/etc/inc/auth.inc
that called
function radius_get_groups($attributes) witch handled the attributes.
Here is the code:

function radius_get_groups($attributes) {
	$groups = array();
	if (!empty($attributes) && is_array($attributes) && (!empty($attributes['class']) || !empty($attributes['class_int']))) {
		/* Some RADIUS servers return multiple class attributes, so check them all. */
		$groups = array();
		if (!empty($attributes['class']) && is_array($attributes['class'])) {
			foreach ($attributes['class'] as $class) {
				$groups = array_unique(array_merge($groups, explode(";", $class)));
			}
		}

		foreach ($groups as & $grp) {
			$grp = trim($grp);
			if (strtolower(substr($grp, 0, 3)) == "ou=") {
				$grp = substr($grp, 3);
			}
		}
	}
	return $groups;
}

I would like to debug this one and log all attributes like this

foreach ($attributes as $att) {
	log_auth(sprintf(gettext('Attribute: '), $att));
}

But this shows me only this:

Nov 3 16:35:45 router php-fpm[5433]: /diag_authentication.php: Attribute:
Nov 3 16:35:45 router php-fpm[5433]: /diag_authentication.php: Attribute:
Nov 3 16:35:45 router php-fpm[5433]: /diag_authentication.php: Attribute:
Nov 3 16:35:45 router php-fpm[5433]: /diag_authentication.php: Attribute:
Nov 3 16:35:45 router php-fpm[5433]: /diag_authentication.php: Attribute:
Nov 3 16:35:45 router php-fpm[5433]: /diag_authentication.php: Attribute:

So maybe someone can help me with this, please?

Btw. I'm sure that there are attributes:

Cheers
Marco

Reply to Latest Radius server on Synology NAS no longer working with PFSense on Wed, 02 Nov 2022 16:10:19 GMT

MarcO42 — Wed, 02 Nov 2022 16:10:19 GMT

Ok, I can see that the class attribute is there...like in wireshark....but do you have any idea how I can figure out why PFSense don't show them when I try to test it with
Diagnostics -> Authentication
There I only see that
User xxx authenticated successfully. This user is a member of groups:

and the group resonse is empty.
Somthing must fail on PFSense side...but nothing is in the logs.

Reply to Latest Radius server on Synology NAS no longer working with PFSense on Wed, 02 Nov 2022 15:24:38 GMT

NogBadTheBad — Wed, 02 Nov 2022 15:24:38 GMT

@marco42 said in Latest Radius server on Synology NAS no longer working with PFSense:

@nogbadthebad said in Latest Radius server on Synology NAS no longer working with PFSense:

radsniff

this is not available on Synology NAS :(

Try changing to the following directory and running it there:-

/var/packages/RadiusServer/target/bin

Its there when I installed Radius on my DS1821+ running DSM 7.1.1-42962 Update 2.

Reply to Latest Radius server on Synology NAS no longer working with PFSense on Wed, 02 Nov 2022 15:08:05 GMT

MarcO42 — Wed, 02 Nov 2022 15:08:05 GMT

@nogbadthebad said in Latest Radius server on Synology NAS no longer working with PFSense:

radsniff

this is not available on Synology NAS :(

Reply to Latest Radius server on Synology NAS no longer working with PFSense on Wed, 02 Nov 2022 14:58:34 GMT

MarcO42 — Wed, 02 Nov 2022 14:58:34 GMT

Hi Andy,
many thx. I can try this.
Please don't missunderstand me. I managed it to work in the past and my class string look like:
Domain Users;Users_R;Domain Admins;Denied RODC Password Replication Group;Users_RW;PfSenseGroup

and I had added PfSenseGroup to PFSense.
After the last update of my Synology I can see that same class string in the radius response but the PFSense show that the asuthentication works but don't show goups.
Strange thing is that I didn't see any parsing error or any other authentacing error in the logs of the PFSense.
Cheers
Marco

Reply to Latest Radius server on Synology NAS no longer working with PFSense on Wed, 02 Nov 2022 14:38:45 GMT

NogBadTheBad — Wed, 02 Nov 2022 14:38:45 GMT

I have Additional RADIUS Attributes (REPLY-ITEM) set to:-

Class := "admins",|Service-Type := "Administrative-User"

Class := "admins" is used for pfSense and Service-Type := "Administrative-User" is used for my Linksys switches, I'm using freeRadius on my pfsense box.

The odd thing is pfSense wouldn't have worked previously if the Class missing, maybe Sinology have mangled the data being returned to pfSense.

Reply to Latest Radius server on Synology NAS no longer working with PFSense on Wed, 02 Nov 2022 14:17:17 GMT

NogBadTheBad — Wed, 02 Nov 2022 14:17:17 GMT

@marco42 Does the radsniff command exist in your nas ?

~~If it does invoke run radsniff -x and try and connect to your pfsense box it might give you some clues to why its failing.~~

Just installed the package and radsniff is in the /var/packages/RadiusServer/target/bin directory.

andy@nas:/var/packages/RadiusServer/target/bin$ ./radsniff -help
Usage: radsniff [options][stats options] -- [pcap files]
options:
-a List all interfaces available for capture.
-c Number of packets to capture.
-C Enable UDP checksum validation.
-d Set dictionary directory.
-d Set configuration directory (defaults to /var/packages/RadiusServer/target/etc/raddb).
-D Set main dictionary directory (defaults to /var/packages/RadiusServer/target/share/freeradius).
-e [,] Only log requests with these event flags.
Event may be one of the following:
- received - a request or response.
- norsp - seen for a request.
- rtx - of a request that we've seen before.
- noreq - could be matched with the response.
- reused - ID too soon.
- error - decoding the packet.
-f PCAP filter (default is 'udp port or or 3799')
-h This help message.
-i Capture packets from interface (defaults to all if supported).
-I Read packets from file (overrides input of -F).
-l [,] Output packet sig and a list of attributes.
-L [,] Detect retransmissions using these attributes to link requests.
-m Don't put interface(s) into promiscuous mode.
-p Filter packets by port (default is 1812).
-P Daemonize and write out .
-q Print less debugging information.
-r RADIUS attribute request filter.
-R RADIUS attribute response filter.
-s RADIUS secret.
-S Write PCAP data to stdout.
-v Show program version information.
-w Write output packets to file.
-x Print more debugging information.
stats options:
-W Periodically write out statistics every seconds.
-T How many milliseconds before the request is counted as lost (defaults to 5200).

Andy@nas:/var/packages/RadiusServer/target/bin$ ./radsniff -a
1.eth0
2.ovs_eth0
3.docker0
4.eth1
5.ovs_eth1
6.docker6d4825c
7.lo
8.any
9.eth2
10.ovs_eth2
11.eth3
12.ovs_eth3
13.nflog
14.nfqueue
15.dbus-system
16.dbus-session
17.sit0
18.ovs-system

You'll need to su to run it.