Netgate Discussion Forum
    IKEv2 Radius groups problem (FreeRADIUS)

    teverett

      I'm trying to return the list of user groups for a user using FreeRADIUS as documented here:

      https://docs.netgate.com/pfsense/en/latest/usermanager/radius.html#radius-groups

      I've configured the ldap module and the default site. Using this in the default site, I can return the list of groups as a COMMA delimited list.

      post-auth {
          update reply {
              Class = "%{control:LDAP-Group[*]}"
          }
      }

      This results in this reply from FreeRADIUS

      Class: "imap, vpn"
      

      Or I can use this config

      foreach &control:LDAP-Group {
          update reply {
              Class += "%{Foreach-Variable-0}"
          }
      }

      Which returns:

      Class: imap
      Class: vpn
      

      Has anyone figured out the correct commands to return a SEMICOLON delimited list, like this:

      Class: imap;vpn
      
      teverett

        As a follow-up, here is how I got it working.

        I am using OpenLDAP and FreeRADIUS on FreeBSD 14. I'm not documenting here how to get LDAP authentication working with FreeRADIUS; I'm presuming that is already done. Additionally, my LDAP schema has all users under the name

        ou=people, ou=domain, ou=com
        

        and groups in

        ou=groups, ou=domain, ou=com
        

        I do not have memberof enabled. I'm using MSCHAPv2 authentication in pfSense's RADIUS configuration.

        In /usr/local/etc/raddb/mods-enabled/ldap use these settings in the "group" section

        base_dn = "${..base_dn}"
        filter = '(objectClass=posixGroup)'
        scope = 'sub'
        name_attribute = cn
        membership_filter = "(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})"
        cacheable_name = 'yes'
        

        In /usr/local/etc/raddb/sites-available/default add this in the "post-auth" section

        update reply {
            Class += "%{exec:/bin/sh /usr/local/etc/raddb/ldap_fix.sh %{control:LDAP-Group[*]}}"
        }

        The exec module is used. Ensure that in /usr/local/etc/raddb/mods-available/exec, "wait" is set to "yes"

        wait = yes
        

        Finally, I used tr to convert the comma-delimited list of groups in "%{control:LDAP-Group[*]}" to semi-colon delimited. The file /usr/local/etc/raddb/ldap_fix.sh looks like this

        #!/bin/sh

        #
        # turn comma-delimited list of groups into semi-colon delimited list of groups
        #

        echo "${1}" | tr "," ";"

        Using the pfSense authentication tester (Diagnostics > Authentication) I can now see the list of groups users are a member of. Note that the groups need to also be present in pfSense (System > User Manager).
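Added example, not the poster's script and not part of FreeRADIUS or pfSense: a POSIX sh version of ldap_fix.sh that does what both posts in this thread ask for (turn the comma-delimited %{control:LDAP-Group[*]} expansion into the semicolon-delimited Class value pfSense reads) and goes a little further than the tr one-liner. It trims the space that follows each comma in the expansion, drops empty entries, and passes through only group names made of an assumed allow-list of characters, so that whitespace or stray separators coming back from LDAP cannot produce a Class value that silently fails to match a pfSense group. The function name groups_to_semicolon and the allow-list are my own choices.

```shell
#!/bin/sh
# Added example: convert FreeRADIUS's comma-delimited LDAP-Group list into the
# semicolon-delimited form pfSense expects in the RADIUS Class attribute.
# Invocation assumed to match the post: ldap_fix.sh "<comma-delimited groups>"

# Prints e.g. "imap;vpn" for the input "imap, vpn".
# The body runs in a subshell (parentheses) so the IFS change stays local.
groups_to_semicolon() (
    list=$1
    out=""
    # Split on commas only; surrounding whitespace is trimmed per entry below.
    IFS=','
    for g in $list; do
        # Trim leading and trailing whitespace left by the ", " separator.
        g=$(printf '%s' "$g" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        # Skip empty entries (e.g. from ",," or a trailing comma).
        [ -n "$g" ] || continue
        # Assumed allow-list: letters, digits, dot, underscore, hyphen and
        # internal spaces. Anything else is reported on stderr and dropped,
        # so it never reaches the Class attribute. Adjust to local naming rules.
        case $g in
            *[!A-Za-z0-9._\ -]*)
                printf 'ldap_fix: rejected group name: %s\n' "$g" >&2
                continue
                ;;
        esac
        if [ -z "$out" ]; then
            out=$g
        else
            out="$out;$g"
        fi
    done
    printf '%s\n' "$out"
)

# When run as the FreeRADIUS exec helper, the group list arrives as argv[1].
groups_to_semicolon "${1:-}"
```

Drop the script at /usr/local/etc/raddb/ldap_fix.sh in place of the tr version and the post-auth update reply line from the post needs no change. Constructed inputs such as "imap, vpn" and " imap , , vpn ," both yield "imap;vpn"; a name containing a semicolon is dropped with a message on stderr rather than being spliced into the list.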

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.