IKEv2 Radius groups problem (FreeRADIUS)
-
I'm trying to return the list of user groups for a user using FreeRADIUS as documented here:
https://docs.netgate.com/pfsense/en/latest/usermanager/radius.html#radius-groups
I've configured the ldap module and the default site. Using this in the default site, I can return the list of groups as a COMMA delimited list.
post-auth {
    update reply {
        Class = "%{control:LDAP-Group[*]}"
    }
}
This results in this reply from FreeRADIUS
Class: "imap, vpn"
Or I can use this config
foreach &control:LDAP-Group {
    update reply {
        Class += "%{Foreach-Variable-0}"
    }
}
Which returns:
Class: imap
Class: vpn
Has anyone figured out the correct commands to return a SEMICOLON delimited list, like this:
Class: imap;vpn
-
As a follow-up, here is how I got it working.
I am using OpenLDAP and FreeRADIUS on FreeBSD 14. I'm not documenting here how to get LDAP authentication working with FreeRADIUS; I'm presuming that is already done. Additionally, my LDAP schema has all users under the name
ou=people, ou=domain, ou=com
and groups in
ou=groups, ou=domain, ou=com
I do not have memberof enabled. I'm using MSCHAPv2 authentication in pfsense's RADIUS configuration.
In /usr/local/etc/raddb/mods-enabled/ldap use these settings in the "group" section
    base_dn = "${..base_dn}"
    filter = '(objectClass=posixGroup)'
    scope = 'sub'
    name_attribute = cn
    membership_filter = "(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})"
    cacheable_name = 'yes'
In /usr/local/etc/raddb/sites-available/default add this in the "post-auth" section
update reply {
    Class += "%{exec:/bin/sh /usr/local/etc/raddb/ldap_fix.sh %{control:LDAP-Group[*]}}"
}
The exec module is used. Ensure that in /usr/local/etc/raddb/mods-available/exec, "wait" is set to "yes"
wait = yes
Finally, I used tr to convert the comma-delimited list of groups in "%{control:LDAP-Group[*]}" to semi-colon delimited. The file /usr/local/etc/raddb/ldap_fix.sh looks like this
#!/bin/sh
#
# turn comma-delimited list of groups into semi-colon delimited list of groups
#
echo "${1}" | tr "," ";"
Using the pfsense authentication tester (Diagnostics > Authentication) I can now see the list of groups users are a member of. Note that the groups need to also be present in pfsense (System > User Manager).
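An added example, not the poster's ldap_fix.sh: a drop-in variant of the same conversion that also copes with the group list arriving as several arguments, whitespace around the separators, and empty entries, so the Class value handed to pfSense is always a clean semicolon-delimited string. The function name and the sample inputs are my own assumptions.

```shell
#!/bin/sh
# Added example (not the poster's script). Convert a FreeRADIUS
# "%{control:LDAP-Group[*]}" expansion into "group1;group2;..." for the
# pfSense Class attribute.
#
# Assumptions: the list may reach us as one word ("imap, vpn") or as
# several argv words ("imap," "vpn"), and group names may contain spaces,
# so every argument is joined with "$*" before the separators are rewritten.
groups_to_class() {
    printf '%s' "$*" |
        sed -e 's/[[:space:]]*[,;][[:space:]]*/;/g' \
            -e 's/^[[:space:]]*//' \
            -e 's/[[:space:]]*$//' \
            -e 's/;;*/;/g' \
            -e 's/^;//' \
            -e 's/;$//'
    # Pipeline, step by step:
    #   1. any comma or semicolon, with surrounding blanks, becomes ";"
    #   2./3. leading and trailing blanks are dropped
    #   4. runs of ";" from empty entries collapse to one
    #   5./6. a leading or trailing ";" is dropped
}

# When run as the exec target, emit the normalised list on stdout.
# With no arguments this prints nothing, which FreeRADIUS treats as an empty Class.
groups_to_class "$@"
```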