hello list,

using a 2.2.6-RELEASE I am able to redirect auth requests from OpenVPN users to FreeRADIUS (3.0.15) and allow access based on DC group membership.

after that I also want administrative accesses (HTTPS mainly, but even SSH is welcome) to be directed to the (same) RADIUS server and, again based on group membership, allow or deny access.

while the FreeRADIUS portion is working (the debug shows sending of an "Access-Accepted" message back to pfSense) and I have verified that pfSense receives the well-formed message (via Diagnostics --> Packet Capture), users just get this message in their browsers:

    No page assigned to this user! Click here to logout.

giving administrative permissions to ALL users (just to check) does not resolve it, so I have followed/integrated the instructions in https://community.spiceworks.com/how_to/128944-pfsense-admin-logins-via-radius-using-active-directory-accounts to arrange for a new group definition in pfSense (let's say NET-ADMINS). but the result has not changed, even after the addition of "Group-Name = NET-ADMINS" into the RADIUS reply, so a new search led to https://github.com/pfsense/pfsense/pull/1552 and consequent config updates in FreeRADIUS (some kind of "update reply on successful auth" pushing "NET-ADMINS" into the new AVP pfSense-Group-Name), but something wrong is still there. the (snipped) dump shows:

    10.6.20.39.53389 > 10.20.48.21.1812: [udp sum ok] RADIUS, length: 101
        Access Request (1), id: 0xbb, Authenticator: 92b7857d5fa54bf9b8ab5b47c1f94035
        .....
    10.20.48.21.1812 > 10.6.20.39.53389: [udp sum ok] RADIUS, length: 44
        Access Accept (2), id: 0xbb, Authenticator: 00824ba1fe818db938de5fcda08b2830
          Service Type Attribute (6), length: 6, Value: Login
            0x0000:  0000 0001
          Vendor Specific Attribute (26), length: 18, Value: Vendor: Unknown (15000)
            Vendor Attribute: 1, Length: 10, Value: NET-ADMINS
            0x0000:  0000 3a98 010c 4e45 542d 4144 4d49 4e53

as the 15000 ID is not recognized as known, even if dictionary.pfsense contains

    VENDOR pfSense 15000

and, later,

    ATTRIBUTE pfSense-Group-Name 1 string

now, supposing I am able to modify the reply message from RADIUS to pfSense:

- what kind of AVP do I need to pass back to pfSense?
- is there any pfSense documentation about required AVPs?
- why does pfSense send requests with a NAS-IP-Address == 0.0.0.0 (that has been observed even in the production environment)?

best regards
Alessandro Spinella
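Added example, not from the post or from pfSense/FreeRADIUS: a small decoder for the Access-Accept shown above, which walks the RADIUS attribute list and pulls out any Vendor-Specific sub-attribute with vendor id 15000 and attribute 1 (the VENDOR/ATTRIBUTE pair from dictionary.pfsense). The packet bytes are reconstructed from the capture in the post; the Response Authenticator is carried as-is and not verified, since that would need the shared secret.

```python
import struct

# Constructed Access-Accept matching the capture in the post: 20-byte header
# (code 2, id 0xbb, length 44, Response Authenticator), then two attributes.
ACCESS_ACCEPT = bytes.fromhex(
    "02bb002c"                          # code=2 Access-Accept, id=0xbb, length=44
    "00824ba1fe818db938de5fcda08b2830"  # Response Authenticator (from the capture)
    "0606" "00000001"                   # Service-Type (6), len 6, value 1 = Login
    "1a12" "00003a98"                   # Vendor-Specific (26), len 18, Vendor-Id 15000
    "010c" "4e45542d41444d494e53"       # vendor type 1, len 12, "NET-ADMINS"
)

PFSENSE_VENDOR_ID = 15000       # VENDOR pfSense 15000 in dictionary.pfsense
PFSENSE_GROUP_NAME = 1          # ATTRIBUTE pfSense-Group-Name 1 string


def parse_attributes(packet):
    """Return (code, id, [(type, value_bytes), ...]) for an RFC 2865 packet."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    attrs, pos = [], 20            # attributes start after the authenticator
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, attrs


def parse_vsa(value):
    """Split a Vendor-Specific value into (vendor_id, [(vendor_type, data), ...])."""
    vendor_id = struct.unpack("!I", value[:4])[0]
    sub, pos = [], 4
    while pos < len(value):
        vtype, vlen = value[pos], value[pos + 1]
        if vlen < 2 or pos + vlen > len(value):
            raise ValueError("malformed vendor sub-attribute")
        sub.append((vtype, value[pos + 2:pos + vlen]))
        pos += vlen
    return vendor_id, sub


def pfsense_groups(packet):
    """pfSense-Group-Name strings in an Access-Accept; [] if the reply carries none."""
    code, _ident, attrs = parse_attributes(packet)
    if code != 2:                  # only an Access-Accept grants anything
        return []
    groups = []
    for atype, value in attrs:
        if atype != 26:
            continue
        vendor_id, sub = parse_vsa(value)
        if vendor_id == PFSENSE_VENDOR_ID:
            groups += [d.decode("ascii", "replace") for t, d in sub if t == PFSENSE_GROUP_NAME]
    return groups
```

Running pfsense_groups(ACCESS_ACCEPT) yields ['NET-ADMINS'], so the reply is well-formed on the wire; tcpdump printing "Vendor: Unknown (15000)" only means tcpdump itself has no dictionary for that vendor id.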
