authorjim-p <jimp@pfsense.org>2015-08-12 12:07:15 -0400
committerjim-p <jimp@pfsense.org>2015-08-12 12:10:46 -0400
commit709c2f99f1bf99022ee8ba670cfd8025e2c71592 (patch)
treefde3ebe661cc80e526944be6dbebd2fe051b1c24 /etc
parent24850bca184ba103fad984da638fe7252071d1af (diff)
downloadpfsense-709c2f99f1bf99022ee8ba670cfd8025e2c71592.zip
pfsense-709c2f99f1bf99022ee8ba670cfd8025e2c71592.tar.gz
Fix GUI auth from RADIUS to grab group names from the Class attribute. Implements #935
The RADIUS server must populate the Class attribute with a semicolon-separated string of user groups. As with LDAP, local groups with matching names must exist, and privileges are determined by the matching local groups.
Diffstat (limited to 'etc')
-rw-r--r--etc/inc/auth.inc27
-rw-r--r--etc/inc/authgui.inc2
-rw-r--r--etc/inc/priv.inc7
-rw-r--r--etc/inc/radius.inc2
4 files changed, 31 insertions, 7 deletions
diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc
index e216289..44a90d8 100644
--- a/etc/inc/auth.inc
+++ b/etc/inc/auth.inc
@@ -1236,6 +1236,24 @@ function radius_backed($username, $passwd, $authcfg, &$attributes = array()) {
return $ret;
}
+/*
+ $attributes must contain a "class" key containing the groups and local
+ groups must exist to match.
+*/
+function radius_get_groups($attributes) {
+ $groups = array();
+ if (!empty($attributes) && is_array($attributes) && !empty($attributes['class'])) {
+ $groups = explode(";", $attributes['class']);
+ foreach ($groups as & $grp) {
+ $grp = strtolower(trim($grp));
+ if (substr($grp, 0, 3) == "ou=") {
+ $grp = substr($grp, 3);
+ }
+ }
+ }
+ return $groups;
+}
+
function get_user_expiration_date($username) {
$user = getUserEntry($username);
if ($user['expires'])
@@ -1289,7 +1307,7 @@ function auth_get_authserver_list() {
return $list;
}
-function getUserGroups($username, $authcfg) {
+function getUserGroups($username, $authcfg, &$attributes = array()) {
global $config;
$allowed_groups = array();
@@ -1299,6 +1317,7 @@ function getUserGroups($username, $authcfg) {
$allowed_groups = @ldap_get_groups($username, $authcfg);
break;
case 'radius':
+ $allowed_groups = @radius_get_groups($attributes);
break;
default:
$user = getUserEntry($username);
@@ -1363,14 +1382,16 @@ function session_auth() {
return false;
/* Validate incoming login request */
+ $attributes = array();
if (isset($_POST['login']) && !empty($_POST['usernamefld']) && !empty($_POST['passwordfld'])) {
$authcfg = auth_get_authserver($config['system']['webgui']['authmode']);
- if (authenticate_user($_POST['usernamefld'], $_POST['passwordfld'], $authcfg) ||
- authenticate_user($_POST['usernamefld'], $_POST['passwordfld'])) {
+ if (authenticate_user($_POST['usernamefld'], $_POST['passwordfld'], $authcfg, $attributes) ||
+ authenticate_user($_POST['usernamefld'], $_POST['passwordfld'])) {
// Generate a new id to avoid session fixation
session_regenerate_id();
$_SESSION['Logged_In'] = "True";
$_SESSION['Username'] = $_POST['usernamefld'];
+ $_SESSION['user_radius_attributes'] = $attributes;
$_SESSION['last_access'] = time();
$_SESSION['protocol'] = $config['system']['webgui']['protocol'];
if(! isset($config['system']['webgui']['quietlogin'])) {
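Review bot: `$_SESSION['user_radius_attributes'] = $attributes;` at the end of the hunk stores whatever `$attributes` holds regardless of which side of the `||` authenticated, so if the RADIUS attempt fails after having filled `$attributes` and the local fallback `authenticate_user()` then succeeds, the session carries group data from a rejected RADIUS exchange; `radius_backed()` and the rest of `session_auth()` are outside the hunk, so whether `$attributes` is written before the accept/reject decision cannot be confirmed here. Splitting the two attempts and resetting `$attributes` before the fallback ties the stored attributes to the backend that actually granted access. In the first hunk, `foreach ($groups as & $grp)` in `radius_get_groups()` should be followed by `unset($grp);` so the reference does not dangle on the last element, and a trailing `;` in the Class value yields an empty group name from `explode()` that could be dropped with `array_filter()`.
```php
$attributes = array();
if (isset($_POST['login']) && !empty($_POST['usernamefld']) && !empty($_POST['passwordfld'])) {
    $authcfg = auth_get_authserver($config['system']['webgui']['authmode']);
    $authenticated = authenticate_user($_POST['usernamefld'], $_POST['passwordfld'], $authcfg, $attributes);
    if (!$authenticated) {
        /* Discard anything the failed backend attempt left in $attributes before trying local auth */
        $attributes = array();
        $authenticated = authenticate_user($_POST['usernamefld'], $_POST['passwordfld']);
    }
    if ($authenticated) {
        // … unchanged: session_regenerate_id() and $_SESSION setup …
```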
diff --git a/etc/inc/authgui.inc b/etc/inc/authgui.inc
index 0999452..2ca4aa5 100644
--- a/etc/inc/authgui.inc
+++ b/etc/inc/authgui.inc
@@ -53,7 +53,7 @@ if (!session_auth()) {
* We give them access only to the appropriate pages based on
* the user or group privileges.
*/
-$allowedpages = getAllowedPages($_SESSION['Username']);
+$allowedpages = getAllowedPages($_SESSION['Username'], $_SESSION['user_radius_attributes']);
/*
* redirect to first allowed page if requesting a wrong url
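Review bot: Because `getAllowedPages()` takes its second parameter by reference, passing `$_SESSION['user_radius_attributes']` silently creates that key as `null` whenever it is absent — sessions established before this change, or any login path that does not go through the form handling in `session_auth()` — so the lack of an undefined-index notice is a side effect of reference passing rather than an explicit choice. An explicit default at the call site documents the contract: `$radius_attributes = isset($_SESSION['user_radius_attributes']) ? $_SESSION['user_radius_attributes'] : array();` followed by `$allowedpages = getAllowedPages($_SESSION['Username'], $radius_attributes);`.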
diff --git a/etc/inc/priv.inc b/etc/inc/priv.inc
index c6b244f..e6fa96f 100644
--- a/etc/inc/priv.inc
+++ b/etc/inc/priv.inc
@@ -240,7 +240,7 @@ function getPrivPages(& $entry, & $allowed_pages) {
}
}
-function getAllowedPages($username) {
+function getAllowedPages($username, &$attributes = array()) {
global $config, $_SESSION;
if (!function_exists("ldap_connect"))
@@ -251,8 +251,11 @@ function getAllowedPages($username) {
$authcfg = auth_get_authserver($config['system']['webgui']['authmode']);
// obtain ldap groups if we are in ldap mode
- if ($authcfg['type'] == "ldap")
+ if ($authcfg['type'] == "ldap") {
$allowed_groups = @ldap_get_groups($username, $authcfg);
+ } elseif ($authcfg['type'] == "radius") {
+ $allowed_groups = @radius_get_groups($attributes);
+ }
if (!$allowed_groups) {
// search for a local user by name
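Review bot: `getAllowedPages()` only reads `$attributes` — it passes it to `radius_get_groups()` and never assigns to it — so declaring it by reference as `&$attributes = array()` is misleading and forces callers to supply a variable; `function getAllowedPages($username, $attributes = array()) {` states the actual contract. The `@` in front of `radius_get_groups($attributes)` mirrors the `ldap_get_groups()` line, but `radius_get_groups()` already guards against an empty or non-array argument, so the suppression only hides genuine errors such as the function not being loaded. `getAllowedPages()` continues past the end of the hunk.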
diff --git a/etc/inc/radius.inc b/etc/inc/radius.inc
index bb8bf6c..2b4d472 100644
--- a/etc/inc/radius.inc
+++ b/etc/inc/radius.inc
@@ -484,7 +484,7 @@ class Auth_RADIUS extends PEAR {
break;
case RADIUS_CLASS:
- $this->attributes['class'] = radius_cvt_int($data);
+ $this->attributes['class'] = radius_cvt_string($data);
break;
case RADIUS_FRAMED_PROTOCOL:
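Review bot: The assignment in the `RADIUS_CLASS` branch overwrites `$this->attributes['class']` on every occurrence, so when the server returns several Class attributes — RFC 2865 allows more than one in an Access-Accept — only the last one survives and the groups carried in the earlier ones are silently lost, assuming this `switch` runs once per received attribute as the case labels suggest. Appending keeps all of them in the semicolon-separated form the consumer expects: `$cls = radius_cvt_string($data);` then `$this->attributes['class'] = isset($this->attributes['class']) ? $this->attributes['class'] . ';' . $cls : $cls;`. The enclosing method and its attribute loop start and end outside the hunk.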