RADIUS Filter-ID/Group-ID is needed, does a solution or workaround exist?

Hello there,

we are using 2x FortiGate 1000C in our environment with different SSL VPN
portals. To grant users access to these specific portals, we have Filter-IDs
set in our RSA server, which grant the user access to the right VPN portal
and deny access to other portals.

Is it possible to have these filter-ids set in privacyidea somehow? For
users or groups?

If not, could you implement this if possible?

Best regards,
Thomas

We are using different profiles for VPN portals on our SecurID server.

So each profile/user for the specific portal has a different Filter-ID, so
a general setting in the RADIUS server wouldn’t be an option.

The firewall expects a true or false from the RADIUS server depending on
whether the user matches the specific Filter-ID: if not, the login is
rejected; if yes, it passes and the user can access the specific VPN portal.

https://tools.ietf.org/html/rfc4849

It would be neat to configure the RADIUS plugin via the GUI and
additionally set this Filter-ID on each configured user.

Best Regards,
Thomas

Hello Thomas,

the privacyIDEA API can return additional details on a successful
authentication. E.g. it returns the serial number of the token, the user
used to authenticate. It could also return the resolvername, realm or
some arbitrary value.

The FreeRADIUS plugin can use these values to return them as AVPs.
If I understand the RFC correctly, the Filter-ID is also a value
returned in ACCESS-ACCEPT packets.

Here the serial number in case of success is returned:

This should not be that big a deal if you are willing to

  1. together define the “key”, “identifiers” and workflows and
  2. financially support this additional development.

Kind regards
Cornelius


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Kassel District Court (Amtsgericht Kassel), HRB 16405
Managing Director: Cornelius Kölbel
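
To illustrate the mechanism discussed in this thread (a Filter-Id returned in the Access-Accept and matched by the firewall per portal), here is an added example; it is not code from privacyIDEA, its FreeRADIUS plugin or FortiGate. It uses the RFC 2865 packet layout, where Filter-Id is attribute type 11; the shared secret, the filter names, the per-user mapping and the NAS decision function are constructed assumptions.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2   # RFC 2865 packet code
FILTER_ID = 11      # RFC 2865 attribute type for Filter-Id

def build_accept(ident, request_auth, secret, filter_id):
    """RADIUS server side: Access-Accept carrying one Filter-Id attribute."""
    value = filter_id.encode()
    attrs = struct.pack("!BB", FILTER_ID, len(value) + 2) + value
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def nas_decision(packet, request_auth, secret, portal_filter):
    """Hypothetical NAS side: verify the reply, allow only on a Filter-Id match."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or code != ACCESS_ACCEPT:
        return False
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return False                # forged or altered reply
    pos = 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            return False            # malformed attribute: fail closed
        if atype == FILTER_ID and attrs[pos + 2:pos + alen] == portal_filter.encode():
            return True
        pos += alen
    return False                    # accepted, but not for this portal

# Constructed sample values (not taken from the thread)
SECRET = b"example-shared-secret"
REQ_AUTH = bytes(range(16))
USER_FILTER = {"thomas": "vpn-portal-a"}   # hypothetical per-user setting

def demo():
    pkt = build_accept(7, REQ_AUTH, SECRET, USER_FILTER["thomas"])
    return (nas_decision(pkt, REQ_AUTH, SECRET, "vpn-portal-a"),
            nas_decision(pkt, REQ_AUTH, SECRET, "vpn-portal-b"),
            nas_decision(pkt, REQ_AUTH, b"wrong-secret", "vpn-portal-a"))
```

The Filter-Id travels in clear text and is protected only by the Response Authenticator, so a rewritten value is caught only when the shared secret is strong and the NAS verifies the authenticator before acting on the attribute.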