Radius Filter-ID/Group-ID is needed, does a solution or workaround exist?


privacyidea

Jul 29, 2016, 3:46:55 AM
to privacyidea
Hello there,

We are using in our environment 2x FortiGate 1000C with different SSL VPN portals. To grant users access to these specific portals we have Filter-IDs set in our RSA server, which grant the user access to the right VPN portal and deny access to other portals.

Is it possible to have these filter-ids set in privacyidea somehow? For users or groups?

If not, could you implement this if possible?

Best regards,
Thomas

cornelius.koelbel

Jul 29, 2016, 7:34:09 AM
to privacyidea
Which filter IDs?
It could be possible to set additional RADIUS key-value pairs in the RADIUS response.

Kind regards
Cornelius 



Cornelius Kölbel 
+49 151 2960 1417

-------- Original message --------
From: privacyidea <priva...@googlegroups.com>
Date: 29.07.16 09:46 (GMT+01:00)
To: privacyidea <priva...@googlegroups.com>
Subject: [privacyidea] Radius Filter-ID/Group-ID is needed, does a solution or workaround exist?

--
Please read the blog post about getting help
https://www.privacyidea.org/getting-help/.
 
For professional services and consultancy regarding two factor authentication please visit
https://netknights.it/en/leistungen/one-time-services/
 
In an enterprise environment you should get a SERVICE LEVEL AGREEMENT which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
https://netknights.it/en/leistungen/service-level-agreements/
---
You received this message because you are subscribed to the Google Groups "privacyidea" group.
To unsubscribe from this group and stop receiving emails from it, send an email to privacyidea...@googlegroups.com.
To post to this group, send email to priva...@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit https://groups.google.com/d/msgid/privacyidea/2d6106ac-effd-4c8c-a489-cf1ff40c2d2c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

privacyidea

Jul 29, 2016, 8:10:57 AM
to privacyidea, priva...@googlegroups.com
On our SecurID server we are using different profiles for the VPN portals.

So each profile/user for the specific portal has a different Filter-ID, so a general setting in the RADIUS server wouldn't be an option.

The firewall expects a true or false from the RADIUS server depending on whether the user matches the specific Filter-ID or not; if not, the login is rejected; if yes, it passes and the user can access the specific VPN portal.


It would be neat to configure the RADIUS plugin via the GUI and additionally set this Filter-ID on each configured user.

Best Regards,
Thomas

Cornelius Kölbel

Jul 31, 2016, 2:34:16 AM
to priva...@googlegroups.com
Hello Thomas,

the privacyIDEA API can return additional details on a successful
authentication. E.g. it returns the serial number of the token, the user
used to authenticate. It could also return the resolvername, realm or
some arbitrary value.

The freeRADIUS plugin can use these values to return it as an AVP.
If I understand the RFC correctly, the filter-ID is also a value
returned in ACCESS-ACCEPT packets.

Here the serial number in case of success is returned:
https://github.com/privacyidea/FreeRADIUS/blob/f6fa2ac72b77a82c7d232f96128524b3b192461c/privacyidea_radius.pm#L343

This should not be that big a deal if you are willing to

1. together define the "key", "identifiers" and workflows and
2. financially support this additional development.

Kind regards
Cornelius

--
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel (district court), HRB 16405
Managing Director: Cornelius Kölbel


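The mapping discussed in the thread, as an added example that is not part of the original posts and is not code from privacyIDEA or its FreeRADIUS plugin: it turns an authentication response into RADIUS reply attributes and rejects the login when no Filter-Id can be derived. The `realm` detail key, the `FILTER_ID_BY_REALM` table with its portal names, and the sample responses are assumptions constructed for illustration.

```python
import json

# Hypothetical mapping from a detail value (here: the realm) to the Filter-Id
# that the VPN gateway matches against. All names are made up.
FILTER_ID_BY_REALM = {
    "staff": "vpn-portal-staff",
    "partners": "vpn-portal-partners",
}

# Constructed sample responses (not captured from a real server).
SAMPLE_OK = ('{"result": {"status": true, "value": true}, '
             '"detail": {"serial": "TOTP0001", "realm": "staff"}}')
SAMPLE_UNMAPPED = ('{"result": {"status": true, "value": true}, '
                   '"detail": {"serial": "TOTP0002", "realm": "contractors"}}')
SAMPLE_WRONG_OTP = ('{"result": {"status": true, "value": false}, '
                    '"detail": {"realm": "staff"}}')


def radius_reply(api_response_json):
    """Return (packet_type, reply_attributes) for one authentication response.

    Fails closed: only a clean success with a realm that has a mapping yields
    Access-Accept, so no user is accepted without a Filter-Id.
    """
    try:
        resp = json.loads(api_response_json)
    except (ValueError, TypeError):
        return "Access-Reject", {"Reply-Message": "malformed backend response"}

    # Treat unexpected types as missing instead of trusting their shape.
    resp = resp if isinstance(resp, dict) else {}
    result = resp.get("result") if isinstance(resp.get("result"), dict) else {}
    detail = resp.get("detail") if isinstance(resp.get("detail"), dict) else {}

    # status: the request was processed; value: the credentials were correct.
    if result.get("status") is not True or result.get("value") is not True:
        return "Access-Reject", {"Reply-Message": "authentication failed"}

    realm = detail.get("realm")
    filter_id = FILTER_ID_BY_REALM.get(realm) if isinstance(realm, str) else None
    if filter_id is None:
        return "Access-Reject", {"Reply-Message": "no portal assigned"}

    return "Access-Accept", {"Filter-Id": filter_id}


if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_UNMAPPED, SAMPLE_WRONG_OTP):
        print(radius_reply(sample))
```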