RADIUS Filter-ID/Group-ID is needed, does a solution or workaround exist?
privacyidea
Jul 29, 2016, 3:46:55 AM
to privacyidea
Hello there,
In our environment we are using 2x FortiGate 1000C with different SSL VPN portals. To grant users access to these specific portals, we have Filter-IDs set in our RSA server, which grant the user access to the right VPN portal and deny access to other portals.
Is it possible to have these Filter-IDs set in privacyIDEA somehow? For users or groups?
If not, could you implement this if possible?
Best regards,
Thomas
cornelius.koelbel
Jul 29, 2016, 7:34:09 AM
to privacyidea
Which filter IDs?
It could be possible to set additional RADIUS key-value pairs in the RADIUS response.
to privacyidea, priva...@googlegroups.com
On our SecureID server we are using different profiles for VPN portals.
So each profile/user for the specific portal has a different Filter-ID, so a general setting in the RADIUS wouldn't be an option.
The firewall expects a true or false from the RADIUS server as to whether the user matches the specific Filter-ID or not. If not, the login is rejected; if yes, it passes and the user can access the specific VPN portal.
It would be neat to configure the RADIUS plugin via the GUI and additionally set this Filter-ID on each configured user.
Best Regards,
Thomas
Cornelius Kölbel
Jul 31, 2016, 2:34:16 AM
to priva...@googlegroups.com
Hello Thomas,
the privacyIDEA API can return additional details on a successful
authentication. E.g. it returns the serial number of the token, the user
used to authenticate. It could also return the resolvername, realm or
some arbitrary value.
The freeRADIUS plugin can use these values to return it as an AVP.
If I understand the RFC correctly, the filter-ID is also a value
returned in ACCESS-ACCEPT packages.
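
How a Filter-Id derived from a backend detail value ends up in an Access-Accept, as an added example that is not from this thread or from the privacyIDEA or FreeRADIUS code. The `realm` detail field, the realm-to-Filter-Id table and the sample response are constructed assumptions; the packet codes, attribute type 11 and the Response Authenticator formula follow RFC 2865.

```python
import hashlib
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3   # RFC 2865 packet codes
FILTER_ID = 11                        # RFC 2865 attribute type for Filter-Id

# Constructed sample data: the "realm" detail field and the portal names are
# assumptions for this example, not values taken from the thread.
REALM_TO_FILTER_ID = {"sales": "vpn-portal-sales", "admins": "vpn-portal-admin"}
SAMPLE_AUTH = {"result": {"status": True, "value": True},
               "detail": {"serial": "TOTP0001", "realm": "sales"}}


def encode_avp(attr_type, value):
    """Encode Type, Length, Value; Length includes the two header bytes."""
    if not 1 <= len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def build_reply(auth, identifier, request_authenticator, secret):
    """Map a backend auth result to an Access-Accept or Access-Reject packet."""
    ok = auth.get("result", {}).get("value") is True
    filter_id = REALM_TO_FILTER_ID.get(auth.get("detail", {}).get("realm"))
    # Fail closed: an authenticated user without a mapped Filter-Id is rejected
    # rather than sent an Accept that names no portal.
    if ok and filter_id:
        code, attrs = ACCESS_ACCEPT, encode_avp(FILTER_ID, filter_id.encode())
    else:
        code, attrs = ACCESS_REJECT, b""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    digest = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + digest + attrs


def parse_filter_ids(packet):
    """Return (code, [Filter-Id strings]) the way a NAS would read the reply."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    attrs, out, pos = packet[20:length], [], 0
    while pos + 2 <= len(attrs):
        a_type, a_len = attrs[pos], attrs[pos + 1]
        if a_len < 2 or pos + a_len > len(attrs):
            raise ValueError("malformed attribute")
        if a_type == FILTER_ID:
            out.append(attrs[pos + 2:pos + a_len].decode())
        pos += a_len
    return code, out
```

The firewall side then only has to compare the returned Filter-Id against the one configured for the portal the user is connecting to.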