Releases: MobileID-Strong-Authentication/mid-radius-rig
Release v1.5.0
Change Log
- CR-1020 (BREAKING-CHANGE) Add storage for Redis connection credentials
- CR-1019 Optimise the use of AppSettings without Redis for productive environments
Configuration changes
The Redis connection string must be defined. Example in a .yml file:
- Schnittstellen__KeyValueStorage__Storage=Redis
- Schnittstellen__KeyValueStorage__ConnectionString=redis:6379,password=${MY_PWD},ssl=True,abortConnect=False
Docker Image
https://hub.docker.com/r/mobileidch/mid-radius-rig
Release v1.4.2
Consider version 1.5.0 if you need a geofencing system using configuration file mode.
Change Log
New features:
- CR-1011 Class attribute in Access-Accept
(BREAKING-CHANGE) For simplicity and consistency of the solution, the UserGroupSearchFilter is removed from the FortigateBehaviour section and moved to the LDAP config level. This one filter is then used for Fortigate, Class and MFA matching (Change Request 1016) instead of maintaining three separate queries or reading the memberOf attribute.
- CR-1012 New parameters for UserSearchFilter
(BREAKING-CHANGE): The deprecated placeholder {0} is removed. After this change, only {username} can be used as a placeholder for the username.
- CR-1013 User Account Control attribute
Improved security control of user authentication in a specific scenario.
- CR-1014 Without LDAP Admin User (Service User)
- CR-1015 Accounting Webhook
Allows to forward the accounting traffic to another system.
- CR-1016 MemberOf attribute for MFA method
Use of groups to define the MFA method is available.
- CR-1017 MFA Method "None"
Allows to temporarily turn off MFA.
- CR-1018 Use NAS-Identifier as ID for state handling
AP_ID doesn't need to be unique in customer configs.
Bug fixes:
- Bug 22239 - Prioritisation of MFA methods when mapping via group is not correct
- Bug 22108 - JSON serialization of System.Net.IPAddress fails
- Bug 22107 - UserAccountControl attribute case sensitivity
- Bug 21797 - Specific Redis keys lead to errors when reading
New Configuration section
If you have no REDIS, add the following configuration to your env file:
(Be careful about the line order and the updated parameters; use the sample file as a reference.)
...
CustomerConfigs__0__AccountingWebhook__Url=<your-webhook-url>
CustomerConfigs__0__AccountingWebhook__HttpMethod=POST
...
CustomerConfigs__0__MfaMethods__0=SIM
CustomerConfigs__0__MfaMethods__1=APP
CustomerConfigs__0__MfaMethods__2=OTP
CustomerConfigs__0__MfaMethods__3=NONE
...
CustomerConfigs__0__Ldap__UseClientCredentialsForConnection=false
...
CustomerConfigs__0__Ldap__CheckUserAccountControl=false
...
CustomerConfigs__0__Ldap__UserSearchFilter=(&(objectclass=inetOrgPerson)(uid={username}{domain}))
...
CustomerConfigs__0__Ldap__UserGroupSearchFilter=(&(objectClass=groupOfNames)(member={userdn}))
...
CustomerConfigs__0__Ldap__MfaMethod__MappingType=Attribute
CustomerConfigs__0__Ldap__MfaMethod__AttributeName=mfa_type
CustomerConfigs__0__Ldap__MfaMethod__Mappings__Sim=LDAP_SIM_VALUE
CustomerConfigs__0__Ldap__MfaMethod__Mappings__App=LDAP_APP_VALUE
CustomerConfigs__0__Ldap__MfaMethod__Mappings__Otp=LDAP_OTP_VALUE
CustomerConfigs__0__Ldap__MfaMethod__Mappings__None=LDAP_NONE_VALUE
...
CustomerConfigs__0__Ldap__ClassMatching__ClassMappings__0__GroupDn=cn=readers,ou=users,dc=example,dc=org
CustomerConfigs__0__Ldap__ClassMatching__ClassMappings__0__ClassName=Group Policy A
CustomerConfigs__0__Ldap__ClassMatching__ClassMappings__1__GroupDn=cn=readers,ou=users,dc=example,dc=org
CustomerConfigs__0__Ldap__ClassMatching__ClassMappings__1__ClassName=Group Policy B
...
Else, if you have a REDIS database, add the following JSON configuration inside your customer config:
(Be careful about the line order and the updated parameters; use the sample file as a reference.)
...
"AccountingWebhook": {
"Url": "http://nginx:8080?apikey=abc1234",
"HttpMethod": "POST"
},
...
"Ldap": {
...
"UseClientCredentialsForConnection": false,
...
"CheckUserAccountControl": false,
...
"UserSearchFilter": "(&(objectclass=inetOrgPerson)(uid={username}{domain}))",
...
"UserGroupSearchFilter": "(&(objectClass=groupOfNames)(member={userdn}))",
...
"MfaMethod": {
"MappingType": "Attribute",
"AttributeName": "mfa_type",
"Mappings": {
"Sim": "SIM",
"App": "APP",
"Otp": "OTP",
"None": "NONE"
}
...
"ClassMatching": {
"ClassMappings": [
{
"GroupDn": "cn=readers,ou=users,dc=example,dc=org",
"ClassName": "Group Policy A"
},
{
"GroupDn": "cn=readers,ou=users,dc=example,dc=org",
"ClassName": "Group Policy B"
}
]
},
...
}
...
"MfaMethods": [
"SIM",
"APP",
"OTP",
"NONE"
],
...
The new parameters are not mandatory; you can ignore them if they are not used.
Example of the handover (upgrade) of a running RIG instance with Docker Compose:
docker-compose stop
docker-compose rm -f
(service redis stop)
docker-compose pull
docker-compose up -d
Docker Image
https://hub.docker.com/r/mobileidch/mid-radius-rig
Release v1.3.4
Change Log
- CR-1010 Allow geofencing based on user's AD group memberOf
- Upgrade to .NET 8.0 with long-term support (LTS) until Nov. 2026
New Configuration section
If you have no REDIS, add the following configuration to your env file:
CustomerConfigs__0__Ldap__Geofencing__Activate=true
CustomerConfigs__0__Ldap__Geofencing__GeofencingSearchBase=dc=mycompany,dc=ch
CustomerConfigs__0__Ldap__Geofencing__UserGeoGroupSearchFilter=(&(objectClass=groupOfNames)(member={userdn})(ou=geo-groups))
CustomerConfigs__0__Ldap__Geofencing__CountriesSearchFilter=(objectClass=country)
CustomerConfigs__0__Ldap__Geofencing__MinimalDeviceConfidence=0.7
CustomerConfigs__0__Ldap__Geofencing__MinimalLocationConfidence=0.7
CustomerConfigs__0__Ldap__Geofencing__FailAuthIfGroupMissing=true
CustomerConfigs__0__Ldap__Geofencing__BlacklistGroupPrefix=blacklist-
CustomerConfigs__0__Ldap__Geofencing__WhitelistGroupPrefix=whitelist-
Else, if you have a REDIS database, add the following JSON configuration inside the LDAP section:
"Ldap": {
...
"Geofencing":{
"Activate":true,
"GeofencingSearchBase":"dc=mycompany,dc=ch",
"UserGeoGroupSearchFilter":"(&(objectClass=groupOfNames)(member={userdn})(ou=geo-groups))",
"CountriesSearchFilter":"(objectClass=country)",
"MinimalDeviceConfidence":0.7,
"MinimalLocationConfidence":0.7,
"FailAuthIfGroupMissing":true,
"BlacklistGroupPrefix":"blacklist-",
"WhitelistGroupPrefix":"whitelist-"
}
...
How to set up an AD whitelist (guideline)
To add a new country entry to an LDAP server using the command line, you'll need to create an LDIF (LDAP Data Interchange Format) file that contains the details of the entry you want to add, and then use the ldapadd command to add this entry to your LDAP directory. Here is a step-by-step guide.
First, create an LDIF file with the content of the new country entry. The content of the file should look like this.
add_country.ldif:
dn: c=CH,ou=countries,dc=mycompany,dc=ch
objectClass: country
c: CH
Create the parent entry if necessary: if ou=countries doesn't exist, you'll need to create it first. You can do this by creating another LDIF file with the following content.
add_countries_ou.ldif:
dn: ou=countries,dc=mycompany,dc=ch
objectClass: organizationalUnit
ou: countries
You might also need to create a new organizational unit ou=geo-groups in your LDAP directory. Create an LDIF file for this purpose and then use the ldapadd command to add it to your directory:
create_geo_groups_ou.ldif:
dn: ou=geo-groups,dc=mycompany,dc=ch
objectClass: organizationalUnit
ou: geo-groups
Run the ldapadd command to add this entry to your LDAP directory. You will need the appropriate credentials to authenticate to your LDAP server. The command should look something like this:
ldapadd -H ldap://ldap.mycompany.ch:389 -D "cn=admin,dc=mycompany,dc=ch" -w secret -f add_country.ldif
ldapadd -H ldap://ldap.mycompany.ch:389 -D "cn=admin,dc=mycompany,dc=ch" -w secret -f create_geo_groups_ou.ldif
To create a group entry that represents a whitelist of countries, with each member representing a country, you can follow these steps:
Create an LDIF file with the content for your group entry. Make sure the DN and the members listed in the file correspond to the actual entries in your LDAP directory.
add_whitelist_group.ldif:
dn: cn=whitelist-dach,ou=geo-groups,dc=mycompany,dc=ch
objectClass: groupOfNames
cn: whitelist-dach
member: c=CH,ou=countries,dc=mycompany,dc=ch
member: c=AT,ou=countries,dc=mycompany,dc=ch
member: c=DE,ou=countries,dc=mycompany,dc=ch
Use the ldapadd command to add this group entry to your LDAP directory.
ldapadd -H ldap://ldap.mycompany.ch:389 -D "cn=admin,dc=mycompany,dc=ch" -w secret -f add_whitelist_group.ldif
To add the user cn=alice,ou=users,dc=mycompany,dc=ch as a member of the group cn=whitelist-dach,ou=geo-groups,dc=mycompany,dc=ch, you need to modify the group entry in your LDAP directory. This involves creating an LDIF file that specifies the modification and then using the ldapmodify command to apply this change. Note: you may replace "add:" with "delete:" to remove a user from the group.
modify_whitelist_group.ldif:
dn: cn=whitelist-dach,ou=geo-groups,dc=mycompany,dc=ch
changetype: modify
add: member
member: cn=alice,ou=users,dc=mycompany,dc=ch
Use the ldapmodify command to apply this modification to your LDAP directory.
ldapmodify -H ldap://ldap.mycompany.ch:389 -D "cn=admin,dc=mycompany,dc=ch" -w secret -f modify_whitelist_group.ldif
To check whether the user cn=alice,ou=users,dc=mycompany,dc=ch is listed as a member of the cn=whitelist-dach group, you can use the ldapsearch command to read the group entry and inspect its member attribute:
ldapsearch -LLL -H ldap://ldap.mycompany.ch:389 -b "cn=whitelist-dach,ou=geo-groups,dc=mycompany,dc=ch" -D "cn=admin,dc=mycompany,dc=ch" -w secret "objectClass=groupOfNames"
dn: cn=whitelist-dach,ou=geo-groups,dc=mycompany,dc=ch
objectClass: groupOfNames
cn: whitelist-dach
member: c=CH,ou=countries,dc=mycompany,dc=ch
member: c=AT,ou=countries,dc=mycompany,dc=ch
member: c=DE,ou=countries,dc=mycompany,dc=ch
member: cn=alice,ou=users,dc=mycompany,dc=ch
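Putting the geofencing configuration of this release together with the directory layout of the guideline, as an added example that is not the project's code: it parses ldapsearch LDIF output (a constructed sample, including a blacklist group the guideline does not create), collects the country codes of the whitelist-/blacklist- groups a user is a member of, and evaluates a login against the confidence thresholds and FailAuthIfGroupMissing. The decision order (confidence gate, group presence, blacklist, then whitelist) and the meaning of the confidence inputs are assumptions about the RIG's logic.

```python
# Constructed sample of ldapsearch -LLL output over ou=geo-groups: the guideline's whitelist group plus a constructed blacklist group.
SAMPLE_LDIF = """\
dn: cn=whitelist-dach,ou=geo-groups,dc=mycompany,dc=ch
objectClass: groupOfNames
cn: whitelist-dach
member: c=CH,ou=countries,dc=mycompany,dc=ch
member: c=DE,ou=countries,dc=mycompany,dc=ch
member: cn=alice,ou=users,dc=mycompany,dc=ch

dn: cn=blacklist-embargo,ou=geo-groups,dc=mycompany,dc=ch
cn: blacklist-embargo
member: c=KP,ou=countries,dc=mycompany,dc=ch
member: cn=bob,ou=users,dc=mycompany,dc=ch
"""
# Values from the Geofencing configuration section of this release.
CONFIG = {"MinimalDeviceConfidence": 0.7, "MinimalLocationConfidence": 0.7, "FailAuthIfGroupMissing": True,
          "BlacklistGroupPrefix": "blacklist-", "WhitelistGroupPrefix": "whitelist-"}

def parse_ldif(text):
    """Minimal LDIF reader -> {dn: {attr: [values]}}; no base64 values or line folding."""
    entries, current = {}, None
    for line in text.splitlines():
        attr, _, value = line.partition(": ")
        if attr == "dn":                      # a dn line starts a new entry
            current = entries.setdefault(value, {})
        elif line.strip() and current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def user_geo_groups(entries, user_dn):
    """cn -> set of country codes, for every geo-group that lists user_dn as a member."""
    groups = {}
    for attrs in entries.values():
        members = attrs.get("member", [])
        if user_dn in members:
            groups[attrs["cn"][0]] = {m[2:4] for m in members if m.startswith("c=")}  # "c=CH,..." -> "CH"
    return groups

def geofence_allows(entries, user_dn, country, device_conf, location_conf, cfg=CONFIG):
    """Assumed decision order: confidence gate, group presence, blacklist, then whitelist."""
    if device_conf < cfg["MinimalDeviceConfidence"] or location_conf < cfg["MinimalLocationConfidence"]:
        return False                          # location signal too weak to trust
    groups = user_geo_groups(entries, user_dn)
    if not groups:
        return not cfg["FailAuthIfGroupMissing"]
    deny = {c for cn, cs in groups.items() if cn.startswith(cfg["BlacklistGroupPrefix"]) for c in cs}
    allow = {c for cn, cs in groups.items() if cn.startswith(cfg["WhitelistGroupPrefix"]) for c in cs}
    if country in deny:
        return False
    return country in allow if allow else True  # no whitelist group: only the blacklist applies
```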
Checking and modifying Microsoft Active Directory schema:
Be careful while modifying the schema; this can alter the behavior of your systems.
A. Ensure "country" and "groupOfNames" classes exist:
Verification:
- Open the Run dialog (Windows + R) and type mmc.exe.
- Navigate to "File" -> "Add/Remove Snap-in" -> "Add" -> "Active Directory Schema."
- Browse the "Classes" directory to confirm the presence of the "country" and "groupOfNames" classes.
Creation (if not present):
- If the classes are not present, go to the "Action" tab to create them.
- Add "country" and "groupOfNames" classes as needed.
B. Add new superiors to "country" and "groupOfNames" classes:
- In the "Relationship" tab of the "country" class properties: add "organizationalUnit" as a possible superior.
- In the "Relationship" tab of the "groupOfNames" class properties: add "organizationalUnit" and "user" as possible superiors.
C. Make "country" and "groupOfNames" browsable:
- In the "General" tab of the "country" class properties: check the box "Show objects of this class while browsing."
- In the "General" tab of the "groupOfNames" class properties: check the box "Show objects of this class while browsing."
Following these steps enables you to:
- Create country entries, geo-groups with specific countries, and add users as members of the geo-groups.
- Perform these actions using command line, PowerShell, and the Active Directory GUI.
Docker Image
https://hub.docker.com/r/mobileidch/mid-radius-rig
Release v1.2.1
Change Log
- CR-1009 Add LDAP search scope configuration
- CR-1008 Enhance LDAP log details (DEBUG level)
- CR-1007 Support multiple username placeholder in search filter
- CR-1006 Add LDAP referral configuration
Configuration changes
- New Configuration parameters
Add the new configuration parameters to your env file:
CustomerConfigs__0__Ldap__FollowReferrals=false
CustomerConfigs__0__Ldap__DefaultSearchScope=LDAP_SCOPE_SUBTREE
or, in the REDIS database (JSON configuration):
"Ldap": {
...
"FollowReferrals": false,
"DefaultSearchScope": "LDAP_SCOPE_SUBTREE",
...
- Search Filter
The search filter can be set to match more than one attribute and even look for your username in two or more attributes. The example can match a SAM account name like 'john.doe' but can also match a UPN like '[email protected]'.
"UserSearchFilter": "(&(objectclass=person)(|(sAMAccountName={username})(userPrincipalName={username})))"
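How a placeholder filter like the one above, and the {username}/{domain}/{userdn} filters introduced in v1.4.2, should be rendered before it reaches the directory, as an added example that is not the project's code: the deprecated {0} placeholder removed by CR-1012 is rejected, unknown placeholders are refused, and every substituted value is escaped per RFC 4515 so that a username containing filter metacharacters cannot change the shape of the query. The placeholder set and the escaping are assumptions about the RIG's behaviour.

```python
import re

# Placeholders used by the search filters on this page (assumed to be the complete set).
ALLOWED_PLACEHOLDERS = {"username", "domain", "userdn"}
LEGACY_PLACEHOLDER = "{0}"          # positional form removed by CR-1012
PLACEHOLDER_RE = re.compile(r"\{([a-zA-Z]+)\}")


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 (\\ * ( ) and NUL become \\XX hex escapes)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def render_search_filter(template: str, **values: str) -> str:
    """Substitute the named placeholders into an LDAP filter template, escaping each value.

    Raises ValueError for the legacy {0} placeholder, for placeholders outside the
    allowed set, and for placeholders with no supplied value; a value is never
    inserted unescaped, so it cannot add or close filter components.
    """
    if LEGACY_PLACEHOLDER in template:
        raise ValueError("placeholder {0} is no longer supported; use {username}")
    names = set(PLACEHOLDER_RE.findall(template))
    unknown = names - ALLOWED_PLACEHOLDERS
    if unknown:
        raise ValueError(f"unknown placeholder(s): {sorted(unknown)}")
    missing = names - set(values)
    if missing:
        raise ValueError(f"no value supplied for: {sorted(missing)}")
    # Single-pass substitution: an escaped value can never be re-expanded as a placeholder.
    return PLACEHOLDER_RE.sub(lambda m: escape_filter_value(values[m.group(1)]), template)
```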
Docker Image
https://hub.docker.com/r/mobileidch/mid-radius-rig
Release v1.2
Change Log
- CR-1005 Add Support for RADIUS Accounting (Port 1812 for both Server Authentication and Accounting)
- CR-1004 Ignore Radius Clients Retry Packets
- CR-1003 Add configuration for MSS Signature TXN Timeout
- CR-1002 Add Support for Fortinet Vendor Specific Attribute (VSA)
Configuration changes
- Change
ENVIRONMENT=Production
to
ASPNETCORE_ENVIRONMENT=Production
- Add
Schnittstellen__MobileIdClient__TransactionTimeoutSeconds=60
RadiusServer__DuplicatePacketHandlingExpirationSeconds=120
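CR-1004 ignores retransmitted client packets, and the expiration setting added here bounds how long a request is remembered. As an added example that is not the project's code, the block parses the RADIUS header (RFC 2865) and keeps a time-bounded cache of seen requests; the cache key (client, code, identifier, request authenticator), the monotonic clock and the mapping of the expiration to RadiusServer__DuplicatePacketHandlingExpirationSeconds are assumptions about how the RIG does this.

```python
import struct, time

# RADIUS header (RFC 2865): Code (1) Identifier (1) Length (2) Authenticator (16), network byte order.
HEADER = struct.Struct("!BBH16s")

def parse_header(packet: bytes):
    """Return (code, identifier, length, authenticator); raise ValueError on a malformed header."""
    if len(packet) < HEADER.size:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length, auth = HEADER.unpack_from(packet)
    if length < HEADER.size or length > len(packet):
        raise ValueError("Length field inconsistent with datagram size")
    return code, ident, length, auth

class DuplicateDetector:
    """Remember (client, code, identifier, authenticator) for `expiration` seconds.
    `client` is whatever the caller keys state on (source address, or the
    NAS-Identifier as CR-1018 does); RFC 2865 identifies retransmits by client
    address/port plus Identifier, and the Request Authenticator disambiguates."""
    def __init__(self, expiration=120, clock=time.monotonic):
        self.expiration, self.clock, self.seen = expiration, clock, {}

    def is_retry(self, client, packet):
        code, ident, _, auth = parse_header(packet)
        key, now = (client, code, ident, auth), self.clock()
        # Drop expired entries so the table cannot grow without bound (O(n), fine for an example).
        self.seen = {k: t for k, t in self.seen.items() if now - t < self.expiration}
        if key in self.seen:
            return True
        self.seen[key] = now
        return False

def make_packet(code, ident, authenticator, attrs=b""):
    """Build a RADIUS datagram with the given header fields (constructed test helper)."""
    return HEADER.pack(code, ident, HEADER.size + len(attrs), authenticator) + attrs

def demo_sequence(expiration=120):
    """Same Access-Request seen twice, then from a second NAS, then again after expiry."""
    ticks = [0.0]
    det = DuplicateDetector(expiration, clock=lambda: ticks[0])
    pkt = make_packet(1, 7, b"\x11" * 16, b"\x01\x07alice")   # Code 1 = Access-Request, User-Name = alice
    first, retry, other_nas = det.is_retry("10.0.0.5", pkt), det.is_retry("10.0.0.5", pkt), det.is_retry("10.0.0.6", pkt)
    ticks[0] = expiration + 1.0
    return first, retry, other_nas, det.is_retry("10.0.0.5", pkt)
```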
Docker Image
https://hub.docker.com/r/mobileidch/mid-radius-rig