
Release v1.4.2

@phaupt phaupt released this 06 Dec 13:57
1251ff1

Consider version 1.5.0 if you need a geofencing system using configuration file mode.

Change Log

New features:

  • CR-1011 Class attribute in Access-Accept

(BREAKING-CHANGE) For simplicity and consistency of the solution, the UserGroupSearchFilter is removed from the FortigateBehaviour section and moved to the LDAP config level. This single filter is then used for Fortigate, Class and MFA matching (Change Request 1016), instead of maintaining three separate queries or reading the memberOf attribute.

  • CR-1012 New parameters for UserSearchFilter

(BREAKING-CHANGE): The deprecated placeholder {0} is removed. After this change, only {username} can be used as a placeholder for the username.
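As an added example (not part of the release notes or of the RIG code base), the following Python shows how the `{username}`, `{domain}` and `{userdn}` placeholders of the filters from this release's configuration samples can be filled in. The substituted values are escaped according to RFC 4515, so a username containing filter metacharacters cannot change the meaning of the query; that escaping step, and the error raised for the removed `{0}` placeholder, are this example's own choices. The release notes only state which placeholders exist, so whether RIG itself escapes values is not something this example can confirm.

```python
import re

# Escape a value for use inside an LDAP search filter (RFC 4515, section 3).
# Assumption for this example: the release notes do not describe RIG's own
# escaping behaviour, so a real deployment should verify it separately.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

# Filter templates as shown in the v1.4.2 configuration samples.
USER_SEARCH_FILTER = "(&(objectclass=inetOrgPerson)(uid={username}{domain}))"
USER_GROUP_SEARCH_FILTER = "(&(objectClass=groupOfNames)(member={userdn}))"

# A placeholder is a brace-delimited name; {0} is matched too so it can be rejected.
_PLACEHOLDER = re.compile(r"\{([A-Za-z0-9_]+)\}")


def escape_filter_value(value: str) -> str:
    """Replace the five RFC 4515 special characters with backslash-hex escapes."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, **values: str) -> str:
    """Fill {name} placeholders in an LDAP filter template.

    Each placeholder must be supplied by name; the deprecated {0} form
    (removed in v1.4.2) is rejected with a hint to use {username}.
    """
    def substitute(match):
        name = match.group(1)
        if name == "0":
            raise ValueError("placeholder {0} was removed; use {username}")
        if name not in values:
            raise ValueError(f"no value supplied for placeholder {{{name}}}")
        # Escape here, never in the template, so the filter structure is fixed
        # and only the user-controlled value is quoted.
        return escape_filter_value(values[name])

    return _PLACEHOLDER.sub(substitute, template)


if __name__ == "__main__":
    print(render_filter(USER_SEARCH_FILTER, username="alice", domain="@example.org"))
    print(render_filter(USER_GROUP_SEARCH_FILTER,
                        userdn="uid=alice,ou=users,dc=example,dc=org"))
```

The `{domain}` placeholder is appended directly after `{username}` exactly as in the sample filter, so the domain value supplied must carry its own separator (for example `@example.org`).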

  • CR-1013 User Account Control attribute

Improved security control of user authentication in a specific scenario.

  • CR-1014 Without LDAP Admin User (Service User)
  • CR-1015 Accounting Webhook

Allows forwarding the accounting traffic to another system.

  • CR-1016 MemberOf attribute for MFA method

Groups can now be used to define the MFA method.

  • CR-1017 MFA Method "None"

Allows MFA to be turned off temporarily.

  • CR-1018 Use NAS-Identifier as ID for state handling

AP_ID doesn't need to be unique in customer configs.

Bug fixes:

  • Bug 22239 - Prioritization of MFA methods not correct when mapping via group
  • Bug 22108 - JSON serialization of System.Net.IPAddress fails
  • Bug 22107 - UserAccountControl attribute case sensitivity
  • Bug 21797 - Specific Redis keys lead to errors when reading

New Configuration section

If you have no Redis, add the following configuration to your env file.
(Mind the line order and the updated parameters; use the sample file as a reference.)

...

CustomerConfigs__0__AccountingWebhook__Url=<your-webhook-url>
CustomerConfigs__0__AccountingWebhook__HttpMethod=POST

...

CustomerConfigs__0__MfaMethods__0=SIM
CustomerConfigs__0__MfaMethods__1=APP
CustomerConfigs__0__MfaMethods__2=OTP
CustomerConfigs__0__MfaMethods__3=NONE

...

CustomerConfigs__0__Ldap__UseClientCredentialsForConnection=false

...

CustomerConfigs__0__Ldap__CheckUserAccountControl=false

...

CustomerConfigs__0__Ldap__UserSearchFilter=(&(objectclass=inetOrgPerson)(uid={username}{domain}))

...

CustomerConfigs__0__Ldap__UserGroupSearchFilter=(&(objectClass=groupOfNames)(member={userdn}))

...

CustomerConfigs__0__Ldap__MfaMethod__MappingType=Attribute
CustomerConfigs__0__Ldap__MfaMethod__AttributeName=mfa_type
CustomerConfigs__0__Ldap__MfaMethod__Mappings__Sim=LDAP_SIM_VALUE
CustomerConfigs__0__Ldap__MfaMethod__Mappings__App=LDAP_APP_VALUE
CustomerConfigs__0__Ldap__MfaMethod__Mappings__Otp=LDAP_OTP_VALUE
CustomerConfigs__0__Ldap__MfaMethod__Mappings__None=LDAP_NONE_VALUE

...

CustomerConfigs__0__Ldap__ClassMatching__ClassMappings__0__GroupDn=cn=readers,ou=users,dc=example,dc=org
CustomerConfigs__0__Ldap__ClassMatching__ClassMappings__0__ClassName=Group Policy A
CustomerConfigs__0__Ldap__ClassMatching__ClassMappings__1__GroupDn=cn=readers,ou=users,dc=example,dc=org
CustomerConfigs__0__Ldap__ClassMatching__ClassMappings__1__ClassName=Group Policy B

...

Otherwise, if you have a Redis database, add the following JSON configuration inside your customer config.
(Mind the key order and the updated parameters; use the sample file as a reference.)


...

"AccountingWebhook": {
    "Url": "http://nginx:8080?apikey=abc1234",
    "HttpMethod": "POST"
},

...

"Ldap": {

            ...

            "UseClientCredentialsForConnection": false,

            ...     

            "CheckUserAccountControl": false, 

            ...     

            "UserSearchFilter": "(&(objectclass=inetOrgPerson)(uid={username}{domain}))",

            ...

            "UserGroupSearchFilter": "(&(objectClass=groupOfNames)(member={userdn}))",

            ...   

            "MfaMethod": {
                "MappingType": "Attribute",
                "AttributeName": "mfa_type",
                "Mappings": {
                    "Sim": "SIM",
                    "App": "APP",
                    "Otp": "OTP",
                    "None": "NONE"
                }
            },

            ...

            "ClassMatching": {
                "ClassMappings": [
                    {
                        "GroupDn": "cn=readers,ou=users,dc=example,dc=org",
                        "ClassName": "Group Policy A"
                    },
                    {
                        "GroupDn": "cn=readers,ou=users,dc=example,dc=org",
                        "ClassName": "Group Policy B"
                    }
                ]
            },

            ...         

}

...

"MfaMethods": [
    "SIM",
    "APP",
    "OTP",
    "NONE"
],

...
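The env-file form and the JSON form above describe the same nested structure: following the ASP.NET Core configuration convention, each `__` in an env key separates a section and a numeric segment indexes an array (so `MfaMethods__0` to `MfaMethods__3` become the `MfaMethods` list, and the two `ClassMappings__N` entries become the `ClassMappings` array). As an added example, not part of the release notes or of the RIG project, the Python below converts a constructed env excerpt carrying the v1.4.2 keys into that nested form and then checks a config for the two breaking changes of this release: the removed `{0}` placeholder, and a `UserGroupSearchFilter` still sitting under `FortigateBehaviour`. The pre-1.4.2 key path `FortigateBehaviour__UserGroupSearchFilter` is assumed (the notes name the section, not the exact key), and the coercion of `true`/`false` to booleans is this example's assumption.

```python
import json

# Constructed env-file excerpt using the v1.4.2 keys from the release notes;
# the values are the samples from the notes, not a real deployment.
ENV_LINES = """
CustomerConfigs__0__AccountingWebhook__Url=http://nginx:8080?apikey=abc1234
CustomerConfigs__0__AccountingWebhook__HttpMethod=POST
CustomerConfigs__0__MfaMethods__0=SIM
CustomerConfigs__0__MfaMethods__1=APP
CustomerConfigs__0__MfaMethods__2=OTP
CustomerConfigs__0__MfaMethods__3=NONE
CustomerConfigs__0__Ldap__UseClientCredentialsForConnection=false
CustomerConfigs__0__Ldap__CheckUserAccountControl=false
CustomerConfigs__0__Ldap__UserSearchFilter=(&(objectclass=inetOrgPerson)(uid={username}{domain}))
CustomerConfigs__0__Ldap__UserGroupSearchFilter=(&(objectClass=groupOfNames)(member={userdn}))
CustomerConfigs__0__Ldap__MfaMethod__MappingType=Attribute
CustomerConfigs__0__Ldap__MfaMethod__AttributeName=mfa_type
CustomerConfigs__0__Ldap__MfaMethod__Mappings__Sim=SIM
CustomerConfigs__0__Ldap__MfaMethod__Mappings__App=APP
CustomerConfigs__0__Ldap__MfaMethod__Mappings__Otp=OTP
CustomerConfigs__0__Ldap__MfaMethod__Mappings__None=NONE
CustomerConfigs__0__Ldap__ClassMatching__ClassMappings__0__GroupDn=cn=readers,ou=users,dc=example,dc=org
CustomerConfigs__0__Ldap__ClassMatching__ClassMappings__0__ClassName=Group Policy A
CustomerConfigs__0__Ldap__ClassMatching__ClassMappings__1__GroupDn=cn=readers,ou=users,dc=example,dc=org
CustomerConfigs__0__Ldap__ClassMatching__ClassMappings__1__ClassName=Group Policy B
"""


def _coerce(value: str):
    # Assumption: "true"/"false" bind to booleans, as the two new Ldap flags do.
    if value.lower() in ("true", "false"):
        return value.lower() == "true"
    return value


def _listify(node):
    # A section whose keys are all digits (MfaMethods__0, __1, ...) is an array.
    if not isinstance(node, dict):
        return node
    if node and all(key.isdigit() for key in node):
        return [_listify(node[key]) for key in sorted(node, key=int)]
    return {key: _listify(child) for key, child in node.items()}


def env_to_config(text: str) -> dict:
    """Build the nested (JSON-style) customer config from KEY=VALUE env lines."""
    tree = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Split on the first '=' only: LDAP filters and DNs contain '=' themselves.
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed env line: {line!r}")
        parts = key.split("__")
        node = tree
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        node[parts[-1]] = _coerce(value)
    return _listify(tree)


def breaking_change_findings(config: dict) -> list:
    """Flag the two v1.4.2 breaking changes before upgrading a customer config."""
    findings = []
    for i, customer in enumerate(config.get("CustomerConfigs", [])):
        ldap = customer.get("Ldap", {})
        for name in ("UserSearchFilter", "UserGroupSearchFilter"):
            if "{0}" in str(ldap.get(name, "")):
                findings.append(f"CustomerConfigs[{i}].Ldap.{name}: "
                                "placeholder {0} was removed, use {username}")
        # Assumed pre-1.4.2 key path; the notes name the section, not the exact key.
        if "UserGroupSearchFilter" in customer.get("FortigateBehaviour", {}):
            findings.append(f"CustomerConfigs[{i}].FortigateBehaviour.UserGroupSearchFilter: "
                            f"moved to CustomerConfigs[{i}].Ldap.UserGroupSearchFilter")
    return findings


if __name__ == "__main__":
    cfg = env_to_config(ENV_LINES)
    print(json.dumps(cfg["CustomerConfigs"][0], indent=2))
    print(breaking_change_findings(cfg) or "no breaking-change findings")
```

Running the block prints the customer section in the same shape as the Redis JSON sample above and reports no findings for the constructed env excerpt; feeding it an env file from a pre-1.4.2 installation surfaces the two items that must be changed before the upgrade.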

The new parameters are not mandatory; you can omit them if they are not used.
Example of switching a running RIG instance over to the new version with Docker Compose:

docker-compose stop
docker-compose rm -f
(service redis stop)
docker-compose pull   
docker-compose up -d

Docker Image
https://hub.docker.com/r/mobileidch/mid-radius-rig