Update Radius auth to accept permissions attributes (#14531)

* Update Radius-Auth to accept permission attribute

* Update Radius-Auth to accept permission attribute

* Fixed list of strings

* Swapped " with ' in switch statement

* Added whitespace to satisfy styleCI bot

* Yet another whitespace...

* Removed two blank lines....

* Fixed missing "s"

* Try to satisfy linter - fixed a stupid mistake

Had put the code for mapping attributes inside the if statement that states that the user exists in LibreNMS. It has to be done before testing whether the user exists, and after radius auth is true.

* Comments were skewed

* Stylefix

* Update LibreNMS/Authentication/RadiusAuthorizer.php

Murrant's edit

Co-authored-by: Tony Murray <murraytony@gmail.com>

* Added 0 on line 54 to satisfy test.

* StyleFix

* Stylefix2

* Style test complained about whitespace, I guess...

* Update Authentication.md

* Update Authentication.md

Co-authored-by: Tony Murray <murraytony@gmail.com>
Kim Håkonsen 2022-11-09 17:10:33 +01:00 committed by GitHub
parent f411c1a6a7
commit 524e0c097b
2 changed files with 42 additions and 4 deletions

@ -33,7 +33,26 @@ class RadiusAuthorizer extends MysqlAuthorizer
$password = $credentials['password'] ?? null;
if ($this->radius->accessRequest($credentials['username'], $password) === true) {
$this->addUser($credentials['username'], $password, Config::get('radius.default_level', 1));
// attribute 11 is "Filter-Id", apply and enforce user role (level) if set
$filter_id_attribute = $this->radius->getAttribute(11);
$level = match ($filter_id_attribute) {
'librenms_role_admin' => 10,
'librenms_role_normal' => 1,
'librenms_role_global-read' => 5,
default => Config::get('radius.default_level', 1)
};
// if Filter-Id was given and the user exists, update the level
if ($filter_id_attribute && $this->userExists($credentials['username'])) {
$user = \App\Models\User::find($this->getUserid($credentials['username']));
$user->level = $level;
$user->save();
return true;
}
$this->addUser($credentials['username'], $password, $level, '', $credentials['username'], 0);
return true;
}
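Review bot: the guard `if ($filter_id_attribute && $this->userExists($credentials['username']))` only checks that Filter-Id is non-empty, not that it matched a role, while the `match` sends every unrecognised value to its `default` arm; so an existing user whose RADIUS reply carries some other Filter-Id value (the case the Huntgroup note in the docs anticipates) gets `$user->level` overwritten with `radius.default_level`, which can silently demote an admin. Suggest updating the stored level only when the value matched one of the three `librenms_role_*` strings (for instance `default => null` in the match, with the `radius.default_level` fallback applied only in the `addUser` call), and logging the unmatched value so operators can spot misconfigured replies. Two smaller points: the role strings and their levels are duplicated in the Authentication.md hunk, so a single constant or config-driven map would keep code and docs from drifting; and when Filter-Id is absent the update branch is skipped, so removing a role on the RADIUS side does not lower the level of an already-created user (whether `addUser` touches an existing account is not visible here), which deserves a sentence in the docs.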

@ -267,9 +267,23 @@ setsebool -P httpd_can_connect_ldap 1
## Radius Authentication
Please note that a mysql user is created for each user the logs in
successfully. User level 1 is assigned to those accounts so you will
then need to assign the relevant permissions unless you set
`$config['radius']['userlevel']` to be something other than 1.
successfully. User level 1 is assigned by default to those accounts
unless radius sends a reply attribute with the correct userlevel.
You can change the default userlevel by setting
`$config['radius']['userlevel']` to something other than 1.
The attribute `Filter-ID` is a standard Radius-Reply-Attribute (string) that
can be assigned a value which translates into a userlevel in LibreNMS.
The strings to send in `Filter-ID` reply attribute is *one* of the following:
- `librenms_role_normal` - Sets the value `1`, which is the normal user level.
- `librenms_role_admin` - Sets the value `5`, which is the administrator level.
- `librenms_role_global-read` - Sets the value `10`, which is the global read level.
LibreNMS will ignore any other strings sent in `Filter-ID` and revert to default userlevel that is set in `config.php`.
```php
$config['radius']['hostname'] = 'localhost';
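Review bot: the level numbers in the bullet list are swapped relative to the code in this same commit: RadiusAuthorizer.php maps `librenms_role_admin` to 10 and `librenms_role_global-read` to 5, but the doc says admin sets `5` and global-read sets `10`; correct the doc to match the code (10 for admin, 5 for global read), otherwise an operator following it will hand out the wrong role. Also, the prose still refers to `$config['radius']['userlevel']` while the snippet just below and the code use `default_level`, so that key name should be fixed; the attribute is spelled `Filter-Id` in the code and `Filter-ID` here, and one spelling should be used consistently; and "The strings to send in `Filter-ID` reply attribute is *one* of the following" should read "The string to send in the `Filter-ID` reply attribute is *one* of the following".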
@ -280,6 +294,11 @@ $config['radius']['users_purge'] = 14; // Purge users who haven't logged in f
$config['radius']['default_level'] = 1; // Set the default user level when automatically creating a user.
```
### Radius Huntgroup
Freeradius has a function called `Radius Huntgroup` which allows to send different attributes based on NAS.
This may be utilized if you already use `Filter-ID` in your environment and also want to use radius with LibreNMS.
### Old account cleanup
Cleanup of old accounts is done by checking the authlog. You will need
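Review bot: "which allows to send different attributes based on NAS" should read "which allows sending different attributes based on the NAS", and since `Radius Huntgroup` is a FreeRADIUS feature rather than a LibreNMS one, a short example or a link showing a huntgroup keyed on the LibreNMS NAS would help readers return the `librenms_role_*` strings only to LibreNMS and not to other devices that already consume `Filter-ID`.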