OPNsense Forum

Archive => 19.1 Legacy Series => Topic started by: thorstenrood on June 03, 2019, 12:59:14 PM

Title: webproxy denies any authenticated user
Post by: thorstenrood on June 03, 2019, 12:59:14 PM
I have an (explicit) forward proxy configured with an authentication method RADIUS and using the tester shows me valid user accounts. They ALL get denied by the proxy however (even local database users). When disabling authentication, anonymous explicit proxy works fine.

Where can I get more insights about the malfunction? It was working before the last update (I guess it was 19.1.7->19.1.8).
Title: Re: webproxy denies any authenticated user
Post by: thorstenrood on June 03, 2019, 01:02:29 PM
access log file says TCP_DENIED/407
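An added triage helper, not from this thread or from OPNsense, that reads squid access.log lines in the native format and separates 407 responses where the client had not yet sent credentials (user field "-") from 407 responses where a named user was refused. When every named user is refused and nobody succeeds, the problem sits in the authentication backend rather than in individual client credentials. The log lines are constructed samples; the field layout follows squid's default native format.

```python
import re
from collections import Counter

# Squid native access.log layout (one request per line):
# time elapsed client action/status size method url user hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<type>\S+)"
)

def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def triage(lines):
    """Split 407s into challenges (no credentials yet, per client) and
    rejections (credentials supplied but refused, per user); record users
    that did get a 2xx so backend-wide failure can be told from a bad login."""
    challenges, rejected, succeeded = Counter(), Counter(), set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] == "407":
            if rec["user"] == "-":
                challenges[rec["client"]] += 1
            else:
                rejected[rec["user"]] += 1
        elif rec["user"] != "-" and rec["status"].startswith("2"):
            succeeded.add(rec["user"])
    return {"challenges": challenges, "rejected": rejected, "succeeded": succeeded}

def backend_suspected(summary):
    # Named users refused and no authenticated success at all: the auth
    # helper / PAM path is the likely cause, not the clients' passwords.
    return bool(summary["rejected"]) and not summary["succeeded"]

# Constructed sample: two clients, each first challenged, then refused by name.
SAMPLE_LOG = """\
1559563154.123      0 192.0.2.10 TCP_DENIED/407 3918 GET http://example.com/ - HIER_NONE/- text/html
1559563154.456      2 192.0.2.10 TCP_DENIED/407 3918 GET http://example.com/ alice HIER_NONE/- text/html
1559563155.001      5 192.0.2.11 TCP_DENIED/407 3918 CONNECT example.org:443 - HIER_NONE/- text/html
1559563155.200      3 192.0.2.11 TCP_DENIED/407 3918 CONNECT example.org:443 bob HIER_NONE/- text/html
""".splitlines()

if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    print(s["challenges"], s["rejected"], "backend suspected:", backend_suspected(s))
```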
Title: Re: webproxy denies any authenticated user
Post by: thorstenrood on June 03, 2019, 01:19:09 PM
It has to do with RADIUS users not inheriting the "Proxy: Login" privilege. A local user with that right works fine. How do I ensure a valid RADIUS user is eligible again?
Title: Re: webproxy denies any authenticated user
Post by: thorstenrood on June 03, 2019, 01:31:34 PM
The tester shows me "no groups" for my RADIUS users.

So the webproxy has changed. Earlier on, any valid RADIUS user was allowed for "Proxy: Login". Now they are all stalled. How do I restore functionality?
Title: Re: webproxy denies any authenticated user
Post by: hbc on June 03, 2019, 03:16:56 PM
They switched to PAM authentication. If no manual hacks have been done via the CLI, I would suggest clicking save/apply in the proxy/RADIUS sections. Then the configuration should be rewritten/updated with PAM support.

For more info and how to test see here:
https://forum.opnsense.org/index.php?topic=12813.msg59345#msg59345

Title: Re: webproxy denies any authenticated user
Post by: thorstenrood on June 03, 2019, 09:42:08 PM
Saved both RADIUS and PROXY, but the error persists. RADIUS users do not inherit the proxy:login privilege, and as the RADIUS-based authN does not provide any group memberships, the users cannot inherit from there. It's fully broken by design AFAIK.

How do I apply for a fix?
Title: Re: webproxy denies any authenticated user
Post by: thorstenrood on June 03, 2019, 09:47:25 PM
opnsense-login also shows "user <xyz> NOT authenticated for service squid"
Title: Re: webproxy denies any authenticated user
Post by: thorstenrood on June 03, 2019, 09:52:14 PM
So the new PAM logic is in place but fails with "all modules were unsuccessful for pam_sm_authenticate()". It seems it has only been checked for LDAP-based authentication with a respective group configured for the proxy privilege, but when using RADIUS there is no such group import. The tester shows no groups. This is a true deadlock and failure by design AFAIK.
Title: Re: webproxy denies any authenticated user
Post by: thorstenrood on June 04, 2019, 08:45:17 PM
opnsense-patch 450ff5b5
Title: Re: webproxy denies any authenticated user
Post by: franco on June 05, 2019, 09:49:07 PM
Whew, this had to go all the way through Twitter to succeed 8)

https://twitter.com/opnsense/status/1135929896545464322

The patch is part of 19.1.9 tomorrow.


Cheers,
Franco