
Author Topic: webproxy denies any authenticated user  (Read 4695 times)

thorstenrood

webproxy denies any authenticated user
« on: June 03, 2019, 12:59:14 pm »
I have an (explicit) forward proxy configured with the authentication method RADIUS, and using the tester shows me valid user accounts. They ALL get denied by the proxy, however (even local database users). When disabling authentication, the anonymous explicit proxy works fine.

Where can I get more insights about the malfunction? It was working before the last update (I guess it was 19.1.7->19.1.8).

thorstenrood

Re: webproxy denies any authenticated user
« Reply #1 on: June 03, 2019, 01:02:29 pm »
The access log file says TCP_DENIED/407.

thorstenrood

Re: webproxy denies any authenticated user
« Reply #2 on: June 03, 2019, 01:19:09 pm »
It has to do with RADIUS users not inheriting the "Proxy: Login" privilege. A local user with that right works fine. How to ensure a valid RADIUS user is eligible again?

thorstenrood

Re: webproxy denies any authenticated user
« Reply #3 on: June 03, 2019, 01:31:34 pm »
The tester shows me "no groups" for my RADIUS users.

So the webproxy has changed. Earlier on, any valid RADIUS user was allowed for "Proxy: Login". Now they are all stalled. How to restore functionality?

hbc

Re: webproxy denies any authenticated user
« Reply #4 on: June 03, 2019, 03:16:56 pm »
They switched to PAM authentication. If no manual hacks have been done via CLI, I would suggest clicking save/apply in the proxy/RADIUS sections. Then the configuration should be rewritten/updated with PAM support.

For more info and how to test see here:
https://forum.opnsense.org/index.php?topic=12813.msg59345#msg59345

Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz (24 cores)
256 GB RAM, 300GB RAID1, 3x4 10G Chelsio T540-CO-SR

thorstenrood

Re: webproxy denies any authenticated user
« Reply #5 on: June 03, 2019, 09:42:08 pm »
Saved both RADIUS and PROXY but the error persists. RADIUS users do not inherit the proxy:login privilege, and as the RADIUS-based authN does not provide any group memberships, the users cannot inherit from there. It's fully broken by design AFAIK.

How to apply for a fix?

thorstenrood

Re: webproxy denies any authenticated user
« Reply #6 on: June 03, 2019, 09:47:25 pm »
opnsense-login also shows "user <xyz> NOT authenticated for service squid"

thorstenrood

Re: webproxy denies any authenticated user
« Reply #7 on: June 03, 2019, 09:52:14 pm »
So the new PAM logic is in place but fails with "all modules were unsuccessful for pam_sm_authenticate()". It seems it has only been checked for LDAP-based authentication with the respective group configured for the proxy privilege, but when using RADIUS, there is no such group import. The tester shows no groups. This is a true deadlock and failure by design AFAIK.

thorstenrood

Re: webproxy denies any authenticated user
« Reply #8 on: June 04, 2019, 08:45:17 pm »
opnsense-patch 450ff5b5

franco

  • Administrator
Re: webproxy denies any authenticated user
« Reply #9 on: June 05, 2019, 09:49:07 pm »
Whew, this had to go all the way through Twitter to succeed 8)

https://twitter.com/opnsense/status/1135929896545464322

The patch is part of 19.1.9 tomorrow.


Cheers,
Franco
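
Reply #1 cites TCP_DENIED/407 in the access log. A single 407 is only the proxy's authentication challenge, so the symptom in this thread is a client that never receives anything else. The following is an added example (not from the thread or the OPNsense project) that flags such clients, assuming Squid's default native access.log format; the sample lines and the `min_denied` threshold are constructed.

```python
"""Triage Squid access.log for clients that never get past the 407 challenge."""
from collections import defaultdict

# Constructed sample in Squid's native access.log format (not taken from the thread):
# time elapsed client result/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1559559554.101     2 192.0.2.10 TCP_DENIED/407 4120 CONNECT example.org:443 - HIER_NONE/- text/html
1559559554.350    88 192.0.2.10 TCP_TUNNEL/200 5312 CONNECT example.org:443 alice HIER_DIRECT/198.51.100.7 -
1559559560.004     1 192.0.2.20 TCP_DENIED/407 4120 GET http://example.org/ - HIER_NONE/- text/html
1559559560.412     3 192.0.2.20 TCP_DENIED/407 4120 GET http://example.org/ - HIER_NONE/- text/html
1559559561.020     2 192.0.2.20 TCP_DENIED/407 4120 GET http://example.org/ - HIER_NONE/- text/html
this line is truncated
"""


def parse_line(line):
    """Return (client, result, http_status), or None for a malformed line."""
    fields = line.split()
    if len(fields) < 10 or "/" not in fields[3]:
        return None
    result, _, status = fields[3].partition("/")
    if not status.isdigit():
        return None
    return fields[2], result, int(status)


def auth_failures(log_text, min_denied=3):
    """Clients with >= min_denied 407 responses and no request that got past the challenge."""
    denied = defaultdict(int)
    passed = set()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip truncated or non-native lines instead of failing
        client, _result, status = parsed
        if status == 407:
            denied[client] += 1
        else:
            # Heuristic: any other status means the proxy processed the request
            # beyond the authentication challenge (even a 403 from an ACL).
            passed.add(client)
    return {c: n for c, n in denied.items() if n >= min_denied and c not in passed}


if __name__ == "__main__":
    for client, count in sorted(auth_failures(SAMPLE_LOG).items()):
        print(f"{client}: {count} x 407, no request passed authentication")
```
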