Fortinet VPN login authentication, always defaults to CLI
**Describe the bug**
When we send a VPN login RADIUS request from our FortiGate to the PacketFence cluster, it is not returned, as PacketFence treats it as a CLI login attempt, which is not defined on our FortiGate switch in PacketFence.

**To Reproduce**
Steps to reproduce the behavior:
- Send VPN login request to PacketFence
- Fails, says user role is not configured for CLI login

**Expected behavior**
PacketFence to reply with Radius Accept, with Role attached.
Fixed by https://github.com/inverse-inc/packetfence/pull/6986
In FortiGate.pm, in sub `identifyConnectionType`:

```perl
sub identifyConnectionType {
    my ( $self, $connection, $radius_request ) = @_;
    my $logger = $self->logger;

    my @require = qw(Connect-Info);
    my @found = grep {exists $radius_request->{$_}} @require;

    if ( (@require == @found) && $radius_request->{'Connect-Info'} =~ /^(vpn-ssl|vpn-ikev2)$/i ) {
        $connection->isVPN($TRUE);
        $connection->isCLI($FALSE);
    } elsif ( (@require == @found) && $radius_request->{'Connect-Info'} =~ /^(admin-login)$/i ) {
        $connection->isVPN($FALSE);
        $connection->isCLI($TRUE);
    }
    # Default to CLI (issue: not wrapped in an else, so these two lines always run)
    $connection->isVPN($FALSE);
    $connection->isCLI($TRUE);
}
```

The IF statement above is lacking an ELSE, so it always defaults to a CLI login; the issue is marked with a comment in the code.
We adjusted the code to include an ELSE at the end.

```perl
sub identifyConnectionType {
    my ( $self, $connection, $radius_request ) = @_;
    my $logger = $self->logger;

    my @require = qw(Connect-Info);
    my @found = grep {exists $radius_request->{$_}} @require;

    if ( (@require == @found) && $radius_request->{'Connect-Info'} =~ /^(vpn-ssl|vpn-ikev2)$/i ) {
        $connection->isVPN($TRUE);
        $connection->isCLI($FALSE);
    } elsif ( (@require == @found) && $radius_request->{'Connect-Info'} =~ /^(admin-login)$/i ) {
        $connection->isVPN($FALSE);
        $connection->isCLI($TRUE);
    }
    else {
        # Default to CLI (added else: only reached when neither branch matched)
        $connection->isVPN($FALSE);
        $connection->isCLI($TRUE);
    }
}
```

The added ELSE in the IF statement allows the VPN connection TRUE to be carried through to the end of the subroutine.
Applied already 6243eb6
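
A stand-alone regression check for the behaviour reported in this issue, added here as an example and not taken from PacketFence or from the reporter's post. `MockConnection`, `identify`, the `$with_else` switch and the sample requests are constructed stand-ins, and the classification logic is a simplified rendering of the two versions of `identifyConnectionType` quoted above.

```perl
use strict;
use warnings;

# Hypothetical stand-in for PacketFence's connection object: it only stores the two flags.
package MockConnection {
    sub new   { return bless { vpn => undef, cli => undef }, shift }
    sub isVPN { my $s = shift; $s->{vpn} = shift if @_; return $s->{vpn} }
    sub isCLI { my $s = shift; $s->{cli} = shift if @_; return $s->{cli} }
}

package main;

# Classify a request by its Connect-Info attribute.
# $with_else = 0 reproduces the reported fall-through, 1 the adjusted version.
sub identify {
    my ( $connection, $radius_request, $with_else ) = @_;
    my $info    = $radius_request->{'Connect-Info'} // '';
    my $matched = 0;
    if ( $info =~ /^(vpn-ssl|vpn-ikev2)$/i ) {
        $connection->isVPN(1); $connection->isCLI(0); $matched = 1;
    } elsif ( $info =~ /^(admin-login)$/i ) {
        $connection->isVPN(0); $connection->isCLI(1); $matched = 1;
    }
    # Reported version: the default runs unconditionally and overwrites the VPN flag.
    # Adjusted version: the default runs only when neither branch matched.
    if ( !$with_else || !$matched ) {
        $connection->isVPN(0); $connection->isCLI(1);
    }
    return $connection->isVPN ? 'VPN' : 'CLI';
}

# Constructed sample requests (attribute => value) with the classification we expect.
my @cases = (
    [ { 'Connect-Info' => 'vpn-ssl' },     'VPN' ],
    [ { 'Connect-Info' => 'vpn-ikev2' },   'VPN' ],
    [ { 'Connect-Info' => 'admin-login' }, 'CLI' ],
    [ { 'User-Name'    => 'alice' },       'CLI' ],    # Connect-Info absent
);

my $failures = 0;
for my $case (@cases) {
    my ( $req, $want ) = @$case;
    my $reported = identify( MockConnection->new, $req, 0 );
    my $adjusted = identify( MockConnection->new, $req, 1 );
    printf "%-12s reported=%s adjusted=%s expected=%s\n",
        $req->{'Connect-Info'} // '(absent)', $reported, $adjusted, $want;
    $failures++ if $adjusted ne $want;
}
exit( $failures ? 1 : 0 );
```

The `reported` column comes out as CLI for every request, including the two VPN ones, which matches the symptom in the issue; a request with no `Connect-Info` still falls back to CLI in both versions.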