scs-cbu-ced-iam / freeradius-mobileid Goto Github PK

https://freeradius.org/releases
The 2.x.x release series is now End Of Life. Only security fixes will be applied to 2.x.x. Users of 2.x.x are encouraged to migrate to the latest 3.0.x series release.

at launch, if not server config present the mobileid sample will raise
/etc/raddb/sites-enabled/mobileid[46]: Invalid location for 'if'

Provide a script that will update an LDAP/AD user with the actual SerialNumber of the DN (X-MSS-MobileID-SN)

In addition, adjust the Mobile ID module to allow different options in regards to the SerialNumber check of the Mobile ID user

1. Ignored
2. If set it must match
3. It has allways to present and match
   id module

--decode is not present on all distros; use -d instead

Apply updates from SCS-CBU-CED-IAM/mobileid#80 also in exec-mobileid.sh

Ensure that X-MSS-Language will have a default value that can be controlled.

1. When using realms the Stripped-User-Name should be set as User-Name for further processing.

2. Move Mobile ID post-auth to authenticate section to support proxy request with other servers and not having additional Mobile ID authentication done

When running freeradius as a service the

TMP=$(mktemp /tmp/_tmp.XXXXXX)           # Request goes here

is not working fine and returning an empty string.

At least on Red Hat Linux

proxy.conf and others

Line 245:

UNIQUEIDNEW=$(echo "$RES_CERT_SUBJ" | sed -n -e 's/.*serialNumber=\(.*\),CN=.*/\1/p')

The regular expression is expecting the 'CN' attribute after the 'serialNumber' attribute. The order of the attributes may change as the order of attributes is not specified.

The regular expression should be improved to be independent of the attribute order.

Add an option to filter out authorised mobile country codes based on Telco Info

1. In case the full certificate chain is returned in the signature response, the local bag file needs to contain the root certificate only.

2. Ensure that the bash scripts will pick the correct signer's certificate and not just the 1st one

freeRadius has taken our patch to avoid hardcoding of the timeout value for an exec process (was 10 seconds). This can now be configured in the corresponding module with the timeout value. The problem is that the maximum is limited to 30 seconds. Better but still not enough to for our MID requests as they are depending on the answer time of the enduser.

Place a change request to freeradius to allow up to 120 seconds

Update the scripts to use https://mobileid.swisscom.com instead of obsolete https://soap.mobileid.swisscom.com

Errors raised during the call of the exec-mobileid.sh

Executing section post-auth from file /etc/freeradius/sites-enabled/mobileid
...
tr: write error: Broken pipe
tr: write error

Return the Telco Information details in a proper attribute.

...
<mss:Status>
          <mss:StatusCode Value="500"/>
          <mss:StatusMessage>SIGNATURE</mss:StatusMessage>
          <mss:StatusDetail>
            <fi:ServiceResponses>
              <fi:ServiceResponse>
                <fi:Description>
                  <mss:mssURI>http://mid.swisscom.ch/as#subscriberInfo</mss:mssURI>
                </fi:Description>
                <ns1:SubscriberInfo xmlns:ns1="http://mid.swisscom.ch/TS102204/as/v1.0">
                  <ns1:Detail id="1901" value="22801"/>
                </ns1:SubscriberInfo>
              </fi:ServiceResponse>
            </fi:ServiceResponses>
          </mss:StatusDetail>
        </mss:Status>
...

Make sure the "yellow" error messages address the user directly. (Some of them might be copied from mobileid-helper and address the support operator.)
See also SCS-CBU-CED-IAM/simplesaml-mobileid#50

Verify the returned rlm_exec error codes and messages. Maybe wrong module definitions.

Example

$echo "User-Name=fkaiser,User-Password='fkaiser'" | radclient -t 120 localhost auth
Received response ID 82, code 3, length = 20

Missing the Reply-Message = "The request has been canceled by the user."

Provide a $TRANS_ID that can be used in the DTBS:

# Message sent to Mobile ID (use $AP_PREFIX to set the customer prefix)
DTBS="$AP_PREFIX: Authentication with Mobile ID?"

to

DTBS="$AP_PREFIX: Authentication with Mobile ID? ($TRANS_ID)"