Radius Sentinel Policy

thespawnoflard · May 23, 2024, 1:24pm

I’m using sentinel for the first time and I’m trying to create a policy to restrict radius authentication to only entities within a specific group.

I thought a simple policy like this would do it

main = rule {
“d8c7e054-eb48-11a0-4d80-648f5b1f6b0a” in keys(identity.groups.by_id)
}

but after applying it I get this error
vault write sys/policies/egp/radius-policy policy=“${POLICY}” paths=“/auth/radius/login/*” enforcement_level=“hard-mandatory”

vault login -method=radius -token-only username=letmein

Password (will be hidden):

Error authenticating: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/auth/radius/login/letmein

Code: 400. Errors:

1 error occurred:
error running lookahead function for mfa: missing username

I’m guessing I need to import something but I tried import “mfa” and a few others but I suspect it’s my approach that’s wrong.

Trying to figure out if it’s something from here like the urlusername I need to specify

github.com

hashicorp/vault/blob/4ba40e40b382f39170663884bedaf6865e9fe8d6/builtin/credential/radius/path_login.go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1

package radius

import (
	"context"
	"fmt"
	"net"
	"strconv"
	"strings"
	"time"

	"github.com/hashicorp/vault/sdk/framework"
	"github.com/hashicorp/vault/sdk/helper/cidrutil"
	"github.com/hashicorp/vault/sdk/helper/policyutil"
	"github.com/hashicorp/vault/sdk/logical"
	"layeh.com/radius"
	. "layeh.com/radius/rfc2865"
)

This file has been truncated. show original

jeffsanicola · May 26, 2024, 7:12pm

In my experience you can only make decisions on the payload of the request itself. In the case of radius authentication you would only be able to realistically base any decisions off of the following items:

Any attribute in the request properities
Any of the available radius auth endpoint properties (username and password)

Neither of these contain group information, as that would be included in the login response.

You could, however, enable the Sentinel http import and make a post request to your own Vault instance to lookup an entity by name (assuming you know what the name is and it already exists) in order to retrieve the list of groups the ID is a member of. This does require a hard-coded token in the policy (make sure it only has access to only the information it needs).

If you go down that route, be sure to heed the warnings on the http import in the documentation (it’s disabled by default for a reason). Also write and validate against unit tests to make sure it’s behaving the way you intend before hitting any of your customer facing environments.

Topic		Replies	Views
`vault list sys/policy` works but `vault policy list` returns permission denied Vault	3	1121	August 6, 2021
Control role policy attachment Vault	1	227	February 7, 2021
HCSEC-2023-29 - Vault Enterprise’s Sentinel RGP Policies Allowed For Cross-Namespace Denial of Service Security security-vault	0	7934	September 28, 2023
HCSEC-2020-24 - Vault Enterprise’s Sentinel EGP Policies May Impact Parent or Sibling Namespaces Security security-vault	0	7302	December 16, 2020
Vault Error Error making API request Code: 403 Permission Denied HCP Vault hashiconf , hcp-terraform , vault , consul-vault	1	3704	October 23, 2023

Radius Sentinel Policy

Related topics