As of today, the only authentication method supported by the Active Directory SSO is PAP/SPAP, which are unencrypted, meaning the password is sent in the clear from the pritunl server to the RADIUS server.
My proposal is to implement the more secure EAP MS-CHAPv2 auth method.
There isn't any good support in Python for RADIUS with EAP MS-CHAPv2. Most Active Directory installations have transitioned to Microsoft Entra, which is supported in Pritunl. It could be done with the plugin system by adding the file /var/lib/pritunl/plugins/radius.py.
```python
from pritunl import settings
from pritunl import logger

# [SYNCHRONOUS] Called on user login; must return True or False and an
# organization name that the user will be added to. The organization name must
# be included. Also called on each user connection. This plugin is used to
# support user logins with credentials from other systems. The user_name and
# password must be verified in the plugin, no other authentication will be
# checked.
def user_authenticate(host_id, host_name, user_name, password, remote_ip,
        **kwargs):
    # Log the request context. The RADIUS shared secret and the user's
    # password are deliberately kept out of the log line.
    logger.info('RADIUS plugin authenticate', 'plugin',
        host_id=host_id,
        host_name=host_name,
        user_name=user_name,
        remote_ip=remote_ip,
        sso=settings.app.sso,
        sso_radius_host=settings.app.sso_radius_host,
        sso_radius_timeout=settings.app.sso_radius_timeout,
        sso_radius_prefix=settings.app.sso_radius_prefix,
    )

    # Placeholder for the real check against the RADIUS server (for example
    # an EAP MS-CHAPv2 exchange with settings.app.sso_radius_host using
    # settings.app.sso_radius_secret). Replace with an actual verification;
    # until then every login is rejected.
    auth_ok = False

    if auth_ok:
        return True, 'organization_name', ['group', 'names']
    else:
        return False, None, None
```
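Since the thread turns on how the PAP password travels to the RADIUS server, here is an added example (not code from the issue or from Pritunl) implementing the User-Password hiding of RFC 2865 section 5.2: the password is XORed with an MD5 keystream derived only from the shared secret and the per-request authenticator, so anyone holding the secret recovers it. The secret and Request Authenticator values below are constructed samples.

```python
import hashlib

# Constructed sample values. In a real Access-Request the secret would come from
# settings.app.sso_radius_secret and the Request Authenticator is 16 random
# bytes chosen by the client for every request.
SAMPLE_SECRET = b"example-shared-secret"
SAMPLE_AUTHENTICATOR = bytes(range(16))


def hide_user_password(password, secret, authenticator):
    """Encode the User-Password attribute as RFC 2865 section 5.2 specifies.

    The password is NUL-padded to a multiple of 16 bytes; each block is XORed
    with MD5(secret + previous block), where the "previous block" for the first
    block is the Request Authenticator. The only key material is the shared
    secret, so this is obfuscation rather than encryption.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block  # chaining: the next keystream depends on this block
    return bytes(out)


def reveal_user_password(encoded, secret, authenticator):
    """Inverse of hide_user_password: what the RADIUS server (or anyone who
    knows the shared secret) does with a captured Access-Request."""
    if not encoded or len(encoded) % 16:
        raise ValueError("encoded User-Password must be a multiple of 16 bytes")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(encoded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = encoded[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    # Trailing NULs are padding; RADIUS servers strip them the same way.
    return bytes(out).rstrip(b"\x00")
```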