Merge pull request #502 from TheJumpCloud/SA-3225_LocalUserRadiusFix

local user fix for cert CN identification
TheJumpCloud · Jul 20, 2023 · 5898cd0 · 5898cd0
2 parents f3bde22 + 0beee57
commit 5898cd0
Show file tree

Hide file tree

Showing 5 changed files with 40 additions and 16 deletions.
diff --git a/scripts/automation/Radius/Changelog.md b/scripts/automation/Radius/Changelog.md
@@ -1,3 +1,17 @@
+## 1.0.5
+
+Release Date: July 20, 2023
+
+#### RELEASE NOTES
+
+```
+Addressed an issue generating certificates for users with localUsernames (systemUsernames specified in the JumpCloud console). These user certificates were generated with the localUsername instead of their username field. The resulting certificate would never be allowed to access a radius backed network as their localUsername does not match the username.
+```
+
+#### Bug Fixes:
+
+- Certificates for users with localUsername (systemUsernames) should now authenticate to radius networks. Their CNs should now be based on their usernames, not localUsernames.
+
 ## 1.0.4
 
 Release Date: June 5, 2023

diff --git a/scripts/automation/Radius/Config.ps1 b/scripts/automation/Radius/Config.ps1
@@ -14,7 +14,7 @@ $JCUSERCERTVALIDITY = 90
 $NETWORKSSID = "YOUR_SSID"
 # OpenSSLBinary by default this is (openssl)
 # NOTE: If openssl does not work, try using the full path to the openssl file
-# MacOS HomeBrew Example: '/usr/local/Cellar/openssl@3/3.0.7/bin/openssl'
+# MacOS HomeBrew Example: '/usr/local/Cellar/openssl@3/3.1.1/bin/openssl'
 $opensslBinary = 'openssl'
 # Enter Cert Subject Headers (do not enter strings with spaces)
 $Subj = [PSCustomObject]@{
@@ -37,7 +37,7 @@ $CertType = "UsernameCn"
 # Do not modify below
 ################################################################################
 
-$UserAgent_ModuleVersion = '1.0.4'
+$UserAgent_ModuleVersion = '1.0.5'
 $UserAgent_ModuleName = 'PasswordlessRadiusConfig'
 #Build the UserAgent string
 $UserAgent_ModuleName = "JumpCloud_$($UserAgent_ModuleName).PowerShellModule"

diff --git a/scripts/automation/Radius/Functions/Private/Get-WebJCUser.ps1 b/scripts/automation/Radius/Functions/Private/Get-WebJCUser.ps1
@@ -15,10 +15,16 @@ function get-webjcuser {
         $response = Invoke-RestMethod -Uri "https://console.jumpcloud.com/api/systemusers/$userID" -Method GET -Headers $headers
         $userObj = [PSCustomObject]@{
             # If the localUserAccount field is set, use that for username, otherwise use JC username
-            username = $(if ([string]::IsNullOrEmpty($response.systemUsername)) { $response.username } else { $response.systemUsername })
+            hasLocalUsername = $(if ([string]::IsNullOrEmpty($response.systemUsername)) {
+                    $false
+                } else {
+                    $true
+                })
+            username         = $response.username
+            localUsername    = $response.systemUsername
 
-            id       = $response._id
-            email    = $response.email
+            id               = $response._id
+            email            = $response.email
         }
     }
     end {

diff --git a/scripts/automation/Radius/Functions/Public/Distribute-UserCerts.ps1 b/scripts/automation/Radius/Functions/Public/Distribute-UserCerts.ps1
@@ -116,8 +116,8 @@ currentUser=`$(/usr/bin/stat -f%Su /dev/console)
 currentUserUID=`$(id -u "`$currentUser")
 currentCertSN="$($certHash.serial)"
 networkSsid="$($NETWORKSSID)"
-if [[ `$currentUser ==  $($user.userName) ]]; then
-    certs=`$(security find-certificate -a -$($macCertSearch) "$($certIdentifier)" -Z /Users/$($user.userName)/Library/Keychains/login.keychain)
+if [[ `$currentUser ==  $($user.localUsername) ]]; then
+    certs=`$(security find-certificate -a -$($macCertSearch) "$($certIdentifier)" -Z /Users/$($user.localUsername)/Library/Keychains/login.keychain)
     regexSHA='SHA-1 hash: ([0-9A-F]{5,40})'
     regexSN='"snbr"<blob>=0x([0-9A-F]{5,40})'
     global_rematch() {
@@ -154,7 +154,7 @@ if [[ `$currentUser ==  $($user.userName) ]]; then
             else
                 echo "Removing previously installed radius cert:"
                 echo "SN: `${arraySN[`$i]} SHA: `${arraySHA[`$i]}"
-                security delete-certificate -Z "`${arraySHA[`$i]}" /Users/$($user.userName)/Library/Keychains/login.keychain
+                security delete-certificate -Z "`${arraySHA[`$i]}" /Users/$($user.localUsername)/Library/Keychains/login.keychain
             fi
         done
 
@@ -163,13 +163,13 @@ if [[ `$currentUser ==  $($user.userName) ]]; then
     fi
 
     if [[ `$import == true ]]; then
-        /bin/launchctl asuser "`$currentUserUID" sudo -iu "`$currentUser" /usr/bin/security import /tmp/$($user.userName)-client-signed.pfx -k /Users/$($user.userName)/Library/Keychains/login.keychain -P $JCUSERCERTPASS -T "/System/Library/SystemConfiguration/EAPOLController.bundle/Contents/Resources/eapolclient"
+        /bin/launchctl asuser "`$currentUserUID" sudo -iu "`$currentUser" /usr/bin/security import /tmp/$($user.userName)-client-signed.pfx -k /Users/$($user.localUsername)/Library/Keychains/login.keychain -P $JCUSERCERTPASS -T "/System/Library/SystemConfiguration/EAPOLController.bundle/Contents/Resources/eapolclient"
         if [[ `$? -eq 0 ]]; then
             echo "Import Success"
             # get the SHA hash of the newly imported cert
-            installedCertSN=`$(/bin/launchctl asuser "`$currentUserUID" sudo -iu "`$currentUser" /usr/bin/security find-certificate -$($macCertSearch) "$($certIdentifier)" -Z /Users/$($user.userName)/Library/Keychains/login.keychain | grep snbr | awk '{print `$1}' | sed 's/"snbr"<blob>=0x//g')
+            installedCertSN=`$(/bin/launchctl asuser "`$currentUserUID" sudo -iu "`$currentUser" /usr/bin/security find-certificate -$($macCertSearch) "$($certIdentifier)" -Z /Users/$($user.localUsername)/Library/Keychains/login.keychain | grep snbr | awk '{print `$1}' | sed 's/"snbr"<blob>=0x//g')
             if [[ `$installedCertSN == `$currentCertSN ]]; then
-                installedCertSHA=`$(/bin/launchctl asuser "`$currentUserUID" sudo -iu "`$currentUser" /usr/bin/security find-certificate -$($macCertSearch) "$($certIdentifier)" -Z /Users/$($user.userName)/Library/Keychains/login.keychain | grep SHA-1 | awk '{print `$3}')
+                installedCertSHA=`$(/bin/launchctl asuser "`$currentUserUID" sudo -iu "`$currentUser" /usr/bin/security find-certificate -$($macCertSearch) "$($certIdentifier)" -Z /Users/$($user.localUsername)/Library/Keychains/login.keychain | grep SHA-1 | awk '{print `$3}')
             fi
 
         else
@@ -213,7 +213,7 @@ if [[ `$currentUser ==  $($user.userName) ]]; then
         rm "/tmp/$($user.userName)-client-signed.pfx"
     fi
 else
-    echo "Current logged in user, `$currentUser, does not match expected certificate user. Please ensure $($user.userName) is signed in and retry"
+    echo "Current logged in user, `$currentUser, does not match expected certificate user. Please ensure $($user.localUsername) is signed in and retry"
     # Finally clean up files
     if [[ -f "/tmp/$($user.userName)-client-signed.zip" ]]; then
         echo "Removing Temp Zip"
@@ -286,7 +286,7 @@ if ( -Not [string]::isNullOrEmpty(`$CurrentUser) ){
 } else {
     `$CurrentUser = `$null
 }
-if (`$CurrentUser -eq "$($user.userName)") {
+if (`$CurrentUser -eq "$($user.localUsername)") {
     if (-not(Get-InstalledModule -Name RunAsUser -errorAction "SilentlyContinue")) {
         Write-Host "RunAsUser Module not installed, Installing..."
         Install-Module RunAsUser -Force
@@ -358,7 +358,7 @@ if (`$CurrentUser -eq "$($user.userName)") {
     if (`$CurrentUser -eq `$null){
         Write-Host "No users are signed into the system. Please ensure $($user.userName) is signed in and retry."
     } else {
-        Write-Host "Current logged in user, `$CurrentUser, does not match expected certificate user. Please ensure $($user.userName) is signed in and retry."
+        Write-Host "Current logged in user, `$CurrentUser, does not match expected certificate user. Please ensure $($user.localUsername) is signed in and retry."
     }
     # finally clean up temp files:
     If (Test-Path "C:\Windows\Temp\$($user.userName)-client-signed.zip"){

diff --git a/scripts/automation/Radius/Functions/Public/Generate-UserCerts.ps1 b/scripts/automation/Radius/Functions/Public/Generate-UserCerts.ps1
@@ -62,14 +62,13 @@ if (Test-Path "$JCScriptRoot/UserCerts") {
 foreach ($user in $groupMembers) {
     # Create the User Certs
     $MatchedUser = get-webjcuser -userID $user.id
-
     Write-Host "Generating Cert for user: $($MatchedUser.username)"
 
     if ($MatchedUser.id -in $userArray.userId) {
         if (Test-Path -Path "$JCScriptRoot/UserCerts/$($MatchedUser.username)-client-signed.pfx") {
             Write-Host "[status] $($MatchedUser.username) already has certs generated... skipping"
         } else {
-            Generate-UserCert -CertType $CertType -user $MatchedUser -rootCAKey "$JCScriptRoot/Cert/radius_ca_key.pem" -rootCA "$JCScriptRoot/Cert/radius_ca_cert.pem"
+            Generate-UserCert -CertType $CertType -user $MatchedUser.username -rootCAKey "$JCScriptRoot/Cert/radius_ca_key.pem" -rootCA "$JCScriptRoot/Cert/radius_ca_cert.pem"
         }
     } else {
         Write-Host "[status] $($MatchedUser.username) not found in users.json"
@@ -92,6 +91,11 @@ foreach ($user in $groupMembers) {
         $userTable = @{
             userId              = $MatchedUser.id
             userName            = $MatchedUser.username
+            localUsername       = $(If ($MatchedUser.hasLocalUsername) {
+                    $matchedUser.localUsername
+                } else {
+                    $matchedUser.username
+                })
             systemAssociations  = $systemAssociations
             commandAssociations = @()
         }