Bug Report: OPNsense Captive Portal UserEnricher sending empty "groups" payload (Zenarmor Business)
Hello Zenarmor Support Team,
I am experiencing an issue where Zenarmor Policies based on Groups are failing to apply for Captive Portal users, even though the users are correctly mapped to groups within OPNsense.
Environment:
- Firewall: OPNsense (Latest Stable)
- Zenarmor: Business Subscription (Emulated Mode enabled)
- Authentication: Captive Portal + FreeRADIUS Plugin
- Configuration: "Synchronize groups" and "Automatic user creation" are enabled in OPNsense Access Server settings.
The Issue: When a user logs in via the Captive Portal, Zenarmor correctly detects the Username but fails to detect the Group. Consequently, the traffic hits the Default Policy instead of the Group-specific policy.
Troubleshooting Performed:
- OPNsense Mapping is Correct: I have verified via System > Access > Users and the Tester tool that the user is successfully authenticated and assigned to the local group Sales (mapped via Radius Class attribute).
- Zenarmor "Emulated Mode" is Active: I switched to Emulated mode to ensure better compatibility, but the issue persists.
- Manual Mapping Works: If I manually add the user to the policy via "Add User," it works. The failure is specific to the Group criteria.
The Root Cause (Log Evidence): I enabled DEBUG logging and inspected /usr/local/zenarmor/log/zenarmor.log. The logs confirm that the UserEnrichUtils script is detecting the login event but is sending an empty string for the group field, despite the user being in a group in the OPNsense database.
Relevant Log Snippet:
[::INFO::] 2026-01-06 21:04:03 <FILE: UserEnrichUtils.php UserEnrichUtils:resultLog>
Userenrich Data From 127.0.0.1 {"logonid": "...", "username": "saleh", "groups": "", "ip": "10.10.10.50", "action": "login"} Result : 1/1
As you can see, "groups": "" is empty. It appears there is a race condition or a parsing failure in the UserEnricher script where it queries the OPNsense user database before the group membership is fully committed or accessible during the Captive Portal login process.
Please advise on how to resolve this integration failure so Zenarmor can correctly receive the Group tags from OPNsense Captive Portal sessions.
Note: Zenarmor version is 2.3.1
Best Regards,
Saleh Madi
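Added example, not part of the original post and not Zenarmor's code: a small Python check that scans text in the layout of the snippet quoted above and lists login events whose "groups" field arrived blank, which is the symptom reported here. The record layout is assumed from that single snippet; the function names and every sample record other than the quoted one are constructed for illustration.

```python
import json
import re

# Constructed sample in the layout of the snippet quoted in the post
# (user "alice" and the second and third records are invented).
SAMPLE_LOG = '''\
[::INFO::] 2026-01-06 21:04:03 <FILE: UserEnrichUtils.php UserEnrichUtils:resultLog>
Userenrich Data From 127.0.0.1 {"logonid": "...", "username": "saleh", "groups": "", "ip": "10.10.10.50", "action": "login"} Result : 1/1
[::INFO::] 2026-01-06 21:05:10 <FILE: UserEnrichUtils.php UserEnrichUtils:resultLog>
Userenrich Data From 127.0.0.1 {"logonid": "...", "username": "alice", "groups": "Sales", "ip": "10.10.10.51", "action": "login"} Result : 1/1
[::INFO::] 2026-01-06 21:09:44 <FILE: UserEnrichUtils.php UserEnrichUtils:resultLog>
Userenrich Data From 127.0.0.1 {"logonid": "...", "username": "saleh", "groups": "", "ip": "10.10.10.50", "action": "logout"} Result : 1/1
'''

STAMP = re.compile(r"^\[::\w+::\] (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)")
MARKER = "Userenrich Data From "

def parse_userenrich(text):
    """Yield (timestamp, payload dict) for every Userenrich record in text."""
    decoder = json.JSONDecoder()
    stamp = None
    for line in text.splitlines():
        m = STAMP.match(line)
        if m:
            stamp = m.group(1)  # header may sit on the line above the payload
        pos = line.find(MARKER)
        start = line.find("{", pos) if pos != -1 else -1
        if start == -1:
            continue
        try:
            payload, _ = decoder.raw_decode(line, start)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON record, skip it
        if isinstance(payload, dict):
            yield stamp, payload

def logins_without_groups(text):
    """Return (timestamp, username, ip) for logins with a blank "groups" field."""
    hits = []
    for stamp, p in parse_userenrich(text):
        groups = p.get("groups")
        blank = not groups or not str(groups).strip()
        if p.get("action") == "login" and blank:
            hits.append((stamp, p.get("username"), p.get("ip")))
    return hits
```

Passing the contents of the debug log to `logins_without_groups` shows whether every Captive Portal login is affected or only some users, which helps separate a timing problem from a mapping problem.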
Official comment
Hi Saleh,
Thanks for reaching out and bringing the issue to our attention.
Could you please provide the logs and configuration by following the steps outlined in the link below? I kindly request that you select all checkboxes.
https://www.zenarmor.com/docs/support/reporting-bug
Best regards,
Hello Salih,
Thank you so much for your reply.
Sending feedback via the OPNsense UI is already done. Please check.
Note:
Name: Saleh Madi
Email Address: saleh.madi@premiertech.ps
Best Regards,
Saleh