Problems on replying attributes
Dears. In the authentication process on my freeradius v3 server, I reply to user its IP address to access VPN (Framed-IP-Address vsa). Now, I have to assign different IP address depending on which NAS the user wants access to. Is there a simple solution that I'm not finding ? Can anyone tell me in what direction should I direct my studies ? Thank you. Marco. --
On Apr 21, 2020, at 1:55 PM, Marco Miglietta <marco.miglietta@unisalento.it> wrote:
In the authentication process on my freeradius v3 server, I reply to user its IP address to access VPN (Framed-IP-Address vsa). Now, I have to assign different IP address depending on which NAS the user wants access to.
Assign address from... where? sqlippool? Manually assigned address?
Is there a simple solution that I'm not finding ? Can anyone tell me in what direction should I direct my studies ?
The "unlang" policy language allows for full if / then / else checks. You can do something like: if (Packet-Src-IP-Address == 1.2.3.4) { ... stuff ... } elsif (Packet-Src-IP-Address == 2.3.4.5) { ... other stuff ... } But the best solution depends on what you want to do. So please explain your requirements in detail. It helps a lot. Alan DeKok.
Ok. Thank you. I try to be more accurate. I use radius to authenticate users accessing VPN. The NAS in this case is a VPN gateway and I need each user to have their fixed IP address accessing the private network. This in order to discriminate what he can do. Therefore, in the authentication process radius replies to NAS the IP address to assign to vpn client throught Framed-IP-Address attribute. If user requests connection to another VPN gateway, obviously I need radius assigns a different IP address corrisponding to the subnets managed by that gateway. Except for the initial configuration now I use Daloradius to manage the radius database, so I have few experience with configuration files This is the scenario. I'm looking for a suggestion to know what I can do or on which configuration files I have to operate. Marco. Il 21/04/20 20:09, Alan DeKok ha scritto:
On Apr 21, 2020, at 1:55 PM, Marco Miglietta <marco.miglietta@unisalento.it> wrote:
In the authentication process on my freeradius v3 server, I reply to user its IP address to access VPN (Framed-IP-Address vsa). Now, I have to assign different IP address depending on which NAS the user wants access to. Assign address from... where? sqlippool? Manually assigned address?
Is there a simple solution that I'm not finding ? Can anyone tell me in what direction should I direct my studies ? The "unlang" policy language allows for full if / then / else checks.
You can do something like:
if (Packet-Src-IP-Address == 1.2.3.4) { ... stuff ... } elsif (Packet-Src-IP-Address == 2.3.4.5) { ... other stuff ... }
But the best solution depends on what you want to do. So please explain your requirements in detail. It helps a lot.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- -------------------------------------------------------------------------------------- *Ing. Marco Miglietta* *Universita' del Salento* Ripartizione Tecnica e Tecnologica - Area Gestione Infrastrutture Ex Collegio Fiorini - Via per Arnesano - Monteroni di Lecce (LE) - ITALY tel: +39 0832 299050/299058 - fax: +39 0832 299998 mob: +39 320 9223913 skype: marcomiglietta mail: marco.miglietta@unisalento.it web: www.unisalento.it <http://www.unisalento.it> --------------------------------------------------------------------------------------
On Apr 21, 2020, at 3:28 PM, Marco Miglietta <marco.miglietta@unisalento.it> wrote:
I use radius to authenticate users accessing VPN. The NAS in this case is a VPN gateway and I need each user to have their fixed IP address accessing the private network. This in order to discriminate what he can do. Therefore, in the authentication process radius replies to NAS the IP address to assign to vpn client throught Framed-IP-Address attribute. If user requests connection to another VPN gateway, obviously I need radius assigns a different IP address corrisponding to the subnets managed by that gateway. Except for the initial configuration now I use Daloradius to manage the radius database, so I have few experience with configuration files This is the scenario. I'm looking for a suggestion to know what I can do or on which configuration files I have to operate.
You need to edit sites-enabled/default, and edit the "authorize" section. This kind of thing is difficult (if not impossible) to configure in a web UI, so editing the configuration files is your best bet. There are many examples in the configuration files of how to create policies. You should read them, and run the server in debugging mode to see what it's doing. If you use a careful and slow process, then the configuration should be done quickly. Ask questions if you're unsure. Alan DeKok.
Thank you v.m. Alan. I give a look. Il 21/04/20 22:06, Alan DeKok ha scritto:
On Apr 21, 2020, at 3:28 PM, Marco Miglietta <marco.miglietta@unisalento.it> wrote:
I use radius to authenticate users accessing VPN. The NAS in this case is a VPN gateway and I need each user to have their fixed IP address accessing the private network. This in order to discriminate what he can do. Therefore, in the authentication process radius replies to NAS the IP address to assign to vpn client throught Framed-IP-Address attribute. If user requests connection to another VPN gateway, obviously I need radius assigns a different IP address corrisponding to the subnets managed by that gateway. Except for the initial configuration now I use Daloradius to manage the radius database, so I have few experience with configuration files This is the scenario. I'm looking for a suggestion to know what I can do or on which configuration files I have to operate. You need to edit sites-enabled/default, and edit the "authorize" section.
This kind of thing is difficult (if not impossible) to configure in a web UI, so editing the configuration files is your best bet.
There are many examples in the configuration files of how to create policies. You should read them, and run the server in debugging mode to see what it's doing.
If you use a careful and slow process, then the configuration should be done quickly. Ask questions if you're unsure.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- -------------------------------------------------------------------------------------- *Ing. Marco Miglietta* *Universita' del Salento* Ripartizione Tecnica e Tecnologica - Area Gestione Infrastrutture Ex Collegio Fiorini - Via per Arnesano - Monteroni di Lecce (LE) - ITALY tel: +39 0832 299050/299058 - fax: +39 0832 299998 mob: +39 320 9223913 skype: marcomiglietta mail: marco.miglietta@unisalento.it web: www.unisalento.it <http://www.unisalento.it> --------------------------------------------------------------------------------------
Hi! We are upgrading our current Freeradius servers from Ubuntu-14 to Ubuntu-18. Using the Ubuntu provided Freeradius package this means stepping from 2.1.12 to 3.0.16. I think I pretty much got the config changes done on the old version into the new setup and the system works mostly as expected. But there seems to be a change from version 2 to version 3 that creates additional accounting records with zero session length. We used radsniff to observe that our NAS does send an accounting request stop after receiving an access reject from Freeradius: 2020-04-22 08:16:38.392369 (9) Access-Request Id 169 ens192:192.168.225.20:1645 -> 192.168.227.10:1812 +2.015 User-Name = "testuser153@test.net" CHAP-Password = 0x0275dd4d90353ec539963c8aa22d2caa4e NAS-IP-Address = 192.168.225.20 NAS-Port = 121 Service-Type = Framed-User Framed-Protocol = PPP NAS-Port-Type = Virtual Connect-Info = "1000000000" NAS-Port-Id = "Uniq-Sess-ID121" Authenticator-Field = 0x174eaf56fd80857b520aa893da81c1e8 2020-04-22 08:16:39.395955 (10) Access-Reject Id 169 ens192:192.168.225.20:1645 <- 192.168.227.10:1812 +3.019 +1.003 Authenticator-Field = 0xf1917ec032bf848906f021074d267cd7 2020-04-22 08:16:39.396846 (11) Accounting-Request Id 11 ens192:192.168.225.20:1646 -> 192.168.227.10:1813 +3.020 User-Name = "testuser153@test.net" NAS-IP-Address = 192.168.225.20 NAS-Port = 121 Service-Type = Framed-User NAS-Port-Type = Virtual Acct-Status-Type = Stop Acct-Delay-Time = 0 Acct-Input-Octets = 0 Acct-Output-Octets = 0 Acct-Session-Id = "001E2FED" Acct-Authentic = RADIUS Acct-Session-Time = 0 Acct-Input-Packets = 0 Acct-Output-Packets = 0 Acct-Terminate-Cause = User-Error Acct-Tunnel-Connection = "2058273712" Tunnel-Type:0 = L2TP Tunnel-Medium-Type:0 = IPv4 Tunnel-Client-Endpoint:0 = "192.168.254.2" Tunnel-Server-Endpoint:0 = "192.168.254.3" Tunnel-Assignment-Id:0 = "TEST_LAC" Tunnel-Client-Auth-Id:0 = "ALAC01" Tunnel-Server-Auth-Id:0 = "BLNS01" Connect-Info = "1000000000" NAS-Port-Id = "Uniq-Sess-ID121" PMIP6-Home-HN-Prefix = 3541:3238:3238::/52 Cisco-AVPair = "ppp-disconnect-cause=User failed CHAP authentication" Cisco-AVPair = "connect-progress=Auth Failed" Cisco-AVPair = "nas-tx-speed=1000000000" Cisco-AVPair = "nas-rx-speed=1000000000" Cisco-AVPair = "disc-cause-ext=PPP CHAP Fail" Authenticator-Field = 0x20c83037e2d128ec2a6ba6be1519e1ef This accounting record shows up in the database which it didn’t do when Freeradius 2 was used. I searched the archives and found a discussion where someone (I thing it was Alan) said, that the NAS is broken if it does this. I agree but currently this is how it is. Using Freeradius 2 we got the follwing log messages: [sql_acct] stop packet with zero session length. [user '', nas '192.168.225.20'] Looking a the source code I got the impression that this is where things changed from version 2 to version 3. In version 2 the log message indicates the the zero length stop message was ignores. In version 3 the code changed and the accounting recored is written to the database. Can we do anything about this? I’m thinking about using the following unlang code in the accounting section to avoid these records to show up in the database: accounting { if (&Acct-Status-Type == "Stop" && &Acct-Terminate-Cause == "User-Error" && &Acct-Session-Time == 0) { attr_filter.accounting_response return } sql_acct attr_filter.accounting_response } Does this look reasonable? Do I miss anything? Thanks! Stefan
On Apr 22, 2020, at 2:38 AM, Stefan Möding <s.moeding@gmail.com> wrote:
I think I pretty much got the config changes done on the old version into the new setup and the system works mostly as expected. But there seems to be a change from version 2 to version 3 that creates additional accounting records with zero session length.
Yeah, that used to be suppressed by the SQL module. In the interest of making things more configurable, we remove many hard-coded rules.
We used radsniff to observe that our NAS does send an accounting request stop after receiving an access reject from Freeradius:
Which is technically allowed by the specs. However, it's entirely a stupid thing to do.
Looking a the source code I got the impression that this is where things changed from version 2 to version 3. In version 2 the log message indicates the the zero length stop message was ignores. In version 3 the code changed and the accounting recored is written to the database.
Yes.
Can we do anything about this?
Yes. The unlang policy you posted will work.
Does this look reasonable? Do I miss anything?
Yes, and no. :) Alan DeKok.
participants (3)
-
Alan DeKok -
Marco Miglietta -
Stefan Möding