Freeradius Framed-IP-Address not working with strongswan
Good morning, It is my first time asking a question on the freeradius mailing list, i excuse myself in advance of any error or bad interpretation. I'm using a VPN named strongswan that communicates with a freeradius using the eap-radius plugin. The radius is authenticated agaisn't a samba AD that authentifies clients using ntlm_auth and mschapv2. It is working great. Now, I want for the clients to get the IP address that I assign in the users.conf file. What I did was to create an user named test1.vpn in the LDAP, and use rightsourceip=%radius in the ipsec.conf file on strongswan. I gave him a framed ip address like this : "test1.vpn" Framed-IP-Address == 10.10.10.6 Fall-Through = Yes The thing is, it doesn't work... It works great when, on the ipsec.conf file I put rightsourceip=10.10.10.1. The client gets the right framed-ip-address. But with %radius, I don't see the 10.10.10.6 ip address in the radius log and it makes an error on the strongswan since the client doesn't get a virtual IP address. Here are the output of radiusd -X : (0) Received Access-Request Id 211 from 172.16.10.111:47079 to 172.16.10.111:1812 length 168 (0) User-Name = "test1.vpn" (0) NAS-Port-Type = Virtual (0) Service-Type = Framed-User (0) NAS-Port = 3 (0) NAS-Port-Id = "test1.vpn" (0) NAS-IP-Address = X.X.X.X (0) Called-Station-Id = "X.X.X.X[4500]" (0) Calling-Station-Id = "X.X.X.X[4500]" (0) Acct-Session-Id = "1654086146-3" (0) EAP-Message = 0x0200000e0174657374312e76706e (0) NAS-Identifier = "strongSwan" (0) Message-Authenticator = 0xce4ddedff45a0a9bd69f9b913a963862 (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) [files] = noop (0) [preprocess] = ok (0) [mschap] = noop (0) eap: Peer sent EAP Response (code 2) ID 0 length 14 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/raddb/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_md5 to process data (0) eap_md5: Issuing MD5 Challenge (0) eap: Sending EAP Request (code 1) ID 1 length 22 (0) eap: EAP session adding &reply:State = 0x6aa216d56aa312bf (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) Post-Auth-Type sub-section not found. Ignoring. (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Sent Access-Challenge Id 211 from 172.16.10.111:1812 to 172.16.10.111:47079 length 0 (0) EAP-Message = 0x010100160410ff5cd34168d97f580fbfdfa92f86b05a (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x6aa216d56aa312bf987ea9fae6cd4048 (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 212 from 172.16.10.111:47079 to 172.16.10.111:1812 length 178 (1) User-Name = "test1.vpn" (1) NAS-Port-Type = Virtual (1) Service-Type = Framed-User (1) NAS-Port = 3 (1) NAS-Port-Id = "test1.vpn" (1) NAS-IP-Address = X.X.X.X (1) Called-Station-Id = "X.X.X.X[4500]" (1) Calling-Station-Id = "X.X.X.X[4500]" (1) Acct-Session-Id = "1654086146-3" (1) EAP-Message = 0x020100060319 (1) NAS-Identifier = "strongSwan" (1) State = 0x6aa216d56aa312bf987ea9fae6cd4048 (1) Message-Authenticator = 0x031a4fe55f8ec1ee08d13034d8164e22 (1) session-state: No cached attributes (1) # Executing section authorize from file /etc/raddb/sites-enabled/default (1) authorize { (1) [files] = noop (1) [preprocess] = ok (1) [mschap] = noop (1) eap: Peer sent EAP Response (code 2) ID 1 length 6 (1) eap: No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) [expiration] = noop (1) [logintime] = noop (1) } # authorize = updated (1) Found Auth-Type = eap (1) # Executing group from file /etc/raddb/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0x6aa216d56aa312bf (1) eap: Finished EAP session with state 0x6aa216d56aa312bf (1) eap: Previous EAP request found for state 0x6aa216d56aa312bf, released from the list (1) eap: Peer sent packet with method EAP NAK (3) (1) eap: Found mutually acceptable type PEAP (25) (1) eap: Calling submodule eap_peap to process data (1) eap_peap: Initiating new TLS session (1) eap_peap: [eaptls start] = request (1) eap: Sending EAP Request (code 1) ID 2 length 6 (1) eap: EAP session adding &reply:State = 0x6aa216d56ba00fbf (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) Post-Auth-Type sub-section not found. Ignoring. (1) # Executing group from file /etc/raddb/sites-enabled/default (1) Sent Access-Challenge Id 212 from 172.16.10.111:1812 to 172.16.10.111:47079 length 0 (1) EAP-Message = 0x010200061920 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x6aa216d56ba00fbf987ea9fae6cd4048 (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 213 from 172.16.10.111:47079 to 172.16.10.111:1812 length 344 (2) User-Name = "test1.vpn" (2) NAS-Port-Type = Virtual (2) Service-Type = Framed-User (2) NAS-Port = 3 (2) NAS-Port-Id = "test1.vpn" (2) NAS-IP-Address = X.X.X.X (2) Called-Station-Id = "X.X.X.X[4500]" (2) Calling-Station-Id = "X.X.X.X[4500]" (2) Acct-Session-Id = "1654086146-3" (2) EAP-Message = 0x020200ac1980000000a2160303009d01000099030362975ce3469633ee61d0332929a35ae076af708048f1d1b8d8055196ee255f0700002ac02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a01000046000500050100000000000a00080006001d00170018000b00020100000d001a00180804080508060401050102010403050302030202060106030023000000170000ff01000100 (2) NAS-Identifier = "strongSwan" (2) State = 0x6aa216d56ba00fbf987ea9fae6cd4048 (2) Message-Authenticator = 0x1380eb13af2c8eec169fe4a8c0f7947c (2) session-state: No cached attributes (2) # Executing section authorize from file /etc/raddb/sites-enabled/default (2) authorize { (2) [files] = noop (2) [preprocess] = ok (2) [mschap] = noop (2) eap: Peer sent EAP Response (code 2) ID 2 length 172 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = eap (2) # Executing group from file /etc/raddb/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0x6aa216d56ba00fbf (2) eap: Finished EAP session with state 0x6aa216d56ba00fbf (2) eap: Previous EAP request found for state 0x6aa216d56ba00fbf, released from the list (2) eap: Peer sent packet with method EAP PEAP (25) (2) eap: Calling submodule eap_peap to process data (2) eap_peap: Continuing EAP-TLS (2) eap_peap: Peer indicated complete TLS record size will be 162 bytes (2) eap_peap: Got complete TLS record (162 bytes) (2) eap_peap: [eaptls verify] = length included (2) eap_peap: (other): before SSL initialization (2) eap_peap: TLS_accept: before SSL initialization (2) eap_peap: TLS_accept: before SSL initialization (2) eap_peap: <<< recv TLS 1.3 [length 009d] (2) eap_peap: TLS_accept: SSLv3/TLS read client hello (2) eap_peap: >>> send TLS 1.2 [length 003d] (2) eap_peap: TLS_accept: SSLv3/TLS write server hello (2) eap_peap: >>> send TLS 1.2 [length 0a0e] (2) eap_peap: TLS_accept: SSLv3/TLS write certificate (2) eap_peap: >>> send TLS 1.2 [length 024d] (2) eap_peap: TLS_accept: SSLv3/TLS write key exchange (2) eap_peap: >>> send TLS 1.2 [length 0004] (2) eap_peap: TLS_accept: SSLv3/TLS write server done (2) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done (2) eap_peap: TLS - In Handshake Phase (2) eap_peap: TLS - got 3248 bytes of data (2) eap_peap: [eaptls process] = handled (2) eap: Sending EAP Request (code 1) ID 3 length 1004 (2) eap: EAP session adding &reply:State = 0x6aa216d568a10fbf (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) Post-Auth-Type sub-section not found. Ignoring. (2) # Executing group from file /etc/raddb/sites-enabled/default (2) Sent Access-Challenge Id 213 from 172.16.10.111:1812 to 172.16.10.111:47079 length 0 (2) EAP-Message = 0x010303ec19c000000cb0160303003d0200003903039f516795514d2124f963a729d1c1f5046a8ec1dc38e8620e0df6721d0ecd7bb400c030000011ff01000100000b000403000102001700001603030a0e0b000a0a000a0700050930820505308202eda003020102020859501ffb058af674300d06092a864886f70d01010c05003018311630140603550403130d4c696e6b736f2056504e204341301e170d3232303532373134333135355a170d3332303532343134333135355a3018311630140603550403130d3137382e31382e36322e32323030820222300d06092a864886f70d01010105000382020f003082020a0282020100a78d1c2b41f372a12f579b055680a56749aa46f0ec6c0031b424589ca4371f4904485b011adfebb5de0b47cd85a6009f7ed0d2f8b2ed60d624322e67c6ac0d92f8044774570dddfb12512d3f354dce91b84bab8c1281abc72f7776fb0aaf3d30ad0daf0c69a07709007fb40f2aff69de1effcbe748cab7c6a889d7df5e92488e33 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0x6aa216d568a10fbf987ea9fae6cd4048 (2) Finished request Waking up in 4.9 seconds. (3) Received Access-Request Id 214 from 172.16.10.111:47079 to 172.16.10.111:1812 length 178 (3) User-Name = "test1.vpn" (3) NAS-Port-Type = Virtual (3) Service-Type = Framed-User (3) NAS-Port = 3 (3) NAS-Port-Id = "test1.vpn" (3) NAS-IP-Address = X.X.X.X (3) Called-Station-Id = "X.X.X.X[4500]" (3) Calling-Station-Id = "X.X.X.X[4500]" (3) Acct-Session-Id = "1654086146-3" (3) EAP-Message = 0x020300061900 (3) NAS-Identifier = "strongSwan" (3) State = 0x6aa216d568a10fbf987ea9fae6cd4048 (3) Message-Authenticator = 0x8ec75da2a02763705c4be3fab6e7d4bd (3) session-state: No cached attributes (3) # Executing section authorize from file /etc/raddb/sites-enabled/default (3) authorize { (3) [files] = noop (3) [preprocess] = ok (3) [mschap] = noop (3) eap: Peer sent EAP Response (code 2) ID 3 length 6 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = eap (3) # Executing group from file /etc/raddb/sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0x6aa216d568a10fbf (3) eap: Finished EAP session with state 0x6aa216d568a10fbf (3) eap: Previous EAP request found for state 0x6aa216d568a10fbf, released from the list (3) eap: Peer sent packet with method EAP PEAP (25) (3) eap: Calling submodule eap_peap to process data (3) eap_peap: Continuing EAP-TLS (3) eap_peap: Peer ACKed our handshake fragment (3) eap_peap: [eaptls verify] = request (3) eap_peap: [eaptls process] = handled (3) eap: Sending EAP Request (code 1) ID 4 length 1000 (3) eap: EAP session adding &reply:State = 0x6aa216d569a60fbf (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) Post-Auth-Type sub-section not found. Ignoring. (3) # Executing group from file /etc/raddb/sites-enabled/default (3) Sent Access-Challenge Id 214 from 172.16.10.111:1812 to 172.16.10.111:47079 length 0 (3) EAP-Message = 0x010403e81940bebf80d34d5d2ffadfe99593245c430b0545f71e325611a471ac019a0eb1b4cc51be9e4c4c6d7173cf00d6b53abe40a709dc7013a54897189721d836b31ae0ba84666749f762e02ab0f7b47d56d4ed0985084c55389e67476016143a29513ce10e4f779ba0e79cfedc620ce3b17c114081e2081221b32789bb7a167feb276b90bd6e5ccf3963a97c3da2a7cc5bee2b19fa21a4aa2f4a0abb2699dbe10fdbd42e93a395609bab8aded14fe6829a91017a7553d91e662a960b104d715a882298b2b57a106b608d5cbf18a416f047f92f8d6edc4631a136a88a1316574dfd306656f721427222732b84808fb63b38afe9f956af9969f506dbed0be473b1004960514231c75a8daff60a37ffe26fc85dcfb077c45ef88166b71a0ede035f7c5d79a749f30c64f5ed4e03ed8436e8f08c1d460fc0bd260ec944f99d183119868e804a7f93de415baea77ff7a29672b674e735b9d9170afd483208bec971d40ec0cb8b901f37c69d44d5c4d88bb63f59744c508a (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0x6aa216d569a60fbf987ea9fae6cd4048 (3) Finished request Waking up in 4.9 seconds. (4) Received Access-Request Id 215 from 172.16.10.111:47079 to 172.16.10.111:1812 length 178 (4) User-Name = "test1.vpn" (4) NAS-Port-Type = Virtual (4) Service-Type = Framed-User (4) NAS-Port = 3 (4) NAS-Port-Id = "test1.vpn" (4) NAS-IP-Address = X.X.X.X (4) Called-Station-Id = "X.X.X.X[4500]" (4) Calling-Station-Id = "X.X.X.X[4500]" (4) Acct-Session-Id = "1654086146-3" (4) EAP-Message = 0x020400061900 (4) NAS-Identifier = "strongSwan" (4) State = 0x6aa216d569a60fbf987ea9fae6cd4048 (4) Message-Authenticator = 0xe26fd6d586c478db00a6786eb735c999 (4) session-state: No cached attributes (4) # Executing section authorize from file /etc/raddb/sites-enabled/default (4) authorize { (4) [files] = noop (4) [preprocess] = ok (4) [mschap] = noop (4) eap: Peer sent EAP Response (code 2) ID 4 length 6 (4) eap: Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = eap (4) # Executing group from file /etc/raddb/sites-enabled/default (4) authenticate { (4) eap: Expiring EAP session with state 0x6aa216d569a60fbf (4) eap: Finished EAP session with state 0x6aa216d569a60fbf (4) eap: Previous EAP request found for state 0x6aa216d569a60fbf, released from the list (4) eap: Peer sent packet with method EAP PEAP (25) (4) eap: Calling submodule eap_peap to process data (4) eap_peap: Continuing EAP-TLS (4) eap_peap: Peer ACKed our handshake fragment (4) eap_peap: [eaptls verify] = request (4) eap_peap: [eaptls process] = handled (4) eap: Sending EAP Request (code 1) ID 5 length 1000 (4) eap: EAP session adding &reply:State = 0x6aa216d56ea70fbf (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) Post-Auth-Type sub-section not found. Ignoring. (4) # Executing group from file /etc/raddb/sites-enabled/default (4) Sent Access-Challenge Id 215 from 172.16.10.111:1812 to 172.16.10.111:47079 length 0 (4) EAP-Message = 0x010503e819407082cf40cfcee0f3f12cba3aef5822670128cd6f911798eef08198423886ccf7755c826cdcbe3a99ce66a9eae20d46d7161e7b750203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414add6132f6bb457e0c198d140aba7a264e4dc0d8d300d06092a864886f70d01010c05000382020100902e25abac2dddd6ca56f04588ea1f33d011b08f31e625c387b2230a2f9f378387f2929f02a0e839e8ba589f3fa07aa97df211ce02ce75ca2eeff80a09234bc54ce1cb8be75c16b2356d36c1d4ad6bde1b5c8921a1e03d412bfd280c3cabe5b734bd209d9f8182cf64fd4ecf87ab4e677b6c9c70d10f25f6f2772a611a31fcb3e74a800142a211c766841ad6540913ba8c7b39025308a651829d2dfac79d8dac002e21bf72bd73ccf17774b31e0cd3fde6c927cfea62ed17982d4203aa7ab706fc7883dde5321895ae65e63ff503804f12ff80a8075e0f1f9b169d8a1adae22d (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0x6aa216d56ea70fbf987ea9fae6cd4048 (4) Finished request Waking up in 4.9 seconds. (5) Received Access-Request Id 216 from 172.16.10.111:47079 to 172.16.10.111:1812 length 178 (5) User-Name = "test1.vpn" (5) NAS-Port-Type = Virtual (5) Service-Type = Framed-User (5) NAS-Port = 3 (5) NAS-Port-Id = "test1.vpn" (5) NAS-IP-Address = X.X.X.X (5) Called-Station-Id = "X.X.X.X[4500]" (5) Calling-Station-Id = "X.X.X.X[4500]" (5) Acct-Session-Id = "1654086146-3" (5) EAP-Message = 0x020500061900 (5) NAS-Identifier = "strongSwan" (5) State = 0x6aa216d56ea70fbf987ea9fae6cd4048 (5) Message-Authenticator = 0xeffc14397e2e2698bbe4717d2ad673d3 (5) session-state: No cached attributes (5) # Executing section authorize from file /etc/raddb/sites-enabled/default (5) authorize { (5) [files] = noop (5) [preprocess] = ok (5) [mschap] = noop (5) eap: Peer sent EAP Response (code 2) ID 5 length 6 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file /etc/raddb/sites-enabled/default (5) authenticate { (5) eap: Expiring EAP session with state 0x6aa216d56ea70fbf (5) eap: Finished EAP session with state 0x6aa216d56ea70fbf (5) eap: Previous EAP request found for state 0x6aa216d56ea70fbf, released from the list (5) eap: Peer sent packet with method EAP PEAP (25) (5) eap: Calling submodule eap_peap to process data (5) eap_peap: Continuing EAP-TLS (5) eap_peap: Peer ACKed our handshake fragment (5) eap_peap: [eaptls verify] = request (5) eap_peap: [eaptls process] = handled (5) eap: Sending EAP Request (code 1) ID 6 length 272 (5) eap: EAP session adding &reply:State = 0x6aa216d56fa40fbf (5) [eap] = handled (5) } # authenticate = handled (5) Using Post-Auth-Type Challenge (5) Post-Auth-Type sub-section not found. Ignoring. (5) # Executing group from file /etc/raddb/sites-enabled/default (5) Sent Access-Challenge Id 216 from 172.16.10.111:1812 to 172.16.10.111:47079 length 0 (5) EAP-Message = 0x010601101900b95388bf01bc568759d1bcedf399ac35756b2d9ec895c9bbf292cf9cda06422caa91d5ca45ab2b398afb223f946eb59b87855cc7785d21da7388857fe19c71cfddf3e529084da9fbaa5256780b893e76c7627c04a7a8cc73ab61b513a14673f7409dcdf0964badc5cc38b57011876d1ad8bd7a15435aefd05db948107f67da21e45679981950d18eafb02569be67a55b948744cf534598eac71778266dc937c43fd0bb64298d3b30f62299eca9de35fe60517131a19d76ea51648aec407756961b287dcb87e5e9a2674bc24af93f9777d57fa2d31759dc351d2821f731bad747e1231da13f909929fb1ed79ddbf9a1352606b860a0180fe6363d117e2bb45eb1f616030300040e000000 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0x6aa216d56fa40fbf987ea9fae6cd4048 (5) Finished request Waking up in 4.9 seconds. (6) Received Access-Request Id 217 from 172.16.10.111:47079 to 172.16.10.111:1812 length 308 (6) User-Name = "test1.vpn" (6) NAS-Port-Type = Virtual (6) Service-Type = Framed-User (6) NAS-Port = 3 (6) NAS-Port-Id = "test1.vpn" (6) NAS-IP-Address = X.X.X.X (6) Called-Station-Id = "X.X.X.X[4500]" (6) Calling-Station-Id = "X.X.X.X[4500]" (6) Acct-Session-Id = "1654086146-3" (6) EAP-Message = 0x0206008819800000007e160303004610000042410402341187576763b91077af4fe0f7c05ab045f71ae0111bc7115da8543b730178500de82d67b06be13e3090850e22f014616bbe165f8e789c65e9796cde9ba77d14030300010116030300280000000000000000ef71b7cb6cc71ec0faa37e0680343b19996d8a7578f2057c965f450002579e68 (6) NAS-Identifier = "strongSwan" (6) State = 0x6aa216d56fa40fbf987ea9fae6cd4048 (6) Message-Authenticator = 0x7083d87098fb258fbf0258463f6b3dd1 (6) session-state: No cached attributes (6) # Executing section authorize from file /etc/raddb/sites-enabled/default (6) authorize { (6) [files] = noop (6) [preprocess] = ok (6) [mschap] = noop (6) eap: Peer sent EAP Response (code 2) ID 6 length 136 (6) eap: Continuing tunnel setup (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = eap (6) # Executing group from file /etc/raddb/sites-enabled/default (6) authenticate { (6) eap: Expiring EAP session with state 0x6aa216d56fa40fbf (6) eap: Finished EAP session with state 0x6aa216d56fa40fbf (6) eap: Previous EAP request found for state 0x6aa216d56fa40fbf, released from the list (6) eap: Peer sent packet with method EAP PEAP (25) (6) eap: Calling submodule eap_peap to process data (6) eap_peap: Continuing EAP-TLS (6) eap_peap: Peer indicated complete TLS record size will be 126 bytes (6) eap_peap: Got complete TLS record (126 bytes) (6) eap_peap: [eaptls verify] = length included (6) eap_peap: TLS_accept: SSLv3/TLS write server done (6) eap_peap: <<< recv TLS 1.2 [length 0046] (6) eap_peap: TLS_accept: SSLv3/TLS read client key exchange (6) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec (6) eap_peap: <<< recv TLS 1.2 [length 0010] (6) eap_peap: TLS_accept: SSLv3/TLS read finished (6) eap_peap: >>> send TLS 1.2 [length 0001] (6) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec (6) eap_peap: >>> send TLS 1.2 [length 0010] (6) eap_peap: TLS_accept: SSLv3/TLS write finished (6) eap_peap: (other): SSL negotiation finished successfully (6) eap_peap: TLS - Connection Established (6) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (6) eap_peap: TLS-Session-Version = "TLS 1.2" (6) eap_peap: TLS - got 51 bytes of data (6) eap_peap: [eaptls process] = handled (6) eap: Sending EAP Request (code 1) ID 7 length 57 (6) eap: EAP session adding &reply:State = 0x6aa216d56ca50fbf (6) [eap] = handled (6) } # authenticate = handled (6) Using Post-Auth-Type Challenge (6) Post-Auth-Type sub-section not found. Ignoring. (6) # Executing group from file /etc/raddb/sites-enabled/default (6) session-state: Saving cached attributes (6) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (6) TLS-Session-Version = "TLS 1.2" (6) Sent Access-Challenge Id 217 from 172.16.10.111:1812 to 172.16.10.111:47079 length 0 (6) EAP-Message = 0x0107003919001403030001011603030028af9cbe4ad48a36eff3a6bdf4ef810aa3e994e6a355bb852f5ca35e72b2783ab141de53d1460b8f14 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0x6aa216d56ca50fbf987ea9fae6cd4048 (6) Finished request Waking up in 4.9 seconds. (7) Received Access-Request Id 218 from 172.16.10.111:47079 to 172.16.10.111:1812 length 178 (7) User-Name = "test1.vpn" (7) NAS-Port-Type = Virtual (7) Service-Type = Framed-User (7) NAS-Port = 3 (7) NAS-Port-Id = "test1.vpn" (7) NAS-IP-Address = X.X.X.X (7) Called-Station-Id = "X.X.X.X[4500]" (7) Calling-Station-Id = "X.X.X.X[4500]" (7) Acct-Session-Id = "1654086146-3" (7) EAP-Message = 0x020700061900 (7) NAS-Identifier = "strongSwan" (7) State = 0x6aa216d56ca50fbf987ea9fae6cd4048 (7) Message-Authenticator = 0x839536bbc3f30d7434ad9d19cc1c99dd (7) Restoring &session-state (7) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (7) &session-state:TLS-Session-Version = "TLS 1.2" (7) # Executing section authorize from file /etc/raddb/sites-enabled/default (7) authorize { (7) [files] = noop (7) [preprocess] = ok (7) [mschap] = noop (7) eap: Peer sent EAP Response (code 2) ID 7 length 6 (7) eap: Continuing tunnel setup (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = eap (7) # Executing group from file /etc/raddb/sites-enabled/default (7) authenticate { (7) eap: Expiring EAP session with state 0x6aa216d56ca50fbf (7) eap: Finished EAP session with state 0x6aa216d56ca50fbf (7) eap: Previous EAP request found for state 0x6aa216d56ca50fbf, released from the list (7) eap: Peer sent packet with method EAP PEAP (25) (7) eap: Calling submodule eap_peap to process data (7) eap_peap: Continuing EAP-TLS (7) eap_peap: Peer ACKed our handshake fragment. handshake is finished (7) eap_peap: [eaptls verify] = success (7) eap_peap: [eaptls process] = success (7) eap_peap: Session established. Decoding tunneled attributes (7) eap_peap: PEAP state TUNNEL ESTABLISHED (7) eap: Sending EAP Request (code 1) ID 8 length 40 (7) eap: EAP session adding &reply:State = 0x6aa216d56daa0fbf (7) [eap] = handled (7) } # authenticate = handled (7) Using Post-Auth-Type Challenge (7) Post-Auth-Type sub-section not found. Ignoring. (7) # Executing group from file /etc/raddb/sites-enabled/default (7) session-state: Saving cached attributes (7) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (7) TLS-Session-Version = "TLS 1.2" (7) Sent Access-Challenge Id 218 from 172.16.10.111:1812 to 172.16.10.111:47079 length 0 (7) EAP-Message = 0x010800281900170303001daf9cbe4ad48a36f0f7e90ea4889d1ec61bd088cf1fa3b7c7d6b699dddb (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0x6aa216d56daa0fbf987ea9fae6cd4048 (7) Finished request Waking up in 4.9 seconds. (8) Received Access-Request Id 219 from 172.16.10.111:47079 to 172.16.10.111:1812 length 217 (8) User-Name = "test1.vpn" (8) NAS-Port-Type = Virtual (8) Service-Type = Framed-User (8) NAS-Port = 3 (8) NAS-Port-Id = "test1.vpn" (8) NAS-IP-Address = X.X.X.X (8) Called-Station-Id = "X.X.X.X[4500]" (8) Calling-Station-Id = "X.X.X.X[4500]" (8) Acct-Session-Id = "1654086146-3" (8) EAP-Message = 0x0208002d190017030300220000000000000001153f9416a443657a5ff5eae96e278c16f1ea3e471bf3e6745738 (8) NAS-Identifier = "strongSwan" (8) State = 0x6aa216d56daa0fbf987ea9fae6cd4048 (8) Message-Authenticator = 0xa4ddd3745d4a15c98227f8f81b897453 (8) Restoring &session-state (8) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (8) &session-state:TLS-Session-Version = "TLS 1.2" (8) # Executing section authorize from file /etc/raddb/sites-enabled/default (8) authorize { (8) [files] = noop (8) [preprocess] = ok (8) [mschap] = noop (8) eap: Peer sent EAP Response (code 2) ID 8 length 45 (8) eap: Continuing tunnel setup (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = eap (8) # Executing group from file /etc/raddb/sites-enabled/default (8) authenticate { (8) eap: Expiring EAP session with state 0x6aa216d56daa0fbf (8) eap: Finished EAP session with state 0x6aa216d56daa0fbf (8) eap: Previous EAP request found for state 0x6aa216d56daa0fbf, released from the list (8) eap: Peer sent packet with method EAP PEAP (25) (8) eap: Calling submodule eap_peap to process data (8) eap_peap: Continuing EAP-TLS (8) eap_peap: [eaptls verify] = ok (8) eap_peap: Done initial handshake (8) eap_peap: [eaptls process] = ok (8) eap_peap: Session established. Decoding tunneled attributes (8) eap_peap: PEAP state WAITING FOR INNER IDENTITY (8) eap_peap: Identity - test1.vpn (8) eap_peap: Got inner identity 'test1.vpn' (8) eap_peap: Setting default EAP type for tunneled EAP session (8) eap_peap: Got tunneled request (8) eap_peap: EAP-Message = 0x0208000e0174657374312e76706e (8) eap_peap: Setting User-Name to test1.vpn (8) eap_peap: Sending tunneled request to inner-tunnel (8) eap_peap: EAP-Message = 0x0208000e0174657374312e76706e (8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (8) eap_peap: User-Name = "test1.vpn" (8) Virtual server inner-tunnel received request (8) EAP-Message = 0x0208000e0174657374312e76706e (8) FreeRADIUS-Proxied-To = 127.0.0.1 (8) User-Name = "test1.vpn" (8) WARNING: Outer and inner identities are the same. User privacy is compromised. (8) server inner-tunnel { (8) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (8) authorize { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) [mschap] = noop (8) eap: Peer sent EAP Response (code 2) ID 8 length 14 (8) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = eap (8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (8) authenticate { (8) eap: Peer sent packet with method EAP Identity (1) (8) eap: Calling submodule eap_mschapv2 to process data (8) eap_mschapv2: Issuing Challenge (8) eap: Sending EAP Request (code 1) ID 9 length 43 (8) eap: EAP session adding &reply:State = 0xb5af7c78b5a66689 (8) [eap] = handled (8) } # authenticate = handled (8) } # server inner-tunnel (8) Virtual server sending reply (8) EAP-Message = 0x0109002b1a010900261087f1a89e580f82fb8741755cf9725926667265657261646975732d332e302e3230 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0xb5af7c78b5a66689306ef54310c66f70 (8) eap_peap: Got tunneled reply code 11 (8) eap_peap: EAP-Message = 0x0109002b1a010900261087f1a89e580f82fb8741755cf9725926667265657261646975732d332e302e3230 (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: State = 0xb5af7c78b5a66689306ef54310c66f70 (8) eap_peap: Got tunneled reply RADIUS code 11 (8) eap_peap: EAP-Message = 0x0109002b1a010900261087f1a89e580f82fb8741755cf9725926667265657261646975732d332e302e3230 (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: State = 0xb5af7c78b5a66689306ef54310c66f70 (8) eap_peap: Got tunneled Access-Challenge (8) eap: Sending EAP Request (code 1) ID 9 length 74 (8) eap: EAP session adding &reply:State = 0x6aa216d562ab0fbf (8) [eap] = handled (8) } # authenticate = handled (8) Using Post-Auth-Type Challenge (8) Post-Auth-Type sub-section not found. Ignoring. (8) # Executing group from file /etc/raddb/sites-enabled/default (8) session-state: Saving cached attributes (8) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (8) TLS-Session-Version = "TLS 1.2" (8) Sent Access-Challenge Id 219 from 172.16.10.111:1812 to 172.16.10.111:47079 length 0 (8) EAP-Message = 0x0109004a1900170303003faf9cbe4ad48a36f1d629f5421ac4bd1824440e73056b065a53331c3e0a92dc863006c61a4e3c5b2fd79ec0d2a0560e60915e009f9a35362e1cae48cd0ced91 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0x6aa216d562ab0fbf987ea9fae6cd4048 (8) Finished request Waking up in 4.9 seconds. (9) Received Access-Request Id 220 from 172.16.10.111:47079 to 172.16.10.111:1812 length 271 (9) User-Name = "test1.vpn" (9) NAS-Port-Type = Virtual (9) Service-Type = Framed-User (9) NAS-Port = 3 (9) NAS-Port-Id = "test1.vpn" (9) NAS-IP-Address = X.X.X.X (9) Called-Station-Id = "X.X.X.X[4500]" (9) Calling-Station-Id = "X.X.X.X[4500]" (9) Acct-Session-Id = "1654086146-3" (9) EAP-Message = 0x02090063190017030300580000000000000002f0c4c37ddbcba1c1e20a93357294aea5ad42b3ee3213a8669f1a63385ed6ca36ac718fa232c6b16b8cb665c475065e3efe5c09616bc2fe15fbef55fbc01bcd59a69df14f9e98a138ad31732fa8a60845 (9) NAS-Identifier = "strongSwan" (9) State = 0x6aa216d562ab0fbf987ea9fae6cd4048 (9) Message-Authenticator = 0x224b063c7046c016feef7eead14ad30e (9) Restoring &session-state (9) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (9) &session-state:TLS-Session-Version = "TLS 1.2" (9) # Executing section authorize from file /etc/raddb/sites-enabled/default (9) authorize { (9) [files] = noop (9) [preprocess] = ok (9) [mschap] = noop (9) eap: Peer sent EAP Response (code 2) ID 9 length 99 (9) eap: Continuing tunnel setup (9) [eap] = ok (9) } # authorize = ok (9) Found Auth-Type = eap (9) # Executing group from file /etc/raddb/sites-enabled/default (9) authenticate { (9) eap: Expiring EAP session with state 0xb5af7c78b5a66689 (9) eap: Finished EAP session with state 0x6aa216d562ab0fbf (9) eap: Previous EAP request found for state 0x6aa216d562ab0fbf, released from the list (9) eap: Peer sent packet with method EAP PEAP (25) (9) eap: Calling submodule eap_peap to process data (9) eap_peap: Continuing EAP-TLS (9) eap_peap: [eaptls verify] = ok (9) eap_peap: Done initial handshake (9) eap_peap: [eaptls process] = ok (9) eap_peap: Session established. Decoding tunneled attributes (9) eap_peap: PEAP state phase2 (9) eap_peap: EAP method MSCHAPv2 (26) (9) eap_peap: Got tunneled request (9) eap_peap: EAP-Message = 0x020900441a0209003f31048bd0d906cf0bc9dc125a8b6a3a065f00000000000000009b2a6af5d7787c8c36e1b09356339ba3ec6a8acbf2be654b0074657374312e76706e (9) eap_peap: Setting User-Name to test1.vpn (9) eap_peap: Sending tunneled request to inner-tunnel (9) eap_peap: EAP-Message = 0x020900441a0209003f31048bd0d906cf0bc9dc125a8b6a3a065f00000000000000009b2a6af5d7787c8c36e1b09356339ba3ec6a8acbf2be654b0074657374312e76706e (9) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (9) eap_peap: User-Name = "test1.vpn" (9) eap_peap: State = 0xb5af7c78b5a66689306ef54310c66f70 (9) Virtual server inner-tunnel received request (9) EAP-Message = 0x020900441a0209003f31048bd0d906cf0bc9dc125a8b6a3a065f00000000000000009b2a6af5d7787c8c36e1b09356339ba3ec6a8acbf2be654b0074657374312e76706e (9) FreeRADIUS-Proxied-To = 127.0.0.1 (9) User-Name = "test1.vpn" (9) State = 0xb5af7c78b5a66689306ef54310c66f70 (9) WARNING: Outer and inner identities are the same. User privacy is compromised. (9) server inner-tunnel { (9) session-state: No cached attributes (9) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (9) authorize { (9) policy filter_username { (9) if (&User-Name) { (9) if (&User-Name) -> TRUE (9) if (&User-Name) { (9) if (&User-Name =~ / /) { (9) if (&User-Name =~ / /) -> FALSE (9) if (&User-Name =~ /@[^@]*@/ ) { (9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (9) if (&User-Name =~ /\.\./ ) { (9) if (&User-Name =~ /\.\./ ) -> FALSE (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (9) if (&User-Name =~ /\.$/) { (9) if (&User-Name =~ /\.$/) -> FALSE (9) if (&User-Name =~ /@\./) { (9) if (&User-Name =~ /@\./) -> FALSE (9) } # if (&User-Name) = notfound (9) } # policy filter_username = notfound (9) [mschap] = noop (9) eap: Peer sent EAP Response (code 2) ID 9 length 68 (9) eap: No EAP Start, assuming it's an on-going EAP conversation (9) [eap] = updated (9) [files] = noop (9) [expiration] = noop (9) [logintime] = noop Not doing PAP as Auth-Type is already set. (9) [pap] = noop (9) } # authorize = updated (9) Found Auth-Type = eap (9) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (9) authenticate { (9) eap: Expiring EAP session with state 0xb5af7c78b5a66689 (9) eap: Finished EAP session with state 0xb5af7c78b5a66689 (9) eap: Previous EAP request found for state 0xb5af7c78b5a66689, released from the list (9) eap: Peer sent packet with method EAP MSCHAPv2 (26) (9) eap: Calling submodule eap_mschapv2 to process data (9) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (9) eap_mschapv2: authenticate { (9) mschap: Creating challenge hash with username: test1.vpn (9) mschap: Client is using MS-CHAPv2 (9) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 --username=%{mschap:User-Name} --domain=BRANCHET --challenge=%{mschap:Challenge:-01} --nt-response=%{mschap:NT-Response:-00}: (9) mschap: EXPAND --username=%{mschap:User-Name} (9) mschap: --> --username=test1.vpn (9) mschap: Creating challenge hash with username: test1.vpn (9) mschap: EXPAND --challenge=%{mschap:Challenge:-01} (9) mschap: --> --challenge=578147340978c207 (9) mschap: EXPAND --nt-response=%{mschap:NT-Response:-00} (9) mschap: --> --nt-response=9b2a6af5d7787c8c36e1b09356339ba3ec6a8acbf2be654b lpcfg_do_global_parameter: WARNING: The "domain logons" option is deprecated added interface ens3 ip=172.16.10.111 bcast=172.16.10.255 netmask=255.255.255.0 added interface ens4 ip=X.X.X.X bcast=X.X.X.X netmask=255.255.255.224 lp_load_ex: refreshing parameters Initialising global parameters rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384) Processing section "[global]" lpcfg_do_global_parameter: WARNING: The "domain logons" option is deprecated added interface ens3 ip=172.16.10.111 bcast=172.16.10.255 netmask=255.255.255.0 added interface ens4 ip=X.X.X.X bcast=X.X.X.X netmask=255.255.255.224 lp_load_ex: refreshing parameters Initialising global parameters rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384) Processing section "[global]" lpcfg_do_global_parameter: WARNING: The "domain logons" option is deprecated added interface ens3 ip=172.16.10.111 bcast=172.16.10.255 netmask=255.255.255.0 added interface ens4 ip=X.X.X.X bcast=X.X.X.X netmask=255.255.255.224 (9) mschap: Program returned code (0) and output 'NT_KEY: 6F5564CE191F31EAC91AE7DAFA4E36FE' (9) mschap: Adding MS-CHAPv2 MPPE keys (9) eap_mschapv2: [mschap] = ok (9) eap_mschapv2: } # authenticate = ok (9) eap_mschapv2: MSCHAP Success (9) eap: Sending EAP Request (code 1) ID 10 length 51 (9) eap: EAP session adding &reply:State = 0xb5af7c78b4a56689 (9) [eap] = handled (9) } # authenticate = handled (9) } # server inner-tunnel (9) Virtual server sending reply (9) EAP-Message = 0x010a00331a0309002e533d46383132373533393846324338373131353643444443333330463841323639363744364137373436 (9) Message-Authenticator = 0x00000000000000000000000000000000 (9) State = 0xb5af7c78b4a56689306ef54310c66f70 (9) eap_peap: Got tunneled reply code 11 (9) eap_peap: EAP-Message = 0x010a00331a0309002e533d46383132373533393846324338373131353643444443333330463841323639363744364137373436 (9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (9) eap_peap: State = 0xb5af7c78b4a56689306ef54310c66f70 (9) eap_peap: Got tunneled reply RADIUS code 11 (9) eap_peap: EAP-Message = 0x010a00331a0309002e533d46383132373533393846324338373131353643444443333330463841323639363744364137373436 (9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (9) eap_peap: State = 0xb5af7c78b4a56689306ef54310c66f70 (9) eap_peap: Got tunneled Access-Challenge (9) eap: Sending EAP Request (code 1) ID 10 length 82 (9) eap: EAP session adding &reply:State = 0x6aa216d563a80fbf (9) [eap] = handled (9) } # authenticate = handled (9) Using Post-Auth-Type Challenge (9) Post-Auth-Type sub-section not found. Ignoring. (9) # Executing group from file /etc/raddb/sites-enabled/default (9) session-state: Saving cached attributes (9) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (9) TLS-Session-Version = "TLS 1.2" (9) Sent Access-Challenge Id 220 from 172.16.10.111:1812 to 172.16.10.111:47079 length 0 (9) EAP-Message = 0x010a005219001703030047af9cbe4ad48a36f200cc2406e608e52bf7ca0116a6a6ad1c82837ff257670d9493de1d036022b1d203ec1b0ae8eafe1f394197f42c44488b5c18f803c8044e550e72240fd51805 (9) Message-Authenticator = 0x00000000000000000000000000000000 (9) State = 0x6aa216d563a80fbf987ea9fae6cd4048 (9) Finished request Waking up in 4.7 seconds. (10) Received Access-Request Id 221 from 172.16.10.111:47079 to 172.16.10.111:1812 length 209 (10) User-Name = "test1.vpn" (10) NAS-Port-Type = Virtual (10) Service-Type = Framed-User (10) NAS-Port = 3 (10) NAS-Port-Id = "test1.vpn" (10) NAS-IP-Address = X.X.X.X (10) Called-Station-Id = "X.X.X.X[4500]" (10) Calling-Station-Id = "X.X.X.X[4500]" (10) Acct-Session-Id = "1654086146-3" (10) EAP-Message = 0x020a00251900170303001a00000000000000036997b7ebc43aa9f223d249567570b31c76a8 (10) NAS-Identifier = "strongSwan" (10) State = 0x6aa216d563a80fbf987ea9fae6cd4048 (10) Message-Authenticator = 0xa363ba931cbea130a76c5684496de326 (10) Restoring &session-state (10) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (10) &session-state:TLS-Session-Version = "TLS 1.2" (10) # Executing section authorize from file /etc/raddb/sites-enabled/default (10) authorize { (10) [files] = noop (10) [preprocess] = ok (10) [mschap] = noop (10) eap: Peer sent EAP Response (code 2) ID 10 length 37 (10) eap: Continuing tunnel setup (10) [eap] = ok (10) } # authorize = ok (10) Found Auth-Type = eap (10) # Executing group from file /etc/raddb/sites-enabled/default (10) authenticate { (10) eap: Expiring EAP session with state 0xb5af7c78b4a56689 (10) eap: Finished EAP session with state 0x6aa216d563a80fbf (10) eap: Previous EAP request found for state 0x6aa216d563a80fbf, released from the list (10) eap: Peer sent packet with method EAP PEAP (25) (10) eap: Calling submodule eap_peap to process data (10) eap_peap: Continuing EAP-TLS (10) eap_peap: [eaptls verify] = ok (10) eap_peap: Done initial handshake (10) eap_peap: [eaptls process] = ok (10) eap_peap: Session established. Decoding tunneled attributes (10) eap_peap: PEAP state phase2 (10) eap_peap: EAP method MSCHAPv2 (26) (10) eap_peap: Got tunneled request (10) eap_peap: EAP-Message = 0x020a00061a03 (10) eap_peap: Setting User-Name to test1.vpn (10) eap_peap: Sending tunneled request to inner-tunnel (10) eap_peap: EAP-Message = 0x020a00061a03 (10) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (10) eap_peap: User-Name = "test1.vpn" (10) eap_peap: State = 0xb5af7c78b4a56689306ef54310c66f70 (10) Virtual server inner-tunnel received request (10) EAP-Message = 0x020a00061a03 (10) FreeRADIUS-Proxied-To = 127.0.0.1 (10) User-Name = "test1.vpn" (10) State = 0xb5af7c78b4a56689306ef54310c66f70 (10) WARNING: Outer and inner identities are the same. User privacy is compromised. (10) server inner-tunnel { (10) session-state: No cached attributes (10) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (10) authorize { (10) policy filter_username { (10) if (&User-Name) { (10) if (&User-Name) -> TRUE (10) if (&User-Name) { (10) if (&User-Name =~ / /) { (10) if (&User-Name =~ / /) -> FALSE (10) if (&User-Name =~ /@[^@]*@/ ) { (10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (10) if (&User-Name =~ /\.\./ ) { (10) if (&User-Name =~ /\.\./ ) -> FALSE (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (10) if (&User-Name =~ /\.$/) { (10) if (&User-Name =~ /\.$/) -> FALSE (10) if (&User-Name =~ /@\./) { (10) if (&User-Name =~ /@\./) -> FALSE (10) } # if (&User-Name) = notfound (10) } # policy filter_username = notfound (10) [mschap] = noop (10) eap: Peer sent EAP Response (code 2) ID 10 length 6 (10) eap: No EAP Start, assuming it's an on-going EAP conversation (10) [eap] = updated (10) [files] = noop (10) [expiration] = noop (10) [logintime] = noop Not doing PAP as Auth-Type is already set. (10) [pap] = noop (10) } # authorize = updated (10) Found Auth-Type = eap (10) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (10) authenticate { (10) eap: Expiring EAP session with state 0xb5af7c78b4a56689 (10) eap: Finished EAP session with state 0xb5af7c78b4a56689 (10) eap: Previous EAP request found for state 0xb5af7c78b4a56689, released from the list (10) eap: Peer sent packet with method EAP MSCHAPv2 (26) (10) eap: Calling submodule eap_mschapv2 to process data (10) eap: Sending EAP Success (code 3) ID 10 length 4 (10) eap: Freeing handler (10) [eap] = ok (10) } # authenticate = ok (10) # Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel (10) } # server inner-tunnel (10) Virtual server sending reply (10) MS-MPPE-Encryption-Policy = Encryption-Allowed (10) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (10) MS-MPPE-Send-Key = 0x38f00ae461f810993896a387f0103cae (10) MS-MPPE-Recv-Key = 0xb9343e513345bafd0f237fec4de02f9d (10) EAP-Message = 0x030a0004 (10) Message-Authenticator = 0x00000000000000000000000000000000 (10) User-Name = "test1.vpn" (10) eap_peap: Got tunneled reply code 2 (10) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed (10) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (10) eap_peap: MS-MPPE-Send-Key = 0x38f00ae461f810993896a387f0103cae (10) eap_peap: MS-MPPE-Recv-Key = 0xb9343e513345bafd0f237fec4de02f9d (10) eap_peap: EAP-Message = 0x030a0004 (10) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (10) eap_peap: User-Name = "test1.vpn" (10) eap_peap: Got tunneled reply RADIUS code 2 (10) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed (10) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (10) eap_peap: MS-MPPE-Send-Key = 0x38f00ae461f810993896a387f0103cae (10) eap_peap: MS-MPPE-Recv-Key = 0xb9343e513345bafd0f237fec4de02f9d (10) eap_peap: EAP-Message = 0x030a0004 (10) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (10) eap_peap: User-Name = "test1.vpn" (10) eap_peap: Tunneled authentication was successful (10) eap_peap: SUCCESS (10) eap: Sending EAP Request (code 1) ID 11 length 46 (10) eap: EAP session adding &reply:State = 0x6aa216d560a90fbf (10) [eap] = handled (10) } # authenticate = handled (10) Using Post-Auth-Type Challenge (10) Post-Auth-Type sub-section not found. Ignoring. (10) # Executing group from file /etc/raddb/sites-enabled/default (10) session-state: Saving cached attributes (10) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (10) TLS-Session-Version = "TLS 1.2" (10) Sent Access-Challenge Id 221 from 172.16.10.111:1812 to 172.16.10.111:47079 length 0 (10) EAP-Message = 0x010b002e19001703030023af9cbe4ad48a36f35cb384eb93f8c567b161c1bd7d269ba5882c40b425d5243b03aaad (10) Message-Authenticator = 0x00000000000000000000000000000000 (10) State = 0x6aa216d560a90fbf987ea9fae6cd4048 (10) Finished request Waking up in 4.7 seconds. (11) Received Access-Request Id 222 from 172.16.10.111:47079 to 172.16.10.111:1812 length 218 (11) User-Name = "test1.vpn" (11) NAS-Port-Type = Virtual (11) Service-Type = Framed-User (11) NAS-Port = 3 (11) NAS-Port-Id = "test1.vpn" (11) NAS-IP-Address =X.X.X.X (11) Called-Station-Id = "X.X.X.X[4500]" (11) Calling-Station-Id = "X.X.X.X[4500]" (11) Acct-Session-Id = "1654086146-3" (11) EAP-Message = 0x020b002e190017030300230000000000000004c7753a144d7875cf1f9f774ec59202fa053603eb1b3e706bb2e274 (11) NAS-Identifier = "strongSwan" (11) State = 0x6aa216d560a90fbf987ea9fae6cd4048 (11) Message-Authenticator = 0x167bcc052f0017f11a83525b00cf4925 (11) Restoring &session-state (11) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (11) &session-state:TLS-Session-Version = "TLS 1.2" (11) # Executing section authorize from file /etc/raddb/sites-enabled/default (11) authorize { (11) [files] = noop (11) [preprocess] = ok (11) [mschap] = noop (11) eap: Peer sent EAP Response (code 2) ID 11 length 46 (11) eap: Continuing tunnel setup (11) [eap] = ok (11) } # authorize = ok (11) Found Auth-Type = eap (11) # Executing group from file /etc/raddb/sites-enabled/default (11) authenticate { (11) eap: Expiring EAP session with state 0x6aa216d560a90fbf (11) eap: Finished EAP session with state 0x6aa216d560a90fbf (11) eap: Previous EAP request found for state 0x6aa216d560a90fbf, released from the list (11) eap: Peer sent packet with method EAP PEAP (25) (11) eap: Calling submodule eap_peap to process data (11) eap_peap: Continuing EAP-TLS (11) eap_peap: [eaptls verify] = ok (11) eap_peap: Done initial handshake (11) eap_peap: [eaptls process] = ok (11) eap_peap: Session established. Decoding tunneled attributes (11) eap_peap: PEAP state send tlv success (11) eap_peap: Received EAP-TLV response (11) eap_peap: Success (11) eap: Sending EAP Success (code 3) ID 11 length 4 (11) eap: Freeing handler (11) [eap] = ok (11) } # authenticate = ok (11) # Executing section post-auth from file /etc/raddb/sites-enabled/default (11) post-auth { (11) policy remove_reply_message_if_eap { (11) if (&reply:EAP-Message && &reply:Reply-Message) { (11) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (11) else { (11) [noop] = noop (11) } # else = noop (11) } # policy remove_reply_message_if_eap = noop (11) } # post-auth = noop (11) Sent Access-Accept Id 222 from 172.16.10.111:1812 to 172.16.10.111:47079 length 0 (11) MS-MPPE-Recv-Key = 0xfbbfa1eb5d9e5f987d2f628b5ff6b79a3640ff3a061dd1feaf86725d22d772f4 (11) MS-MPPE-Send-Key = 0x8417c69e87eaf761ea94f5348adb9f0d5101b513fe918c81a5953b73997c04a6 (11) EAP-Message = 0x030b0004 (11) Message-Authenticator = 0x00000000000000000000000000000000 (11) User-Name = "test1.vpn" (11) Finished request Waking up in 4.7 seconds. (12) Received Accounting-Request Id 223 from 172.16.10.111:42384 to 172.16.10.111:1813 length 140 (12) Acct-Status-Type = Start (12) Acct-Session-Id = "1654086146-3" (12) NAS-Port-Type = Virtual (12) Service-Type = Framed-User (12) NAS-Port = 3 (12) NAS-Port-Id = "test1.vpn" (12) NAS-IP-Address =X.X.X.X (12) Called-Station-Id = "X.X.X.X[4500]" (12) Calling-Station-Id = "X.X.X.X[4500]" (12) User-Name = "test1.vpn" (12) NAS-Identifier = "strongSwan" (12) # Executing section preacct from file /etc/raddb/sites-enabled/default (12) preacct { (12) [files] = noop (12) [preprocess] = ok (12) policy acct_unique { (12) update request { (12) &Tmp-String-9 := "ai:" (12) } # update request = noop (12) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) { (12) EXPAND %{hex:&Class} (12) --> (12) EXPAND ^%{hex:&Tmp-String-9} (12) --> ^61693a (12) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE (12) else { (12) update request { (12) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}} (12) --> a6b8d5646c70fd58db892395d8013f10 (12) &Acct-Unique-Session-Id := a6b8d5646c70fd58db892395d8013f10 (12) } # update request = noop (12) } # else = noop (12) } # policy acct_unique = noop (12) } # preacct = ok (12) # Executing section accounting from file /etc/raddb/sites-enabled/default (12) accounting { (12) attr_filter.accounting_response: EXPAND %{User-Name} (12) attr_filter.accounting_response: --> test1.vpn (12) attr_filter.accounting_response: Matched entry DEFAULT at line 12 (12) [attr_filter.accounting_response] = updated (12) } # accounting = updated (12) Sent Accounting-Response Id 223 from 172.16.10.111:1813 to 172.16.10.111:42384 length 0 (12) Finished request (12) Cleaning up request packet ID 223 with timestamp +6 Waking up in 4.7 seconds. (13) Received Accounting-Request Id 224 from 172.16.10.111:42384 to 172.16.10.111:1813 length 176 (13) Acct-Status-Type = Stop (13) Acct-Session-Id = "1654086146-3" (13) NAS-Port-Type = Virtual (13) Service-Type = Framed-User (13) NAS-Port = 3 (13) NAS-Port-Id = "test1.vpn" (13) NAS-IP-Address =X.X.X.X (13) Called-Station-Id = "X.X.X.X[4500]" (13) Calling-Station-Id = "X.X.X.X[4500]" (13) User-Name = "test1.vpn" (13) Acct-Output-Octets = 0 (13) Acct-Output-Packets = 0 (13) Acct-Input-Octets = 0 (13) Acct-Input-Packets = 0 (13) Acct-Session-Time = 0 (13) Acct-Terminate-Cause = User-Request (13) NAS-Identifier = "strongSwan" (13) # Executing section preacct from file /etc/raddb/sites-enabled/default (13) preacct { (13) [files] = noop (13) [preprocess] = ok (13) policy acct_unique { (13) update request { (13) &Tmp-String-9 := "ai:" (13) } # update request = noop (13) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) { (13) EXPAND %{hex:&Class} (13) --> (13) EXPAND ^%{hex:&Tmp-String-9} (13) --> ^61693a (13) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE (13) else { (13) update request { (13) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}} (13) --> a6b8d5646c70fd58db892395d8013f10 (13) &Acct-Unique-Session-Id := a6b8d5646c70fd58db892395d8013f10 (13) } # update request = noop (13) } # else = noop (13) } # policy acct_unique = noop (13) } # preacct = ok (13) # Executing section accounting from file /etc/raddb/sites-enabled/default (13) accounting { (13) attr_filter.accounting_response: EXPAND %{User-Name} (13) attr_filter.accounting_response: --> test1.vpn (13) attr_filter.accounting_response: Matched entry DEFAULT at line 12 (13) [attr_filter.accounting_response] = updated (13) } # accounting = updated (13) Sent Accounting-Response Id 224 from 172.16.10.111:1813 to 172.16.10.111:42384 length 0 (13) Finished request (13) Cleaning up request packet ID 224 with timestamp +6 Waking up in 4.7 seconds. (0) Cleaning up request packet ID 211 with timestamp +5 (1) Cleaning up request packet ID 212 with timestamp +5 (2) Cleaning up request packet ID 213 with timestamp +5 (3) Cleaning up request packet ID 214 with timestamp +5 (4) Cleaning up request packet ID 215 with timestamp +5 (5) Cleaning up request packet ID 216 with timestamp +5 (6) Cleaning up request packet ID 217 with timestamp +5 (7) Cleaning up request packet ID 218 with timestamp +5 (8) Cleaning up request packet ID 219 with timestamp +5 Waking up in 0.1 seconds. (9) Cleaning up request packet ID 220 with timestamp +5 (10) Cleaning up request packet ID 221 with timestamp +6 (11) Cleaning up request packet ID 222 with timestamp +6 Ready to process requests I replaced the public IP address with X.X.X.X. Thanks in advance for any tips, or leads. Have a wonderful day.
On Jun 1, 2022, at 8:39 AM, Alexis Lacoste <alexislacoste2@gmail.com> wrote:
It is my first time asking a question on the freeradius mailing list, i excuse myself in advance of any error or bad interpretation. I'm using a VPN named strongswan that communicates with a freeradius using the eap-radius plugin. The radius is authenticated agaisn't a samba AD that authentifies clients using ntlm_auth and mschapv2. It is working great.
That's good.
Now, I want for the clients to get the IP address that I assign in the users.conf file. What I did was to create an user named test1.vpn in the LDAP, and use rightsourceip=%radius in the ipsec.conf file on strongswan. I gave him a framed ip address like this :
"test1.vpn" Framed-IP-Address == 10.10.10.6 Fall-Through = Yes
You don't need quotes on the name. And the check for Framed-IP-Address is checking if the packet contains Framed-IP-Address. It doesn't check the source IP of where the packet came from. And this entry doesn't do anything, because the reply list is empty. To check the source IP, you need to check Packet-Src-IP-Address. So the entry should look like: test1.vpn Packet-Src-IP-Address == 10.10.10.6 ... So what do you want to *do* when the "test1.vpn" user tries to authenticarte
The thing is, it doesn't work... It works great when, on the ipsec.conf file I put rightsourceip=10.10.10.1.
That's where the packets come from. Framed-IP-Address is something different.
The client gets the right framed-ip-address.
No. It uses the right *source* IP address.
But with %radius, I don't see the 10.10.10.6 ip address in the radius log and it makes an error on the strongswan since the client doesn't get a virtual IP address.
Here are the output of radiusd -X :
(0) Received Access-Request Id 211 from 172.16.10.111:47079 to 172.16.10.111:1812 length 168 (0) User-Name = "test1.vpn" (0) NAS-Port-Type = Virtual (0) Service-Type = Framed-User (0) NAS-Port = 3 (0) NAS-Port-Id = "test1.vpn" (0) NAS-IP-Address = X.X.X.X (0) Called-Station-Id = "X.X.X.X[4500]" (0) Calling-Station-Id = "X.X.X.X[4500]" (0) Acct-Session-Id = "1654086146-3" (0) EAP-Message = 0x0200000e0174657374312e76706e (0) NAS-Identifier = "strongSwan" (0) Message-Authenticator = 0xce4ddedff45a0a9bd69f9b913a963862
See? No Framed-IP-Address in the packet. And the packet is coming from 172.16.10.11, not from 10.10.10.6. Either fix your network so that it doesn't do this kind of NAT, or change the FreeRADIUS configuration to use the IP where the packet is *actually* coming from. And even then... if the user name and IP address match, what do you want to *do*? Do you want the user to be accepted, or rejected? or do you want the server to reply with some attributes in the reply? Alan DeKok.
Hello Alan, The thing is that the freeradius is on the same machine as the vpn server. it has the internal address (172.16.10.111) and the public one. The user needs to be accepted since the peap authentication succeed. What I want is for the user (test1.vpn) to get a static virtual IP address. I thought that I could do that using the Framed-IP-Address attribut by reading this : https://freeradius.org/rfc/rfc2865.html#Framed-IP-Address The VPN NAT all the trafic to the designed subnets, it's a roadwarrior situation. I now understand a bit on why it doesn't work, But I'm a bit lost on how to make it work... Best regards. Le mer. 1 juin 2022 à 14:48, Alan DeKok <aland@deployingradius.com> a écrit :
On Jun 1, 2022, at 8:39 AM, Alexis Lacoste <alexislacoste2@gmail.com> wrote:
It is my first time asking a question on the freeradius mailing list, i excuse myself in advance of any error or bad interpretation. I'm using a VPN named strongswan that communicates with a freeradius
using
the eap-radius plugin. The radius is authenticated agaisn't a samba AD that authentifies clients using ntlm_auth and mschapv2. It is working great.
That's good.
Now, I want for the clients to get the IP address that I assign in the users.conf file. What I did was to create an user named test1.vpn in the LDAP, and use rightsourceip=%radius in the ipsec.conf file on strongswan. I gave him a framed ip address like this :
"test1.vpn" Framed-IP-Address == 10.10.10.6 Fall-Through = Yes
You don't need quotes on the name. And the check for Framed-IP-Address is checking if the packet contains Framed-IP-Address. It doesn't check the source IP of where the packet came from.
And this entry doesn't do anything, because the reply list is empty.
To check the source IP, you need to check Packet-Src-IP-Address. So the entry should look like:
test1.vpn Packet-Src-IP-Address == 10.10.10.6 ...
So what do you want to *do* when the "test1.vpn" user tries to authenticarte
The thing is, it doesn't work... It works great when, on the ipsec.conf file I put rightsourceip=10.10.10.1.
That's where the packets come from. Framed-IP-Address is something different.
The client gets the right framed-ip-address.
No. It uses the right *source* IP address.
But with %radius, I don't see the 10.10.10.6 ip address in the radius log and it makes an error on the strongswan since the client doesn't get a virtual IP address.
Here are the output of radiusd -X :
(0) Received Access-Request Id 211 from 172.16.10.111:47079 to 172.16.10.111:1812 length 168 (0) User-Name = "test1.vpn" (0) NAS-Port-Type = Virtual (0) Service-Type = Framed-User (0) NAS-Port = 3 (0) NAS-Port-Id = "test1.vpn" (0) NAS-IP-Address = X.X.X.X (0) Called-Station-Id = "X.X.X.X[4500]" (0) Calling-Station-Id = "X.X.X.X[4500]" (0) Acct-Session-Id = "1654086146-3" (0) EAP-Message = 0x0200000e0174657374312e76706e (0) NAS-Identifier = "strongSwan" (0) Message-Authenticator = 0xce4ddedff45a0a9bd69f9b913a963862
See? No Framed-IP-Address in the packet.
And the packet is coming from 172.16.10.11, not from 10.10.10.6. Either fix your network so that it doesn't do this kind of NAT, or change the FreeRADIUS configuration to use the IP where the packet is *actually* coming from.
And even then... if the user name and IP address match, what do you want to *do*? Do you want the user to be accepted, or rejected? or do you want the server to reply with some attributes in the reply?
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 01.06.22 15:21, Alexis Lacoste wrote:
Hello Alan,
The thing is that the freeradius is on the same machine as the vpn server. it has the internal address (172.16.10.111) and the public one. The user needs to be accepted since the peap authentication succeed. What I want is for the user (test1.vpn) to get a static virtual IP address. I thought that I could do that using the Framed-IP-Address attribut by reading this : https://freeradius.org/rfc/rfc2865.html#Framed-IP-Address The VPN NAT all the trafic to the designed subnets, it's a roadwarrior situation.
I now understand a bit on why it doesn't work, But I'm a bit lost on how to make it work... Best regards.
Le mer. 1 juin 2022 à 14:48, Alan DeKok <aland@deployingradius.com> a écrit :
On Jun 1, 2022, at 8:39 AM, Alexis Lacoste <alexislacoste2@gmail.com> wrote:
It is my first time asking a question on the freeradius mailing list, i excuse myself in advance of any error or bad interpretation. I'm using a VPN named strongswan that communicates with a freeradius using the eap-radius plugin. The radius is authenticated agaisn't a samba AD that authentifies clients using ntlm_auth and mschapv2. It is working great. That's good.
Now, I want for the clients to get the IP address that I assign in the users.conf file. What I did was to create an user named test1.vpn in the LDAP, and use rightsourceip=%radius in the ipsec.conf file on strongswan. I gave him a framed ip address like this :
"test1.vpn" Framed-IP-Address == 10.10.10.6 Fall-Through = Yes You don't need quotes on the name. And the check for Framed-IP-Address is checking if the packet contains Framed-IP-Address. It doesn't check the source IP of where the packet came from.
And this entry doesn't do anything, because the reply list is empty.
To check the source IP, you need to check Packet-Src-IP-Address. So the entry should look like:
test1.vpn Packet-Src-IP-Address == 10.10.10.6 ...
So what do you want to *do* when the "test1.vpn" user tries to authenticarte
The thing is, it doesn't work... It works great when, on the ipsec.conf file I put rightsourceip=10.10.10.1. That's where the packets come from. Framed-IP-Address is something different.
The client gets the right framed-ip-address. No. It uses the right *source* IP address.
But with %radius, I don't see the 10.10.10.6 ip address in the radius log and it makes an error on the strongswan since the client doesn't get a virtual IP address.
Here are the output of radiusd -X :
(0) Received Access-Request Id 211 from 172.16.10.111:47079 to 172.16.10.111:1812 length 168 (0) User-Name = "test1.vpn" (0) NAS-Port-Type = Virtual (0) Service-Type = Framed-User (0) NAS-Port = 3 (0) NAS-Port-Id = "test1.vpn" (0) NAS-IP-Address = X.X.X.X (0) Called-Station-Id = "X.X.X.X[4500]" (0) Calling-Station-Id = "X.X.X.X[4500]" (0) Acct-Session-Id = "1654086146-3" (0) EAP-Message = 0x0200000e0174657374312e76706e (0) NAS-Identifier = "strongSwan" (0) Message-Authenticator = 0xce4ddedff45a0a9bd69f9b913a963862 See? No Framed-IP-Address in the packet.
And the packet is coming from 172.16.10.11, not from 10.10.10.6. Either fix your network so that it doesn't do this kind of NAT, or change the FreeRADIUS configuration to use the IP where the packet is *actually* coming from.
And even then... if the user name and IP address match, what do you want to *do*? Do you want the user to be accepted, or rejected? or do you want the server to reply with some attributes in the reply?
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
The Framed-IP-Address attribute is not seen in the Access-Accept packet that the VPN server sees. You have to copy it from the answer of the inner-tunnel server to the outer default server. See the config of FR. See option "use_tunneled_reply" If you want to assign static IP addresses to specific users, you can do this in post-processing of FR. No need to define specific connections in strongswan. Mit freundlichen Grüßen, -- [*] sys4 AG https://sys4.de, +49 (89) 30 90 46 64 Schleißheimer Straße 26/MG,80333 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief Aufsichtsratsvorsitzender: Florian Kirstein
On Jun 1, 2022, at 9:21 AM, Alexis Lacoste <alexislacoste2@gmail.com> wrote:
The thing is that the freeradius is on the same machine as the vpn server. it has the internal address (172.16.10.111) and the public one.
That doesn't matter. As I said: a) leave your network alone, and fix FreeRADIUS to use the IPs supplied by the network b) leave FreeRADIUS alone, and fix your network to use the IPs you expect Pick one. FreeRADIUS doesn't control the networking configuration on the OS. So if the packets come from the "wrong" IP address, nothing you do to FreeRADIUS will change the source IP of the UDP packets.
The user needs to be accepted since the peap authentication succeed. What I want is for the user (test1.vpn) to get a static virtual IP address.
You want FreeRADIUS to *reply* with a static IP address.
I thought that I could do that using the Framed-IP-Address attribut by reading this : https://freeradius.org/rfc/rfc2865.html#Framed-IP-Address The VPN NAT all the trafic to the designed subnets, it's a roadwarrior situation.
Yes, Framed-IP-Address is the correct attribute to use. But you're not *checking* for the existence of the Framed-IP-Address attribute. You're *adding* it to the reply. See "man users", which is the documentation for the "users" file you were editing. This is made very clear. If you read the rest of the file you were editing (mods-config/files/authorize), you will see references to Framed-IP-Address. These are examples of how to reply with a Framed-IP-Address. Alan DeKok.
Thanks for the answers Alan and Michael. I corrected my error in the users.conf file after reading the man users. I put Service-Type = Framed-User before the Framed-IP-Address attribut. I understood that there are reply items and check items, and that check items are always at the beginning. It works perfectly now. Best regards. Le mer. 1 juin 2022 à 15:51, Alan DeKok <aland@deployingradius.com> a écrit :
On Jun 1, 2022, at 9:21 AM, Alexis Lacoste <alexislacoste2@gmail.com> wrote:
The thing is that the freeradius is on the same machine as the vpn server. it has the internal address (172.16.10.111) and the public one.
That doesn't matter. As I said:
a) leave your network alone, and fix FreeRADIUS to use the IPs supplied by the network
b) leave FreeRADIUS alone, and fix your network to use the IPs you expect
Pick one.
FreeRADIUS doesn't control the networking configuration on the OS. So if the packets come from the "wrong" IP address, nothing you do to FreeRADIUS will change the source IP of the UDP packets.
The user needs to be accepted since the peap authentication succeed. What I want is for the user (test1.vpn) to get a static virtual IP address.
You want FreeRADIUS to *reply* with a static IP address.
I thought that I could do that using the Framed-IP-Address attribut by reading this : https://freeradius.org/rfc/rfc2865.html#Framed-IP-Address The VPN NAT all the trafic to the designed subnets, it's a roadwarrior situation.
Yes, Framed-IP-Address is the correct attribute to use. But you're not *checking* for the existence of the Framed-IP-Address attribute. You're *adding* it to the reply.
See "man users", which is the documentation for the "users" file you were editing. This is made very clear.
If you read the rest of the file you were editing (mods-config/files/authorize), you will see references to Framed-IP-Address. These are examples of how to reply with a Framed-IP-Address.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Alexis Lacoste -
Michael Schwartzkopff