modify NAS-Port in incoming messages

Volodymyr Litovka doka at funlab.cc
Mon Dec 26 00:37:20 UTC 2022


Hi colleagues,

I'm trying to use FreeRADIUS with strongSwan and have an issue with 
"registering" user sessions. In short, upon IPsec session reconfiguring 
(to be more precise, IKE_SA rekeying) strongSwan changes the NAS-Port 
attribute and, thus, FreeRADIUS, upon receiving the next Interim-Update 
with another NAS-Port value, considers it a new session and creates a new 
entry in the radutmp db, so finally I have the following (TTY is the NAS-Port 
received from the NAS):

root at vpn01:/etc/freeradius/3.0# radwho
Login      Name          What  TTY  When      From        Location
doka       doka              shell S3   Sun 22:44 xxx.xxx.xx.xx 100.100.2.1
doka       doka              shell S4   Sun 22:53 xxx.xxx.xx.xx 100.100.2.1
doka       doka              shell S5   Sun 23:03 xxx.xxx.xx.xx 100.100.2.1
doka       doka              shell S6   Sun 23:12 xxx.xxx.xx.xx 100.100.2.1
doka       doka              shell S12  Sun 23:27 xxx.xxx.xx.xx 100.100.2.1
doka       doka              shell S15  Sun 23:35 xxx.xxx.xx.xx 100.100.2.1
doka       doka              shell S18  Sun 23:40 xxx.xxx.xx.xx 100.100.2.1
doka       doka              shell S19  Sun 23:51 xxx.xxx.xx.xx 100.100.2.1

which makes it impossible to use Simultaneous-Use. There is an attribute 
which does not change during IKE_SA rekey, Acct-Session-Id, and I'd like 
to use it instead of NAS-Port to identify this session, but I have two issues:

- the statement (added to preacct section of 'default' site):

         update request {
                 NAS-Port = %{integer:%{base64:&Acct-Session-Id}}
         }

gives an error:

/etc/freeradius/3.0/sites-enabled/default[610]: Unknown or invalid value 
"%{integer:%{base64:&Acct-Session-Id}}" for attribute NAS-Port

while using double quotes (`... = "%{integer...}"`) converts the value 
improperly:

(3) # Executing section preacct from file 
/etc/freeradius/3.0/sites-enabled/default
(3)   preacct {
(3)     [preprocess] = ok
(3)     update request {
*(3)       EXPAND %{integer:%{base64:&Acct-Session-Id}}*
(3)          -->
*(3)       NAS-Port = 0*
(3)     } # update request = noop

- and nevertheless, in the second case the accounting records in the 'details' file 
contain the original NAS-Port value:

Mon Dec 26 00:17:19 2022
         Acct-Status-Type = Interim-Update
         Acct-Session-Id = "1672007843-24"
         Class = 0x70667367726f7570
         NAS-Port-Type = Virtual
         Service-Type = Framed-User
*NAS-Port = 25*

and radutmp continues to expand the list of connections with the original 
NAS-Port value:

doka       doka              shell *S24*  Mon 00:14 xxx.xxx.xx.xx 100.100.2.1
doka       doka              shell *S25*  Mon 00:24 xxx.xxx.xx.xx 100.100.2.1

So, there are two questions:

- what is the correct way to uniquely convert a string to an integer?
- is it possible to mangle the NAS-Port attribute to achieve what I need?

Thank you!

Have nice holidays and a happy new year :-)

-- 
Volodymyr Litovka
   "Vision without Execution is Hallucination." -- Thomas Edison
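As an added example, not code from the post or from FreeRADIUS: a small Python replay of constructed accounting packets showing why a radutmp-style table keyed on NAS-Port grows by one entry per IKE_SA rekey while one keyed on Acct-Session-Id does not, plus one way to fold an Acct-Session-Id string into the 32-bit range that NAS-Port carries on the wire. The packet values, the CRC32 mapping and all function names are assumptions made for this illustration.

```python
import zlib

# Constructed sample accounting packets, modelled on the post: Acct-Session-Id
# stays fixed across IKE_SA rekeys while NAS-Port changes on every rekey.
SAMPLE_PACKETS = [
    {"User-Name": "doka", "Acct-Status-Type": "Start",
     "Acct-Session-Id": "1672007843-24", "NAS-Port": 24},
    {"User-Name": "doka", "Acct-Status-Type": "Interim-Update",
     "Acct-Session-Id": "1672007843-24", "NAS-Port": 25},
    {"User-Name": "doka", "Acct-Status-Type": "Interim-Update",
     "Acct-Session-Id": "1672007843-24", "NAS-Port": 26},
    {"User-Name": "doka", "Acct-Status-Type": "Start",
     "Acct-Session-Id": "1672009999-7", "NAS-Port": 27},
    {"User-Name": "doka", "Acct-Status-Type": "Stop",
     "Acct-Session-Id": "1672009999-7", "NAS-Port": 27},
]

def session_id_to_port(session_id: str) -> int:
    """Map an Acct-Session-Id string to a stable 32-bit integer.

    NAS-Port is a 4-octet integer on the wire (RFC 2865), so a string that is
    not already a number must be hashed down; CRC32 is deterministic and fits
    exactly, though collisions are possible with many sessions (assumed mapping)."""
    return zlib.crc32(session_id.encode("utf-8")) & 0xFFFFFFFF

def session_key(pkt: dict, by_session_id: bool) -> tuple:
    """Key a session by Acct-Session-Id (stable) or by NAS-Port (changes)."""
    if by_session_id:
        return (pkt["User-Name"], pkt["Acct-Session-Id"])
    return (pkt["User-Name"], pkt["NAS-Port"])

def live_session_counts(packets: list, by_session_id: bool) -> dict:
    """Replay packets into a radutmp-like table; return {user: live sessions}."""
    live = {}
    for pkt in packets:
        key = session_key(pkt, by_session_id)
        if pkt["Acct-Status-Type"] == "Stop":
            live.pop(key, None)  # Stop closes the session
        else:  # Start / Interim-Update keep it live
            live[key] = pkt
    counts = {}
    for user, _ in live:
        counts[user] = counts.get(user, 0) + 1
    return counts

def over_simultaneous_use(packets, user, limit, by_session_id=True) -> bool:
    """True if the user's live session count exceeds a Simultaneous-Use limit."""
    return live_session_counts(packets, by_session_id).get(user, 0) > limit
```

Keyed on NAS-Port the one real session counts as three live entries after two rekeys, so a Simultaneous-Use limit of 1 rejects the user; keyed on Acct-Session-Id it counts as one.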

