modify NAS-Port in incoming messages
Alan DeKok
aland at deployingradius.com
Mon Dec 26 14:26:35 UTC 2022
On Dec 25, 2022, at 7:37 PM, Volodymyr Litovka via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> I'm trying to use Freeradius with Strongswan and have an issue with "registering" user sessions. In short, upon IPSec session reconfiguring (to be more precise - IKE_SA rekeying) Strongswan changes the NAS-Port attribute and, thus, FreeRadius, upon receiving the next Interim-Update with another NAS-Port value, considers it a new session and creates a new entry in the radutmp db, so finally I have the following (TTY is NAS-Port received from NAS):
The real solution is to fix Strongswan so that it sends the same NAS-Port in all accounting packets.
> which makes it impossible to use Simultaneous-Use. There is an attribute which does not change during IKE_SA rekey - Acct-Session-Id - and I'd like to use it instead of Nas-Port to identify this session, but have two issues:
>
> - the statement (added to preacct section of 'default' site):
>
> update request {
>     NAS-Port = %{integer:%{base64:&Acct-Session-Id}}
> }
>
> gives an error:
>
> /etc/freeradius/3.0/sites-enabled/default[610]: Unknown or invalid value "%{integer:%{base64:&Acct-Session-Id}}" for attribute NAS-Port
Yes... The documentation says expansions belong in a double-quoted string. You can't just invent syntax and make it work.
> while if using double quotes `... = "%{integer...}"` converts the value improperly:
Well, no. I think that the real problem is that the base64 expansion isn't doing anything useful. For reasons which don't matter here.
> - and nevertheless, in the second case accounting records in the 'details' file contain the original NAS-Port value:
Yes. The '=' operator doesn't overwrite existing attributes. This is documented. See "man unlang".
> - what is the correct way to uniquely convert a string to an integer?
Make sure that the string is a valid integer.
> - whether it's possible to mangle NAS-Port attribute to achieve what I need?
You can rewrite the NAS-Port to any value you want. But that rewrite has to make sense, and has to follow the documentation on how the server works.
The problem here is that StrongSwan is sending the server garbage data, and you're trying to figure out a way to "fix" it in FreeRADIUS. While this might work sometimes, it's not really a long-term solution. The correct fix is to make StrongSwan behave properly.
So the solution here is really to figure out how to get a consistent NAS-Port value for a particular session, AND a value which is different for every session. If the Acct-Session-Id value is the same across all packets for one session, then you can use that.
I'd suggest this:
    preacct {
        update request {
            # Hash of the session id and user name: stable across IKE_SA
            # rekeys, different for every session.
            Tmp-Octets-0 := "%{md5:%{Acct-Session-Id}%{User-Name}}"
            # ':=' overwrites the NAS-Port sent by the NAS; '=' would not.
            NAS-Port := "%{integer:&Tmp-Octets-0}"
        }
        ...
    }
That should work.
Alan DeKok.
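As an added illustration (not code from the thread or from FreeRADIUS), the following Python mirrors the suggested approach: derive the NAS-Port from Acct-Session-Id plus User-Name and compare how a radutmp-style session table behaves when keyed on the NAS-Port as sent versus the derived one. The accounting records are constructed, and the MD5 digest is truncated to its first 4 bytes so the result fits NAS-Port's 32-bit range (an assumption of this example, not something the reply states).

```python
import hashlib

# NAS-Port is a 32-bit RADIUS integer (RFC 2865), so only the first 4
# bytes of the 16-byte MD5 digest are kept (assumption of this example).
def derive_nas_port(acct_session_id: str, user_name: str) -> int:
    digest = hashlib.md5((acct_session_id + user_name).encode()).digest()
    return int.from_bytes(digest[:4], "big")

# Constructed Interim-Update records: one IPsec session whose NAS-Port
# changes at IKE_SA rekey, plus a second, genuinely separate session.
RECORDS = [
    {"User-Name": "alice", "Acct-Session-Id": "sess-0001", "NAS-Port": 7},
    {"User-Name": "alice", "Acct-Session-Id": "sess-0001", "NAS-Port": 12},  # after rekey
    {"User-Name": "alice", "Acct-Session-Id": "sess-0002", "NAS-Port": 3},
]

def raw_port(record: dict) -> int:
    """Key used when NAS-Port is taken as the NAS sent it."""
    return record["NAS-Port"]

def stable_port(record: dict) -> int:
    """Key used after rewriting NAS-Port from the session id."""
    return derive_nas_port(record["Acct-Session-Id"], record["User-Name"])

def active_sessions(records, key_func) -> set:
    """Emulate radutmp-style tracking: one entry per distinct (user, port)."""
    return {(r["User-Name"], key_func(r)) for r in records}

def session_counts(records=RECORDS) -> tuple:
    """(sessions seen with raw NAS-Port, sessions seen with derived NAS-Port)."""
    return (len(active_sessions(records, raw_port)),
            len(active_sessions(records, stable_port)))

if __name__ == "__main__":
    raw, stable = session_counts()
    print(f"keyed on NAS-Port as sent:   {raw} sessions (only 2 are real)")
    print(f"keyed on derived NAS-Port:   {stable} sessions")
```

The raw key counts the rekeyed session twice, which is exactly what breaks Simultaneous-Use; the derived key collapses both Interim-Updates into one entry.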