Freeradius Framed-IP-Address not working with strongswan

Alan DeKok aland at
Wed Jun 1 12:48:25 UTC 2022

On Jun 1, 2022, at 8:39 AM, Alexis Lacoste <alexislacoste2 at> wrote:
> It is my first time asking a question on the freeradius mailing list, I
> excuse myself in advance of any error or bad interpretation.
> I'm using a VPN named strongswan that communicates with a freeradius using
> the eap-radius plugin. The radius is authenticated against a samba AD that
> authenticates clients using ntlm_auth and mschapv2. It is working great.

  That's good.

> Now, I want for the clients to get the IP address that I assign in the
> users.conf file. What I did was to create a user named test1.vpn in the
> LDAP, and use rightsourceip=%radius in the ipsec.conf file on strongswan. I
> gave him a framed ip address like this :
> "test1.vpn"     Framed-IP-Address ==
>                Fall-Through = Yes

  You don't need quotes on the name.  And the check for Framed-IP-Address is checking if the packet contains Framed-IP-Address.  It doesn't check the source IP of where the packet came from.

  And this entry doesn't do anything, because the reply list is empty.

  To check the source IP, you need to check Packet-Src-IP-Address.  So the entry should look like:

test1.vpn	Packet-Src-IP-Address ==

  So what do you want to *do* when the "test1.vpn" user tries to authenticate?

> The thing is, it doesn't work... It works great when, on the ipsec.conf
> file I put rightsourceip=

  That's where the packets come from.  Framed-IP-Address is something different.

> The client gets the right framed-ip-address.

  No.  It uses the right *source* IP address.

> But with %radius, I don't see the ip address
> in the radius log and it makes an error on the strongswan since the client
> doesn't get a virtual IP address.
> Here is the output of radiusd -X :
> (0) Received Access-Request Id 211 from to
> length 168
> (0)   User-Name = "test1.vpn"
> (0)   NAS-Port-Type = Virtual
> (0)   Service-Type = Framed-User
> (0)   NAS-Port = 3
> (0)   NAS-Port-Id = "test1.vpn"
> (0)   NAS-IP-Address = X.X.X.X
> (0)   Called-Station-Id = "X.X.X.X[4500]"
> (0)   Calling-Station-Id = "X.X.X.X[4500]"
> (0)   Acct-Session-Id = "1654086146-3"
> (0)   EAP-Message = 0x0200000e0174657374312e76706e
> (0)   NAS-Identifier = "strongSwan"
> (0)   Message-Authenticator = 0xce4ddedff45a0a9bd69f9b913a963862

  See?  No Framed-IP-Address in the packet.

  And the packet is coming from, not from  Either fix your network so that it doesn't do this kind of NAT, or change the FreeRADIUS configuration to use the IP where the packet is *actually* coming from.

  And even then... if the user name and IP address match, what do you want to *do*?  Do you want the user to be accepted, or rejected? or do you want the server to reply with some attributes in the reply?

  Alan DeKok.
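
Added example, not part of the original message and not FreeRADIUS code: a small Python lint for the `users` file layout discussed above, where items on an entry's first line are checked against the request and the indented lines form the reply. The sample entries, the 192.0.2.x addresses and the helper names `parse_users` and `lint` are constructed for illustration.

```python
import re

# Constructed sample in FreeRADIUS "users" file layout. The 192.0.2.x values
# are documentation addresses, not the ones elided from the post.
SAMPLE = (
    "test1.vpn\tFramed-IP-Address == 192.0.2.10\n"
    "\tFall-Through = Yes\n"
    "\n"
    "test2.vpn\n"
    "\tFramed-IP-Address := 192.0.2.11,\n"
    "\tFall-Through = Yes\n"
)

ITEM = re.compile(r"([\w-]+)\s*(==|:=|\+=|!=|=~|!~|<=|>=|=|<|>)\s*(\S.*)")
CONTROL = {"Fall-Through"}  # steers file processing, is not sent to the NAS

def parse_items(text):
    """Split 'Attr op value, ...' into (attr, op, value) tuples.
    Simplification: commas inside quoted values are not handled."""
    found = (ITEM.fullmatch(part.strip()) for part in text.split(","))
    return [m.groups() for m in found if m]

def parse_users(text):
    """Return [name, check_items, reply_items] for each entry."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":            # indented line: reply items
            if entries:
                entries[-1][2].extend(parse_items(line))
        else:                           # first line: user name, then check items
            parts = line.split(None, 1)
            rest = parts[1] if len(parts) > 1 else ""
            entries.append([parts[0].strip('"'), parse_items(rest), []])
    return entries

def lint(text):
    """Flag the two problems pointed out in the reply above."""
    findings = []
    for name, check, reply in parse_users(text):
        if any(attr == "Framed-IP-Address" for attr, _, _ in check):
            findings.append((name, "Framed-IP-Address is a check item: "
                             "matched against the request, never assigned"))
        if not [attr for attr, _, _ in reply if attr not in CONTROL]:
            findings.append((name, "no reply attributes for the NAS"))
    return findings

if __name__ == "__main__":
    for name, message in lint(SAMPLE):
        print(f"{name}: {message}")
```

The first sample entry mirrors the one quoted in the thread and is flagged twice; the second places Framed-IP-Address in the reply list and passes.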
