Freeradius Framed-IP-Address not working with strongswan

Alexis Lacoste alexislacoste2 at gmail.com
Wed Jun 1 13:21:18 UTC 2022


Hello Alan,

The thing is that the freeradius is on the same machine as the vpn server.
It has the internal address (172.16.10.111) and the public one.
The user needs to be accepted since the peap authentication succeeded. What I
want is for the user (test1.vpn) to get a static virtual IP address.
I thought that I could do that using the Framed-IP-Address attribute by
reading this: https://freeradius.org/rfc/rfc2865.html#Framed-IP-Address
The VPN NATs all the traffic to the designed subnets, it's a roadwarrior
situation.

I now understand a bit on why it doesn't work, but I'm a bit lost on how to
make it work...
Best regards.

On Wed, Jun 1, 2022 at 14:48, Alan DeKok <aland at deployingradius.com> wrote:

> On Jun 1, 2022, at 8:39 AM, Alexis Lacoste <alexislacoste2 at gmail.com> wrote:
> >
> > It is my first time asking a question on the freeradius mailing list, I
> > excuse myself in advance of any error or bad interpretation.
> > I'm using a VPN named strongswan that communicates with a freeradius using
> > the eap-radius plugin. The radius is authenticated against a samba AD that
> > authenticates clients using ntlm_auth and mschapv2. It is working great.
>
>   That's good.
>
> > Now, I want for the clients to get the IP address that I assign in the
> > users.conf file. What I did was to create a user named test1.vpn in the
> > LDAP, and use rightsourceip=%radius in the ipsec.conf file on strongswan. I
> > gave him a framed ip address like this:
> >
> > "test1.vpn"     Framed-IP-Address == 10.10.10.6
> >                Fall-Through = Yes
>
>   You don't need quotes on the name.  And the check for Framed-IP-Address
> is checking if the packet contains Framed-IP-Address.  It doesn't check the
> source IP of where the packet came from.
>
>   And this entry doesn't do anything, because the reply list is empty.
>
>   To check the source IP, you need to check Packet-Src-IP-Address.  So the
> entry should look like:
>
> test1.vpn       Packet-Src-IP-Address == 10.10.10.6
>         ...
>
>   So what do you want to *do* when the "test1.vpn" user tries to
> authenticate?
>
> > The thing is, it doesn't work... It works great when, on the ipsec.conf
> > file I put rightsourceip=10.10.10.1.
>
>   That's where the packets come from.  Framed-IP-Address is something
> different.
>
> > The client gets the right framed-ip-address.
>
>   No.  It uses the right *source* IP address.
>
> > But with %radius, I don't see the 10.10.10.6 ip address
> > in the radius log and it makes an error on the strongswan since the client
> > doesn't get a virtual IP address.
> >
> > Here is the output of radiusd -X:
> >
> > (0) Received Access-Request Id 211 from 172.16.10.111:47079 to
> > 172.16.10.111:1812 length 168
> > (0)   User-Name = "test1.vpn"
> > (0)   NAS-Port-Type = Virtual
> > (0)   Service-Type = Framed-User
> > (0)   NAS-Port = 3
> > (0)   NAS-Port-Id = "test1.vpn"
> > (0)   NAS-IP-Address = X.X.X.X
> > (0)   Called-Station-Id = "X.X.X.X[4500]"
> > (0)   Calling-Station-Id = "X.X.X.X[4500]"
> > (0)   Acct-Session-Id = "1654086146-3"
> > (0)   EAP-Message = 0x0200000e0174657374312e76706e
> > (0)   NAS-Identifier = "strongSwan"
> > (0)   Message-Authenticator = 0xce4ddedff45a0a9bd69f9b913a963862
>
>   See?  No Framed-IP-Address in the packet.
>
>   And the packet is coming from 172.16.10.11, not from 10.10.10.6.  Either
> fix your network so that it doesn't do this kind of NAT, or change the
> FreeRADIUS configuration to use the IP where the packet is *actually*
> coming from.
>
>   And even then... if the user name and IP address match, what do you want
> to *do*?  Do you want the user to be accepted, or rejected? or do you want
> the server to reply with some attributes in the reply?
>
>   Alan DeKok.
>


More information about the Freeradius-Users mailing list
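
The check-list versus reply-list distinction discussed in the thread, as an added example that is not part of either message and is not FreeRADIUS code. It is a simplified Python model of how a `users` file entry is split into check items (first line) and reply items (indented lines); `REPLY_ENTRY` is an assumed rewrite of the entry, and `REQUEST` is a subset of the quoted debug output.

```python
import re

# Constructed from the radiusd -X output quoted in the thread (subset).
REQUEST = {
    "User-Name": "test1.vpn",
    "NAS-Port-Type": "Virtual",
    "Service-Type": "Framed-User",
    "NAS-Identifier": "strongSwan",
}

# The entry as posted: Framed-IP-Address sits on the check line.
ORIGINAL_ENTRY = '''"test1.vpn"     Framed-IP-Address == 10.10.10.6
               Fall-Through = Yes
'''

# Assumed rewrite (not from the thread): the address moved to the reply list.
REPLY_ENTRY = '''test1.vpn
        Framed-IP-Address := 10.10.10.6
'''

ITEM = re.compile(r'([\w-]+)\s*(==|:=|=)\s*("[^"]*"|[^,\s]+)')

def parse_entry(text):
    """Split one entry into (name, check items, reply items)."""
    lines = [l for l in text.splitlines() if l.strip()]
    head = lines[0].split(None, 1)
    name = head[0].strip('"')
    check = ITEM.findall(head[1]) if len(head) > 1 else []
    reply = [m for l in lines[1:] for m in ITEM.findall(l)]
    return name, check, reply

def evaluate(entry_text, request):
    """Return (matched, attributes that would go into the reply)."""
    name, check, reply = parse_entry(entry_text)
    if name not in ("DEFAULT", request.get("User-Name")):
        return False, {}
    for attr, op, value in check:
        # '==' on the check line: the request must carry attr with this value.
        if op == "==" and request.get(attr) != value.strip('"'):
            return False, {}
    # Fall-Through only steers processing; it is never sent to the NAS.
    sent = {a: v.strip('"') for a, _, v in reply if a != "Fall-Through"}
    return True, sent

if __name__ == "__main__":
    print("as posted:", evaluate(ORIGINAL_ENTRY, REQUEST))
    print("reply list:", evaluate(REPLY_ENTRY, REQUEST))
```

The posted entry fails to match because the Access-Request carries no Framed-IP-Address, and even when it does match it returns nothing, since its reply list holds only Fall-Through.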