Freeradius Framed-IP-Address not working with strongswan
Michael Schwartzkopff
ms at sys4.de
Wed Jun 1 13:26:24 UTC 2022
On 01.06.22 15:21, Alexis Lacoste wrote:
> Hello Alan,
>
> The thing is that the freeradius is on the same machine as the vpn server.
> It has the internal address (172.16.10.111) and the public one.
> The user needs to be accepted since the peap authentication succeeds. What I
> want is for the user (test1.vpn) to get a static virtual IP address.
> I thought that I could do that using the Framed-IP-Address attribute by
> reading this : https://freeradius.org/rfc/rfc2865.html#Framed-IP-Address
> The VPN NATs all the traffic to the designated subnets; it's a roadwarrior
> situation.
>
> I now understand a bit of why it doesn't work, but I'm a bit lost on how to
> make it work...
> Best regards.
>
> On Wed, 1 Jun 2022 at 14:48, Alan DeKok <aland at deployingradius.com>
> wrote:
>
>> On Jun 1, 2022, at 8:39 AM, Alexis Lacoste <alexislacoste2 at gmail.com>
>> wrote:
>>> It is my first time asking a question on the freeradius mailing list, I
>>> excuse myself in advance of any error or bad interpretation.
>>> I'm using a VPN named strongswan that communicates with a freeradius
>>> using the eap-radius plugin. The radius is authenticated against a
>>> samba AD that authenticates clients using ntlm_auth and mschapv2. It
>>> is working great.
>> That's good.
>>
>>> Now, I want the clients to get the IP address that I assign in the
>>> users.conf file. What I did was to create a user named test1.vpn in the
>>> LDAP, and use rightsourceip=%radius in the ipsec.conf file on
>>> strongswan. I gave him a framed ip address like this :
>>>
>>> "test1.vpn" Framed-IP-Address == 10.10.10.6
>>> Fall-Through = Yes
>> You don't need quotes on the name. And the check for Framed-IP-Address
>> is checking if the packet contains Framed-IP-Address. It doesn't check the
>> source IP of where the packet came from.
>>
>> And this entry doesn't do anything, because the reply list is empty.
>>
>> To check the source IP, you need to check Packet-Src-IP-Address. So the
>> entry should look like:
>>
>> test1.vpn Packet-Src-IP-Address == 10.10.10.6
>> ...
>>
>> So what do you want to *do* when the "test1.vpn" user tries to
>> authenticate?
>>
>>> The thing is, it doesn't work... It works great when, on the ipsec.conf
>>> file I put rightsourceip=10.10.10.1.
>> That's where the packets come from. Framed-IP-Address is something
>> different.
>>
>>> The client gets the right framed-ip-address.
>> No. It uses the right *source* IP address.
>>
>>> But with %radius, I don't see the 10.10.10.6 ip address
>>> in the radius log and it makes an error on the strongswan since the
>>> client doesn't get a virtual IP address.
>>>
>>> Here are the output of radiusd -X :
>>>
>>> (0) Received Access-Request Id 211 from 172.16.10.111:47079 to
>>> 172.16.10.111:1812 length 168
>>> (0) User-Name = "test1.vpn"
>>> (0) NAS-Port-Type = Virtual
>>> (0) Service-Type = Framed-User
>>> (0) NAS-Port = 3
>>> (0) NAS-Port-Id = "test1.vpn"
>>> (0) NAS-IP-Address = X.X.X.X
>>> (0) Called-Station-Id = "X.X.X.X[4500]"
>>> (0) Calling-Station-Id = "X.X.X.X[4500]"
>>> (0) Acct-Session-Id = "1654086146-3"
>>> (0) EAP-Message = 0x0200000e0174657374312e76706e
>>> (0) NAS-Identifier = "strongSwan"
>>> (0) Message-Authenticator = 0xce4ddedff45a0a9bd69f9b913a963862
>> See? No Framed-IP-Address in the packet.
>>
>> And the packet is coming from 172.16.10.11, not from 10.10.10.6. Either
>> fix your network so that it doesn't do this kind of NAT, or change the
>> FreeRADIUS configuration to use the IP where the packet is *actually*
>> coming from.
>>
>> And even then... if the user name and IP address match, what do you want
>> to *do*? Do you want the user to be accepted, or rejected? or do you want
>> the server to reply with some attributes in the reply?
>>
>> Alan DeKok.
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
The Framed-IP-Address attribute is not seen in the Access-Accept packet
that the VPN server sees. You have to copy it from the answer of the
inner-tunnel server to the outer default server.
See the config of FR. See option "use_tunneled_reply".
If you want to assign static IP addresses to specific users, you can do
this in post-processing of FR. No need to define specific connections in
strongswan.
Kind regards,
--
[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
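Putting the two points of the thread together (Framed-IP-Address belongs in the reply list, not the check list, and the inner-tunnel reply must be copied to the outer reply), here is an added example configuration for FreeRADIUS 3.0; it is not from any poster and not from the FreeRADIUS or strongSwan projects. File paths, the second user and the `tls-common` name are assumptions following the stock 3.0 layout.

```conf
# mods-config/files/authorize (the "users" file; path is an assumption)
#
# The entry in the thread put "Framed-IP-Address == 10.10.10.6" on the
# first line, which makes it a CHECK item: it only matches if the incoming
# Access-Request already carries that attribute, which it never does.
# Reply items go on the indented lines that follow the user name; they
# are what ends up in the Access-Accept.
test1.vpn
        Framed-IP-Address = 10.10.10.6,
        Fall-Through = Yes

# A second road-warrior user with its own static virtual IP (constructed).
test2.vpn
        Framed-IP-Address = 10.10.10.7,
        Fall-Through = Yes

# mods-available/eap, "peap" section only (path is an assumption)
#
# PEAP/MSCHAPv2 runs inside the "inner-tunnel" virtual server, so the
# reply items above are produced in the inner reply. Unless the EAP module
# is told to copy them out, the outer Access-Accept that strongSwan's
# eap-radius plugin sees carries no Framed-IP-Address, and
# rightsourceip=%radius has nothing to hand out.
peap {
        tls = tls-common
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = yes
        virtual_server = "inner-tunnel"
}
```

To verify, run `radiusd -X` again and look for `Framed-IP-Address = 10.10.10.6` in the outer `Sent Access-Accept` block, not only in the inner-tunnel reply.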