Freeradius Framed-IP-Address not working with strongswan

Alan DeKok aland at
Wed Jun 1 13:50:55 UTC 2022

On Jun 1, 2022, at 9:21 AM, Alexis Lacoste <alexislacoste2 at> wrote:
> The thing is that the freeradius is on the same machine as the vpn server.
> It has the internal address ( and the public one.

  That doesn't matter.  As I said:

a) leave your network alone, and fix FreeRADIUS to use the IPs supplied by the network

b) leave FreeRADIUS alone, and fix your network to use the IPs you expect

  Pick one.

  FreeRADIUS doesn't control the networking configuration on the OS.  So if the packets come from the "wrong" IP address, nothing you do to FreeRADIUS will change the source IP of the UDP packets.

> The user needs to be accepted since the PEAP authentication succeeded. What I
> want is for the user (test1.vpn) to get a static virtual IP address.

  You want FreeRADIUS to *reply* with a static IP address.

> I thought that I could do that using the Framed-IP-Address attribute by
> reading this :
> The VPN NATs all the traffic to the designed subnets, it's a roadwarrior
> situation.

  Yes, Framed-IP-Address is the correct attribute to use.  But you're not *checking* for the existence of the Framed-IP-Address attribute.  You're *adding* it to the reply.

  See "man users", which is the documentation for the "users" file you were editing.  This is made very clear.

  If you read the rest of the file you were editing (mods-config/files/authorize), you will see references to Framed-IP-Address.  These are examples of how to reply with a Framed-IP-Address.

  Alan DeKok.
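
Added example, not part of the original message and not FreeRADIUS code: a small Python check of the "users" file layout that "man users" documents, where items on the same line as the user name are check items and items on the indented lines that follow are reply items. The sample entries, the name wrong.vpn, the addresses, and the function names are constructed for illustration; treating Framed-IP-Address as reply-only is an assumption that fits the static-IP case discussed above.

```python
import re

# Constructed sample in the "users" file layout: the first line of an entry
# holds the user name and its check items; the indented lines that follow
# hold the reply items. Names and addresses are made up for illustration.
SAMPLE = """\
# Check item: compared against the request, never sent back to the NAS
wrong.vpn  Framed-IP-Address == 10.0.0.50

# Reply items: added to the Access-Accept
test1.vpn
        Framed-IP-Address = 10.0.0.51,
        Framed-IP-Netmask = 255.255.255.255
"""

# attribute, operator, value (longer operators listed before their prefixes)
ITEM = re.compile(r"([\w.-]+)\s*(==|:=|\+=|!=|=~|!~|>=|<=|=|>|<)\s*(.+)")

def parse_users(text):
    """Split each entry into check items (first line) and reply items (indented lines)."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blank line or comment
        if raw[0] in " \t":               # indented line: reply items
            if not entries:
                continue                  # no entry to attach them to
            bucket, body = entries[-1]["reply"], raw
        else:                             # column one: name plus check items
            parts = raw.split(None, 1)
            entries.append({"name": parts[0], "check": [], "reply": []})
            bucket, body = entries[-1]["check"], parts[1] if len(parts) > 1 else ""
        # Simplification: plain comma split, quoted values with commas not handled.
        for item in body.split(","):
            m = ITEM.match(item.strip())
            if m:
                bucket.append(m.groups())
    return entries

def misplaced_reply_attrs(entries, reply_only=("Framed-IP-Address",)):
    """Names of entries that list a reply-only attribute among the check items."""
    return [e["name"] for e in entries
            if any(attr in reply_only for attr, _, _ in e["check"])]

if __name__ == "__main__":
    for name in misplaced_reply_attrs(parse_users(SAMPLE)):
        print(f"{name}: Framed-IP-Address is a check item; move it to an indented reply line")
```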
