[RADIATOR] Assign static IP to users based on Source address

Heikki Vatiainen hvn at open.com.au
Mon May 21 04:32:50 CDT 2012


On 05/21/2012 03:20 AM, Howe, Brendan wrote:

> I am in the process of evaluating Radiator and would like to know if it
> is possible to assign a static IP address to clients based on the source
> IP address radiator sees the connection from.  I would like to implement
> this using a single user file.

File does not offer that kind of flexibility, but you could consider a
hook to do a fixup after a lookup from the file.

> ATM I have configured the Radiator radius.cfg using 3 client IP
> addresses each with their own Identifier.  I then use 3x “Handler
> Client-Identifier=xxx” to define separate AuthBy FILE filenames.  Each
> users file is exactly the same, except for the “Framed-IP-Address”. 
> This configuration works and the user is assigned a different static IP
> address dependent on their source address.  The problem is I then need
> to maintain 3 separate user files all with the same usernames and passwords.

Your current approach is correct, but I see it can be a bit problematic
to maintain.

> Is it possible to implement this setup using a single user file that has
> a “Framed-IP-Address” for each Identifier or is there a better way to do
> this?

If you need to stay with AuthBy FILE, you could consider having something
like this for each user in the users file:

hvn	User-Password = password
	Framed-IP-Address-Client1 = 10.10.10.10,
	Framed-IP-Address-Client2 = 10.20.20.20,
	Framed-IP-Address-Client3 = 10.30.30.30

For the Handler, use something like below for PostAuthHook. The hook
tries to match the Client's Identifier with Framed-IP-Address-*
attributes, and picks the IP from the one that matches. The rest are
deleted, so that they do not cause complaints in the log about unknown
attributes.

The IP from the matching attribute is added as Framed-IP-Address. If it
can not match anything with Client's Identifier, no Framed-IP-Address is
added.

<Handler>
  <AuthBy FILE>
    Filename        %D/users
  </AuthBy>
  PostAuthHook sub { my ($p, $rp) = (${$_[0]}, ${$_[1]}); \
    my ($ip, @to_delete); \
    foreach (@{$rp->{Attributes}}) { \
      my ($name, $value) = @$_; \
      $ip = $value if $name eq 'Framed-IP-Address-' . $p->{Client}->{Identifier}; \
      push (@to_delete, $name) if $name =~ /^Framed-IP-Address-/; \
    } \
    $rp->add_attr('Framed-IP-Address', $ip) if $ip; \
    map {$rp->delete_attr($_)} @to_delete; \
  }
</Handler>


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
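
Added example, not part of the original post and not Radiator code: a Python check for a users file laid out as suggested above. It reports users that lack a Framed-IP-Address-<Identifier> entry for a client (the hook then adds no Framed-IP-Address) and addresses given to more than one user on the same client. The user "bob", the identifier list and the one-reply-item-per-indented-line parsing are assumptions made for the example.

```python
import re
from collections import defaultdict

PREFIX = "Framed-IP-Address-"

# Constructed sample in the layout from the post; "bob" is a made-up user.
SAMPLE_USERS = """\
hvn User-Password = password
    Framed-IP-Address-Client1 = 10.10.10.10,
    Framed-IP-Address-Client2 = 10.20.20.20,
    Framed-IP-Address-Client3 = 10.30.30.30

bob User-Password = secret
    Framed-IP-Address-Client1 = 10.10.10.10,
    Framed-IP-Address-Client2 = 10.20.20.21
"""

def parse_users(text):
    """Return {user: {client_identifier: ip}} from the indented reply-item lines."""
    users, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():          # an unindented line starts a user entry
            current = users.setdefault(line.split()[0], {})
            continue
        m = re.match(r"\s+" + re.escape(PREFIX) + r"(\S+)\s*=\s*([^,\s]+)", line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return users

def lint(users, identifiers):
    """List users missing a per-client address and addresses shared on one client."""
    problems, seen = [], defaultdict(list)
    for user, per_client in users.items():
        for ident in identifiers:
            ip = per_client.get(ident)
            if ip is None:
                problems.append(f"{user}: no {PREFIX}{ident}, so no Framed-IP-Address in the reply")
            else:
                seen[(ident, ip)].append(user)
    for (ident, ip), owners in seen.items():
        if len(owners) > 1:
            problems.append(f"{ident}: {ip} assigned to {', '.join(owners)}")
    return problems

if __name__ == "__main__":
    print("\n".join(lint(parse_users(SAMPLE_USERS), ["Client1", "Client2", "Client3"])))
```

The identifier list passed to lint() should be the Identifier values of the Client clauses in radius.cfg.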

