[RADIATOR] Assign static IP to users based on Source address
Howe, Brendan
brendan.howe at hp.com
Mon May 28 23:47:56 CDT 2012
Hi Heikki,
I have tried your PostAuthHook suggestion as per below, however it seems to be assigning all the Framed-IP-Addresses in the users file instead of selecting the correct one. It looks like the PostAuthHook isn't passing the identifier to the userfile.
I have included the radius.cfg, userfile and log output.
Radius.cfg:
<Client 10.0.1.100>
    Identifier VPN0
    Secret mysecret
    DupInterval 0
</Client>
<Client 10.0.1.101>
    Secret mysecret
    DupInterval 0
    Identifier VPN1
</Client>
<Client 10.0.1.102>
    Secret mysecret
    DupInterval 0
    Identifier VPN2
</Client>
<Handler>
    <AuthBy FILE>
        Filename %D/test
    </AuthBy>
    PostAuthHook sub { my ($p, $rp) = (${$_[0]}, ${$_[1]}); \
        my ($ip, @to_delete); \
        foreach (@{$rp->{Attributes}}) { \
            my ($name, $value) = @$_; \
            $ip = $value if $name eq 'Framed-IP-Address-' . \
                $p->{Client}->{Identifier}; \
            push (@to_delete, $name) if $name =~ /^Framed-IP-Address-/; \
        } \
        $rp->add_attr('Framed-IP-Address', $ip) if $ip; \
        map {$rp->delete_attr($_)} @to_delete; \
    }
</Handler>
# Authenticate all realms with this
#<Realm DEFAULT>
#    # Look up user details in a flat file
#    <AuthBy FILE>
#        # %D is replaced by DbDir above
#        Filename %D/test0
#    </AuthBy>
#    # Log accounting to a detail file. %D is replaced by DbDir above
#    AcctLogFileName %D/detail
#</Realm>
AuthPort 5555
Userfile:
mikem User-Password=fred
    Service-Type = Framed-User,
    Framed-Protocol = PPP
    Framed-IP-Address-VPN0 = 10.1.1.1
    Framed-IP-Address-VPN1 = 10.2.2.2
    Framed-IP-Address-VPN2 = 10.3.3.3
    Framed-IP-Netmask = 255.255.255.255,
    Framed-Routing = None,
    Framed-MTU = 1500,
    Framed-Compression = Van-Jacobson-TCP-IP
Log output:
*** Received from 10.0.1.102 port 45146 ....
Code: Access-Request
Identifier: 132
Authentic: <18>8<150><14><206><238><140>x<149><197>/f<175><180><226>+
Attributes:
User-Name = "mikem"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Identifier = "203.63.154.1"
NAS-Port = 1234
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
NAS-Port-Type = Async
User-Password = <233><156><207>=<21><135><129>p<207>U<220>.0<182>u;
Tue May 29 14:42:04 2012: DEBUG: Handling request with Handler '', Identifier ''
Tue May 29 14:42:04 2012: DEBUG: Deleting session for mikem, 203.63.154.1, 1234
Tue May 29 14:42:04 2012: DEBUG: Handling with Radius::AuthFILE:
Tue May 29 14:42:04 2012: DEBUG: Reading users file /etc/radiator/test
Tue May 29 14:42:04 2012: DEBUG: Radius::AuthFILE looks for match with mikem [mikem]
Tue May 29 14:42:04 2012: DEBUG: Radius::AuthFILE ACCEPT: : mikem [mikem]
Tue May 29 14:42:04 2012: DEBUG: AuthBy FILE result: ACCEPT,
Tue May 29 14:42:04 2012: DEBUG: Access accepted for mikem
Framed-IP-Netmask = 255.255.255.255 for attribute Framed-Protocol. Using 0.
Tue May 29 14:42:04 2012: DEBUG: Packet dump:
*** Sending to 10.0.1.102 port 45146 ....
Code: Access-Accept
Identifier: 132
Authentic: <163>2<140><22><182><187><31><135>Bu5<201><144><183><243>z
Attributes:
Service-Type = Framed-User
Framed-Protocol = PPP<13> Framed-IP-Address-VPN0 = 10.1.1.1<13><9>Framed-IP-Address-VPN1 = 10.2.2.2<13><9>Framed-IP-Address-VPN2 = 10.3.3.3<13> Framed-IP-Netmask = 255.255.255.255
Framed-Routing = None
Framed-MTU = 1500
Framed-Compression = Van-Jacobson-TCP-IP
-----Original Message-----
From: radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au] On Behalf Of Heikki Vatiainen
Sent: Monday, 21 May 2012 7:33 PM
To: radiator at open.com.au
Subject: Re: [RADIATOR] Assign static IP to users based on Source address
On 05/21/2012 03:20 AM, Howe, Brendan wrote:
> I am in the process of evaluating Radiator and would like to know if
> it is possible to assign a static IP address to clients based on the
> source IP address radiator sees the connection from. I would like to
> implement this using a single user file.
File does not offer that kind of flexibility, but you could consider a hook to do a fixup after a lookup from the file.
> ATM I have configured the Radiator radius.cfg using 3 client IP
> addresses each with their own Identifier. I then use 3x "Handler
> Client-Identifier=xxx" to define separate AuthBy FILE filenames. Each
> users file is exactly the same, except for the "Framed-IP-Address".
> This configuration works and the user is assigned a different static
> IP address dependent on their source address. The problem is I then
> need to maintain 3 separate user files all with the same usernames and passwords.
Your current approach is correct, but I see it can be a bit problematic to maintain.
> Is it possible to implement this setup using a single user file that
> has a "Framed-IP-Address" for each Identifier or is there a better way
> to do this?
If you need to stay with AuthBy FILE, you could consider having something like this for each user in the users file:
hvn User-Password = password
    Framed-IP-Address-Client1 = 10.10.10.10,
    Framed-IP-Address-Client2 = 10.20.20.20,
    Framed-IP-Address-Client3 = 10.30.30.30
For the Handler, use something like below for PostAuthHook. The hook tries to match the Client's Identifier with Framed-IP-Address-* attributes, and picks the IP from the one that matches. The rest are deleted, so that they do not cause complaints in the log about unknown attributes.
The IP from the matching attribute is added as Framed-IP-Address. If it cannot match anything with the Client's Identifier, no Framed-IP-Address is added.
<Handler>
    <AuthBy FILE>
        Filename %D/users
    </AuthBy>
    PostAuthHook sub { my ($p, $rp) = (${$_[0]}, ${$_[1]}); \
        my ($ip, @to_delete); \
        foreach (@{$rp->{Attributes}}) { \
            my ($name, $value) = @$_; \
            $ip = $value if $name eq 'Framed-IP-Address-' . \
                $p->{Client}->{Identifier}; \
            push (@to_delete, $name) if $name =~ /^Framed-IP-Address-/; \
        } \
        $rp->add_attr('Framed-IP-Address', $ip) if $ip; \
        map {$rp->delete_attr($_)} @to_delete; \
    }
</Handler>
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
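The Access-Accept dump in Brendan's message shows the three Framed-IP-Address-* lines and the netmask arriving inside the value of Framed-Protocol (the <13> bytes are carriage returns inside that one value, and the "Using 0" warning is Radiator failing to look up that value for Framed-Protocol). That is the shape a flat users file produces when its reply items do not end in commas: the continuation lines merge into one item, so the hook finds no Framed-IP-Address-* attribute to match or delete. The script below is an added example, not code from this thread or from Radiator. parse_reply_items is a simplified stand-in for Radiator's users-file reader (continuation lines joined, reply items split on commas), select_framed_ip applies the same selection as Heikki's PostAuthHook to plain [name, value] pairs instead of a Radius::Packet, and the two mikem entries and the Identifier VPN2 are constructed for the example.

```perl
#!/usr/bin/perl
# Added example for this thread; not code from the thread or from Radiator.
# Shows (1) why reply items without trailing commas collapse into one
# run-on Framed-Protocol value, as in the log above, and (2) the
# Framed-IP-Address-<Identifier> selection that the PostAuthHook performs,
# here on a plain array of [name, value] pairs instead of a Radius::Packet.
use strict;
use warnings;

# Parse the reply items of one users-file entry. Simplified reader: the
# first line carries the username and check items and is skipped, the
# indented continuation lines are joined, and the result is split on
# commas. A reply line without a trailing comma therefore merges into the
# following line(s), which is the shape seen in the Access-Accept dump.
sub parse_reply_items {
    my ($entry) = @_;
    my @lines = split /\n/, $entry;
    shift @lines;                         # "mikem User-Password=fred"
    my @attrs;
    foreach my $item (split /,/, join("\n", @lines)) {
        next unless $item =~ /^\s*([\w-]+)\s*=\s*(.*?)\s*$/s;
        push @attrs, [$1, $2];            # value may span several lines
    }
    return \@attrs;
}

# Same logic as the hook: pick Framed-IP-Address-<identifier>, drop every
# Framed-IP-Address-* item, and add Framed-IP-Address only if one matched.
sub select_framed_ip {
    my ($attrs, $identifier) = @_;
    my ($ip, @kept);
    foreach my $pair (@$attrs) {
        my ($name, $value) = @$pair;
        if ($name =~ /^Framed-IP-Address-/) {
            $ip = $value if $name eq 'Framed-IP-Address-' . $identifier;
            next;                         # the hook's @to_delete
        }
        push @kept, [$name, $value];
    }
    push @kept, ['Framed-IP-Address', $ip] if defined $ip;
    return \@kept;
}

sub format_attrs {
    my ($attrs) = @_;
    return join "\n", map { "  $_->[0] = $_->[1]" } @$attrs;
}

# Constructed sample entries. Leading whitespace marks a continuation
# line; spaces are used here instead of tabs.
my $no_commas = <<'EOF';
mikem User-Password=fred
    Service-Type = Framed-User,
    Framed-Protocol = PPP
    Framed-IP-Address-VPN0 = 10.1.1.1
    Framed-IP-Address-VPN1 = 10.2.2.2
    Framed-IP-Address-VPN2 = 10.3.3.3
    Framed-IP-Netmask = 255.255.255.255,
    Framed-Routing = None
EOF

my $with_commas = <<'EOF';
mikem User-Password=fred
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-IP-Address-VPN0 = 10.1.1.1,
    Framed-IP-Address-VPN1 = 10.2.2.2,
    Framed-IP-Address-VPN2 = 10.3.3.3,
    Framed-IP-Netmask = 255.255.255.255,
    Framed-Routing = None
EOF

# A request arriving from the Client whose Identifier is VPN2
# (10.0.1.102 in the thread's radius.cfg).
foreach my $case (['reply items without commas', $no_commas],
                  ['reply items with commas',    $with_commas]) {
    my ($label, $entry) = @$case;
    my $reply = select_framed_ip(parse_reply_items($entry), 'VPN2');
    print "--- $label, Client Identifier VPN2 ---\n";
    print format_attrs($reply), "\n";
}
```

Run with `perl` and no arguments. The first case reproduces the symptom: Framed-Protocol carries the three Framed-IP-Address-* lines and the netmask as one multi-line value, and no Framed-IP-Address is added because nothing matched. The second case yields Framed-Protocol = PPP, the netmask as its own item, the three per-Client addresses removed, and Framed-IP-Address = 10.3.3.3 appended.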