[RADIATOR] Assign static IP to users based on Source address

Howe, Brendan brendan.howe at hp.com
Tue May 29 00:24:10 CDT 2012


Excellent, it's all working now.  Thanks Hugh.

Do you have any documentation for configuring the users file?  


-----Original Message-----
From: Hugh Irvine [mailto:hugh at open.com.au] 
Sent: Tuesday, 29 May 2012 3:02 PM
To: Howe, Brendan
Cc: Heikki Vatiainen; radiator at open.com.au
Subject: Re: [RADIATOR] Assign static IP to users based on Source address


Hello Brendan -

Your users file is not correct - it should look like this (with commas):


mikem	User-Password=fred
	Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Framed-IP-Address-VPN0 = 10.1.1.1,
	Framed-IP-Address-VPN1 = 10.2.2.2,
	Framed-IP-Address-VPN2 = 10.3.3.3,
	Framed-IP-Netmask = 255.255.255.255,
	Framed-Routing = None,
	Framed-MTU = 1500,
	Framed-Compression = Van-Jacobson-TCP-IP


That is why the debug shows the confused value for Framed-Protocol.

regards

Hugh


On 29 May 2012, at 14:47, Howe, Brendan wrote:

> Hi Heikki,
> 
> I have tried your PostAuthHook suggestion as per below, however it seems to be assigning all the Framed-IP-Addresses in the users file instead of selecting the correct one.  It looks like the PostAuthHook isn't passing the identifier to the userfile.
> 
> I have included the radius.cfg, userfile and log output.  
> 
> Radius.cfg:
> 
> <Client 10.0.1.100>
> 	Identifier	VPN0
> 	Secret	mysecret
> 	DupInterval 0	
> </Client>
> 
> <Client 10.0.1.101>
> 	Secret	mysecret
> 	DupInterval 0
> 	Identifier VPN1
> </Client>
> 
> <Client 10.0.1.102>
> 	Secret	mysecret
> 	DupInterval 0
> 	Identifier VPN2
> </Client>
> 
> <Handler>
>  <AuthBy FILE>
>    Filename        %D/test
>  </AuthBy>
>  PostAuthHook sub { my ($p, $rp) = (${$_[0]}, ${$_[1]}); \
>    my ($ip, @to_delete); \
>    foreach (@{$rp->{Attributes}}) { \
>      my ($name, $value) = @$_; \
>      $ip = $value if $name eq 'Framed-IP-Address-' . $p->{Client}->{Identifier}; \
>      push (@to_delete, $name) if $name =~ /^Framed-IP-Address-/; \
>    } \
>    $rp->add_attr('Framed-IP-Address', $ip) if $ip; \
>    map {$rp->delete_attr($_)} @to_delete; \
>  }
> </Handler>
> 
> # Authenticate all realms with this
> #<Realm DEFAULT>
> 	# Look up user details in a flat file
> #	<AuthBy FILE>
> 		# %D is replaced by DbDir above
> #		Filename %D/test0
> #	</AuthBy>
> 
> 	# Log accounting to a detail file. %D is replaced by DbDir above
> #	AcctLogFileName	%D/detail
> #</Realm>
> AuthPort	5555
> 
> Userfile:
> 
> mikem	User-Password=fred
> 	Service-Type = Framed-User,
>        Framed-Protocol = PPP
>        Framed-IP-Address-VPN0 = 10.1.1.1
> 	Framed-IP-Address-VPN1 = 10.2.2.2
> 	Framed-IP-Address-VPN2 = 10.3.3.3
>        Framed-IP-Netmask = 255.255.255.255,
>        Framed-Routing = None,
>        Framed-MTU = 1500,
>        Framed-Compression = Van-Jacobson-TCP-IP	
> 
> Log output:
> 
> *** Received from 10.0.1.102 port 45146 ....
> Code:       Access-Request
> Identifier: 132
> Authentic:  <18>8<150><14><206><238><140>x<149><197>/f<175><180><226>+
> Attributes:
>        User-Name = "mikem"
>        Service-Type = Framed-User
>        NAS-IP-Address = 203.63.154.1
>        NAS-Identifier = "203.63.154.1"
>        NAS-Port = 1234
>        Called-Station-Id = "123456789"
>        Calling-Station-Id = "987654321"
>        NAS-Port-Type = Async
>        User-Password = <233><156><207>=<21><135><129>p<207>U<220>.0<182>u;
> 
> Tue May 29 14:42:04 2012: DEBUG: Handling request with Handler '', Identifier ''
> Tue May 29 14:42:04 2012: DEBUG:  Deleting session for mikem, 203.63.154.1, 1234
> Tue May 29 14:42:04 2012: DEBUG: Handling with Radius::AuthFILE:
> Tue May 29 14:42:04 2012: DEBUG: Reading users file /etc/radiator/test
> Tue May 29 14:42:04 2012: DEBUG: Radius::AuthFILE looks for match with mikem [mikem]
> Tue May 29 14:42:04 2012: DEBUG: Radius::AuthFILE ACCEPT: : mikem [mikem]
> Tue May 29 14:42:04 2012: DEBUG: AuthBy FILE result: ACCEPT,
> Tue May 29 14:42:04 2012: DEBUG: Access accepted for mikem
>        Framed-IP-Netmask = 255.255.255.255 for attribute Framed-Protocol. Using 0.
> Tue May 29 14:42:04 2012: DEBUG: Packet dump:
> *** Sending to 10.0.1.102 port 45146 ....
> Code:       Access-Accept
> Identifier: 132
> Authentic:  <163>2<140><22><182><187><31><135>Bu5<201><144><183><243>z
> Attributes:
>        Service-Type = Framed-User
>        Framed-Protocol = PPP<13>        Framed-IP-Address-VPN0 = 10.1.1.1<13><9>Framed-IP-Address-VPN1 = 10.2.2.2<13><9>Framed-IP-Address-VPN2 = 10.3.3.3<13>        Framed-IP-Netmask = 255.255.255.255
>        Framed-Routing = None
>        Framed-MTU = 1500
>        Framed-Compression = Van-Jacobson-TCP-IP
> 
> 
> 
> -----Original Message-----
> From: radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au] On Behalf Of Heikki Vatiainen
> Sent: Monday, 21 May 2012 7:33 PM
> To: radiator at open.com.au
> Subject: Re: [RADIATOR] Assign static IP to users based on Source address
> 
> On 05/21/2012 03:20 AM, Howe, Brendan wrote:
> 
>> I am in the process of evaluating Radiator and would like to know if 
>> it is possible to assign a static IP address to clients based on the 
>> source IP address radiator sees the connection from.  I would like to 
>> implement this using a single user file.
> 
> File does not offer that kind of flexibility, but you could consider a hook to do a fixup after a lookup from the file.
> 
>> ATM I have configured the Radiator radius.cfg using 3 client IP 
>> addresses each with their own Identifier.  I then use 3x "Handler 
>> Client-Identifier=xxx" to define separate AuthBy FILE filenames.  
>> Each users file is exactly the same, except for the "Framed-IP-Address".
>> This configuration works and the user is assigned a different static 
>> IP address dependant on their source address.  The problem is I then 
>> need to maintain 3 separate user files all with the same usernames and passwords.
> 
> Your current approach is correct, but I see it can be a bit problematic to maintain.
> 
>> Is it possible to implement this setup using a single user file that 
>> has a "Framed-IP-Address" for each Identifier or is there a better 
>> way to do this?
> 
> If you need to stay with AuthBy FILE, you could consider having something like this for each user in the users file:
> 
> hvn	User-Password = password
> 	Framed-IP-Address-Client1 = 10.10.10.10,
> 	Framed-IP-Address-Client2 = 10.20.20.20,
> 	Framed-IP-Address-Client3 = 10.30.30.30
> 
> For the Handler, use something like below for PostAuthHook. The hook tries to match the Client's Identifier with Framed-IP-Address-* attributes, and picks the IP from the one that matches. The rest are deleted, so that they do not cause complaints in the log about unknown attributes.
> 
> The IP from the matching attribute is added as Framed-IP-Address. If it cannot match anything with the Client's Identifier, no Framed-IP-Address is added.
> 
> <Handler>
>  <AuthBy FILE>
>    Filename        %D/users
>  </AuthBy>
>  PostAuthHook sub { my ($p, $rp) = (${$_[0]}, ${$_[1]}); \
>    my ($ip, @to_delete); \
>    foreach (@{$rp->{Attributes}}) { \
>      my ($name, $value) = @$_; \
>      $ip = $value if $name eq 'Framed-IP-Address-' . $p->{Client}->{Identifier}; \
>      push (@to_delete, $name) if $name =~ /^Framed-IP-Address-/; \
>    } \
>    $rp->add_attr('Framed-IP-Address', $ip) if $ip; \
>    map {$rp->delete_attr($_)} @to_delete; \
>  }
> </Handler>
> 
> 
> --
> Heikki Vatiainen <hvn at open.com.au>
> 
> Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator


--

Hugh Irvine
hugh at open.com.au

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. 
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
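The two things this thread turns on are the users-file line joining that folded Brendan's reply items into one Framed-Protocol value, and the PostAuthHook logic that picks the Framed-IP-Address-<Identifier> matching the Client's Identifier. The stand-alone Perl below is an added example, not Radiator code and not from any poster: it models the users-file parsing (the real Radius::AuthFILE parser is not reproduced, only the comma-separated, line-joined behaviour the log shows), replaces the Radius::* packet objects with plain [name, value] pairs, and runs the selection step over Brendan's entry both as he posted it and with the commas Hugh added. The dotted-quad check on the chosen address is an assumption added here as the caveat a practitioner would want before handing a value from a flat file to a NAS; the hook on the page does not do it.

```perl
#!/usr/bin/perl
# Added example (not Radiator code): models the users-file parsing and the
# PostAuthHook selection discussed in this thread. Radiator's Radius::* packet
# objects are replaced by plain [name, value] array references.
use strict;
use warnings;

# Parse one users-file entry. The first line holds the username and check
# items; indented continuation lines hold reply items. Reply items are comma
# separated and the continuation lines are joined before splitting, so a line
# with no trailing comma swallows the lines after it into one value, which is
# the symptom in the log above (modelled here, not Radiator's own parser).
sub parse_entry {
    my ($text) = @_;
    my @lines = split /\r?\n/, $text;
    my $first = shift @lines;
    my ($user, $check_text) = $first =~ /^(\S+)\s*(.*)$/;
    my @check = map { [ split /\s*=\s*/, $_, 2 ] }
                grep { length } split /\s*,\s*/, $check_text;
    my @reply;
    for my $item (split /,/, join "\n", @lines) {
        $item =~ s/^\s+|\s+$//g;
        next unless length $item;
        push @reply, [ split /\s*=\s*/, $item, 2 ];
    }
    return { user => $user, check => \@check, reply => \@reply };
}

# The selection step from the hook: keep only the Framed-IP-Address-<Identifier>
# value whose suffix equals the Client's Identifier, drop every per-client pseudo
# attribute so none reaches the NAS, and add the chosen value as the real
# Framed-IP-Address. Returns the new reply list and the chosen address (undef
# when nothing matched, in which case no Framed-IP-Address is set at all).
sub select_framed_ip {
    my ($reply, $identifier) = @_;
    my ($ip, @keep);
    for my $attr (@$reply) {
        my ($name, $value) = @$attr;
        if ($name =~ /^Framed-IP-Address-(.+)$/) {
            # exact match only; a Client configured without an Identifier never matches
            $ip = $value if defined $identifier && length $identifier && $1 eq $identifier;
            next;
        }
        push @keep, $attr;
    }
    if (defined $ip) {
        # assumption added here: refuse anything that is not a plain IPv4 dotted quad
        unless ($ip =~ /^\d{1,3}(?:\.\d{1,3}){3}$/ && !grep { $_ > 255 } split /\./, $ip) {
            warn "ignoring malformed Framed-IP-Address-$identifier value '$ip'\n";
            $ip = undef;
        }
    }
    push @keep, [ 'Framed-IP-Address', $ip ] if defined $ip;
    return (\@keep, $ip);
}

# Constructed input: the entry as posted (no commas) and with the commas added.
my $broken = <<'END';
mikem   User-Password=fred
        Service-Type = Framed-User,
        Framed-Protocol = PPP
        Framed-IP-Address-VPN0 = 10.1.1.1
        Framed-IP-Address-VPN1 = 10.2.2.2
        Framed-IP-Address-VPN2 = 10.3.3.3
        Framed-IP-Netmask = 255.255.255.255
END
(my $fixed = $broken) =~ s/^(\s.*[^,\s])\n(?=\s)/$1,\n/mg;  # append the missing commas

# Simulate a request arriving from the Client whose Identifier is VPN2.
for my $case ([ 'as posted' => $broken ], [ 'with commas' => $fixed ]) {
    my ($label, $text) = @$case;
    my ($reply, $ip) = select_framed_ip(parse_entry($text)->{reply}, 'VPN2');
    printf "%s: Framed-IP-Address=%s\n", $label, defined $ip ? $ip : '(none)';
    for my $attr (@$reply) {
        (my $value = defined $attr->[1] ? $attr->[1] : '') =~ s/\n/\\n/g;
        printf "  %s = %s\n", $attr->[0], $value;
    }
}
```

Run it with `perl` and the first case reproduces the failure in Brendan's log: the reply carries a single Framed-Protocol attribute whose value contains every following line, no Framed-IP-Address-VPN2 attribute exists for the hook to find, and no Framed-IP-Address is set. The second case yields the separate attributes, the VPN0 and VPN1 addresses are removed, and Framed-IP-Address is 10.3.3.3. In a real Radiator hook the same loop runs over $rp->{Attributes} with $rp->add_attr and $rp->delete_attr, as in the hook posted above.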


