[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Radiusplugin-users] Framed-IP-Address problem
From: |
Stuart Stevenson |
Subject: |
Re: [Radiusplugin-users] Framed-IP-Address problem |
Date: |
Tue, 14 Jun 2011 23:38:05 +0100 |
Correct, it appears that the plugin is called before client-connect script.
I'm a little lost in the source code, but where do you specify the data that
goes into each accounting call (CLIENT_CONNECT / CLIENT_DISCONNECT)? Would
it not be possible to update the Framed-IP-Address that gets sent as part of
the CLIENT_DISCONNECT call from the value defined in ENVP, or even modifying
the parseStatusFile method to include pulling the Framed-IP-Address, similar
to how it pulls the in/out bytes.
Don't get me wrong, I'm not asking you to code me a hack to get this
working! I'm just curious if that is how it could be done. As randomized IPs
in the client-connect script isn't essential for me (I can implement dynamic
iptables commands in the client-connect script, rather than persistent SNAT
and DNAT entries tied to each client's VPN IP address).
Cheers,
Stuart.
-----Original Message-----
From: Ralf Lübben [mailto:address@hidden
Sent: 14 June 2011 21:23
To: Stuart Stevenson
Cc: address@hidden
Subject: Re: [Radiusplugin-users] Framed-IP-Address problem
Ok, now I see the problem. The script is called after the plugin
CLIENT_CONNECT, so the plugin is not aware of the randomized IP-address.
The plugin does not track the IP-address after CLIENT-CONNECT, and it is
difficult to implement.
My suggestions are:
1) Let the RADIUS server set the IP address (Framed IP option)
2) Create the client config file with a "--auth-user-pass-verify" script,
probably the new IP address is known before CLIENT_CONNECT event is called.
3) Use OpenVPN option "--topology subnet"
Am Dienstag, 14. Juni 2011, um 21:01:58 schrieb Stuart Stevenson:
> The client-connect script adds the ifconfig-push command into the client
> config file location sent to the client-connect script as variable $1.
This
> pushes a random IP between 10.8.0.2 and 10.8.0.254 to the client.
>
> The RADIUS server sets nothing but the interim acct interval (60 seconds).
>
> The problem is, according to the ENVP list on CLIENT_CONNECT, the
> ifconfig_pool_remote_ip is 10.8.0.2 (the first available IP in the pool
> specified in the OpenVPN config file). But this is wrong, as the correct
IP
> is a randomized IP which is set through the client-connect script as it
> pushes the randomized IP as an ifconfig-push command.
>
> On CLIENT_DISCONNECT, ENVP reports the ifconfig_pool_remote_ip as the
> correct (randomized) IP address of the client. But, when RADIUS runs the
> SQL query to stop the accounting, the Framed-IP-Address sent to the RADIUS
> server is 10.8.0.2 -- not the ENVP value of ifconfig_pool_remote_ip. As I
> am sure the SQL side is working correctly, I can only assume something in
> the radius plugin is sending the old ifconfig_pool_remote_ip value.
>
> Not that it is a bug in the radius plugin, but perhaps my setup is just
> unique (or wrong)?
>
> -----Original Message-----
> From: Ralf Lübben [mailto:address@hidden
> Sent: 14 June 2011 19:49
> To: Stuart Stevenson
> Cc: address@hidden
> Subject: Re: [Radiusplugin-users] Framed-IP-Address problem
>
> Hi,
>
> which is the IP address (10.8.0.2 or 10.8.0.209) of the tun interface of
> the client?
>
> Which address is configured by your script? I gues 10.8.0.209 .
>
> Does your RADIUS server set a Framed-IP option? (If not, there is no
> conflict.)
>
> The address of the interface should be the address the plugin returns to
> the server ((see RFC2866, chapter 4.1 for more information)).
>
> The code snippet is not repeated in CLIENT_DISCONNECT because in
> CLIENT_CONNECT the internal database of the plugin is updated.
>
> Also I assume the "ifconfig_pool_remote_ip" should not change between
> CLIENT_CONNECT and CLIENT_DISCONNECT, maybe this is wrong .
>
> What entries are in your client config file?
> Does any value of the ENVP list contains the correct IP?
>
> It is strange that "ifconfig_pool_remote_ip" changes.
>
> Am Dienstag, 14. Juni 2011, um 20:18:41 schrieb Stuart Stevenson:
> > Not quite sure what you mean by this.
> >
> > What I would like to happen is for the accounting update packets, or
> > the accounting stop packets to contain the correct Framed-IP-Address.
> >
> > On a CLIENT_CONNECT, the ENVP output shows:
> > Tue Jun 14 19:01:45 2011 us=737790 bob/192.168.10.8:49121 ENVP[3] =
> >
> > 'ifconfig_pool_remote_ip=10.8.0.2'
> >
> > Which is actually incorrect, but from what you are saying, this is a
> > conflict between my client-connect script and the client configs file
> > the radius plugin creates?
> >
> > However, on a CLIENT_DISCONNECT, ENVP shows the correct
> > ifconfig_pool_remote_ip, which I would like to be entered into my
>
> database.
>
> > But the problem I have is that the radius plugin must still be sending
> > the old ifconfig_pool_remote_ip from the initial CLIENT_CONNECT.
> >
> > Tue Jun 14 19:02:10 2011 us=362334 ENVP[6] =
> >
> > 'ifconfig_pool_remote_ip=10.8.0.209'
> >
> > I assume this is because of radiusplugin.cpp, Line 465:
> > if (get_env ( "ifconfig_pool_remote_ip", envp ) !=NULL)
> > {
> >
> > newuser->setFramedIp ( string ( get_env (
>
> "ifconfig_pool_remote_ip",
>
> > envp ) ) );
> >
> > }
> >
> > The setFramedIp method is never called again during the
> > CLIENT_DISCONNECT stage, so I assume this is why the Framed-IP-Address
> > that is updated in to my database is incorrect? I haven't tested this
> > myself yet, but I would hazard a guess that the addition of the above
> > code snippet into radiusplugin.cpp above Line 563 would solve this for
> > me?
> >
> > Thanks,
> > Stuart.
> >
> > -----Original Message-----
> > From: Ralf Lübben [mailto:address@hidden
> > Sent: 14 June 2011 18:00
> > To: address@hidden
> > Cc: Stuart Stevenson
> > Subject: Re: [Radiusplugin-users] Framed-IP-Address problem
> >
> > Hi,
> >
> > the plugin just writes the Framed-IP address to the client config file
> > (maybe as your client config script does) if it gets one from the
> > radius server.
> >
> > One option could be not to send to the Framed IP option another option
> > could be to do the address selection at the radius.
> >
> > Overall, I think the behavior of a script and a plugin a very similar.
> >
> > If you have further question please let me know.
> >
> > Ralf
> >
> > Am Dienstag, 14. Juni 2011, um 18:38:35 schrieb Stuart Stevenson:
> > > Hi,
> > >
> > >
> > >
> > > I'm trying to get the correct Framed-IP-Address stored into the
> > > database, but it won't update with the new value.
> > >
> > >
> > >
> > > First, I connect to OpenVPN, and by default, it tries to assign an
> > > IP from the range 10.8.0.0/24 (hence the 10.8.0.2) the RADIUS-PLUGIN
> > > sees
> >
> > below:
> > > Tue Jun 14 17:23:09 2011 RADIUS-PLUGIN: FOREGROUND:
> > > OPENVPN_PLUGIN_CLIENT_CONNECT is called.
> > >
> > > Tue Jun 14 17:23:09 2011 RADIUS-PLUGIN: FOREGROUND: Key:
> > > 192.168.10.8:47386.
> > >
> > > Tue Jun 14 17:23:09 2011 RADIUS-PLUGIN: FOREGROUND: Set FramedIP to
> > > the IP
> > > (10.8.0.2) OpenVPN assigned to the user bob
> > >
> > >
> > >
> > > However, I have a client-connect script which pulls a random IP from
> > > the
> > > 10.8.0.0/24 range and puts the random Framed-IP-Address into this
> > > dynamic config file. As can be seen below, OpenVPN recognises this
> > > and updates according (including in the status file):
> > >
> > >
> > >
> > > Tue Jun 14 17:23:09 2011 us=553408 bob/192.168.10.8:47386 OPTIONS
>
> IMPORT:
> > > reading client specific options from:
> > > /tmp/openvpn/ifconfig/openvpn_cc_3745795b4223cfddef61f0260b52ec84.tm
> > > p
> > >
> > > Tue Jun 14 17:23:09 2011 us=742109 bob/192.168.10.8:47386 OPTIONS
>
> IMPORT:
> > > reading client specific options from:
> > > /tmp/openvpn/ifconfig/openvpn_cc_eb3789928b91000666b54c31ecbcc26b.tm
> > > p
> > >
> > > Tue Jun 14 17:23:09 2011 us=742409 bob/192.168.10.8:47386 MULTI:
Learn:
> > > 10.8.0.211 -> bob/192.168.10.8:47386
> > >
> > > Tue Jun 14 17:23:09 2011 us=742449 bob/192.168.10.8:47386 MULTI:
> > > primary virtual IP for bob/192.168.10.8:47386: 10.8.0.211
> > >
> > >
> > >
> > > My problem is that the RADIUS-PLUGIN does not pick up on the fact
> > > that there is an updated Framed-IP-Address, and still updates the
> > > database with the old Framed-IP-Address. Even with accounting
> > > updates like below, (not knowing C/C++ well enough to make sense of
> > > the source code), I would assume that when the plugin reads the
> > > status file, it would update any new information, including the
> > > updated Framed-IP-Address, but it still updated the database with
>
> 10.8.0.2.
>
> > > Tue Jun 14 17:27:09 2011 RADIUS-PLUGIN: BACKGROUND ACCT: Scheduler:
> > > Read Statusfile.
> > >
> > > Tue Jun 14 17:27:09 2011 RADIUS-PLUGIN: BACKGROUND-ACCT: Get
> > > ACCOUNTING_RESPONSE-Packet.
> > >
> > > Tue Jun 14 17:27:09 2011 RADIUS-PLUGIN: BACKGROUND-ACCT: Scheduler:
> > > Update packet for User bob was send.
> > >
> > >
> > >
> > > Perhaps I am just doing something wrong, or maybe the plugin just
> > > isn't written to pull and update the Framed-IP-Address from the
> > > status file on every accounting update?
> > >
> > >
> > >
> > > Regards,
> > >
> > > Stuart.
- [Radiusplugin-users] Framed-IP-Address problem, Stuart Stevenson, 2011/06/14
- Re: [Radiusplugin-users] Framed-IP-Address problem, Ralf Lübben, 2011/06/14
- Re: [Radiusplugin-users] Framed-IP-Address problem, Stuart Stevenson, 2011/06/14
- Re: [Radiusplugin-users] Framed-IP-Address problem, Ralf Lübben, 2011/06/14
- Re: [Radiusplugin-users] Framed-IP-Address problem, Stuart Stevenson, 2011/06/14
- Re: [Radiusplugin-users] Framed-IP-Address problem, Ralf Lübben, 2011/06/14
- Re: [Radiusplugin-users] Framed-IP-Address problem,
Stuart Stevenson <=
- Re: [Radiusplugin-users] Framed-IP-Address problem, Ralf Lübben, 2011/06/15
- Re: [Radiusplugin-users] Framed-IP-Address problem, Stuart Stevenson, 2011/06/15
- Re: [Radiusplugin-users] Framed-IP-Address problem, Ralf Lübben, 2011/06/16