
Re: [Radiusplugin-users] Framed-IP-Address problem


From: Stuart Stevenson
Subject: Re: [Radiusplugin-users] Framed-IP-Address problem
Date: Tue, 14 Jun 2011 23:38:05 +0100

Correct, it appears that the plugin is called before the client-connect script.

I'm a little lost in the source code, but where do you specify the data that
goes into each accounting call (CLIENT_CONNECT / CLIENT_DISCONNECT)? Would
it not be possible to update the Framed-IP-Address that gets sent as part of
the CLIENT_DISCONNECT call from the value defined in ENVP, or even modifying
the parseStatusFile method to include pulling the Framed-IP-Address, similar
to how it pulls the in/out bytes?

Don't get me wrong, I'm not asking you to code me a hack to get this
working! I'm just curious if that is how it could be done. As randomized IPs
in the client-connect script isn't essential for me (I can implement dynamic
iptables commands in the client-connect script, rather than persistent SNAT
and DNAT entries tied to each client's VPN IP address).

Cheers,
Stuart.

-----Original Message-----
From: Ralf Lübben [mailto:address@hidden]
Sent: 14 June 2011 21:23
To: Stuart Stevenson
Cc: address@hidden
Subject: Re: [Radiusplugin-users] Framed-IP-Address problem

Ok, now I see the problem. The script is called after the plugin
CLIENT_CONNECT, so the plugin is not aware of the randomized IP-address. 

The plugin does not track the IP-address after CLIENT-CONNECT, and it is
difficult to implement.

My suggestions are:
1) Let the RADIUS server set the IP address (Framed IP option)
2) Create the client config file with a "--auth-user-pass-verify" script,
probably the new IP address is known before CLIENT_CONNECT event is called.
3) Use OpenVPN option "--topology subnet"


On Tuesday, 14 June 2011, at 21:01:58, Stuart Stevenson wrote:
> The client-connect script adds the ifconfig-push command into the client
> config file location sent to the client-connect script as variable $1. This
> pushes a random IP between 10.8.0.2 and 10.8.0.254 to the client.
> 
> The RADIUS server sets nothing but the interim acct interval (60 seconds).
> 
> The problem is, according to the ENVP list on CLIENT_CONNECT, the
> ifconfig_pool_remote_ip is 10.8.0.2 (the first available IP in the pool
> specified in the OpenVPN config file). But this is wrong, as the correct IP
> is a randomized IP which is set through the client-connect script as it
> pushes the randomized IP as an ifconfig-push command.
> 
> On CLIENT_DISCONNECT, ENVP reports the ifconfig_pool_remote_ip as the
> correct (randomized) IP address of the client. But, when RADIUS runs the
> SQL query to stop the accounting, the Framed-IP-Address sent to the RADIUS
> server is 10.8.0.2 -- not the ENVP value of ifconfig_pool_remote_ip. As I
> am sure the SQL side is working correctly, I can only assume something in
> the radius plugin is sending the old ifconfig_pool_remote_ip value.
> 
> Not that it is a bug in the radius plugin, but perhaps my setup is just
> unique (or wrong)?
> 
> -----Original Message-----
> From: Ralf Lübben [mailto:address@hidden]
> Sent: 14 June 2011 19:49
> To: Stuart Stevenson
> Cc: address@hidden
> Subject: Re: [Radiusplugin-users] Framed-IP-Address problem
> 
> Hi,
> 
> which is the IP address (10.8.0.2 or 10.8.0.209) of the tun interface of
> the client?
> 
> Which address is configured by your script? I guess 10.8.0.209.
> 
> Does your RADIUS server set a Framed-IP option? (If not, there is no
> conflict.)
> 
> The address of the interface should be the address the plugin returns to
> the server (see RFC2866, chapter 4.1 for more information).
> 
> The code snippet is not repeated in CLIENT_DISCONNECT because in
> CLIENT_CONNECT the internal database of the plugin is updated.
> 
> Also I assume the "ifconfig_pool_remote_ip" should not change between
> CLIENT_CONNECT and CLIENT_DISCONNECT, maybe this is wrong.
> 
> What entries are in your client config file?
> Does any value of the ENVP list contain the correct IP?
> 
> It is strange that "ifconfig_pool_remote_ip" changes.
> 
> On Tuesday, 14 June 2011, at 20:18:41, Stuart Stevenson wrote:
> > Not quite sure what you mean by this.
> > 
> > What I would like to happen is for the accounting update packets, or
> > the accounting stop packets to contain the correct Framed-IP-Address.
> > 
> > On a CLIENT_CONNECT, the ENVP output shows:
> >     Tue Jun 14 19:01:45 2011 us=737790 bob/192.168.10.8:49121 ENVP[3] = 'ifconfig_pool_remote_ip=10.8.0.2'
> > 
> > Which is actually incorrect, but from what you are saying, this is a
> > conflict between my client-connect script and the client configs file
> > the radius plugin creates?
> > 
> > However, on a CLIENT_DISCONNECT, ENVP shows the correct
> > ifconfig_pool_remote_ip, which I would like to be entered into my
> > database.
> > 
> > But the problem I have is that the radius plugin must still be sending
> > the old ifconfig_pool_remote_ip from the initial CLIENT_CONNECT.
> > 
> >     Tue Jun 14 19:02:10 2011 us=362334 ENVP[6] = 'ifconfig_pool_remote_ip=10.8.0.209'
> > 
> > I assume this is because of radiusplugin.cpp, Line 465:
> >     if (get_env ( "ifconfig_pool_remote_ip", envp ) !=NULL)
> >     {
> >             newuser->setFramedIp ( string ( get_env ( "ifconfig_pool_remote_ip", envp ) ) );
> >     }
> > 
> > The setFramedIp method is never called again during the
> > CLIENT_DISCONNECT stage, so I assume this is why the Framed-IP-Address
> > that is updated in to my database is incorrect? I haven't tested this
> > myself yet, but I would hazard a guess that the addition of the above
> > code snippet into radiusplugin.cpp above Line 563 would solve this for
> > me?
> > 
> > Thanks,
> > Stuart.
> > 
> > -----Original Message-----
> > From: Ralf Lübben [mailto:address@hidden]
> > Sent: 14 June 2011 18:00
> > To: address@hidden
> > Cc: Stuart Stevenson
> > Subject: Re: [Radiusplugin-users] Framed-IP-Address problem
> > 
> > Hi,
> > 
> > the plugin just writes the Framed-IP address to the client config file
> > (maybe as your client config script does) if it gets one from the
> > radius server.
> > 
> > One option could be not to send the Framed IP option; another option
> > could be to do the address selection at the radius.
> > 
> > Overall, I think the behavior of a script and a plugin are very similar.
> > 
> > If you have further questions please let me know.
> > 
> > Ralf
> > 
> > On Tuesday, 14 June 2011, at 18:38:35, Stuart Stevenson wrote:
> > > Hi,
> > > 
> > > 
> > > 
> > > I'm trying to get the correct Framed-IP-Address stored into the
> > > database, but it won't update with the new value.
> > > 
> > > 
> > > 
> > > First, I connect to OpenVPN, and by default, it tries to assign an
> > > IP from the range 10.8.0.0/24 (hence the 10.8.0.2) the RADIUS-PLUGIN
> > > sees below:
> > > 
> > > Tue Jun 14 17:23:09 2011 RADIUS-PLUGIN: FOREGROUND: OPENVPN_PLUGIN_CLIENT_CONNECT is called.
> > > 
> > > Tue Jun 14 17:23:09 2011 RADIUS-PLUGIN: FOREGROUND: Key: 192.168.10.8:47386.
> > > 
> > > Tue Jun 14 17:23:09 2011 RADIUS-PLUGIN: FOREGROUND: Set FramedIP to the IP (10.8.0.2) OpenVPN assigned to the user bob
> > > 
> > > 
> > > 
> > > However, I have a client-connect script which pulls a random IP from
> > > the
> > > 10.8.0.0/24 range and puts the random Framed-IP-Address into this
> > > dynamic config file. As can be seen below, OpenVPN recognises this
> > > and updates according (including in the status file):
> > > 
> > > 
> > > 
> > > Tue Jun 14 17:23:09 2011 us=553408 bob/192.168.10.8:47386 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn/ifconfig/openvpn_cc_3745795b4223cfddef61f0260b52ec84.tmp
> > > 
> > > Tue Jun 14 17:23:09 2011 us=742109 bob/192.168.10.8:47386 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn/ifconfig/openvpn_cc_eb3789928b91000666b54c31ecbcc26b.tmp
> > > 
> > > Tue Jun 14 17:23:09 2011 us=742409 bob/192.168.10.8:47386 MULTI: Learn: 10.8.0.211 -> bob/192.168.10.8:47386
> > > 
> > > Tue Jun 14 17:23:09 2011 us=742449 bob/192.168.10.8:47386 MULTI: primary virtual IP for bob/192.168.10.8:47386: 10.8.0.211
> > > 
> > > 
> > > 
> > > My problem is that the RADIUS-PLUGIN does not pick up on the fact
> > > that there is an updated Framed-IP-Address, and still updates the
> > > database with the old Framed-IP-Address. Even with accounting
> > > updates like below, (not knowing C/C++ well enough to make sense of
> > > the source code), I would assume that when the plugin reads the
> > > status file, it would update any new information, including the
> > > updated Framed-IP-Address, but it still updated the database with
> > > 10.8.0.2.
> > > 
> > > Tue Jun 14 17:27:09 2011 RADIUS-PLUGIN: BACKGROUND ACCT: Scheduler: Read Statusfile.
> > > 
> > > Tue Jun 14 17:27:09 2011 RADIUS-PLUGIN: BACKGROUND-ACCT: Get ACCOUNTING_RESPONSE-Packet.
> > > 
> > > Tue Jun 14 17:27:09 2011 RADIUS-PLUGIN: BACKGROUND-ACCT: Scheduler: Update packet for User bob was send.
> > > 
> > > 
> > > 
> > > Perhaps I am just doing something wrong, or maybe the plugin just
> > > isn't written to pull and update the Framed-IP-Address from the
> > > status file on every accounting update?
> > > 
> > > 
> > > 
> > > Regards,
> > > 
> > > Stuart.
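
Added example, not part of the original thread and not code from radiusplugin: a simplified C++ model of the behaviour discussed above, where the Framed-IP is cached at CLIENT_CONNECT and reused at CLIENT_DISCONNECT, next to a variant that re-reads ifconfig_pool_remote_ip from envp before the accounting stop. The User struct, the handler functions and the envp arrays are assumptions built from the values quoted in the thread; only the names get_env and setFramedIp come from the quoted snippet, and their bodies here are written for this example.

```cpp
// Added illustration: a simplified model, not radiusplugin.cpp itself.
#include <cstring>
#include <iostream>
#include <string>

// Look up NAME in an OpenVPN-style envp array of "NAME=value" strings.
static const char *get_env(const char *name, const char *envp[]) {
    const std::size_t n = std::strlen(name);
    for (int i = 0; envp && envp[i]; ++i)
        if (std::strncmp(envp[i], name, n) == 0 && envp[i][n] == '=')
            return envp[i] + n + 1;
    return nullptr;
}

// Hypothetical per-session record; only the setter name comes from the thread.
struct User {
    std::string framedIp;
    void setFramedIp(const std::string &ip) { framedIp = ip; }
};

// CLIENT_CONNECT: cache whatever address OpenVPN reports at this point.
void on_connect(User &u, const char *envp[]) {
    if (const char *ip = get_env("ifconfig_pool_remote_ip", envp))
        u.setFramedIp(ip);
}

// CLIENT_DISCONNECT as observed in the thread: the cached value is sent.
std::string stop_framed_ip_cached(const User &u, const char *[]) {
    return u.framedIp;
}

// CLIENT_DISCONNECT with the refresh proposed in the thread: re-read envp
// first and fall back to the cached value if the variable is absent.
std::string stop_framed_ip_refreshed(User &u, const char *envp[]) {
    if (const char *ip = get_env("ifconfig_pool_remote_ip", envp))
        u.setFramedIp(ip);
    return u.framedIp;
}

// Constructed envp arrays using the values quoted in the thread.
static const char *kConnectEnv[] = {"common_name=bob", "ifconfig_pool_remote_ip=10.8.0.2", nullptr};
static const char *kDisconnectEnv[] = {"common_name=bob", "ifconfig_pool_remote_ip=10.8.0.209", nullptr};

int main() {
    User u;
    on_connect(u, kConnectEnv);
    std::cout << "cached:    " << stop_framed_ip_cached(u, kDisconnectEnv) << "\n";
    std::cout << "refreshed: " << stop_framed_ip_refreshed(u, kDisconnectEnv) << "\n";
}
```

The model only shows why the accounting stop can carry the address seen at connect time; whether the same change is sufficient inside the real plugin is not established by the thread.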




