
Re: [Radiusplugin-users] Framed-IP-Address problem


From: Ralf Lübben
Subject: Re: [Radiusplugin-users] Framed-IP-Address problem
Date: Wed, 15 Jun 2011 09:04:01 +0200
User-agent: KMail/1.13.5 (Linux/2.6.35-28-generic; KDE/4.5.5; i686; ; )

Hi,

the accounting happens in a parallel process (AccountingProcess.cpp) based on 
the Interim-Update value. The values are sent to the process during 
CLIENT_CONNECT. 

Possible implementations (plugin):
1) Update the IP when a renegotiation occurs (event AUTH_USER_PASS_VERIFY) 
based on the OpenVPN option "reneg-sec". Problem: The first accounting 
packets would contain the wrong IP.

2) Read the IP from the status file. Problem: Does it already exist for the 
first ACCOUNTING packet?

3) Implement the IPCHANGE event in the plugin. But I don't know if it is 
triggered when the IP is changed during CLIENT_CONNECT.


Can't you use the ENVP variables in your script? They contain the IP 
addresses, so you could still set the iptables rules.

Ralf



On Wednesday, 15 June 2011, at 00:38:05, you wrote:
> Correct, it appears that the plugin is called before client-connect script.
> 
> I'm a little lost in the source code, but where do you specify the data
> that goes into each accounting call (CLIENT_CONNECT / CLIENT_DISCONNECT)?
> Would it not be possible to update the Framed-IP-Address that gets sent as
> part of the CLIENT_DISCONNECT call from the value defined in ENVP, or even
> modifying the parseStatusFile method to include pulling the
> Framed-IP-Address, similar to how it pulls the in/out bytes.
> 
> Don't get me wrong, I'm not asking you to code me a hack to get this
> working! I'm just curious if that is how it could be done. As randomized
> IPs in the client-connect script isn't essential for me (I can implement
> dynamic iptables commands in the client-connect script, rather than
> persistent SNAT and DNAT entries tied to each client's VPN IP address).
> 
> Cheers,
> Stuart.
> 
> -----Original Message-----
> From: Ralf Lübben [mailto:address@hidden
> Sent: 14 June 2011 21:23
> To: Stuart Stevenson
> Cc: address@hidden
> Subject: Re: [Radiusplugin-users] Framed-IP-Address problem
> 
> Ok, now I see the problem. The script is called after the plugin
> CLIENT_CONNECT, so the plugin is not aware of the randomized IP-address.
> 
> The plugin does not track the IP-address after CLIENT-CONNECT, and it is
> difficult to implement.
> 
> My suggestions are:
> 1) Let the RADIUS server set the IP address (Framed IP option)
> 2) Create the client config file with a "--auth-user-pass-verify" script,
> probably the new IP address is known before CLIENT_CONNECT event is called.
> 3) Use OpenVPN option "--topology subnet"
> 
> On Tuesday, 14 June 2011, at 21:01:58, Stuart Stevenson wrote:
> > The client-connect script adds the ifconfig-push command into the client
> > config file location sent to the client-connect script as variable $1.
> > This pushes a random IP between 10.8.0.2 and 10.8.0.254 to the client.
> > 
> > The RADIUS server sets nothing but the interim acct interval (60
> > seconds).
> > 
> > The problem is, according to the ENVP list on CLIENT_CONNECT, the
> > ifconfig_pool_remote_ip is 10.8.0.2 (the first available IP in the pool
> > specified in the OpenVPN config file). But this is wrong, as the correct
> > IP is a randomized IP which is set through the client-connect script as it
> > pushes the randomized IP as an ifconfig-push command.
> > 
> > On CLIENT_DISCONNECT, ENVP reports the ifconfig_pool_remote_ip as the
> > correct (randomized) IP address of the client. But, when RADIUS runs the
> > SQL query to stop the accounting, the Framed-IP-Address sent to the
> > RADIUS server is 10.8.0.2 -- not the ENVP value of
> > ifconfig_pool_remote_ip. As I am sure the SQL side is working correctly,
> > I can only assume something in the radius plugin is sending the old
> > ifconfig_pool_remote_ip value.
> > 
> > Not that it is a bug in the radius plugin, but perhaps my setup is just
> > unique (or wrong)?
> > 
> > -----Original Message-----
> > From: Ralf Lübben [mailto:address@hidden
> > Sent: 14 June 2011 19:49
> > To: Stuart Stevenson
> > Cc: address@hidden
> > Subject: Re: [Radiusplugin-users] Framed-IP-Address problem
> > 
> > Hi,
> > 
> > which is the IP address (10.8.0.2 or 10.8.0.209) of the tun interface of
> > the client?
> > 
> > Which address is configured by your script? I guess 10.8.0.209.
> > 
> > Does your RADIUS server set a Framed-IP option? (If not, there is no
> > conflict.)
> > 
> > The address of the interface should be the address the plugin returns to
> > the server (see RFC2866, chapter 4.1 for more information).
> > 
> > The code snippet is not repeated in CLIENT_DISCONNECT because in
> > CLIENT_CONNECT the internal database of the plugin is updated.
> > 
> > Also I assume the "ifconfig_pool_remote_ip" should not change between
> > CLIENT_CONNECT and CLIENT_DISCONNECT, maybe this is wrong.
> > 
> > What entries are in your client config file?
> > Does any value of the ENVP list contain the correct IP?
> > 
> > It is strange that "ifconfig_pool_remote_ip" changes.
> > 
> > On Tuesday, 14 June 2011, at 20:18:41, Stuart Stevenson wrote:
> > > Not quite sure what you mean by this.
> > > 
> > > What I would like to happen is for the accounting update packets, or
> > > the accounting stop packets to contain the correct Framed-IP-Address.
> > > 
> > > On a CLIENT_CONNECT, the ENVP output shows:
> > >   Tue Jun 14 19:01:45 2011 us=737790 bob/192.168.10.8:49121 ENVP[3] = 'ifconfig_pool_remote_ip=10.8.0.2'
> > > 
> > > Which is actually incorrect, but from what you are saying, this is a
> > > conflict between my client-connect script and the client configs file
> > > the radius plugin creates?
> > > 
> > > However, on a CLIENT_DISCONNECT, ENVP shows the correct
> > > ifconfig_pool_remote_ip, which I would like to be entered into my
> > > database.
> > > But the problem I have is that the radius plugin must still be sending
> > > the old ifconfig_pool_remote_ip from the initial CLIENT_CONNECT.
> > > 
> > >   Tue Jun 14 19:02:10 2011 us=362334 ENVP[6] = 'ifconfig_pool_remote_ip=10.8.0.209'
> > > 
> > > I assume this is because of radiusplugin.cpp, Line 465:
> > >   if (get_env ( "ifconfig_pool_remote_ip", envp ) !=NULL)
> > >   {
> > >           newuser->setFramedIp ( string ( get_env ( "ifconfig_pool_remote_ip", envp ) ) );
> > >   }
> > > 
> > > The setFramedIp method is never called again during the
> > > CLIENT_DISCONNECT stage, so I assume this is why the Framed-IP-Address
> > > that is updated in to my database is incorrect? I haven't tested this
> > > myself yet, but I would hazard a guess that the addition of the above
> > > code snippet into radiusplugin.cpp above Line 563 would solve this for
> > > me?
> > > 
> > > Thanks,
> > > Stuart.
> > > 
> > > -----Original Message-----
> > > From: Ralf Lübben [mailto:address@hidden
> > > Sent: 14 June 2011 18:00
> > > To: address@hidden
> > > Cc: Stuart Stevenson
> > > Subject: Re: [Radiusplugin-users] Framed-IP-Address problem
> > > 
> > > Hi,
> > > 
> > > the plugin just writes the Framed-IP address to the client config file
> > > (maybe as your client config script does) if it gets one from the
> > > radius server.
> > > 
> > > One option could be not to send the Framed IP option; another option
> > > could be to do the address selection at the radius.
> > > 
> > > Overall, I think the behavior of a script and a plugin are very similar.
> > > 
> > > If you have further questions please let me know.
> > > 
> > > Ralf
> > > 
> > > On Tuesday, 14 June 2011, at 18:38:35, Stuart Stevenson wrote:
> > > > Hi,
> > > > 
> > > > 
> > > > 
> > > > I'm trying to get the correct Framed-IP-Address stored into the
> > > > database, but it won't update with the new value.
> > > > 
> > > > 
> > > > 
> > > > First, I connect to OpenVPN, and by default, it tries to assign an
> > > > IP from the range 10.8.0.0/24 (hence the 10.8.0.2) the RADIUS-PLUGIN
> > > > sees below:
> > > > 
> > > > Tue Jun 14 17:23:09 2011 RADIUS-PLUGIN: FOREGROUND: OPENVPN_PLUGIN_CLIENT_CONNECT is called.
> > > > 
> > > > Tue Jun 14 17:23:09 2011 RADIUS-PLUGIN: FOREGROUND: Key: 192.168.10.8:47386.
> > > > 
> > > > Tue Jun 14 17:23:09 2011 RADIUS-PLUGIN: FOREGROUND: Set FramedIP to the IP (10.8.0.2) OpenVPN assigned to the user bob
> > > > 
> > > > 
> > > > 
> > > > However, I have a client-connect script which pulls a random IP from
> > > > the 10.8.0.0/24 range and puts the random Framed-IP-Address into this
> > > > dynamic config file. As can be seen below, OpenVPN recognises this
> > > > and updates accordingly (including in the status file):
> > > > 
> > > > 
> > > > 
> > > > Tue Jun 14 17:23:09 2011 us=553408 bob/192.168.10.8:47386 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn/ifconfig/openvpn_cc_3745795b4223cfddef61f0260b52ec84.tmp
> > > > 
> > > > Tue Jun 14 17:23:09 2011 us=742109 bob/192.168.10.8:47386 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn/ifconfig/openvpn_cc_eb3789928b91000666b54c31ecbcc26b.tmp
> > > > 
> > > > Tue Jun 14 17:23:09 2011 us=742409 bob/192.168.10.8:47386 MULTI: Learn: 10.8.0.211 -> bob/192.168.10.8:47386
> > > > 
> > > > Tue Jun 14 17:23:09 2011 us=742449 bob/192.168.10.8:47386 MULTI: primary virtual IP for bob/192.168.10.8:47386: 10.8.0.211
> > > > 
> > > > 
> > > > 
> > > > My problem is that the RADIUS-PLUGIN does not pick up on the fact
> > > > that there is an updated Framed-IP-Address, and still updates the
> > > > database with the old Framed-IP-Address. Even with accounting
> > > > updates like below, (not knowing C/C++ well enough to make sense of
> > > > the source code), I would assume that when the plugin reads the
> > > > status file, it would update any new information, including the
> > > > updated Framed-IP-Address, but it still updated the database with
> > > > 10.8.0.2.
> > > > 
> > > > Tue Jun 14 17:27:09 2011 RADIUS-PLUGIN: BACKGROUND ACCT: Scheduler: Read Statusfile.
> > > > 
> > > > Tue Jun 14 17:27:09 2011 RADIUS-PLUGIN: BACKGROUND-ACCT: Get ACCOUNTING_RESPONSE-Packet.
> > > > 
> > > > Tue Jun 14 17:27:09 2011 RADIUS-PLUGIN: BACKGROUND-ACCT: Scheduler: Update packet for User bob was send.
> > > > 
> > > > 
> > > > 
> > > > Perhaps I am just doing something wrong, or maybe the plugin just
> > > > isn't written to pull and update the Framed-IP-Address from the
> > > > status file on every accounting update?
> > > > 
> > > > 
> > > > 
> > > > Regards,
> > > > 
> > > > Stuart.
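
Added example (not part of the original messages and not radiusplugin code): option 2 from the reply at the top of this thread, looking up a client's current virtual IP in the OpenVPN status file by the real-address key and falling back to the CLIENT_CONNECT value when no routing entry exists yet. The function names and the sample status text are assumptions, and the layout assumed is OpenVPN's "status-version 1" format.

```cpp
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

static std::vector<std::string> splitCsv(const std::string &line) {
    std::vector<std::string> out;
    std::stringstream ss(line);
    for (std::string f; std::getline(ss, f, ',');) out.push_back(f);
    return out;
}

// Virtual address under ROUTING TABLE for the client whose real address is
// `key` ("ip:port", as in the plugin's "Key:" log line); "" if none yet.
std::string framedIpFromStatus(std::istream &status, const std::string &key) {
    bool inRouting = false;
    for (std::string line; std::getline(status, line);) {
        if (!line.empty() && line.back() == '\r') line.pop_back();
        if (line == "ROUTING TABLE") { inRouting = true; continue; }
        if (line == "GLOBAL STATS") break;               // end of routing section
        if (!inRouting) continue;
        std::vector<std::string> f = splitCsv(line);
        if (f.size() < 4 || f[0] == "Virtual Address") continue;  // header or short line
        if (f[0].find('/') != std::string::npos) continue;        // iroute subnet, not a host
        if (f[2] == key) return f[0];
    }
    return "";
}

// Prefer the status file; fall back to the address seen at CLIENT_CONNECT so
// the first accounting packet still carries a value.
std::string chooseFramedIp(const std::string &statusText, const std::string &key,
                           const std::string &connectIp) {
    std::istringstream in(statusText);
    const std::string ip = framedIpFromStatus(in, key);
    return ip.empty() ? connectIp : ip;
}

// Constructed status file (status-version 1 assumed), addresses from the thread's logs.
static const char *SAMPLE_STATUS =
    "OpenVPN CLIENT LIST\nUpdated,Tue Jun 14 17:27:09 2011\n"
    "Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since\n"
    "bob,192.168.10.8:47386,4096,8192,Tue Jun 14 17:23:09 2011\n"
    "ROUTING TABLE\nVirtual Address,Common Name,Real Address,Last Ref\n"
    "10.8.0.211,bob,192.168.10.8:47386,Tue Jun 14 17:27:08 2011\n"
    "GLOBAL STATS\nMax bcast/mcast queue length,0\nEND\n";

int main() {
    std::cout << chooseFramedIp(SAMPLE_STATUS, "192.168.10.8:47386", "10.8.0.2") << "\n";
}
```

Matching on the real address rather than the common name keeps two sessions of the same user apart, so each accounting record carries the address that session actually used.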



