
Re: [Radiusplugin-users] Framed-IP-Address problem


From: Stuart Stevenson
Subject: Re: [Radiusplugin-users] Framed-IP-Address problem
Date: Wed, 15 Jun 2011 11:59:12 +0100

Yes, the environment variable that the client-connect script sees is the
correct (randomized) IP address, so there is no problem setting iptables
rules.

Like I was saying, the problem I have is that the RADIUS plugin doesn't get
updated with the new (randomized) IP address, and thus, doesn't pass it
along to my RADIUS server to update the database with.

Surely number 2 (the suggestion I made) would be the easiest? From what I
understand from the source, the sendUpdatePacket and sendStopPacket methods
pull the Framed-IP-Address by:

        ra2(ATTRIB_Framed_IP_Address,this->getFramedIp()),

So the simplest thing to do would be to edit the parseStatusFile method, or add
a new method to pull the correct (randomized) IP address from the status
file, which would then be used in AcctScheduler::doAccounting and
AcctScheduler::delUser by calling setFramedIP? This would remove your
specified problem of the IP not existing in the first accounting packet,
because the randomized IP address is added/updated after client-connect has
been run (or so I hope!).

Thanks,
Stuart.

-----Original Message-----
From: Ralf Lübben [mailto:address@hidden]
Sent: 15 June 2011 08:04
To: Stuart Stevenson
Cc: address@hidden
Subject: Re: [Radiusplugin-users] Framed-IP-Address problem

Hi,

the accounting happens in a parallel process (AccountingProcess.cpp) based
on the Interim-Update value. The values are sent to the process during
CLIENT_CONNECT.

Possible implementations (plugin):
1) Update the IP when a renegotiation occurs (event AUTH_USER_PASS_VERIFY)
based on the OpenVPN option "reneg-sec". Problem: The first accounting
packets would contain the wrong IP.

2) Read the IP from the status file. Problem: Does it already exist for the
first ACCOUNTING packet?

3) Implement the IPCHANGE event in the plugin. But I don't know if it is
triggered when the IP is changed during CLIENT_CONNECT.


Can't you use the ENVP variables in your script? They contain the IP 
addresses, so you could still set the iptables rules.

Ralf



On Wednesday, 15 June 2011, at 00:38:05 you wrote:
> Correct, it appears that the plugin is called before the client-connect
> script.
> 
> I'm a little lost in the source code, but where do you specify the data
> that goes into each accounting call (CLIENT_CONNECT / CLIENT_DISCONNECT)?
> Would it not be possible to update the Framed-IP-Address that gets sent as
> part of the CLIENT_DISCONNECT call from the value defined in ENVP, or even
> modifying the parseStatusFile method to include pulling the
> Framed-IP-Address, similar to how it pulls the in/out bytes.
> 
> Don't get me wrong, I'm not asking you to code me a hack to get this
> working! I'm just curious if that is how it could be done. As randomized
> IPs in the client-connect script isn't essential for me (I can implement
> dynamic iptables commands in the client-connect script, rather than
> persistent SNAT and DNAT entries tied to each client's VPN IP address).
> 
> Cheers,
> Stuart.
> 
> -----Original Message-----
> From: Ralf Lübben [mailto:address@hidden
> Sent: 14 June 2011 21:23
> To: Stuart Stevenson
> Cc: address@hidden
> Subject: Re: [Radiusplugin-users] Framed-IP-Address problem
> 
> Ok, now I see the problem. The script is called after the plugin
> CLIENT_CONNECT, so the plugin is not aware of the randomized IP-address.
> 
> The plugin does not track the IP-address after CLIENT-CONNECT, and it is
> difficult to implement.
> 
> My suggestions are:
> 1) Let the RADIUS server set the IP address (Framed IP option)
> 2) Create the client config file with a "--auth-user-pass-verify" script,
> probably the new IP address is known before the CLIENT_CONNECT event is
> called.
> 3) Use OpenVPN option "--topology subnet"
> 
> On Tuesday, 14 June 2011, at 21:01:58 Stuart Stevenson wrote:
> > The client-connect script adds the ifconfig-push command into the client
> > config file location sent to the client-connect script as variable $1. This
> > pushes a random IP between 10.8.0.2 and 10.8.0.254 to the client.
> > 
> > The RADIUS server sets nothing but the interim acct interval (60
> > seconds).
> > 
> > The problem is, according to the ENVP list on CLIENT_CONNECT, the
> > ifconfig_pool_remote_ip is 10.8.0.2 (the first available IP in the pool
> > specified in the OpenVPN config file). But this is wrong, as the correct
> > IP is a randomized IP which is set through the client-connect script as it
> > pushes the randomized IP as an ifconfig-push command.
> > 
> > On CLIENT_DISCONNECT, ENVP reports the ifconfig_pool_remote_ip as the
> > correct (randomized) IP address of the client. But, when RADIUS runs the
> > SQL query to stop the accounting, the Framed-IP-Address sent to the
> > RADIUS server is 10.8.0.2 -- not the ENVP value of
> > ifconfig_pool_remote_ip. As I am sure the SQL side is working correctly,
> > I can only assume something in the radius plugin is sending the old
> > ifconfig_pool_remote_ip value.
> > 
> > Not that it is a bug in the radius plugin, but perhaps my setup is just
> > unique (or wrong)?
> > 
> > -----Original Message-----
> > From: Ralf Lübben [mailto:address@hidden
> > Sent: 14 June 2011 19:49
> > To: Stuart Stevenson
> > Cc: address@hidden
> > Subject: Re: [Radiusplugin-users] Framed-IP-Address problem
> > 
> > Hi,
> > 
> > which is the IP address (10.8.0.2 or 10.8.0.209) of the tun interface of
> > the client?
> > 
> > Which address is configured by your script? I guess 10.8.0.209.
> > 
> > Does your RADIUS server set a Framed-IP option? (If not, there is no
> > conflict.)
> > 
> > The address of the interface should be the address the plugin returns to
> > the server (see RFC2866, chapter 4.1 for more information).
> > 
> > The code snippet is not repeated in CLIENT_DISCONNECT because in
> > CLIENT_CONNECT the internal database of the plugin is updated.
> > 
> > Also I assume the "ifconfig_pool_remote_ip" should not change between
> > CLIENT_CONNECT and CLIENT_DISCONNECT, maybe this is wrong .
> > 
> > What entries are in your client config file?
> > Does any value of the ENVP list contain the correct IP?
> > 
> > It is strange that "ifconfig_pool_remote_ip" changes.
> > 
> > On Tuesday, 14 June 2011, at 20:18:41 Stuart Stevenson wrote:
> > > Not quite sure what you mean by this.
> > > 
> > > What I would like to happen is for the accounting update packets, or
> > > the accounting stop packets to contain the correct Framed-IP-Address.
> > > 
> > > On a CLIENT_CONNECT, the ENVP output shows:
> > >   Tue Jun 14 19:01:45 2011 us=737790 bob/192.168.10.8:49121 ENVP[3] = 'ifconfig_pool_remote_ip=10.8.0.2'
> > > 
> > > Which is actually incorrect, but from what you are saying, this is a
> > > conflict between my client-connect script and the client configs file
> > > the radius plugin creates?
> > > 
> > > However, on a CLIENT_DISCONNECT, ENVP shows the correct
> > > ifconfig_pool_remote_ip, which I would like to be entered into my
> > > database.
> > > 
> > > But the problem I have is that the radius plugin must still be sending
> > > the old ifconfig_pool_remote_ip from the initial CLIENT_CONNECT.
> > > 
> > >   Tue Jun 14 19:02:10 2011 us=362334 ENVP[6] = 'ifconfig_pool_remote_ip=10.8.0.209'
> > > 
> > > I assume this is because of radiusplugin.cpp, Line 465:
> > >   if (get_env ( "ifconfig_pool_remote_ip", envp ) != NULL)
> > >   {
> > >           newuser->setFramedIp ( string ( get_env ( "ifconfig_pool_remote_ip", envp ) ) );
> > >   }
> > > 
> > > The setFramedIp method is never called again during the
> > > CLIENT_DISCONNECT stage, so I assume this is why the Framed-IP-Address
> > > that is updated in to my database is incorrect? I haven't tested this
> > > myself yet, but I would hazard a guess that the addition of the above
> > > code snippet into radiusplugin.cpp above Line 563 would solve this for
> > > me?
> > > 
> > > Thanks,
> > > Stuart.
> > > 
> > > -----Original Message-----
> > > From: Ralf Lübben [mailto:address@hidden
> > > Sent: 14 June 2011 18:00
> > > To: address@hidden
> > > Cc: Stuart Stevenson
> > > Subject: Re: [Radiusplugin-users] Framed-IP-Address problem
> > > 
> > > Hi,
> > > 
> > > the plugin just writes the Framed-IP address to the client config file
> > > (maybe as your client config script does) if it gets one from the
> > > radius server.
> > > 
> > > One option could be not to send the Framed IP option; another option
> > > could be to do the address selection at the radius.
> > > 
> > > Overall, I think the behavior of a script and a plugin is very similar.
> > > 
> > > If you have further questions please let me know.
> > > 
> > > Ralf
> > > 
> > > On Tuesday, 14 June 2011, at 18:38:35 Stuart Stevenson wrote:
> > > > Hi,
> > > > 
> > > > 
> > > > 
> > > > I'm trying to get the correct Framed-IP-Address stored into the
> > > > database, but it won't update with the new value.
> > > > 
> > > > 
> > > > 
> > > > First, I connect to OpenVPN, and by default, it tries to assign an
> > > > IP from the range 10.8.0.0/24 (hence the 10.8.0.2) the RADIUS-PLUGIN
> > > > sees below:
> > > > 
> > > > Tue Jun 14 17:23:09 2011 RADIUS-PLUGIN: FOREGROUND:
> > > > OPENVPN_PLUGIN_CLIENT_CONNECT is called.
> > > > 
> > > > Tue Jun 14 17:23:09 2011 RADIUS-PLUGIN: FOREGROUND: Key:
> > > > 192.168.10.8:47386.
> > > > 
> > > > Tue Jun 14 17:23:09 2011 RADIUS-PLUGIN: FOREGROUND: Set FramedIP to
> > > > the IP
> > > > (10.8.0.2) OpenVPN assigned to the user bob
> > > > 
> > > > 
> > > > 
> > > > However, I have a client-connect script which pulls a random IP from
> > > > the
> > > > 10.8.0.0/24 range and puts the random Framed-IP-Address into this
> > > > dynamic config file. As can be seen below, OpenVPN recognises this
> > > > and updates accordingly (including in the status file):
> > > > 
> > > > 
> > > > 
> > > > Tue Jun 14 17:23:09 2011 us=553408 bob/192.168.10.8:47386 OPTIONS IMPORT:
> > > > reading client specific options from:
> > > > /tmp/openvpn/ifconfig/openvpn_cc_3745795b4223cfddef61f0260b52ec84.tmp
> > > > 
> > > > Tue Jun 14 17:23:09 2011 us=742109 bob/192.168.10.8:47386 OPTIONS IMPORT:
> > > > reading client specific options from:
> > > > /tmp/openvpn/ifconfig/openvpn_cc_eb3789928b91000666b54c31ecbcc26b.tmp
> > > > 
> > > > Tue Jun 14 17:23:09 2011 us=742409 bob/192.168.10.8:47386 MULTI: Learn:
> > > > 10.8.0.211 -> bob/192.168.10.8:47386
> > > > 
> > > > Tue Jun 14 17:23:09 2011 us=742449 bob/192.168.10.8:47386 MULTI:
> > > > primary virtual IP for bob/192.168.10.8:47386: 10.8.0.211
> > > > 
> > > > 
> > > > 
> > > > My problem is that the RADIUS-PLUGIN does not pick up on the fact
> > > > that there is an updated Framed-IP-Address, and still updates the
> > > > database with the old Framed-IP-Address. Even with accounting
> > > > updates like below, (not knowing C/C++ well enough to make sense of
> > > > the source code), I would assume that when the plugin reads the
> > > > status file, it would update any new information, including the
> > > > updated Framed-IP-Address, but it still updated the database with
> > > > 10.8.0.2.
> > > > 
> > > > Tue Jun 14 17:27:09 2011 RADIUS-PLUGIN: BACKGROUND ACCT: Scheduler:
> > > > Read Statusfile.
> > > > 
> > > > Tue Jun 14 17:27:09 2011 RADIUS-PLUGIN: BACKGROUND-ACCT: Get
> > > > ACCOUNTING_RESPONSE-Packet.
> > > > 
> > > > Tue Jun 14 17:27:09 2011 RADIUS-PLUGIN: BACKGROUND-ACCT: Scheduler:
> > > > Update packet for User bob was sent.
> > > > 
> > > > 
> > > > 
> > > > Perhaps I am just doing something wrong, or maybe the plugin just
> > > > isn't written to pull and update the Framed-IP-Address from the
> > > > status file on every accounting update?
> > > > 
> > > > 
> > > > 
> > > > Regards,
> > > > 
> > > > Stuart.
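As an added illustration of suggestion 2 in the thread above (reading the randomized address back from the OpenVPN status file so that Interim-Update and Stop packets carry the right Framed-IP-Address), here is a small stand-alone C++ parser. It is example code written for this page, not the radiusplugin's parseStatusFile and not any other code from the project. It assumes the status-version 1 layout of the OpenVPN status file (a "ROUTING TABLE" section with the columns Virtual Address, Common Name, Real Address, Last Ref), keys the lookup on the client's real address, which is the "Key: 192.168.10.8:47386" value the plugin logs, and works on a constructed sample status file that also contains a constructed iroute entry to show why a subnet route for the same client must not be mistaken for its host address. chooseFramedIp covers the first-packet case Ralf raised: when the routing table has no entry yet, it keeps the address captured at CLIENT_CONNECT.

```cpp
// Example code for the mailing-list discussion above; not part of radiusplugin.
// Assumes the OpenVPN status-version 1 file layout.
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Constructed sample status file. Byte counters and timestamps are made up;
// the real address and the 10.8.0.211 route mirror the log lines in the thread.
// The 192.168.50.0/24 row stands in for an iroute learned for the same client.
static const char* kSampleStatus =
    "OpenVPN CLIENT LIST\n"
    "Updated,Tue Jun 14 17:27:09 2011\n"
    "Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since\n"
    "bob,192.168.10.8:47386,40233,58817,Tue Jun 14 17:23:09 2011\n"
    "ROUTING TABLE\n"
    "Virtual Address,Common Name,Real Address,Last Ref\n"
    "192.168.50.0/24,bob,192.168.10.8:47386,Tue Jun 14 17:27:05 2011\n"
    "10.8.0.211,bob,192.168.10.8:47386,Tue Jun 14 17:27:05 2011\n"
    "GLOBAL STATS\n"
    "Max bcast/mcast queue length,0\n"
    "END\n";

// Split one line of the status file on commas. Fields in this layout never
// contain commas themselves, so a plain split is sufficient.
static std::vector<std::string> splitCsv(const std::string& line) {
    std::vector<std::string> fields;
    std::string field;
    std::istringstream in(line);
    while (std::getline(in, field, ',')) fields.push_back(field);
    return fields;
}

// Return the virtual address the ROUTING TABLE lists for `realAddress`, or an
// empty string if the client has no route yet. Rows whose virtual address
// contains '/' are subnets pushed via iroute, not the client's own address,
// so they are skipped; only the host entry is returned.
std::string framedIpFromStatus(const std::string& status,
                               const std::string& realAddress) {
    std::istringstream in(status);
    std::string line;
    bool inRoutingTable = false;
    bool headerSeen = false;
    while (std::getline(in, line)) {
        if (!line.empty() && line.back() == '\r') line.pop_back();  // tolerate CRLF
        if (line == "ROUTING TABLE") { inRoutingTable = true; headerSeen = false; continue; }
        if (line == "GLOBAL STATS" || line == "END") inRoutingTable = false;
        if (!inRoutingTable) continue;
        if (!headerSeen) { headerSeen = true; continue; }  // skip the column header row
        std::vector<std::string> f = splitCsv(line);
        if (f.size() < 3) continue;                          // malformed row, ignore
        if (f[2] == realAddress && f[0].find('/') == std::string::npos) return f[0];
    }
    return "";
}

// Pick the value for Framed-IP-Address in an accounting packet: prefer the
// status file, and fall back to the ifconfig_pool_remote_ip captured at
// CLIENT_CONNECT while the routing table does not know the client yet.
std::string chooseFramedIp(const std::string& status, const std::string& realAddress,
                           const std::string& connectTimeIp) {
    std::string fromStatus = framedIpFromStatus(status, realAddress);
    return fromStatus.empty() ? connectTimeIp : fromStatus;
}

int main() {
    const std::string key = "192.168.10.8:47386";
    std::cout << "status file says: " << framedIpFromStatus(kSampleStatus, key) << "\n";
    std::cout << "first packet (empty status): "
              << chooseFramedIp("", key, "10.8.0.2") << "\n";
    std::cout << "later packets: " << chooseFramedIp(kSampleStatus, key, "10.8.0.2") << "\n";
    return 0;
}
```

Run against the constructed sample, the lookup yields 10.8.0.211 for bob rather than the 10.8.0.2 the plugin captured at CLIENT_CONNECT, and the fallback keeps 10.8.0.2 only while the status file has no route for the client.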




