[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Radiusplugin-users] Framed-IP-Address problem
From: |
Ralf Lübben |
Subject: |
Re: [Radiusplugin-users] Framed-IP-Address problem |
Date: |
Thu, 16 Jun 2011 18:33:21 +0200 |
User-agent: |
KMail/1.13.5 (Linux/2.6.35-28-generic; KDE/4.5.5; i686; ; ) |
Which script configures the randomized IPs? I thought the script which sets the
iptables rules also configures the IPs.
If the randomized IPs are configured before CLIENT-CONNECT I'm wondering why
the plugin and the script see different IPs. (this would be problem of OpenVPN
)
Your idea to modify parseStatusFile is right, but the accounting START packet
would have the wrong IP, but also the packet contains a unique identifier,
which you can use to identify your connections.
Am Mittwoch, 15. Juni 2011, um 12:59:12 schrieb Stuart Stevenson:
> Yes, the environmental variable that client-connect script sees is the
> correct (randomized) IP address, so there is no problem setting iptables
> rules.
>
> Like I was saying, the problem I have is that the RADIUS plugin doesn't get
> updated with the new (randomized) IP address, and thus, doesn't pass it
> along to my RADIUS server to update the database with.
>
> Surely number 2 (the suggestion I made) would be the easiest? From what I
> understand from the source, the sendUpdatePacket and sendStopPacket methods
> pull the Framed-IP-Address by:
>
> ra2(ATTRIB_Framed_IP_Address,this->getFramedIp()),
>
> So the simplest thing to do would be edit the parseStatusFile method, or
> add a new method to pull the correct (randomized) IP address from the
> status file, which would then be used in AcctScheduler::doAccounting and
> AcctScheduler::delUser by calling setFramedIP? This would remove your
> specified problem of the IP not existing in the first account packet,
> because the randomized IP address is added/updated after client-connect has
> been run (or so I hope!).
>
> Thanks,
> Stuart.
>
> -----Original Message-----
> From: Ralf Lübben [mailto:address@hidden
> Sent: 15 June 2011 08:04
> To: Stuart Stevenson
> Cc: address@hidden
> Subject: Re: [Radiusplugin-users] Framed-IP-Address problem
>
> Hi,
>
> the accounting happens in a parallel proccess (AccountingProcess.cpp) based
> on the Interim-Update value. The values are send to the process during
> CLIENT_CONNECT.
>
> Possible implementations (plugin):
> 1) Update the IP when a renegotiation occurs (event AUTH_USER_PASS_VERIFY)
> based on the OpenVPN option "reneg-sec". Problem: The the first accounting
> packets would contain the wrong IP.
>
> 2) Read the ip from the status file. Problem: Does is already exists for
> the first ACCOUNTING packet?
>
> 3) Implement the IPCHANGE event in the plugin. But I don't know if it is
> triggered when the IP is changed during CLIENT_CONNECT.
>
>
> Can't you use the ENVP variables in your script? They contain the IP
> addresses, so you could still set the iptables rules.
>
> Ralf
>
> Am Mittwoch, 15. Juni 2011, um 00:38:05 schrieben Sie:
> > Correct, it appears that the plugin is called before client-connect
>
> script.
>
> > I'm a little lost in the source code, but where do you specify the data
> > that goes into each accounting call (CLIENT_CONNECT / CLIENT_DISCONNECT)?
> > Would it not be possible to update the Framed-IP-Address that gets sent
> > as part of the CLIENT_DISCONNECT call from the value defined in ENVP, or
> > even modifying the parseStatusFile method to include pulling the
> > Framed-IP-Address, similar to how it pulls the in/out bytes.
> >
> > Don't get me wrong, I'm not asking you to code me a hack to get this
> > working! I'm just curious if that is how it could be done. As randomized
> > IPs in the client-connect script isn't essential for me (I can implement
> > dynamic iptables commands in the client-connect script, rather than
> > persistent SNAT and DNAT entries tied to each client's VPN IP address).
> >
> > Cheers,
> > Stuart.
> >
> > -----Original Message-----
> > From: Ralf Lübben [mailto:address@hidden
> > Sent: 14 June 2011 21:23
> > To: Stuart Stevenson
> > Cc: address@hidden
> > Subject: Re: [Radiusplugin-users] Framed-IP-Address problem
> >
> > Ok, now I see the problem. The script is called after the plugin
> > CLIENT_CONNECT, so the plugin is not aware of the randomized IP-address.
> >
> > The plugin does not track the IP-address after CLIENT-CONNECT, and it is
> > difficult to implement.
> >
> > My suggestions are:
> > 1) Let the RADIUS server set the IP address (Framed IP option)
> > 2) Create the client config file with a "--auth-user-pass-verify" script,
> > probably the new IP address is known before CLIENT_CONNECT event is
>
> called.
>
> > 3) Use OpenVPN option "--topology subnet"
> >
> > Am Dienstag, 14. Juni 2011, um 21:01:58 schrieb Stuart Stevenson:
> > > The client-connect script adds the ifconfig-push command into the
> > > client config file location sent to the client-connect script as
> > > variable $1.
> >
> > This
> >
> > > pushes a random IP between 10.8.0.2 and 10.8.0.254 to the client.
> > >
> > > The RADIUS server sets nothing but the interim acct interval (60
> > > seconds).
> > >
> > > The problem is, according to the ENVP list on CLIENT_CONNECT, the
> > > ifconfig_pool_remote_ip is 10.8.0.2 (the first available IP in the pool
> > > specified in the OpenVPN config file). But this is wrong, as the
> > > correct
> >
> > IP
> >
> > > is a randomized IP which is set through the client-connect script as it
> > > pushes the randomized IP as an ifconfig-push command.
> > >
> > > On CLIENT_DISCONNECT, ENVP reports the ifconfig_pool_remote_ip as the
> > > correct (randomized) IP address of the client. But, when RADIUS runs
> > > the SQL query to stop the accounting, the Framed-IP-Address sent to
> > > the RADIUS server is 10.8.0.2 -- not the ENVP value of
> > > ifconfig_pool_remote_ip. As I am sure the SQL side is working
> > > correctly, I can only assume something in the radius plugin is sending
> > > the old ifconfig_pool_remote_ip value.
> > >
> > > Not that it is a bug in the radius plugin, but perhaps my setup is just
> > > unique (or wrong)?
> > >
> > > -----Original Message-----
> > > From: Ralf Lübben [mailto:address@hidden
> > > Sent: 14 June 2011 19:49
> > > To: Stuart Stevenson
> > > Cc: address@hidden
> > > Subject: Re: [Radiusplugin-users] Framed-IP-Address problem
> > >
> > > Hi,
> > >
> > > which is the IP address (10.8.0.2 or 10.8.0.209) of the tun interface
> > > of the client?
> > >
> > > Which address is configured by your script? I gues 10.8.0.209 .
> > >
> > > Does your RADIUS server set a Framed-IP option? (If not, there is no
> > > conflict.)
> > >
> > > The address of the interface should be the address the plugin returns
> > > to the server ((see RFC2866, chapter 4.1 for more information)).
> > >
> > > The code snippet is not repeated in CLIENT_DISCONNECT because in
> > > CLIENT_CONNECT the internal database of the plugin is updated.
> > >
> > > Also I assume the "ifconfig_pool_remote_ip" should not change between
> > > CLIENT_CONNECT and CLIENT_DISCONNECT, maybe this is wrong .
> > >
> > > What entries are in your client config file?
> > > Does any value of the ENVP list contains the correct IP?
> > >
> > > It is strange that "ifconfig_pool_remote_ip" changes.
> > >
> > > Am Dienstag, 14. Juni 2011, um 20:18:41 schrieb Stuart Stevenson:
> > > > Not quite sure what you mean by this.
> > > >
> > > > What I would like to happen is for the accounting update packets, or
> > > > the accounting stop packets to contain the correct Framed-IP-Address.
> > > >
> > > > On a CLIENT_CONNECT, the ENVP output shows:
> > > > Tue Jun 14 19:01:45 2011 us=737790 bob/192.168.10.8:49121
> > > > ENVP[3] =
> > > >
> > > > 'ifconfig_pool_remote_ip=10.8.0.2'
> > > >
> > > > Which is actually incorrect, but from what you are saying, this is a
> > > > conflict between my client-connect script and the client configs file
> > > > the radius plugin creates?
> > > >
> > > > However, on a CLIENT_DISCONNECT, ENVP shows the correct
> > > > ifconfig_pool_remote_ip, which I would like to be entered into my
> > >
> > > database.
> > >
> > > > But the problem I have is that the radius plugin must still be
> > > > sending the old ifconfig_pool_remote_ip from the initial
> > > > CLIENT_CONNECT.
> > > >
> > > > Tue Jun 14 19:02:10 2011 us=362334 ENVP[6] =
> > > >
> > > > 'ifconfig_pool_remote_ip=10.8.0.209'
> > > >
> > > > I assume this is because of radiusplugin.cpp, Line 465:
> > > > if (get_env ( "ifconfig_pool_remote_ip", envp ) !=NULL)
> > > > {
> > > >
> > > > newuser->setFramedIp ( string ( get_env (
> > >
> > > "ifconfig_pool_remote_ip",
> > >
> > > > envp ) ) );
> > > >
> > > > }
> > > >
> > > > The setFramedIp method is never called again during the
> > > > CLIENT_DISCONNECT stage, so I assume this is why the
> > > > Framed-IP-Address that is updated in to my database is incorrect? I
> > > > haven't tested this myself yet, but I would hazard a guess that the
> > > > addition of the above code snippet into radiusplugin.cpp above Line
> > > > 563 would solve this for me?
> > > >
> > > > Thanks,
> > > > Stuart.
> > > >
> > > > -----Original Message-----
> > > > From: Ralf Lübben [mailto:address@hidden
> > > > Sent: 14 June 2011 18:00
> > > > To: address@hidden
> > > > Cc: Stuart Stevenson
> > > > Subject: Re: [Radiusplugin-users] Framed-IP-Address problem
> > > >
> > > > Hi,
> > > >
> > > > the plugin just writes the Framed-IP address to the client config
> > > > file (maybe as your client config script does) if it gets one from
> > > > the radius server.
> > > >
> > > > One option could be not to send to the Framed IP option another
> > > > option could be to do the address selection at the radius.
> > > >
> > > > Overall, I think the behavior of a script and a plugin a very
> > > > similar.
> > > >
> > > > If you have further question please let me know.
> > > >
> > > > Ralf
> > > >
> > > > Am Dienstag, 14. Juni 2011, um 18:38:35 schrieb Stuart Stevenson:
> > > > > Hi,
> > > > >
> > > > >
> > > > >
> > > > > I'm trying to get the correct Framed-IP-Address stored into the
> > > > > database, but it won't update with the new value.
> > > > >
> > > > >
> > > > >
> > > > > First, I connect to OpenVPN, and by default, it tries to assign an
> > > > > IP from the range 10.8.0.0/24 (hence the 10.8.0.2) the
> > > > > RADIUS-PLUGIN sees
> > > >
> > > > below:
> > > > > Tue Jun 14 17:23:09 2011 RADIUS-PLUGIN: FOREGROUND:
> > > > > OPENVPN_PLUGIN_CLIENT_CONNECT is called.
> > > > >
> > > > > Tue Jun 14 17:23:09 2011 RADIUS-PLUGIN: FOREGROUND: Key:
> > > > > 192.168.10.8:47386.
> > > > >
> > > > > Tue Jun 14 17:23:09 2011 RADIUS-PLUGIN: FOREGROUND: Set FramedIP to
> > > > > the IP
> > > > > (10.8.0.2) OpenVPN assigned to the user bob
> > > > >
> > > > >
> > > > >
> > > > > However, I have a client-connect script which pulls a random IP
> > > > > from the
> > > > > 10.8.0.0/24 range and puts the random Framed-IP-Address into this
> > > > > dynamic config file. As can be seen below, OpenVPN recognises this
> > > > > and updates according (including in the status file):
> > > > >
> > > > >
> > > > >
> > > > > Tue Jun 14 17:23:09 2011 us=553408 bob/192.168.10.8:47386 OPTIONS
> > >
> > > IMPORT:
> > > > > reading client specific options from:
> > > > > /tmp/openvpn/ifconfig/openvpn_cc_3745795b4223cfddef61f0260b52ec84.t
> > > > > m p
> > > > >
> > > > > Tue Jun 14 17:23:09 2011 us=742109 bob/192.168.10.8:47386 OPTIONS
> > >
> > > IMPORT:
> > > > > reading client specific options from:
> > > > > /tmp/openvpn/ifconfig/openvpn_cc_eb3789928b91000666b54c31ecbcc26b.t
> > > > > m p
> >
> > > > > Tue Jun 14 17:23:09 2011 us=742409 bob/192.168.10.8:47386 MULTI:
> > Learn:
> > > > > 10.8.0.211 -> bob/192.168.10.8:47386
> > > > >
> > > > > Tue Jun 14 17:23:09 2011 us=742449 bob/192.168.10.8:47386 MULTI:
> > > > > primary virtual IP for bob/192.168.10.8:47386: 10.8.0.211
> > > > >
> > > > >
> > > > >
> > > > > My problem is that the RADIUS-PLUGIN does not pick up on the fact
> > > > > that there is an updated Framed-IP-Address, and still updates the
> > > > > database with the old Framed-IP-Address. Even with accounting
> > > > > updates like below, (not knowing C/C++ well enough to make sense of
> > > > > the source code), I would assume that when the plugin reads the
> > > > > status file, it would update any new information, including the
> > > > > updated Framed-IP-Address, but it still updated the database with
> > >
> > > 10.8.0.2.
> > >
> > > > > Tue Jun 14 17:27:09 2011 RADIUS-PLUGIN: BACKGROUND ACCT: Scheduler:
> > > > > Read Statusfile.
> > > > >
> > > > > Tue Jun 14 17:27:09 2011 RADIUS-PLUGIN: BACKGROUND-ACCT: Get
> > > > > ACCOUNTING_RESPONSE-Packet.
> > > > >
> > > > > Tue Jun 14 17:27:09 2011 RADIUS-PLUGIN: BACKGROUND-ACCT: Scheduler:
> > > > > Update packet for User bob was send.
> > > > >
> > > > >
> > > > >
> > > > > Perhaps I am just doing something wrong, or maybe the plugin just
> > > > > isn't written to pull and update the Framed-IP-Address from the
> > > > > status file on every accounting update?
> > > > >
> > > > >
> > > > >
> > > > > Regards,
> > > > >
> > > > > Stuart.
- [Radiusplugin-users] Framed-IP-Address problem, Stuart Stevenson, 2011/06/14
- Re: [Radiusplugin-users] Framed-IP-Address problem, Ralf Lübben, 2011/06/14
- Re: [Radiusplugin-users] Framed-IP-Address problem, Stuart Stevenson, 2011/06/14
- Re: [Radiusplugin-users] Framed-IP-Address problem, Ralf Lübben, 2011/06/14
- Re: [Radiusplugin-users] Framed-IP-Address problem, Stuart Stevenson, 2011/06/14
- Re: [Radiusplugin-users] Framed-IP-Address problem, Ralf Lübben, 2011/06/14
- Re: [Radiusplugin-users] Framed-IP-Address problem, Stuart Stevenson, 2011/06/14
- Re: [Radiusplugin-users] Framed-IP-Address problem, Ralf Lübben, 2011/06/15
- Re: [Radiusplugin-users] Framed-IP-Address problem, Stuart Stevenson, 2011/06/15
- Re: [Radiusplugin-users] Framed-IP-Address problem,
Ralf Lübben <=