FreeRADIUS/pam_radius

ocserv rewrite framed ip from radius

nookeist opened this issue · 2 comments

Problem with setting an IP from Microsoft NPS for an ocserv VPN user.

At first:

ocserv[25974]: main: Starting 1 instances of ocserv-sm
ocserv[25974]: main: initialized OpenConnect VPN Server 1.2.5
ocserv[25976]: sec-mod: reading supplemental config from files
ocserv[25976]: sec-mod: sec-mod initialized (socket: /var/run/ocserv-socket.40bec52d.0)
ocserv[25976]: sec-mod: sec-mod instance 0 issue cookie
ocserv[25976]: sec-mod: using 'pam' authentication to authenticate user (session: 8rNPYi)
ocserv[25976]: pam_radius_auth: 2.0.1 (git #53c0cfff), built on Nov 2 2021 at 14:37:12
ocserv[25976]: pam_radius_auth: DEBUG: conf='/etc/pam_radius_auth.conf' use_first_pass=no try_first_pass=no skip_passwd=no retry=123 localifdown=no client_id='666' accounting_bug=no ruser=no prompt='Password: ' force_prompt=no prompt_attribute=no max_challenge=0 privilege_level=no
ocserv[25976]: pam_radius_auth: Got user name: 'user'
ocserv[25976]: pam_radius_auth: ignore last_pass, force_prompt set
ocserv[25976]: pam_radius_auth: Sending RADIUS request code 1 (Access-Request)
ocserv[25976]: pam_radius_auth: DEBUG: get_ipaddr(192.168.70.105) returned 0.
ocserv[25976]: pam_radius_auth: Got RADIUS response code 2 (Access-Accept)
ocserv[25976]: pam_radius_auth: Set PAM environment variable : Framed-IP-Address=10.10.1.44
ocserv[25976]: pam_radius_auth: authentication succeeded

But then

ocserv[25974]: main[user]:7.4.201.8:55202 new user session
ocserv[25974]: main[user]:7.4.201.8:55202 user logged in
ocserv[25980]: worker[user]: 7.4.201.8 suggesting DPD of 90 secs
ocserv[25980]: worker[user]: 7.4.201.8 configured link MTU is 1500
ocserv[25980]: worker[user]: 7.4.201.8 peer's link MTU is 1500
ocserv[25980]: worker[user]: 7.4.201.8 sending IPv4 10.10.1.8
ocserv[25980]: worker[user]: 7.4.201.8 adding DNS 10.0.0.1
ocserv[25980]: worker[user]: 7.4.201.8 adding custom header 'X-My-Header: hi there'
ocserv[25980]: worker[user]: 7.4.201.8 Link MTU is 1500 bytes
ocserv[25976]: sec-mod: initiating session for user 'user' (session: 8rNPYi)

I have used many other ocserv PAM configs, but always with the same result.

Example:

#%PAM-1.0
auth [success=1 default=ignore] pam_radius_auth.so conf=/etc/pam_radius_auth.conf debug retry=123
auth requisite pam_deny.so
auth required pam_permit.so
auth required /usr/local/lib/security/pam_linotp.so debug url=https://192.168.0.1/validate/simplecheck nosslhostnameverify nosslcertverify
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
account required pam_nologin.so
account include password-auth
session include password-auth

How can I pass the Framed-IP-Address on to the user?

See openconnect/ocserv#595.

Maxim, pam_radius ≥ 2.0 (more precisely after #47) sets a Framed-IP-Address environment variable. Therefore, this is not an issue with pam_radius, but rather an issue with ocserv not harnessing that environment variable.

By the way, what about supporting the RADIUS attribute 97 Framed-IPv6-Prefix in addition to the RADIUS attribute 8 Framed-IP-Address?

See #87.
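Added example (not code from pam_radius, ocserv, or anyone in this thread) showing what the two attributes discussed above look like on the wire and how a PAM module turns them into NAME=value strings. It decodes the Type/Length/Value list of a RADIUS Access-Accept, extracts attribute 8 (Framed-IP-Address, RFC 2865) and attribute 97 (Framed-IPv6-Prefix, RFC 3162), and rejects malformed lengths and the two reserved IPv4 values (0xFFFFFFFF "user selects", 0xFFFFFFFE "NAS selects") that must not be handed to a client as an address. The sample packet is constructed here; the IPv4 address is the one from the issue's log, the IPv6 prefix 2001:db8:1::/64 and the environment variable name Framed-IPv6-Prefix are this example's assumptions (pam_radius only documents Framed-IP-Address in the log above). The Authenticator is left zeroed because the example does not verify it; a real client must.

```python
import ipaddress
import struct

# Attribute type codes: RFC 2865 section 5.8 and RFC 3162 section 2.3.
FRAMED_IP_ADDRESS = 8
FRAMED_IPV6_PREFIX = 97
ACCESS_ACCEPT = 2
HEADER_LEN = 20  # Code(1) Identifier(1) Length(2) Authenticator(16)

# RFC 2865: 0xFFFFFFFF lets the user pick an address, 0xFFFFFFFE lets the
# NAS pick one; neither is an address to hand to the client.
USER_SELECTS = b"\xff\xff\xff\xff"
NAS_SELECTS = b"\xff\xff\xff\xfe"


def build_access_accept(identifier: int, attrs) -> bytes:
    """Constructed Access-Accept for testing (zeroed Authenticator, not verified)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    length = HEADER_LEN + len(body)
    return struct.pack("!BBH", ACCESS_ACCEPT, identifier, length) + bytes(16) + body


def parse_attributes(packet: bytes):
    """Return [(type, value), ...] from the TLV list that follows the header."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short RADIUS packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT:
        raise ValueError(f"not an Access-Accept (code {code})")
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("RADIUS Length field inconsistent with packet")
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        # The attribute Length octet counts the Type and Length octets too.
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def framed_ip_address(value: bytes):
    """Dotted-quad string, or None for the two reserved 'pick one yourself' values."""
    if len(value) != 4:
        raise ValueError("Framed-IP-Address must be 4 octets")
    if value in (USER_SELECTS, NAS_SELECTS):
        return None
    return str(ipaddress.IPv4Address(value))


def framed_ipv6_prefix(value: bytes) -> str:
    # Reserved(1) Prefix-Length(1) Prefix(0..16); the sender may omit trailing
    # zero octets of the prefix, so pad back to 16 before decoding.
    if not 2 <= len(value) <= 18:
        raise ValueError("Framed-IPv6-Prefix must be 2..18 octets")
    prefix_len = value[1]
    if prefix_len > 128:
        raise ValueError("Prefix-Length exceeds 128")
    prefix = value[2:].ljust(16, b"\x00")
    return str(ipaddress.IPv6Network((prefix, prefix_len), strict=False))


def pam_environment(packet: bytes) -> dict:
    """NAME=value pairs as a PAM module would pass them to pam_putenv().
    'Framed-IP-Address' is the name pam_radius logs; the IPv6 name is assumed."""
    env = {}
    for atype, value in parse_attributes(packet):
        if atype == FRAMED_IP_ADDRESS:
            addr = framed_ip_address(value)
            if addr is not None:
                env["Framed-IP-Address"] = addr
        elif atype == FRAMED_IPV6_PREFIX:
            env["Framed-IPv6-Prefix"] = framed_ipv6_prefix(value)
    return env


def ipv6_prefix_value(network: str) -> bytes:
    """Encode a network as a Framed-IPv6-Prefix value (for the constructed packet)."""
    net = ipaddress.IPv6Network(network)
    nbytes = (net.prefixlen + 7) // 8
    return b"\x00" + bytes([net.prefixlen]) + net.network_address.packed[:nbytes]


# Constructed sample: the address from the issue's log plus an assumed IPv6 prefix.
SAMPLE = build_access_accept(0x2A, [
    (FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.10.1.44").packed),
    (FRAMED_IPV6_PREFIX, ipv6_prefix_value("2001:db8:1::/64")),
])

if __name__ == "__main__":
    for name, val in pam_environment(SAMPLE).items():
        print(f"{name}={val}")
```

On the ocserv side, the consumer of these strings would read them back with pam_getenv()/pam_getenvlist() after pam_authenticate() succeeds; that step is outside this example because it needs a live PAM stack.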