You could use an external script in post-auth to convert this value for
you. Here is one in PHP; note you'd need the PHP CLI installed on your
RADIUS server. You could just as easily use Perl if you have it.
In the modules section:

exec getip {
        wait = yes
        program = "/usr/local/etc/raddb/test/getip.php"
        input_pairs = reply
        output_pairs = reply
        packet_type = Access-Accept
}

In the post-auth section, add the getip module:

post-auth {
        getip
}

Then your script:

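#!/usr/local/bin/php
<?php
// Value of the reply attribute, passed in the environment by the exec module.
// getenv() is used because $_ENV is empty unless variables_order includes "E".
$int = getenv('FRAMED_IP_ADDRESS');
if ($int === false) {
    exit;   // attribute not in the reply: nothing to do
}
if (!preg_match('/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/', $int)) {
    // Not dotted-quad: treat it as the signed 32-bit integer stored in AD.
    $ip = long2ip((int) $int);
    echo "Framed-IP-Address := $ip\n";
} else {
    // Already an IP address: leave the reply unchanged.
    exit;
}
?>
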
The script will take the Framed-IP-Address environment variable that is
passed to it and if it doesn't match an IP format, then it will convert to
an IP address. If it does match an IP format, then it will do nothing.
This is just a quick hack, could probably be written differently. Perl
has a similar function to convert that, I think it's called inet_aton or
ntoa or something.

On Wed, 12 Jan 2005 [EMAIL PROTECTED] wrote:
> Well, I got this:
> freeradius -X
>
> Sending Access-Accept of id 252 to 10.72.33.93:32768
> Framed-IP-Address = -1407490193
>
> and the radtest gets a Framed-IP-Address = 255.255.255.255
>
> I recorded with tcpdump that the freeradius sends this:
>
> Access Accept (2), id: 0xff, Authenticator:
> 17a1e40da579e4dbbde5cf54d0987873
> Framed IP Address Attribute (8), length: 6, Value: User Selected
> 0x0000: ffff ffff
> Every time there is a negative value it is sent as ffffffff.
>
> So I guess that this is OS specific :-( I use freeradius1.1.0-pre0 on
> intel/debian sarge
>
> I think the best way is to open a feature request that freeradius converts
> signed integers to unsigned integers.
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On behalf of Dustin Doris
> > Sent: Tuesday, 11 January 2005 18:19
> > To: [email protected]
> > Subject: Re: AW: Obtain IP Address from AD/LDAP
> >
> >
> > I think it should be OK. I just did a basic test with
> > radclient. Here is what radiusd -X showed me.
> >
> > Sending Access-Accept of id 52 to 127.0.0.1:2673
> > Framed-IP-Address = -1407490193
> >
> > Here is what radclient showed me.
> >
> > Received response ID 52, code 2, length = 26
> > Framed-IP-Address = 172.27.103.111
> >
> > What does radiusd -X show you?
> >
> >
> >
> > On Tue, 11 Jan 2005 [EMAIL PROTECTED] wrote:
> >
> > > Next problem,
> > >
> > > MS AD saves the IP address as a signed INT32, so I didn't get an IP
> > > address back. Any ideas how I can convert such a thing? As an example:
> > > 172.27.103.111 is saved as -1407490193
> > >
> > > Markus
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED]
> > > > [mailto:[EMAIL PROTECTED] On behalf of Dustin Doris
> > > > Sent: Monday, 10 January 2005 15:08
> > > > To: [email protected]
> > > > Subject: Re: Obtain IP Address from AD/LDAP
> > > >
> > > >
> > > >
> > > > > Hello and Happy New Year,
> > > > >
> > > > > here is my problem, hope someone can help me.
> > > > > I use freeradius to authenticate users against MS Active
> > > > > Directory. Most of my users obtain their IPs from ippool within
> > > > > radius, but some should obtain their address from AD. How do I
> > > > > get the address out of the AD and assign it to my user?
> > > > >
> > > > > Regards
> > > > >
> > > > > Markus
> > > > >
> > > >
> > > > Find the ldap attribute in AD with their IP address and netmask.
> > > > Let's say it's msipaddr and msipmask. Edit ldap.attrmap and point the
> > > > correct radius attributes to the correct AD ldap attributes.
> > > >
> > > > eg
> > > >
> > > > replyItem Framed-IP-Address msipaddr
> > > > replyItem Framed-IP-Netmask msipmask
> > > >
> > > > In your ippool configuration, make sure you have the following
> > > >
> > > > override = no
> > > >
> > > > Restart radius.
> > > >
> > > > Now when the user is authorized it will search for reply items. It
> > > > will look for msipaddr and msipmask and make those values the
> > > > framed-ip-address and framed-ip-netmask. The override = no, will
> > > > tell rlm_ippool not to override those values. So, if those are
> > > > already set, then rlm_ippool won't give that user an IP.
> > > >
> > > > -Dusty Doris
> > > >
> > > > -
> > > > List info/subscribe/unsubscribe? See
> > > > http://www.freeradius.org/list/users.html
> > > >
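
The conversion the exec script at the top of this thread performs, as an added Python example that is not part of the original message or of FreeRADIUS: it accepts only a decimal integer in the 32-bit range, so a directory value that is malformed or carries extra text is never echoed back into the reply pairs. The function names are hypothetical, and it assumes the value arrives unquoted in FRAMED_IP_ADDRESS as in the PHP script.

```python
#!/usr/bin/env python3
"""Exec-module helper: turn a signed INT32 Framed-IP-Address into dotted-quad."""
import ipaddress
import os
import re

# A 32-bit value never needs more than 10 decimal digits; anything else
# (dotted-quad, empty string, embedded newlines or commas) fails the match.
INT_RE = re.compile(r"-?[0-9]{1,10}")


def int32_to_dotted_quad(raw):
    """Return the dotted-quad form of a decimal 32-bit integer string.

    Returns None when `raw` is not an integer in the signed or unsigned
    32-bit range, so the caller can leave the reply untouched.
    """
    if not INT_RE.fullmatch(raw):
        return None
    value = int(raw)
    if not -2**31 <= value <= 2**32 - 1:
        return None
    # Two's complement: masking to 32 bits reads the same bit pattern as
    # unsigned, e.g. -1407490193 -> 0xAC1B676F -> 172.27.103.111.
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def reply_pair(env):
    """Build the line the exec module reads back, or None to print nothing."""
    ip = int32_to_dotted_quad(env.get("FRAMED_IP_ADDRESS", "").strip())
    return None if ip is None else f"Framed-IP-Address := {ip}"


if __name__ == "__main__":
    pair = reply_pair(os.environ)
    if pair is not None:
        print(pair)
```

A value that is already dotted-quad produces no output, which matches the behaviour described for the PHP script.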