On Tuesday, 17.05.2005, 23:39 +0400, Ralf Lübben wrote:

> Or are there great advantages if every user gets his own tun
> interface?

No. This is not really necessary.

> To Torge Szczepanek: Which radius server do you use?
> I use freeradius and I think I can only set

I am also using FreeRadius.

> a static IP address as "Framed IP Address".

Static IP-Addresses don't need the NAS-Port Parameter to be set.

> I don't know how dynamic ip assignment works
> on a radius server. But I will implement the
> radius attributes NAS-Port, NAS-IP-Address, NAS_Identifier

Dynamic IP Pools are implemented using the ippool directive in the
radiusd.conf file (in FreeRadius). Example from my config:

    ippool mainpool {
        name = mainpool

        # range-start,range-stop: The start and end ip
        # addresses for the ip pool
        range-start = x.y.72.10
        range-stop = x.y.79.255

        # netmask: The network mask used for the ip's
        netmask = 255.255.255.255

        # cache-size: The gdbm cache size for the db
        # files. Should be equal to the number of ip's
        # available in the ip pool
        cache-size = 2048

        # session-db: The main db file used to allocate ip's to clients
        session-db = ${raddbdir}/db.ippool

        # ip-index: Helper db index file used in multilink
        ip-index = ${raddbdir}/db.ipindex

        # override: Will this ippool override a Framed-IP-Address already set
        override = no
    }

In post-auth you then specify mainpool, to let the client receive an IP
through radius:

    post-auth {
        # Get an address from the IP Pool.
        mainpool
        [...]

In the accounting section you can (but must not) define an entry, where
the IP is returned to the pool, when the server is seeing a stop record:

    accounting {
        [...]
        # Return an address to the IP Pool when we see a stop record.
        mainpool
    }

In the Users File (or somewhere else) you have to specify a Pool-Name
attribute:

    DEFAULT Pool-Name := mainpool

I can test the dynamic IP stuff, when you have created the Radius patch

> and Service-Type="Framed" in the ACCEPT-REQUEST.
> Are these all attributes?

I think that these are all necessary attributes. If I do a tcpdump on my
PPTP Server setup I see an additional Attribute, which is
Framed_proto{PPP}.

But for OpenVPN this is obviously not correct. As one can see in
http://www.freeradius.org/rfc/rfc2865.html#Framed-Protocol there is no
corresponding Framed-Protocol available.

-- 
Torge Szczepanek <openvpn-de...@szczepanek.de>