Hi Heikki,

I have tried your PostAuthHook suggestion as per below, however it seems to be 
assigning all the Framed-IP-Addresses in the user file instead of selecting the 
correct one.  It looks like the PostAuthHook isn't passing the identifier to 
the userfile.

I have included the radius.cfg, userfile and log output.  

Radius.cfg:

<Client 10.0.1.100>
        Identifier      VPN0
        Secret  mysecret
        DupInterval 0   
</Client>

<Client 10.0.1.101>
        Secret  mysecret
        DupInterval 0
        Identifier VPN1
</Client>

<Client 10.0.1.102>
        Secret  mysecret
        DupInterval 0
        Identifier VPN2
</Client>

<Handler>
  <AuthBy FILE>
    Filename        %D/test
  </AuthBy>
  PostAuthHook sub { my ($p, $rp) = (${$_[0]}, ${$_[1]}); \
    my ($ip, @to_delete); \
    foreach (@{$rp->{Attributes}}) { \
      my ($name, $value) = @$_; \
      $ip = $value if $name eq 'Framed-IP-Address-' . \
$p->{Client}->{Identifier}; \
      push (@to_delete, $name) if $name =~ /^Framed-IP-Address-/; \
    } \
    $rp->add_attr('Framed-IP-Address', $ip) if $ip; \
    map {$rp->delete_attr($_)} @to_delete; \
  }
</Handler>

# Authenticate all realms with this
#<Realm DEFAULT>
        # Look up user details in a flat file
#       <AuthBy FILE>
                # %D is replaced by DbDir above
#               Filename %D/test0
#       </AuthBy>

        # Log accounting to a detail file. %D is replaced by DbDir above
#       AcctLogFileName %D/detail
#</Realm>
AuthPort        5555

Userfile:

mikem   User-Password=fred
        Service-Type = Framed-User,
        Framed-Protocol = PPP
        Framed-IP-Address-VPN0 = 10.1.1.1
        Framed-IP-Address-VPN1 = 10.2.2.2
        Framed-IP-Address-VPN2 = 10.3.3.3
        Framed-IP-Netmask = 255.255.255.255,
        Framed-Routing = None,
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobson-TCP-IP        

Log output:

*** Received from 10.0.1.102 port 45146 ....
Code:       Access-Request
Identifier: 132
Authentic:  <18>8<150><14><206><238><140>x<149><197>/f<175><180><226>+
Attributes:
        User-Name = "mikem"
        Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Identifier = "203.63.154.1"
        NAS-Port = 1234
        Called-Station-Id = "123456789"
        Calling-Station-Id = "987654321"
        NAS-Port-Type = Async
        User-Password = <233><156><207>=<21><135><129>p<207>U<220>.0<182>u;

Tue May 29 14:42:04 2012: DEBUG: Handling request with Handler '', Identifier ''
Tue May 29 14:42:04 2012: DEBUG:  Deleting session for mikem, 203.63.154.1, 1234
Tue May 29 14:42:04 2012: DEBUG: Handling with Radius::AuthFILE: 
Tue May 29 14:42:04 2012: DEBUG: Reading users file /etc/radiator/test
Tue May 29 14:42:04 2012: DEBUG: Radius::AuthFILE looks for match with mikem 
[mikem]
Tue May 29 14:42:04 2012: DEBUG: Radius::AuthFILE ACCEPT: : mikem [mikem]
Tue May 29 14:42:04 2012: DEBUG: AuthBy FILE result: ACCEPT, 
Tue May 29 14:42:04 2012: DEBUG: Access accepted for mikem
        Framed-IP-Netmask = 255.255.255.255 for attribute Framed-Protocol. 
Using 0.
Tue May 29 14:42:04 2012: DEBUG: Packet dump:
*** Sending to 10.0.1.102 port 45146 ....
Code:       Access-Accept
Identifier: 132
Authentic:  <163>2<140><22><182><187><31><135>Bu5<201><144><183><243>z
Attributes:
        Service-Type = Framed-User
        Framed-Protocol = PPP<13>        Framed-IP-Address-VPN0 = 
10.1.1.1<13><9>Framed-IP-Address-VPN1 = 10.2.2.2<13><9>Framed-IP-Address-VPN2 = 
10.3.3.3<13>        Framed-IP-Netmask = 255.255.255.255
        Framed-Routing = None
        Framed-MTU = 1500
        Framed-Compression = Van-Jacobson-TCP-IP



-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of Heikki Vatiainen
Sent: Monday, 21 May 2012 7:33 PM
To: [email protected]
Subject: Re: [RADIATOR] Assign static IP to users based on Source address

On 05/21/2012 03:20 AM, Howe, Brendan wrote:

> I am in the process of evaluating Radiator and would like to know if 
> it is possible to assign a static IP address to clients based on the 
> source IP address radiator sees the connection from.  I would like to 
> implement this using a single user file.

File does not offer that kind of flexibility, but you could consider a hook to 
do a fixup after a lookup from the file.

> ATM I have configured the Radiator radius.cfg using 3 client IP 
> addresses each with their own Identifier.  I then use 3x "Handler 
> Client-Identifier=xxx" to define separate AuthBy FILE filenames.  Each 
> users file is exactly the same, except for the "Framed-IP-Address".
> This configuration works and the user is assigned a different static 
> IP address dependent on their source address.  The problem is I then 
> need to maintain 3 separate user files all with the same usernames and 
> passwords.

Your current approach is correct, but I see it can be a bit problematic to 
maintain.

> Is it possible to implement this setup using a single user file that 
> has a "Framed-IP-Address" for each Identifier or is there a better way 
> to do this?

If you need to stay with AuthBy FILE, you could consider having something like 
this for each user in the users file:

hvn     User-Password = password
        Framed-IP-Address-Client1 = 10.10.10.10,
        Framed-IP-Address-Client2 = 10.20.20.20,
        Framed-IP-Address-Client3 = 10.30.30.30

For the Handler, use something like below for PostAuthHook. The hook tries to 
match the Client's Identifier with Framed-IP-Address-* attributes, and picks 
the IP from the one that matches. The rest are deleted, so that they do not 
cause complaints in the log about unknown attributes.

The IP from the matching attribute is added as Framed-IP-Address. If it can not 
match anything with Client's Identifier, no Framed-IP-Address is added.

<Handler>
  <AuthBy FILE>
    Filename        %D/users
  </AuthBy>
  PostAuthHook sub { my ($p, $rp) = (${$_[0]}, ${$_[1]}); \
    my ($ip, @to_delete); \
    foreach (@{$rp->{Attributes}}) { \
      my ($name, $value) = @$_; \
      $ip = $value if $name eq 'Framed-IP-Address-' . $p->{Client}->{Identifier}; \
      push (@to_delete, $name) if $name =~ /^Framed-IP-Address-/; \
    } \
    $rp->add_attr('Framed-IP-Address', $ip) if $ip; \
    map {$rp->delete_attr($_)} @to_delete; \
  }
</Handler>


--
Heikki Vatiainen <[email protected]>

Radiator: the most portable, flexible and configurable RADIUS server anywhere. 
SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, 
TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, 
RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, 
Windows, MacOSX, Solaris, VMS, NetWare etc.
_______________________________________________
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator
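
The hook's selection logic from this thread, run outside Radiator as an added example (not part of the original messages and not Radiator code). `MockReply`, `as_string` and `select_framed_ip` are hypothetical names, and both inputs are constructed: one with each reply item as its own attribute, one shaped like the Access-Accept dump above, where the per-client lines sit inside the Framed-Protocol value.

```perl
use strict;
use warnings;
# MockReply is a hypothetical stand-in for Radiator's reply packet: it mimics
# only the {Attributes} list and the add_attr/delete_attr calls the hook uses.
package MockReply;
sub new      { my ($class, @attrs) = @_; return bless { Attributes => [@attrs] }, $class }
sub add_attr { my ($self, $name, $value) = @_; push @{ $self->{Attributes} }, [$name, $value]; return }
sub delete_attr {
    my ($self, $name) = @_;
    @{ $self->{Attributes} } = grep { $_->[0] ne $name } @{ $self->{Attributes} };
    return;
}
sub as_string {    # render control characters as <N>, like the packet dump does
    my ($self) = @_;
    return join "\n", map {
        my $v = $_->[1];
        $v =~ s/([^\x20-\x7e])/'<' . ord($1) . '>'/ge;
        "  $_->[0] = $v";
    } @{ $self->{Attributes} };
}

package main;
# The hook body from the thread, with the client Identifier passed in directly.
sub select_framed_ip {
    my ($identifier, $rp) = @_;
    my ($ip, @to_delete);
    foreach my $attr (@{ $rp->{Attributes} }) {
        my ($name, $value) = @$attr;
        $ip = $value if $name eq 'Framed-IP-Address-' . $identifier;
        push @to_delete, $name if $name =~ /^Framed-IP-Address-/;
    }
    $rp->add_attr('Framed-IP-Address', $ip) if $ip;
    $rp->delete_attr($_) for @to_delete;
    return $ip;
}

# Constructed input 1: every reply item parsed as its own attribute.
my $split = MockReply->new(['Framed-Protocol', 'PPP'],
    ['Framed-IP-Address-VPN0', '10.1.1.1'], ['Framed-IP-Address-VPN1', '10.2.2.2'],
    ['Framed-IP-Address-VPN2', '10.3.3.3'], ['Framed-MTU', '1500']);
# Constructed input 2: the shape seen in the Access-Accept dump, where the
# per-client lines are part of the Framed-Protocol value.
my $merged = MockReply->new(['Framed-Protocol', "PPP\r        Framed-IP-Address-VPN0 = 10.1.1.1"
    . "\r\tFramed-IP-Address-VPN1 = 10.2.2.2\r\tFramed-IP-Address-VPN2 = 10.3.3.3"], ['Framed-MTU', '1500']);

for my $case (['split', $split], ['merged', $merged]) {
    my $ip = select_framed_ip('VPN2', $case->[1]);
    printf "%s: selected %s\n%s\n", $case->[0], $ip // 'nothing', $case->[1]->as_string;
}
```

With the merged input the hook sees no attribute named Framed-IP-Address-*, so it neither selects nor deletes anything. In the users file shown above, the lines from Framed-Protocol through Framed-IP-Address-VPN2 have no trailing comma, which is where the dump shows the values run together.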