Hello Brendan -
Your users file is not correct - it should look like this (with commas, and the reply items on indented continuation lines):
mikem User-Password=fred
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-IP-Address-VPN0 = 10.1.1.1,
    Framed-IP-Address-VPN1 = 10.2.2.2,
    Framed-IP-Address-VPN2 = 10.3.3.3,
    Framed-IP-Netmask = 255.255.255.255,
    Framed-Routing = None,
    Framed-MTU = 1500,
    Framed-Compression = Van-Jacobson-TCP-IP
That is why the debug shows the confused value for Framed-Protocol.
regards
Hugh
On 29 May 2012, at 14:47, Howe, Brendan wrote:
> Hi Heikki,
>
> I have tried your PostAuthHook suggestion as per below, however it seems to be
> assigning all the Framed-IP-Addresses in the users file instead of selecting
> the correct one. It looks like the PostAuthHook isn't passing the identifier
> to the userfile.
>
> I have included the radius.cfg, userfile and log output.
>
> Radius.cfg:
>
> <Client 10.0.1.100>
> Identifier VPN0
> Secret mysecret
> DupInterval 0
> </Client>
>
> <Client 10.0.1.101>
> Secret mysecret
> DupInterval 0
> Identifier VPN1
> </Client>
>
> <Client 10.0.1.102>
> Secret mysecret
> DupInterval 0
> Identifier VPN2
> </Client>
>
> <Handler>
> <AuthBy FILE>
> Filename %D/test
> </AuthBy>
> PostAuthHook sub { my ($p, $rp) = (${$_[0]}, ${$_[1]}); \
> my ($ip, @to_delete); \
> foreach (@{$rp->{Attributes}}) { \
> my ($name, $value) = @$_; \
> $ip = $value if $name eq 'Framed-IP-Address-' . \
> $p->{Client}->{Identifier}; \
> push (@to_delete, $name) if $name =~ /^Framed-IP-Address-/; \
> } \
> $rp->add_attr('Framed-IP-Address', $ip) if $ip; \
> map {$rp->delete_attr($_)} @to_delete; \
> }
> </Handler>
>
> # Authenticate all realms with this
> #<Realm DEFAULT>
> # Look up user details in a flat file
> # <AuthBy FILE>
> # %D is replaced by DbDir above
> # Filename %D/test0
> # </AuthBy>
>
> # Log accounting to a detail file. %D is replaced by DbDir above
> # AcctLogFileName %D/detail
> #</Realm>
> AuthPort 5555
>
> Userfile:
>
> mikem User-Password=fred
>     Service-Type = Framed-User,
>     Framed-Protocol = PPP
>     Framed-IP-Address-VPN0 = 10.1.1.1
>     Framed-IP-Address-VPN1 = 10.2.2.2
>     Framed-IP-Address-VPN2 = 10.3.3.3
>     Framed-IP-Netmask = 255.255.255.255,
>     Framed-Routing = None,
>     Framed-MTU = 1500,
>     Framed-Compression = Van-Jacobson-TCP-IP
>
> Log output:
>
> *** Received from 10.0.1.102 port 45146 ....
> Code: Access-Request
> Identifier: 132
> Authentic: <18>8<150><14><206><238><140>x<149><197>/f<175><180><226>+
> Attributes:
> User-Name = "mikem"
> Service-Type = Framed-User
> NAS-IP-Address = 203.63.154.1
> NAS-Identifier = "203.63.154.1"
> NAS-Port = 1234
> Called-Station-Id = "123456789"
> Calling-Station-Id = "987654321"
> NAS-Port-Type = Async
> User-Password = <233><156><207>=<21><135><129>p<207>U<220>.0<182>u;
>
> Tue May 29 14:42:04 2012: DEBUG: Handling request with Handler '', Identifier ''
> Tue May 29 14:42:04 2012: DEBUG: Deleting session for mikem, 203.63.154.1, 1234
> Tue May 29 14:42:04 2012: DEBUG: Handling with Radius::AuthFILE:
> Tue May 29 14:42:04 2012: DEBUG: Reading users file /etc/radiator/test
> Tue May 29 14:42:04 2012: DEBUG: Radius::AuthFILE looks for match with mikem [mikem]
> Tue May 29 14:42:04 2012: DEBUG: Radius::AuthFILE ACCEPT: : mikem [mikem]
> Tue May 29 14:42:04 2012: DEBUG: AuthBy FILE result: ACCEPT,
> Tue May 29 14:42:04 2012: DEBUG: Access accepted for mikem
> Framed-IP-Netmask = 255.255.255.255 for attribute Framed-Protocol.
> Using 0.
> Tue May 29 14:42:04 2012: DEBUG: Packet dump:
> *** Sending to 10.0.1.102 port 45146 ....
> Code: Access-Accept
> Identifier: 132
> Authentic: <163>2<140><22><182><187><31><135>Bu5<201><144><183><243>z
> Attributes:
> Service-Type = Framed-User
> Framed-Protocol = PPP<13> Framed-IP-Address-VPN0 =
> 10.1.1.1<13><9>Framed-IP-Address-VPN1 = 10.2.2.2<13><9>Framed-IP-Address-VPN2
> = 10.3.3.3<13> Framed-IP-Netmask = 255.255.255.255
> Framed-Routing = None
> Framed-MTU = 1500
> Framed-Compression = Van-Jacobson-TCP-IP
>
>
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of Heikki Vatiainen
> Sent: Monday, 21 May 2012 7:33 PM
> To: [email protected]
> Subject: Re: [RADIATOR] Assign static IP to users based on Source address
>
> On 05/21/2012 03:20 AM, Howe, Brendan wrote:
>
>> I am in the process of evaluating Radiator and would like to know if
>> it is possible to assign a static IP address to clients based on the
>> source IP address radiator sees the connection from. I would like to
>> implement this using a single user file.
>
> File does not offer that kind of flexibility, but you could consider a hook
> to do a fixup after a lookup from the file.
>
>> ATM I have configured the Radiator radius.cfg using 3 client IP
>> addresses each with their own Identifier. I then use 3x "Handler
>> Client-Identifier=xxx" to define separate AuthBy FILE filenames. Each
>> users file is exactly the same, except for the "Framed-IP-Address".
>> This configuration works and the user is assigned a different static
>> IP address dependent on their source address. The problem is I then
>> need to maintain 3 separate user files all with the same usernames and
>> passwords.
>
> Your current approach is correct, but I see it can be a bit problematic to
> maintain.
>
>> Is it possible to implement this setup using a single user file that
>> has a "Framed-IP-Address" for each Identifier or is there a better way
>> to do this?
>
> If you need to stay with AuthBy FILE, you could consider having something like
> this for each user in the users file:
>
> hvn User-Password = password
>     Framed-IP-Address-Client1 = 10.10.10.10,
>     Framed-IP-Address-Client2 = 10.20.20.20,
>     Framed-IP-Address-Client3 = 10.30.30.30
>
> For the Handler, use something like below for PostAuthHook. The hook tries to
> match the Client's Identifier with Framed-IP-Address-* attributes, and picks
> the IP from the one that matches. The rest are deleted, so that they do not
> cause complaints in the log about unknown attributes.
>
> The IP from the matching attribute is added as Framed-IP-Address. If it can
> not match anything with Client's Identifier, no Framed-IP-Address is added.
>
> <Handler>
> <AuthBy FILE>
> Filename %D/users
> </AuthBy>
> PostAuthHook sub { my ($p, $rp) = (${$_[0]}, ${$_[1]}); \
> my ($ip, @to_delete); \
> foreach (@{$rp->{Attributes}}) { \
> my ($name, $value) = @$_; \
> $ip = $value if $name eq 'Framed-IP-Address-' . \
> $p->{Client}->{Identifier}; \
> push (@to_delete, $name) if $name =~ /^Framed-IP-Address-/; \
> } \
> $rp->add_attr('Framed-IP-Address', $ip) if $ip; \
> map {$rp->delete_attr($_)} @to_delete; \
> }
> </Handler>
>
>
> --
> Heikki Vatiainen <[email protected]>
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS,
> PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full
> source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
> _______________________________________________
> radiator mailing list
> [email protected]
> http://www.open.com.au/mailman/listinfo/radiator
--
Hugh Irvine
[email protected]