Excellent, it's all working now. Thanks Hugh. Do you have any documentation for configuring the users file?

-----Original Message-----
From: Hugh Irvine [mailto:[email protected]]
Sent: Tuesday, 29 May 2012 3:02 PM
To: Howe, Brendan
Cc: Heikki Vatiainen; [email protected]
Subject: Re: [RADIATOR] Assign static IP to users based on Source address

Hello Brendan -

Your users file is not correct - it should look like this (with commas):

mikem User-Password=fred
	Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Framed-IP-Address-VPN0 = 10.1.1.1,
	Framed-IP-Address-VPN1 = 10.2.2.2,
	Framed-IP-Address-VPN2 = 10.3.3.3,
	Framed-IP-Netmask = 255.255.255.255,
	Framed-Routing = None,
	Framed-MTU = 1500,
	Framed-Compression = Van-Jacobson-TCP-IP

That is why the debug shows the confused value for Framed-Protocol.

regards

Hugh

On 29 May 2012, at 14:47, Howe, Brendan wrote:

> Hi Heikki,
>
> I have tried your PostAuthHook suggestion as per below, however it seems to be
> assigning all the Framed-IP-Addresses in the users file instead of selecting
> the correct one. It looks like the PostAuthHook isn't passing the identifier
> to the userfile.
>
> I have included the radius.cfg, userfile and log output.
>
> Radius.cfg:
>
> <Client 10.0.1.100>
> 	Identifier VPN0
> 	Secret mysecret
> 	DupInterval 0
> </Client>
>
> <Client 10.0.1.101>
> 	Secret mysecret
> 	DupInterval 0
> 	Identifier VPN1
> </Client>
>
> <Client 10.0.1.102>
> 	Secret mysecret
> 	DupInterval 0
> 	Identifier VPN2
> </Client>
>
> <Handler>
> 	<AuthBy FILE>
> 		Filename %D/test
> 	</AuthBy>
> 	PostAuthHook sub { my ($p, $rp) = (${$_[0]}, ${$_[1]}); \
> 		my ($ip, @to_delete); \
> 		foreach (@{$rp->{Attributes}}) { \
> 			my ($name, $value) = @$_; \
> 			$ip = $value if $name eq 'Framed-IP-Address-' . $p->{Client}->{Identifier}; \
> 			push (@to_delete, $name) if $name =~ /^Framed-IP-Address-/; \
> 		} \
> 		$rp->add_attr('Framed-IP-Address', $ip) if $ip; \
> 		map {$rp->delete_attr($_)} @to_delete; \
> 	}
> </Handler>
>
> # Authenticate all realms with this
> #<Realm DEFAULT>
> 	# Look up user details in a flat file
> 	# <AuthBy FILE>
> 		# %D is replaced by DbDir above
> 		# Filename %D/test0
> 	# </AuthBy>
>
> 	# Log accounting to a detail file. %D is replaced by DbDir above
> 	# AcctLogFileName %D/detail
> #</Realm>
> AuthPort 5555
>
> Userfile:
>
> mikem User-Password=fred
> 	Service-Type = Framed-User,
> 	Framed-Protocol = PPP
> 	Framed-IP-Address-VPN0 = 10.1.1.1
> 	Framed-IP-Address-VPN1 = 10.2.2.2
> 	Framed-IP-Address-VPN2 = 10.3.3.3
> 	Framed-IP-Netmask = 255.255.255.255,
> 	Framed-Routing = None,
> 	Framed-MTU = 1500,
> 	Framed-Compression = Van-Jacobson-TCP-IP
>
> Log output:
>
> *** Received from 10.0.1.102 port 45146 ....
> Code:       Access-Request
> Identifier: 132
> Authentic:  <18>8<150><14><206><238><140>x<149><197>/f<175><180><226>+
> Attributes:
> 	User-Name = "mikem"
> 	Service-Type = Framed-User
> 	NAS-IP-Address = 203.63.154.1
> 	NAS-Identifier = "203.63.154.1"
> 	NAS-Port = 1234
> 	Called-Station-Id = "123456789"
> 	Calling-Station-Id = "987654321"
> 	NAS-Port-Type = Async
> 	User-Password = <233><156><207>=<21><135><129>p<207>U<220>.0<182>u;
>
> Tue May 29 14:42:04 2012: DEBUG: Handling request with Handler '', Identifier ''
> Tue May 29 14:42:04 2012: DEBUG: Deleting session for mikem, 203.63.154.1, 1234
> Tue May 29 14:42:04 2012: DEBUG: Handling with Radius::AuthFILE:
> Tue May 29 14:42:04 2012: DEBUG: Reading users file /etc/radiator/test
> Tue May 29 14:42:04 2012: DEBUG: Radius::AuthFILE looks for match with mikem [mikem]
> Tue May 29 14:42:04 2012: DEBUG: Radius::AuthFILE ACCEPT: : mikem [mikem]
> Tue May 29 14:42:04 2012: DEBUG: AuthBy FILE result: ACCEPT,
> Tue May 29 14:42:04 2012: DEBUG: Access accepted for mikem
> Framed-IP-Netmask = 255.255.255.255 for attribute Framed-Protocol.
> Using 0.
> Tue May 29 14:42:04 2012: DEBUG: Packet dump:
> *** Sending to 10.0.1.102 port 45146 ....
> Code:       Access-Accept
> Identifier: 132
> Authentic:  <163>2<140><22><182><187><31><135>Bu5<201><144><183><243>z
> Attributes:
> 	Service-Type = Framed-User
> 	Framed-Protocol = PPP<13>	Framed-IP-Address-VPN0 = 10.1.1.1<13><9>Framed-IP-Address-VPN1 = 10.2.2.2<13><9>Framed-IP-Address-VPN2 = 10.3.3.3<13>	Framed-IP-Netmask = 255.255.255.255
> 	Framed-Routing = None
> 	Framed-MTU = 1500
> 	Framed-Compression = Van-Jacobson-TCP-IP
>
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Heikki Vatiainen
> Sent: Monday, 21 May 2012 7:33 PM
> To: [email protected]
> Subject: Re: [RADIATOR] Assign static IP to users based on Source address
>
> On 05/21/2012 03:20 AM, Howe, Brendan wrote:
>
>> I am in the process of evaluating Radiator and would like to know if
>> it is possible to assign a static IP address to clients based on the
>> source IP address radiator sees the connection from. I would like to
>> implement this using a single user file.
>
> File does not offer that kind of flexibility, but you could consider a hook
> to do a fixup after a lookup from the file.
>
>> ATM I have configured the Radiator radius.cfg using 3 client IP
>> addresses each with their own Identifier. I then use 3x "Handler
>> Client-Identifier=xxx" to define separate AuthBy FILE filenames.
>> Each users file is exactly the same, except for the "Framed-IP-Address".
>> This configuration works and the user is assigned a different static
>> IP address dependent on their source address. The problem is I then
>> need to maintain 3 separate user files all with the same usernames and
>> passwords.
>
> Your current approach is correct, but I see it can be a bit problematic to
> maintain.
>
>> Is it possible to implement this setup using a single user file that
>> has a "Framed-IP-Address" for each Identifier or is there a better
>> way to do this?
>
> If you need to stay with AuthBy FILE, you could consider having something like
> this for each user in the users file:
>
> hvn User-Password = password
> 	Framed-IP-Address-Client1 = 10.10.10.10,
> 	Framed-IP-Address-Client2 = 10.20.20.20,
> 	Framed-IP-Address-Client3 = 10.30.30.30
>
> For the Handler, use something like below for PostAuthHook. The hook tries to
> match the Client's Identifier with Framed-IP-Address-* attributes, and picks
> the IP from the one that matches. The rest are deleted, so that they do not
> cause complaints in the log about unknown attributes.
>
> The IP from the matching attribute is added as Framed-IP-Address. If it
> cannot match anything with Client's Identifier, no Framed-IP-Address is added.
>
> <Handler>
> 	<AuthBy FILE>
> 		Filename %D/users
> 	</AuthBy>
> 	PostAuthHook sub { my ($p, $rp) = (${$_[0]}, ${$_[1]}); \
> 		my ($ip, @to_delete); \
> 		foreach (@{$rp->{Attributes}}) { \
> 			my ($name, $value) = @$_; \
> 			$ip = $value if $name eq 'Framed-IP-Address-' . $p->{Client}->{Identifier}; \
> 			push (@to_delete, $name) if $name =~ /^Framed-IP-Address-/; \
> 		} \
> 		$rp->add_attr('Framed-IP-Address', $ip) if $ip; \
> 		map {$rp->delete_attr($_)} @to_delete; \
> 	}
> </Handler>
>
>
> --
> Heikki Vatiainen <[email protected]>
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS,
> PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full
> source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
>
> _______________________________________________
> radiator mailing list
> [email protected]
> http://www.open.com.au/mailman/listinfo/radiator

--
Hugh Irvine
[email protected]
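The failure in this thread is visible in the packet dump: without trailing commas, the reply-item lines after "Framed-Protocol = PPP" are read as part of the Framed-Protocol value (hence the <13> and <9> bytes in the dump), so there is no Framed-IP-Address-VPN2 attribute for the hook to find. The following is an added example, not Radiator code and not from anyone in the thread: a small Python model of the "join continuation lines, split reply items on commas" reading of the users file that the log implies, a Python rendering of Heikki's hook logic, and a heuristic check for the missing-comma symptom. The parser is a simplification (it ignores check items and comments), the two users-file samples are constructed from the ones posted above, and the function names are mine.

```python
"""Model of the users-file comma rule and the PostAuthHook selection logic
discussed in this thread. Added example; the parser is a simplified model of
the behaviour shown in the debug log, not Radiator's AuthFILE implementation."""

import re
from typing import Dict, List, Optional, Tuple

Attr = Tuple[str, str]

# Constructed sample: the users file as Brendan posted it (no trailing commas
# after Framed-Protocol and the three Framed-IP-Address-VPNx lines). CRLF line
# endings reproduce the <13> bytes seen in the Access-Accept dump.
BROKEN_USERS = (
    "mikem User-Password=fred\r\n"
    "\tService-Type = Framed-User,\r\n"
    "\tFramed-Protocol = PPP\r\n"
    "\tFramed-IP-Address-VPN0 = 10.1.1.1\r\n"
    "\tFramed-IP-Address-VPN1 = 10.2.2.2\r\n"
    "\tFramed-IP-Address-VPN2 = 10.3.3.3\r\n"
    "\tFramed-IP-Netmask = 255.255.255.255,\r\n"
    "\tFramed-Routing = None,\r\n"
    "\tFramed-MTU = 1500,\r\n"
    "\tFramed-Compression = Van-Jacobson-TCP-IP\r\n"
)

# Constructed sample: the same record with the commas Hugh asked for.
FIXED_USERS = (
    "mikem User-Password=fred\n"
    "\tService-Type = Framed-User,\n"
    "\tFramed-Protocol = PPP,\n"
    "\tFramed-IP-Address-VPN0 = 10.1.1.1,\n"
    "\tFramed-IP-Address-VPN1 = 10.2.2.2,\n"
    "\tFramed-IP-Address-VPN2 = 10.3.3.3,\n"
    "\tFramed-IP-Netmask = 255.255.255.255,\n"
    "\tFramed-Routing = None,\n"
    "\tFramed-MTU = 1500,\n"
    "\tFramed-Compression = Van-Jacobson-TCP-IP\n"
)


def split_reply_items(reply_text: str) -> List[Attr]:
    """Split joined continuation text on commas, then each item on its first '='."""
    items: List[Attr] = []
    for chunk in reply_text.split(","):
        if "=" in chunk:
            name, value = chunk.split("=", 1)
            items.append((name.strip(), value.strip()))
    return items


def parse_users_file(text: str) -> Dict[str, List[Attr]]:
    """Return {username: [(reply_name, reply_value), ...]} (simplified model).

    A record starts with a non-indented line naming the user (check items on
    that line are ignored here). Indented lines are reply-item continuations;
    only their trailing LF is removed before they are joined, so a missing
    comma leaves the CR/tab and the next 'Name = value' inside the previous
    value, exactly as the thread's packet dump shows for Framed-Protocol.
    """
    users: Dict[str, List[Attr]] = {}
    current: Optional[str] = None
    reply_text = ""
    for line in text.split("\n"):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":
            reply_text += line  # continuation: keep raw text, comma or not
            continue
        if current is not None:
            users[current] = split_reply_items(reply_text)
        current, reply_text = line.split(None, 1)[0], ""
    if current is not None:
        users[current] = split_reply_items(reply_text)
    return users


def missing_comma_warnings(users: Dict[str, List[Attr]]) -> List[str]:
    """Heuristic lint: a value that still contains whitespace followed by
    another 'Name =' pair has swallowed the next line, i.e. a comma is missing."""
    pattern = re.compile(r"\s+[\w-]+\s*=")
    return [
        f"{user}: value of {name} swallows the following line(s); missing comma?"
        for user, items in users.items()
        for name, value in items
        if pattern.search(value)
    ]


def apply_client_selection(reply: List[Attr], client_identifier: str) -> List[Attr]:
    """Python rendering of the PostAuthHook in the thread: drop every
    Framed-IP-Address-* placeholder and, if one is named after the Client's
    Identifier, add its value as Framed-IP-Address. No match: nothing added."""
    wanted = "Framed-IP-Address-" + client_identifier
    chosen: Optional[str] = None
    kept: List[Attr] = []
    for name, value in reply:
        if name == wanted:
            chosen = value
        if not name.startswith("Framed-IP-Address-"):
            kept.append((name, value))
    if chosen:
        kept.append(("Framed-IP-Address", chosen))
    return kept


def framed_ip_for(users_text: str, user: str, client_identifier: str) -> Optional[str]:
    """Address the NAS identified by client_identifier would receive for user."""
    reply = apply_client_selection(parse_users_file(users_text).get(user, []), client_identifier)
    return dict(reply).get("Framed-IP-Address")


if __name__ == "__main__":
    for label, text in (("as posted", BROKEN_USERS), ("with commas", FIXED_USERS)):
        for warning in missing_comma_warnings(parse_users_file(text)):
            print("WARNING", warning)
        for ident in ("VPN0", "VPN1", "VPN2", "VPN9"):
            print(f"{label}: client {ident} -> {framed_ip_for(text, 'mikem', ident)}")
```

Running the file shows the posted users file yielding no Framed-IP-Address for any client (and one lint warning on Framed-Protocol), while the comma-corrected file yields 10.1.1.1, 10.2.2.2 and 10.3.3.3 for VPN0, VPN1 and VPN2 and nothing for an unknown Identifier, which is the behaviour Heikki described for the hook.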
