Hi everyone,
I realise that this may be somewhat a limitation of the PAM Radius Plugin for
OpenVPN but have searched around for a week now to find a solution.
The problem I am having is that I have an OpenVPN proxy hub that has 3
external IP addresses. I am using huntgroups to distinguish if a user can
authenticate against an IP address and if so they receive an IP default Gw to
a front end proxy (each front end proxy is located in a separate country). The
idea is that a user of a specific group can only connect to an interface that
he is a group member of. The authentication uses the pam radius plugin against
a backend SQL / radius server. If I connect to int1 then the requests sent by
the Radius plugin to the backend radius server have a source IP of int1. This
works well and the user is authenticated and is provided a default GW to the
front end proxy. However if the user connects to INT2 the NAS request still has
the source IP address of INT1 and therefore the user is rejected because he is
not a member of the INT1 grouping.
Is it possible to have multiple instances of the radius plugin each binding to
a different interface so that the request seen by the Radius server via the PAM
plugin has the correct source address? Is it possible to get the NAS to
distinguish between the interfaces?
Cheers to all in advance (,)
Cj
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html