Hi Paul,
I’m trying to make it possible to use the framed_ip_address from
pam_radius_auth. Right now I set the framed_ip_address as an environment
variable.
Do you think that libreswan could use this variable and set this IP address for
the authenticated user?
This is my log:
Mar 24 03:46:38 commsmundi pluto[2803]: "tunnel1"[12] 192.168.10.188 #25: XAUTH: Sending Username/Password request (MAIN_R3->XAUTH_R0)
Mar 24 03:46:38 commsmundi pluto[2803]: "tunnel1"[12] 192.168.10.188 #25: XAUTH: PAM authentication method requested to authenticate user 'user'
Mar 24 03:46:38 commsmundi pluto[13754]: pam_radius_auth: Got user name user
Mar 24 03:46:38 commsmundi pluto[13754]: pam_radius_auth: ignore last_pass, force_prompt set
Mar 24 03:46:38 commsmundi pluto[13754]: pam_radius_auth: Sending RADIUS request code 1
Mar 24 03:46:38 commsmundi pluto[13754]: pam_radius_auth: DEBUG: get_ipaddr(127.0.0.1) returned 0.
Mar 24 03:46:38 commsmundi radiusd[3081]: (14) Login OK: [user/1234] (from client nas01 port 13754 cli 192.168.10.188)
Mar 24 03:46:38 commsmundi pluto[13754]: pam_radius_auth: Got RADIUS response code 2
Mar 24 03:46:38 commsmundi pluto[13754]: pam_radius_auth: Set PAM environment variable : Framed-IP-Address=192.168.20.2
Mar 24 03:46:38 commsmundi pluto[13754]: pam_radius_auth: authentication succeeded
Mar 24 03:46:38 commsmundi pluto[2803]: "tunnel1"[12] 192.168.10.188 #25: PAM: #25: completed for user 'user' with status SUCCESSS
Mar 24 03:46:38 commsmundi pluto[2803]: "tunnel1"[12] 192.168.10.188 #25: XAUTH: User user: Authentication Successful
Mar 24 03:46:38 commsmundi pluto[2803]: "tunnel1"[12] 192.168.10.188 #25: XAUTH: xauth_inR1(STF_OK)
Mar 24 03:46:38 commsmundi pluto[2803]: "tunnel1"[12] 192.168.10.188 #25: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
Mar 24 03:46:38 commsmundi pluto[2803]: "tunnel1"[12] 192.168.10.188 #25: modecfg_inR0(STF_OK)
Thanks,
António
> On 15 Nov 2015, at 10:49, Paul Wouters <[email protected]> wrote:
>
> On Fri, 13 Nov 2015, François wrote:
>
>> Do you think it is possible with a tweak in current PAM authentication (not
>> sure if PAM can send back parameters received by RADIUS), or would it
>> require Libreswan to support RADIUS?
>>
>> Not sure how all this works, but I'm willing to try to make a patch for that
>> if it's not too complex!
>
> I guess it might be possible with pam_radius support? If you can figure
> out those parts, we can help with getting the IP address from the pam
> module back into the connection instance.
>
> Paul
> _______________________________________________
> Swan mailing list
> [email protected]
> https://lists.libreswan.org/mailman/listinfo/swan
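
Added example, not part of the original message and not libreswan or pam_radius_auth code: one way a PAM caller could pick Framed-IP-Address out of the PAM environment and validate it before using it as a client address. The function names are hypothetical, and it assumes the caller obtains the "NAME=value" list with pam_getenvlist() before pam_end().

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FRAMED_KEY "Framed-IP-Address="   /* name seen in the log above */

/* Reject values that must never become a client lease (hypothetical helper). */
static int usable_lease(uint32_t h)
{
    if (h == 0 || h >= 0xFFFFFFFEu) return 0; /* unspecified; RFC 2865 "user/NAS selects" */
    if ((h >> 24) == 127) return 0;           /* loopback 127/8 */
    if ((h >> 28) == 0xE) return 0;           /* multicast 224/4 */
    return 1;
}

/*
 * envlist: NULL-terminated "NAME=value" array, the shape pam_getenvlist() returns.
 * Returns 0 and fills *out on success, -1 if the variable is absent, malformed
 * or unusable, -2 if it appears more than once (ambiguous, so refuse it).
 */
int framed_ip_from_envlist(char *const *envlist, struct in_addr *out)
{
    const size_t klen = strlen(FRAMED_KEY);
    const char *val = NULL;
    struct in_addr a;

    if (envlist == NULL || out == NULL) return -1;
    for (; *envlist != NULL; envlist++) {
        if (strncmp(*envlist, FRAMED_KEY, klen) != 0) continue;
        if (val != NULL) return -2;
        val = *envlist + klen;
    }
    if (val == NULL) return -1;
    if (inet_pton(AF_INET, val, &a) != 1) return -1; /* strict dotted quad only */
    if (!usable_lease(ntohl(a.s_addr))) return -1;
    *out = a;
    return 0;
}

/* Constructed sample input, mirroring the variable shown in the log. */
static char *const sample_env[] = { "Framed-IP-Address=192.168.20.2", NULL };

int main(void)
{
    struct in_addr a;
    int rc = framed_ip_from_envlist(sample_env, &a);
    printf("rc=%d addr=%s\n", rc, rc == 0 ? inet_ntoa(a) : "-");
    return rc == 0 ? 0 : 1;
}
```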