FreeRADIUS / pam_radius

This is the PAM to RADIUS authentication module. It allows any Linux, OSX or Solaris machine to become a RADIUS client for authentication and password change requests.
GNU General Public License v2.0

ocserv rewrite framed ip from radius #86

Closed nookeist closed 5 months ago

nookeist commented 5 months ago

Problem with setting the IP from Microsoft NPS for an ocserv VPN user.

At first it logs:

ocserv[25974]: main: Starting 1 instances of ocserv-sm
ocserv[25974]: main: initialized OpenConnect VPN Server 1.2.5
ocserv[25976]: sec-mod: reading supplemental config from files
ocserv[25976]: sec-mod: sec-mod initialized (socket: /var/run/ocserv-socket.40bec52d.0)
ocserv[25976]: sec-mod: sec-mod instance 0 issue cookie
ocserv[25976]: sec-mod: using 'pam' authentication to authenticate user (session: 8rNPYi)
ocserv[25976]: pam_radius_auth: 2.0.1 (git #53c0cfff), built on Nov 2 2021 at 14:37:12
ocserv[25976]: pam_radius_auth: DEBUG: conf='/etc/pam_radius_auth.conf' use_first_pass=no try_first_pass=no skip_passwd=no retry=123 localifdown=no client_id='666' accounting_bug=no ruser=no prompt='Password: ' force_prompt=no prompt_attribute=no max_challenge=0 privilege_level=no
ocserv[25976]: pam_radius_auth: Got user name: 'user'
ocserv[25976]: pam_radius_auth: ignore last_pass, force_prompt set
ocserv[25976]: pam_radius_auth: Sending RADIUS request code 1 (Access-Request)
ocserv[25976]: pam_radius_auth: DEBUG: get_ipaddr(192.168.70.105) returned 0.
ocserv[25976]: pam_radius_auth: Got RADIUS response code 2 (Access-Accept)
ocserv[25976]: pam_radius_auth: Set PAM environment variable : Framed-IP-Address=10.10.1.44
ocserv[25976]: pam_radius_auth: authentication succeeded

But then:

ocserv[25974]: main[user]:7.4.201.8:55202 new user session
ocserv[25974]: main[user]:7.4.201.8:55202 user logged in
ocserv[25980]: worker[user]: 7.4.201.8 suggesting DPD of 90 secs
ocserv[25980]: worker[user]: 7.4.201.8 configured link MTU is 1500
ocserv[25980]: worker[user]: 7.4.201.8 peer's link MTU is 1500
ocserv[25980]: worker[user]: 7.4.201.8 sending IPv4 10.10.1.8
ocserv[25980]: worker[user]: 7.4.201.8 adding DNS 10.0.0.1
ocserv[25980]: worker[user]: 7.4.201.8 adding custom header 'X-My-Header: hi there'
ocserv[25980]: worker[user]: 7.4.201.8 Link MTU is 1500 bytes
ocserv[25976]: sec-mod: initiating session for user 'user' (session: 8rNPYi)

I have used many other ocserv PAM configs, but always with the same result.

Example:

#%PAM-1.0
auth     [success=1 default=ignore] pam_radius_auth.so conf=/etc/pam_radius_auth.conf debug retry=123
auth     requisite                  pam_deny.so
auth     required                   pam_permit.so
auth     required                   /usr/local/lib/security/pam_linotp.so debug url=https://192.168.0.1/validate/simplecheck nosslhostnameverify nosslcertverify
session  [default=1]                pam_permit.so
session  requisite                  pam_deny.so
session  required                   pam_permit.so
account  required                   pam_nologin.so
account  include                    password-auth
session  include                    password-auth

How can I get the Framed-IP-Address passed through to the user?
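The two log excerpts in this report show the failure pattern directly: pam_radius_auth exports `Framed-IP-Address=10.10.1.44`, and a few lines later the ocserv worker sends the client `10.10.1.8` instead. The script below is an added example, not code from pam_radius or ocserv, that correlates those two log lines per user and reports every session where the address handed to the client differs from the one RADIUS assigned. It assumes the exact message formats shown above (pam_radius_auth 2.0.1 with `debug`, ocserv 1.2.5) and uses the sec-mod PID to tie the "Got user name" line to the later "Set PAM environment variable" line; the sample log is constructed from the lines quoted in this issue.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the relevant lines from the two excerpts in the issue above.
SAMPLE_LOG = """\
ocserv[25976]: pam_radius_auth: Got user name: 'user'
ocserv[25976]: pam_radius_auth: Sending RADIUS request code 1 (Access-Request)
ocserv[25976]: pam_radius_auth: Got RADIUS response code 2 (Access-Accept)
ocserv[25976]: pam_radius_auth: Set PAM environment variable : Framed-IP-Address=10.10.1.44
ocserv[25976]: pam_radius_auth: authentication succeeded
ocserv[25974]: main[user]:7.4.201.8:55202 new user session
ocserv[25974]: main[user]:7.4.201.8:55202 user logged in
ocserv[25980]: worker[user]: 7.4.201.8 sending IPv4 10.10.1.8
ocserv[25976]: sec-mod: initiating session for user 'user' (session: 8rNPYi)
"""

# Message formats as they appear in the issue (assumed stable for these versions).
USER_RE = re.compile(r"ocserv\[(\d+)\]: pam_radius_auth: Got user name: '([^']+)'")
FRAMED_RE = re.compile(
    r"ocserv\[(\d+)\]: pam_radius_auth: Set PAM environment variable : Framed-IP-Address=(\S+)"
)
SENDING_RE = re.compile(r"ocserv\[\d+\]: worker\[([^\]]+)\]: \S+ sending IPv4 (\S+)")


def parse_log(text: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Return {user: {"radius": ip set by RADIUS or None, "assigned": ip ocserv sent or None}}."""
    pending: Dict[str, str] = {}  # sec-mod pid -> user currently being authenticated
    result: Dict[str, Dict[str, Optional[str]]] = {}
    for line in text.splitlines():
        m = USER_RE.search(line)
        if m:
            pid, user = m.group(1), m.group(2)
            pending[pid] = user
            result.setdefault(user, {"radius": None, "assigned": None})
            continue
        m = FRAMED_RE.search(line)
        if m:
            pid, addr = m.group(1), m.group(2)
            user = pending.get(pid)
            try:
                ipaddress.IPv4Address(addr)  # ignore malformed values rather than trusting them
            except ValueError:
                continue
            if user is not None:
                result[user]["radius"] = addr
            continue
        m = SENDING_RE.search(line)
        if m:
            user, addr = m.group(1), m.group(2)
            result.setdefault(user, {"radius": None, "assigned": None})["assigned"] = addr
    return result


def find_mismatches(text: str) -> List[Tuple[str, str, str]]:
    """(user, radius_ip, assigned_ip) for every user whose RADIUS address was not honoured."""
    out = []
    for user, d in parse_log(text).items():
        if d["radius"] and d["assigned"] and d["radius"] != d["assigned"]:
            out.append((user, d["radius"], d["assigned"]))
    return out


if __name__ == "__main__":
    for user, wanted, got in find_mismatches(SAMPLE_LOG):
        print(f"{user}: RADIUS Framed-IP-Address {wanted} ignored, client was given {got}")
```

Run it against `journalctl -u ocserv` output (or the syslog file ocserv writes to) to confirm whether the VPN is honouring NPS-assigned addresses; a non-empty result is the symptom described in this issue rather than a RADIUS-side problem, since the attribute visibly arrived and was exported to the PAM environment.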

DimitriPapadopoulos commented 5 months ago

See openconnect/ocserv#595.

Maxim, pam_radius ≥ 2.0 (more precisely after https://github.com/FreeRADIUS/pam_radius/pull/47) sets a Framed-IP-Address environment variable. Therefore, this is not an issue with pam_radius, but rather an issue with ocserv not harnessing that environment variable.

DimitriPapadopoulos commented 5 months ago

By the way, what about supporting the RADIUS attribute 97 Framed-IPv6-Prefix in addition to the RADIUS attribute 8 Framed-IP-Address?

See #87.