Closed nookeist closed 5 months ago
Maxim, pam_radius ≥ 2.0 (more precisely after https://github.com/FreeRADIUS/pam_radius/pull/47) sets a Framed-IP-Address environment variable. Therefore, this is not an issue with pam_radius, rather an issue with ocserv not harnessing that environment variable.

By the way, what about supporting the RADIUS attribute 97 Framed-IPv6-Prefix in addition to the RADIUS attribute 8 Framed-IP-Address?
See #87.
Problem with setting the IP from Microsoft NPS for an ocserv VPN user.

First, it logs:

ocserv[25974]: main: Starting 1 instances of ocserv-sm
ocserv[25974]: main: initialized OpenConnect VPN Server 1.2.5
ocserv[25976]: sec-mod: reading supplemental config from files
ocserv[25976]: sec-mod: sec-mod initialized (socket: /var/run/ocserv-socket.40bec52d.0)
ocserv[25976]: sec-mod: sec-mod instance 0 issue cookie
ocserv[25976]: sec-mod: using 'pam' authentication to authenticate user (session: 8rNPYi)
ocserv[25976]: pam_radius_auth: 2.0.1 (git #53c0cfff), built on Nov 2 2021 at 14:37:12
ocserv[25976]: pam_radius_auth: DEBUG: conf='/etc/pam_radius_auth.conf' use_first_pass=no try_first_pass=no skip_passwd=no retry=123 localifdown=no client_id='666' accounting_bug=no ruser=no prompt='Password: ' force_prompt=no prompt_attribute=no max_challenge=0 privilege_level=no
ocserv[25976]: pam_radius_auth: Got user name: 'user'
ocserv[25976]: pam_radius_auth: ignore last_pass, force_prompt set
ocserv[25976]: pam_radius_auth: Sending RADIUS request code 1 (Access-Request)
ocserv[25976]: pam_radius_auth: DEBUG: get_ipaddr(192.168.70.105) returned 0.
ocserv[25976]: pam_radius_auth: Got RADIUS response code 2 (Access-Accept)
ocserv[25976]: pam_radius_auth: Set PAM environment variable : Framed-IP-Address=10.10.1.44
ocserv[25976]: pam_radius_auth: authentication succeeded
But then:

ocserv[25974]: main[user]:7.4.201.8:55202 new user session
ocserv[25974]: main[user]:7.4.201.8:55202 user logged in
ocserv[25980]: worker[user]: 7.4.201.8 suggesting DPD of 90 secs
ocserv[25980]: worker[user]: 7.4.201.8 configured link MTU is 1500
ocserv[25980]: worker[user]: 7.4.201.8 peer's link MTU is 1500
ocserv[25980]: worker[user]: 7.4.201.8 sending IPv4 10.10.1.8
ocserv[25980]: worker[user]: 7.4.201.8 adding DNS 10.0.0.1
ocserv[25980]: worker[user]: 7.4.201.8 adding custom header 'X-My-Header: hi there'
ocserv[25980]: worker[user]: 7.4.201.8 Link MTU is 1500 bytes
ocserv[25976]: sec-mod: initiating session for user 'user' (session: 8rNPYi)
I have used many other ocserv PAM configs, but always with the same result.
Example:

%PAM-1.0
auth [success=1 default=ignore] pam_radius_auth.so conf=/etc/pam_radius_auth.conf debug retry=123
auth requisite pam_deny.so
auth required pam_permit.so
auth required /usr/local/lib/security/pam_linotp.so debug url=https://192.168.0.1/validate/simplecheck nosslhostnameverify nosslcertverify
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
account required pam_nologin.so
account include password-auth
session include password-auth
How can I get the Framed-IP-Address passed through to the user?
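The symptom in the logs above is that pam_radius_auth exports Framed-IP-Address=10.10.1.44 into the PAM environment, yet the ocserv worker sends the client 10.10.1.8 from its own pool. The following is an added example, not code from ocserv or pam_radius, that reads the two log streams and flags exactly that discrepancy, and also sanity-checks the RADIUS-supplied value (parsable IPv4, inside an expected pool) before anyone would act on it. The sample log is constructed from the excerpts in this issue, and the pool 10.10.1.0/24 is an assumption for illustration.

```python
import re
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample log, built from the two excerpts in the issue above,
# one ocserv entry per line. Both the RADIUS-assigned address (10.10.1.44)
# and the address ocserv actually handed out (10.10.1.8) appear in it.
SAMPLE_LOG = """\
ocserv[25976]: sec-mod: using 'pam' authentication to authenticate user (session: 8rNPYi)
ocserv[25976]: pam_radius_auth: Got user name: 'user'
ocserv[25976]: pam_radius_auth: Got RADIUS response code 2 (Access-Accept)
ocserv[25976]: pam_radius_auth: Set PAM environment variable : Framed-IP-Address=10.10.1.44
ocserv[25976]: pam_radius_auth: authentication succeeded
ocserv[25974]: main[user]:7.4.201.8:55202 new user session
ocserv[25974]: main[user]:7.4.201.8:55202 user logged in
ocserv[25980]: worker[user]: 7.4.201.8 sending IPv4 10.10.1.8
ocserv[25976]: sec-mod: initiating session for user 'user' (session: 8rNPYi)
"""

# Assumed (not taken from the issue): the pool the RADIUS server is expected
# to allocate from. A Framed-IP-Address outside it is flagged.
EXPECTED_POOL = ipaddress.ip_network("10.10.1.0/24")

PID_RE = re.compile(r"^ocserv\[(?P<pid>\d+)\]: (?P<msg>.*)$")
USER_RE = re.compile(r"pam_radius_auth: Got user name: '(?P<user>[^']+)'")
FRAMED_RE = re.compile(r"Framed-IP-Address=(?P<ip>\S+)")
SENT_RE = re.compile(r"worker\[(?P<user>[^\]]+)\]: \S+ sending IPv4 (?P<ip>\S+)")


def parse_assignments(log_text: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Return {user: {"radius_ip": ..., "sent_ip": ...}} from ocserv log lines.

    pam_radius_auth logs the user name before the Framed-IP-Address line, both
    from the same sec-mod process, so the last user seen per PID is taken as
    the owner of the next Framed-IP-Address value.
    """
    last_user_by_pid: Dict[str, str] = {}
    result: Dict[str, Dict[str, Optional[str]]] = {}

    for line in log_text.splitlines():
        m = PID_RE.match(line.strip())
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")

        if (u := USER_RE.search(msg)):
            last_user_by_pid[pid] = u.group("user")
            result.setdefault(u.group("user"), {"radius_ip": None, "sent_ip": None})
        elif (f := FRAMED_RE.search(msg)) and pid in last_user_by_pid:
            result[last_user_by_pid[pid]]["radius_ip"] = f.group("ip")
        elif (s := SENT_RE.search(msg)):
            result.setdefault(s.group("user"), {"radius_ip": None, "sent_ip": None})
            result[s.group("user")]["sent_ip"] = s.group("ip")
    return result


def check_assignments(log_text: str,
                      pool: ipaddress.IPv4Network = EXPECTED_POOL) -> List[Tuple[str, str, str]]:
    """Flag users whose RADIUS-assigned address was not applied or is suspicious.

    Findings are (user, kind, detail) tuples with kind in:
      "invalid"      the Framed-IP-Address value is not a parsable IPv4 address
      "out_of_pool"  it parses but lies outside the expected pool
      "not_applied"  ocserv sent the client a different address than RADIUS assigned
    """
    findings: List[Tuple[str, str, str]] = []
    for user, ips in parse_assignments(log_text).items():
        radius_ip, sent_ip = ips["radius_ip"], ips["sent_ip"]
        if radius_ip is None:
            continue  # RADIUS assigned nothing; ocserv's own pool is expected here
        try:
            addr = ipaddress.IPv4Address(radius_ip)
        except ValueError:
            findings.append((user, "invalid", radius_ip))
            continue
        if addr not in pool:
            findings.append((user, "out_of_pool", radius_ip))
        if sent_ip is not None and sent_ip != radius_ip:
            findings.append((user, "not_applied", f"radius={radius_ip} sent={sent_ip}"))
    return findings


if __name__ == "__main__":
    for finding in check_assignments(SAMPLE_LOG):
        print(*finding)
```

Run against the issue's own log lines this reports one finding, `user not_applied radius=10.10.1.44 sent=10.10.1.8`, which is the behaviour being reported. The pool and parse checks are there because a RADIUS-supplied address is untrusted input from the VPN's point of view: once ocserv does honour the variable, an address outside the expected range should be refused rather than routed.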