Project

General

Profile

Actions

Bug #12076

open

OpenVPN + Radius + Framed-Ip-Address + Cisco-AVPair: clientip != framedip

Added by Florian Lourdault about 1 month ago. Updated about 1 month ago.

Status:
Feedback
Priority:
Normal
Category:
OpenVPN
Target version:
Start date:
06/23/2021
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
21.09
Release Notes:
Default
Affected Version:
Affected Architecture:

Description

Current OpenVPN script implemented to trigger Cisco-AVPair ACL in PF chains allows the {clientip} syntax to match IP address of the client initiating the VPN connection.

The script (/usr/local/sbin/openvpn.attributes.sh) relies on ${ifconfig_pool_remote_ip} variable passed from OpenVPN to generate a PF rule (temporary file) to later insert in PF running configuration.

For some reason the IP address returned by the OpenVPN pool is not the same as the Framed-IP-Address indicated by Radius (see screenshots). I also dumped variables passed by OpenVPN to the script and none contains the Framed-IP-Address.

The workaround I implemented on my pfsense was to replace the {clientip} substitution pattern while processing /etc/inc/util.inc if a framed_ip is set in attribute.


Files

pfsense_ovpn-radius-framedip.png (57.5 KB) pfsense_ovpn-radius-framedip.png Connection logs from OpenVPN client and server Florian Lourdault, 06/23/2021 03:35 PM
pfsense_ovpn-radius-framedip2.png (13.6 KB) pfsense_ovpn-radius-framedip2.png Framed-IP-Address configured for user (AD / NPS) Florian Lourdault, 06/23/2021 04:21 PM
Actions #2

Updated by Renato Botelho about 1 month ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Renato Botelho

PR has been merged. Thanks!

Actions #3

Updated by Renato Botelho about 1 month ago

  • Target version set to 2.6.0
  • Plus Target Version set to 21.09
Actions

Also available in: Atom PDF