Bug #8087


Provide Calling-Station-ID to RADIUS backed VPN connections

Added by Sunrunner20 20 over 6 years ago. Updated 2 months ago.



I'm using the Duo 2FA RADIUS proxy to connect to the onboard RADIUS server in pfSense and am not getting an IP or a username in the Duo notifications. This is a much-valued feature to validate that the request is coming from one of my machines (I'm not always there when secneg occurs). I do not know the RADIUS attribute for username.

Actions #1

Updated by Jim Pingle over 4 years ago

  • Category set to Authentication

Might not be possible to put the client address in there since I am not sure the auth system will see that from OpenVPN/IPsec, but it might be worth looking into.

There have been changes since this request was made, however. It does fill in the NAS-IP-Address (configurable in the auth server settings) and NAS-Identifier, which will show at least which firewall the request came through.

Actions #2

Updated by Viktor Gurov almost 4 years ago

Calling-Station-Id is already supported by EAP-RADIUS strongswan plugin, see

testing packet capture:

Attribute Value Pairs
    AVP: t=User-Name(1) l=6 val=test
    AVP: t=NAS-Port-Type(61) l=6 val=Virtual(5)
    AVP: t=Service-Type(6) l=6 val=Framed(2)
    AVP: t=NAS-Port(5) l=6 val=18
    AVP: t=NAS-Port-Id(87) l=12 val=con-mobile
    AVP: t=NAS-IP-Address(4) l=6 val=
    AVP: t=Called-Station-Id(30) l=19 val=[4500]
    AVP: t=Calling-Station-Id(31) l=20 val=[54552]
    AVP: t=EAP-Message(79) l=11 Last Segment[1]
    AVP: t=NAS-Identifier(32) l=12 val=strongSwan
    AVP: t=Message-Authenticator(80) l=18 val=e782d4fcf522e54f87db557dfb529a0f

in case of OpenVPN, the current implementation of do not support $clientid environment variable

Actions #3

Updated by Brandon Verkada over 1 year ago

Has there been any update on this? Ran into the same issue, pfSense OpenVPN not forwarding the RADIUS parameters to DUO.

Actions #4

Updated by Christian Ullrich over 1 year ago

OpenVPN makes the client's apparent address available in environment variables:

--- openvpn.auth-user.php.orig  2022-12-03 14:08:05.556382000 +0100
+++ openvpn.auth-user.php       2022-12-03 14:08:34.276103000 +0100
@@ -102,7 +102,7 @@
 $attributes = array("nas_identifier" => "openVPN",
     "nas_port_type" => RADIUS_VIRTUAL,
     "nas_port" => $_GET['nas_port'],
-    "calling_station_id" => get_interface_ip() . ":" . $_GET['nas_port']);
+    "calling_station_id" => getenv("untrusted_ip") . ":" . getenv("untrusted_port"));

 foreach ($authmodes as $authmode) {
     $authcfg = auth_get_authserver($authmode);
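
Review bot: on the added calling_station_id line, neither getenv() result is checked before it is concatenated. PHP's getenv() returns false for an unset variable, so if untrusted_ip or untrusted_port is missing from the script's environment the attribute is sent as ":" or ":port" instead of an address. Suggest reading both values into variables first, falling back to the previous get_interface_ip() value (or omitting the attribute) when untrusted_ip is empty, and appending ":" plus the port only when a port is present. A short comment on the line stating the intended "ip:port" format would also help, since the value goes to the RADIUS server as-is.
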
Actions #5

Updated by Brandon Verkada over 1 year ago

Christian Ullrich wrote in #note-4:

OpenVPN makes the client's apparent address available in environment variables:


Thanks Christian. I patched the openvpn.auth-user.php but had to change it a bit, skipping the untrusted_port part, otherwise DUO won't parse the IP parameter correctly. It may be a DUO-related issue only, not sure.
So what ended up working for me is replacing the whole line with:

"calling_station_id" => getenv("untrusted_ip"));
Actions #6

Updated by Marcos M over 1 year ago

The format itself is application-specific.

Actions #7

Updated by Brandon Verkada 2 months ago

Welp, even "my" last hack stopped working somewhere along the pfSense stable upgrade path, currently on "23.09.1-RELEASE (amd64)" and the `calling_station_id` doesn't get populated with `untrusted_ip` (although present when tcpdumping the openvpn client stream), the `untrusted_port` does propagate correctly though. Weird.

"calling_station_id" => getenv("untrusted_ip") . ":" . getenv("untrusted_port"));

If anyone has a solution it would be much appreciated.
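
To check on the wire what the firewall actually sends, as the capture in note #2 and the tcpdump check in the last note do by hand, the following added example (not part of the thread, and not pfSense or OpenVPN code) parses a RADIUS Access-Request and classifies its Calling-Station-Id value. The function names, the sample builder and the documentation addresses used with it are assumptions made for illustration.

```python
import ipaddress
import re
import struct

# Attribute numbers as listed in the capture in note #2 (RFC 2865).
ATTRS = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port", 30: "Called-Station-Id",
         31: "Calling-Station-Id", 32: "NAS-Identifier", 61: "NAS-Port-Type"}

def parse_access_request(pkt: bytes) -> dict:
    """Return {attribute name: raw value} for one RADIUS Access-Request."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != 1 or not 20 <= length <= len(pkt):
        raise ValueError("not an Access-Request or bad length field")
    avps, pos = {}, 20
    while pos < length:
        # Each AVP is type(1) length(1) value; the length counts its own two
        # header bytes, hence l=6 for "test" in the capture.
        alen = pkt[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("truncated or malformed AVP")
        avps.setdefault(ATTRS.get(pkt[pos], f"Attr-{pkt[pos]}"), pkt[pos + 2:pos + alen])
        pos += alen
    return avps

def check_calling_station_id(avps: dict) -> str:
    """Classify attribute 31 as 'missing', 'no-ip', 'ip' or 'ip+port'."""
    raw = avps.get("Calling-Station-Id")
    if raw is None:
        return "missing"
    text = raw.decode("ascii", "replace")
    candidates = [(text, "ip")]
    # Port suffixes in this thread: ":port" (OpenVPN patch), "[port]" (capture in note #2)
    m = re.fullmatch(r"(.+?)(?::\d+|\[\d+\])", text)
    if m:
        candidates.append((m.group(1), "ip+port"))
    for host, kind in candidates:
        try:
            ipaddress.ip_address(host.strip("[]"))
            return kind
        except ValueError:
            continue
    return "no-ip"

def build_sample(calling: bytes) -> bytes:
    """Constructed Access-Request (not a real capture) to exercise the parser."""
    body = b"".join(bytes([t, len(v) + 2]) + v
                    for t, v in ((1, b"test"), (32, b"openVPN"), (31, calling)))
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(16) + body
```

A result of `no-ip` corresponds to the situation in the last note, where the port arrives but the address part is empty.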

