Provide Calling-Station-ID to RADIUS backed VPN connections
I'm using Duo 2FA RADIUS proxy to connect to the onboard RADIUS server in pfSense and am not getting an IP or a username in the Duo notifications. This is a much-valued feature to validate that the request is coming from one of my machines (I'm not always there when secneg occurs). I do not know the RADIUS attribute for username.
#1 Updated by Jim Pingle 12 months ago
- Category set to Authentication
Might not be possible to put the client address in there since I am not sure the auth system will see that from OpenVPN/IPsec, but it might be worth looking into.
There have been changes since this request was made, however. It does fill in the NAS-IP-Address (configurable in the auth server settings) and NAS-Identifier, which will show at least which firewall the request came through.
#2 Updated by Viktor Gurov 2 months ago
Calling-Station-Id is already supported by the EAP-RADIUS strongSwan plugin, see https://wiki.strongswan.org/projects/strongswan/wiki/EAPRadius#Attributes-sent-to-RADIUS-servers
Testing packet capture:

    Attribute Value Pairs
        AVP: t=User-Name(1) l=6 val=test
        AVP: t=NAS-Port-Type(61) l=6 val=Virtual(5)
        AVP: t=Service-Type(6) l=6 val=Framed(2)
        AVP: t=NAS-Port(5) l=6 val=18
        AVP: t=NAS-Port-Id(87) l=12 val=con-mobile
        AVP: t=NAS-IP-Address(4) l=6 val=192.168.3.4
        AVP: t=Called-Station-Id(30) l=19 val=192.168.3.4
        AVP: t=Calling-Station-Id(31) l=20 val=192.168.3.3
        AVP: t=EAP-Message(79) l=11 Last Segment
        AVP: t=NAS-Identifier(32) l=12 val=strongSwan
        AVP: t=Message-Authenticator(80) l=18 val=e782d4fcf522e54f87db557dfb529a0f
In the case of OpenVPN, the current implementation of openvpn-plugin-auth-script.so does not support the $clientid environment variable.
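
To check on the RADIUS side whether a request really carries the client address discussed in this thread, the following added example (not part of the ticket or of pfSense/strongSwan code) parses the AVPs of an Access-Request and reports whether Calling-Station-Id (type 31) is present. The sample packet is constructed here from the values in the capture above, with a zeroed authenticator; the function names are hypothetical.

```python
import socket
import struct

# Attribute type numbers (RFC 2865) as they appear in the capture above.
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 30: "Called-Station-Id",
              31: "Calling-Station-Id", 32: "NAS-Identifier"}


def parse_avps(packet: bytes) -> dict:
    """Return {attribute name: value} for the known AVPs in a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match packet size")
    avps, pos = {}, 20  # skip code, id, length and the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated AVP header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad AVP length")
        value = packet[pos + 2:pos + alen]
        name = ATTR_NAMES.get(atype)
        if atype == 4 and len(value) == 4:
            avps[name] = socket.inet_ntoa(value)   # 4-byte IPv4 address
        elif name:
            avps[name] = value.decode("utf-8", "replace")
        pos += alen
    return avps


def build_sample() -> bytes:
    """Constructed Access-Request (code 1); not a real capture."""
    def avp(t, v):
        return bytes([t, len(v) + 2]) + v
    body = (avp(1, b"test") + avp(4, socket.inet_aton("192.168.3.4"))
            + avp(30, b"192.168.3.4") + avp(31, b"192.168.3.3")
            + avp(32, b"strongSwan"))
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + bytes(16) + body


def has_client_address(packet: bytes) -> bool:
    """True when the request carries a non-empty Calling-Station-Id."""
    return bool(parse_avps(packet).get("Calling-Station-Id"))


if __name__ == "__main__":
    print(parse_avps(build_sample()))
```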