Bug #8087
open
Provide Calling-Station-ID to RADIUS backed VPN connections
Added by Sunrunner20 20 about 7 years ago.
Updated 9 months ago.
Description
I'm using the Duo 2FA RADIUS proxy to connect to the on-board RADIUS server in pfSense and am not getting an IP or a username in the Duo notifications. This is a much valued feature to validate that the request is coming from one of my machines (I'm not always there when secneg occurs). I do not know the RADIUS attribute for username.
- Category set to Authentication
Might not be possible to put the client address in there since I am not sure the auth system will see that from OpenVPN/IPsec, but it might be worth looking into.
There have been changes since this request was made, however. It does fill in the NAS-IP-Address (configurable in the auth server settings) and NAS-Identifier, which will show at least which firewall the request came through.
Calling-Station-Id is already supported by EAP-RADIUS strongswan plugin, see https://wiki.strongswan.org/projects/strongswan/wiki/EAPRadius#Attributes-sent-to-RADIUS-servers
testing packet capture:
Attribute Value Pairs
AVP: t=User-Name(1) l=6 val=test
AVP: t=NAS-Port-Type(61) l=6 val=Virtual(5)
AVP: t=Service-Type(6) l=6 val=Framed(2)
AVP: t=NAS-Port(5) l=6 val=18
AVP: t=NAS-Port-Id(87) l=12 val=con-mobile
AVP: t=NAS-IP-Address(4) l=6 val=192.168.3.4
AVP: t=Called-Station-Id(30) l=19 val=192.168.3.4[4500]
AVP: t=Calling-Station-Id(31) l=20 val=192.168.3.3[54552]
AVP: t=EAP-Message(79) l=11 Last Segment[1]
AVP: t=NAS-Identifier(32) l=12 val=strongSwan
AVP: t=Message-Authenticator(80) l=18 val=e782d4fcf522e54f87db557dfb529a0f
In the case of OpenVPN, the current implementation of openvpn-plugin-auth-script.so does not support the $clientid environment variable.
Has there been any update on this? Ran into the same issue, pfSense OpenVPN not forwarding the RADIUS parameters to Duo.
OpenVPN makes the client's apparent address available in environment variables:
--- openvpn.auth-user.php.orig 2022-12-03 14:08:05.556382000 +0100
+++ openvpn.auth-user.php 2022-12-03 14:08:34.276103000 +0100
@@ -102,7 +102,7 @@
$attributes = array("nas_identifier" => "openVPN",
"nas_port_type" => RADIUS_VIRTUAL,
"nas_port" => $_GET['nas_port'],
- "calling_station_id" => get_interface_ip() . ":" . $_GET['nas_port']);
+ "calling_station_id" => getenv("untrusted_ip") . ":" . getenv("untrusted_port"));
foreach ($authmodes as $authmode) {
$authcfg = auth_get_authserver($authmode);
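Review bot: The replaced line at "calling_station_id" concatenates getenv("untrusted_ip") and getenv("untrusted_port") without checking either, and getenv() returns false when a variable is not set, so if OpenVPN does not export untrusted_ip in the context this script runs in, the attribute is sent as ":<port>" (a malformed value the RADIUS backend may then reject or mis-parse) instead of being omitted. Guard both values before building the string, and leave calling_station_id out of $attributes (or send the bare address) when the IP is missing. The direction of the change is right: the removed line sent get_interface_ip(), which is the firewall's own address (already carried in NAS-IP-Address), not the calling station.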
Christian Ullrich wrote in #note-4:
OpenVPN makes the client's apparent address available in environment variables:
[...]
Thanks Christian. I patched openvpn.auth-user.php but had to change it a bit, skipping the untrusted_port part, otherwise Duo won't parse the IP parameter correctly. It may be a Duo-related issue only, not sure.
So what ended up working for me is replacing the whole line with:
"calling_station_id" => getenv("untrusted_ip"));
The format itself is application-specific.
Welp, even "my" last hack stopped working somewhere along the pfSense stable upgrade path, currently on "23.09.1-RELEASE (amd64)" and the `calling_station_id` doesn't get populated with `untrusted_ip` (although present when tcpdumping the openvpn client stream), the `untrusted_port` does propagate correctly though. Weird.
"calling_station_id" => getenv("untrusted_ip") . ":" . getenv("untrusted_port"));
If anyone has a solution it would be much appreciated.
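The thread above shows two failure modes of the one-line patch: a backend (Duo) that only parses a bare address, and an upgrade after which untrusted_ip is not populated, so the attribute degrades to ":port". The following is an added example, not pfSense's own openvpn.auth-user.php and not code from anyone in this thread. It builds the Calling-Station-Id from the environment OpenVPN exports to an auth-user-pass-verify script, omits the attribute rather than sending a malformed one when the address is unknown, and lets the caller choose the bare-address form that Duo accepted. It assumes the OpenVPN variable names untrusted_ip and untrusted_port from the patch above; untrusted_ip6 and the NAS-Port-Type value 5 (Virtual, as seen in the strongSwan capture above) are assumptions. The point of carrying the client address at all is the one the reporter makes: a 2FA push that shows where the login came from lets the user reject a push they did not initiate.

```php
<?php
// Added example (not pfSense's own code). Builds RADIUS attributes for an
// OpenVPN auth-user-pass-verify script from the environment OpenVPN exports.
// Assumed OpenVPN variables: untrusted_ip, untrusted_ip6, untrusted_port.

/**
 * Return the Calling-Station-Id string, or null when the client address is
 * unknown. $include_port selects "ip:port" versus a bare "ip"; the thread
 * reports that Duo only parses the bare form, so this is chosen per backend.
 */
function build_calling_station_id(array $env, bool $include_port = false): ?string {
    $ip = (string)($env['untrusted_ip'] ?? $env['untrusted_ip6'] ?? '');
    if ($ip === '' || filter_var($ip, FILTER_VALIDATE_IP) === false) {
        // Never emit ":port" with an empty address; omit the attribute instead.
        return null;
    }
    if (!$include_port) {
        return $ip;
    }
    $port = (string)($env['untrusted_port'] ?? '');
    if ($port === '' || !ctype_digit($port) || (int)$port < 1 || (int)$port > 65535) {
        return $ip;  // unusable port: fall back to the bare address
    }
    // Bracket IPv6 literals so the trailing ":port" is unambiguous.
    $host = (strpos($ip, ':') !== false) ? "[$ip]" : $ip;
    return "$host:$port";
}

/** Assemble the attribute array; calling_station_id is only set when known. */
function build_radius_attributes(array $env, bool $include_port = false): array {
    $attributes = array(
        'nas_identifier' => 'openVPN',
        // RADIUS_VIRTUAL comes from PHP's radius extension; 5 = Virtual (assumed
        // here from the NAS-Port-Type value in the capture above).
        'nas_port_type'  => defined('RADIUS_VIRTUAL') ? RADIUS_VIRTUAL : 5,
        'nas_port'       => (int)($env['nas_port'] ?? 0),
    );
    $csid = build_calling_station_id($env, $include_port);
    if ($csid !== null) {
        $attributes['calling_station_id'] = $csid;
    }
    return $attributes;
}

// Constructed sample environments (not captured from a real system).
$normal  = array('untrusted_ip' => '192.168.3.3', 'untrusted_port' => '54552', 'nas_port' => '1194');
$missing = array('untrusted_port' => '54552', 'nas_port' => '1194');          // the upgrade failure mode
$v6      = array('untrusted_ip6' => '2001:db8::1', 'untrusted_port' => '4500', 'nas_port' => '1194');

$checks = array(
    array(build_calling_station_id($normal, true),  '192.168.3.3:54552'),
    array(build_calling_station_id($normal, false), '192.168.3.3'),     // Duo-friendly form
    array(build_calling_station_id($missing, true), null),              // not ":54552"
    array(build_calling_station_id($v6, true),      '[2001:db8::1]:4500'),
);
foreach ($checks as [$got, $want]) {
    if ($got !== $want) {
        throw new RuntimeException('unexpected value: ' . var_export($got, true));
    }
}
// In the real hook the environment comes from getenv() with no arguments
// (PHP >= 7.1), e.g. build_radius_attributes(getenv(), false).
print_r(build_radius_attributes($missing, true)); // no calling_station_id key
```

Dropping the attribute when the address is unknown is deliberate: a Calling-Station-Id that is present but wrong gives the user a false sense that the push was checked, whereas an absent one is visibly "unknown source" in the Duo notification.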