pam_radius_auth with Framed-IP-Address


pam_radius_auth with Framed-IP-Address

Users mailing list
Hi,

How to get the "Framed-IP-Address" attribute from the Access-Accept
reply from the radius server?

Is it possible?



Thanks.


Note: not sure if this is the right mailing list to ask this question, sorry
if it is not.

--
Saludos / Regards / Cumprimentos
António Silva

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: pam_radius_auth with Framed-IP-Address

Alan DeKok-2
On Oct 8, 2019, at 8:17 PM, António Silva via Freeradius-Users <[hidden email]> wrote:
> How to get the "Framed-IP-Address" attribute from the Access-Accept reply from the radius server?

  To do what?

  The PAM framework doesn't assign or track IP addresses.  So I'm not sure what the goal is here.

> Is it possible?

  Modify the source code to pam_radius_auth.

  Alan DeKok.



Re: pam_radius_auth with Framed-IP-Address

Users mailing list
Hi Alan,

On 09/10/2019 13:24, Alan DeKok wrote:
> On Oct 8, 2019, at 8:17 PM, António Silva via Freeradius-Users <[hidden email]> wrote:
>> How to get the "Framed-IP-Address" attribute from the Access-Accept reply from the radius server?
>    To do what?
>
>    The PAM framework doesn't assign or track IP addresses.  So I'm not sure what the goal is here.

It is to use with libreswan to authenticate the user and set a static IP
address for that user. Probably other services can use other reply
attributes...

>
>> Is it possible?
>    Modify the source code to pam_radius_auth.
Sure, I'm looking into it.
>
>    Alan DeKok.
>
--
Saludos / Regards / Cumprimentos
António Silva


Re: pam_radius_auth with Framed-IP-Address

Alan DeKok-2
On Mar 6, 2020, at 11:50 AM, António Silva via Freeradius-Users <[hidden email]> wrote:
>>
>>   The PAM framework doesn't assign or track IP addresses.  So I'm not sure what the goal is here.
>
> It is to use with libreswan to authenticate the user and set a static IP address for that user. Probably other services can use other reply attributes...

  That isn't what PAM does.

  PAM authenticates user names / passwords.  That's about it.  It doesn't do DHCP, or assign IP addresses to systems.

>>> Is it possible?
>>   Modify the source code to pam_radius_auth.
> Sure, I'm looking into it.

  It's very likely impossible.

  Alan DeKok.



Re: pam_radius_auth with Framed-IP-Address

Users mailing list
Hi Alan,

I notice that the attribute is present in the response message. Could we do the same as for the attribute MANAGEMENT_PRIVILEGE_LEVEL and export it as an environment variable? This way libreswan could use it.

Do you think that is possible?

This is the code where it is set:

diff --git a/src/pam_radius_auth.c b/src/pam_radius_auth.c
index ad7cda0..8571e3b 100644
--- a/src/pam_radius_auth.c
+++ b/src/pam_radius_auth.c
@@ -1411,6 +1411,24 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc,CONST c
                        }
                }
 
+               attribute_t *attr_fip;
+               if ((attr_fip = find_attribute(response, PW_FRAMED_ADDRESS))) {
+                       char frameip[100];
+                       struct in_addr ip_addr;
+
+                       ip_addr.s_addr = *(int*) attr_fip->data;
+
+                       sprintf(frameip, "Framed-IP-Address=%s", inet_ntoa(ip_addr));
+                       retval = pam_putenv(pamh, frameip);
+                       if(retval != PAM_SUCCESS) {
+                               _pam_log(LOG_ERR, "unable to set PAM environment variable : Framed-IP-Address");
+                       }
+                       else {
+                               _pam_log(LOG_DEBUG, "Set PAM environment variable : %s", frameip);
+                       }
+               }
+
+
        } else {
                retval = PAM_AUTH_ERR;  /* authentication failure */
        }
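
Review bot: the added line `ip_addr.s_addr = *(int*) attr_fip->data;` reads four bytes from a server-supplied attribute without first checking that the attribute actually carries a four-byte value, and the cast assumes `data` is aligned for an int. Verify the attribute's length before use and copy the value with memcpy into ip_addr.s_addr instead of casting. In the same block, prefer snprintf with sizeof(frameip) over sprintf, and note that the variable name "Framed-IP-Address" contains hyphens, so a shell cannot expand it as a variable; consumers would have to read it with pam_getenv(), or the name should use underscores.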


Do you think that it should be an option to enable this behaviour?




> On 6 Mar 2020, at 23:10, Alan DeKok <[hidden email]> wrote:
>
> On Mar 6, 2020, at 11:50 AM, António Silva via Freeradius-Users <[hidden email]> wrote:
>>>
>>>  The PAM framework doesn't assign or track IP addresses.  So I'm not sure what the goal is here.
>>
>> It is to use with libreswan to authenticate the user and set a static IP address for that user. Probably other services can use other reply attributes...
>
>  That isn't what PAM does.
>
>  PAM authenticates user names / passwords.  That's about it.  It doesn't do DHCP, or assign IP addresses to systems.
>
>>>> Is it possible?
>>>  Modify the source code to pam_radius_auth.
>> Sure, I'm looking into it.
>
>  It's very likely impossible.
>
>  Alan DeKok.
>

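The conversion proposed in the message above (a Framed-IP-Address reply attribute turned into a `NAME=value` string for `pam_putenv`), written as a stand-alone function with the length checks a network-supplied attribute needs. This is an added example, not part of the original post or of pam_radius_auth; the helper name `framed_ip_env` and both sample packets are constructed for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RADIUS_HDR_LEN 20        /* code, id, length (2), authenticator (16) */
#define ATTR_FRAMED_IP_ADDRESS 8 /* RFC 2865, section 5.8 */

/* Constructed Access-Accept packets (zeroed authenticator), not captured traffic. */
static const uint8_t SAMPLE_OK[26] = {0x02, 0x01, 0x00, 0x1a, [20] = 0x08, 0x06, 10, 0, 0, 42};
static const uint8_t SAMPLE_BAD_LEN[25] = {0x02, 0x01, 0x00, 0x19, [20] = 0x08, 0x05, 10, 0, 0};

/* Hypothetical helper: find Framed-IP-Address in a RADIUS packet and write
 * "Framed-IP-Address=a.b.c.d" to out. Returns 0 on success, -1 when the
 * attribute is absent, malformed, or the result does not fit in out. */
int framed_ip_env(const uint8_t *pkt, size_t pkt_len, char *out, size_t out_len)
{
    if (pkt_len < RADIUS_HDR_LEN) return -1;
    size_t declared = ((size_t)pkt[2] << 8) | pkt[3];
    if (declared < RADIUS_HDR_LEN || declared > pkt_len) return -1;

    for (size_t off = RADIUS_HDR_LEN; off + 2 <= declared; ) {
        uint8_t type = pkt[off];
        uint8_t len = pkt[off + 1]; /* counts the 2-byte type/length header too */
        if (len < 2 || off + len > declared) return -1;
        if (type == ATTR_FRAMED_IP_ADDRESS) {
            struct in_addr addr;
            char text[INET_ADDRSTRLEN];
            if (len != 6) return -1; /* value must be exactly 4 octets */
            memcpy(&addr.s_addr, pkt + off + 2, 4); /* avoids an unaligned cast */
            if (!inet_ntop(AF_INET, &addr, text, sizeof(text))) return -1;
            int n = snprintf(out, out_len, "Framed-IP-Address=%s", text);
            return (n > 0 && (size_t)n < out_len) ? 0 : -1;
        }
        off += len;
    }
    return -1;
}

int main(void)
{
    char env[64];
    if (framed_ip_env(SAMPLE_OK, sizeof(SAMPLE_OK), env, sizeof(env)) == 0)
        puts(env);
    if (framed_ip_env(SAMPLE_BAD_LEN, sizeof(SAMPLE_BAD_LEN), env, sizeof(env)) != 0)
        puts("malformed attribute rejected");
    return 0;
}
```
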

Re: pam_radius_auth with Framed-IP-Address

Alan DeKok-2
On Mar 24, 2020, at 8:03 AM, António Silva <[hidden email]> wrote:
> I notice that the attribute is present in the response message. Could we do the same as for the attribute MANAGEMENT_PRIVILEGE_LEVEL and export it as an environment variable? This way libreswan could use it.
>
> Do you think that is possible?

  Sure.  Please open a pull request.

  Alan DeKok.



Re: pam_radius_auth with Framed-IP-Address

Users mailing list
Done:

https://github.com/FreeRADIUS/pam_radius/pull/47

Thanks.

> On 24 Mar 2020, at 13:47, Alan DeKok <[hidden email]> wrote:
>
> On Mar 24, 2020, at 8:03 AM, António Silva <[hidden email]> wrote:
>> I notice that the attribute is present in the response message. Could we do the same as for the attribute MANAGEMENT_PRIVILEGE_LEVEL and export it as an environment variable? This way libreswan could use it.
>>
>> Do you think that is possible?
>
>  Sure.  Please open a pull request.
>
>  Alan DeKok.
>
