RADIUS + iroute (Client Specific Overrides)
-
Is it possible to set an iroute attribute for a client using RADIUS?
-
I tried the following RADIUS attribute for the VPN user, but it did not seem to work … any ideas?
    cisco-avpair += "ip:route=10.20.11.0 255.255.255.0",
I believe V2.1 supports Cisco-AVPair for OpenVPN settings.
Andrew
-
Hello World!
Ok, got it working with a few lines of code - can someone verify it will not break things?
We need to look for the Framed-Route attribute. In /etc/inc/radius.inc, under
    case RADIUS_FRAMED_ROUTING: $this->attributes['framed_routing'] = radius_cvt_int($data); break;
add
    // Framed-Route (RFC 2865 attribute 22) is a string, e.g. "10.20.11.0/24 0.0.0.0 1"
    case RADIUS_FRAMED_ROUTE: $this->attributes['framed_route'] = radius_cvt_string($data); break;
If the system receives the Framed-Route attribute, we can generate a CCD file based on the code below.
In /etc/inc/openvpn.auth-user.php, under
    syslog(LOG_NOTICE, "user '{$username}' authenticated\n");
add
    if (isset($attributes['framed_route'])) {
        // write a per-client config (CCD) file containing the iroute for this user
        file_put_contents("{$g['varetc_path']}/openvpn-csc/{$username}", "iroute {$attributes['framed_route']}\n");
        syslog(LOG_NOTICE, "'{$username}' iroute '{$attributes['framed_route']}' created\n");
    }
-
I made some additional code changes to check the Framed-Route format to ensure it complies with the RFC.
In /etc/inc/openvpn.auth-user.php:
    /**
     * Convert a RADIUS Framed-Route value (RFC 2865, e.g. "10.20.11.0/24 0.0.0.0 1")
     * into the "network netmask" form that an OpenVPN iroute directive expects.
     * Returns an empty string when the value is malformed, so the caller writes nothing.
     */
    function FramedRoute($framed_route) {
        // Only the first token (prefix/length) matters for iroute; gateway and metrics are ignored.
        $tokens = preg_split('/\s+/', trim($framed_route));
        if (!preg_match('#^(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,2})$#', $tokens[0], $m))
            return '';
        $baseip = $m[1];
        $prefix = (int) $m[2];
        if ($prefix > 32 || filter_var($baseip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false)
            return '';
        $mask = ($prefix == 0) ? 0 : ((0xFFFFFFFF << (32 - $prefix)) & 0xFFFFFFFF);
        // Reject a prefix with host bits set; it is not a network address.
        if ((ip2long($baseip) & ~$mask & 0xFFFFFFFF) != 0)
            return '';
        return $baseip . ' ' . long2ip($mask);
    }

    if (isset($attributes['framed_route'])) {
        $iroute = FramedRoute($attributes['framed_route']);
        if (!empty($iroute)) {
            file_put_contents("{$g['varetc_path']}/openvpn-csc/{$username}", "iroute {$iroute}\n");
            syslog(LOG_NOTICE, "user '{$username}' iroute '{$iroute}' created\n");
        }
    }
I'm creating a static openvpn-csc file that could cause issues in the future.
Should I be looking at:
    - deleting the created openvpn-csc file on client disconnect
    - using the openvpn_resync_csc function
-
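The two posts above parse a RADIUS Framed-Route value and turn it into an iroute line in a per-client CCD file. The following is an added example, not code from this thread or from pfSense, written in Python rather than the PHP of the auth script so the parsing and validation logic can be exercised stand-alone. It parses the full RFC 2865 form ("network/len gateway metric ..."), rejects prefixes with host bits set, accepts several Framed-Route attributes per user, and refuses to use a username as a CCD filename unless it matches a conservative character set. The function names, the filename rule and the choice to treat a missing length specifier as a /32 host route are this example's own assumptions; the sample attribute values are constructed.

```python
"""Parse RADIUS Framed-Route values and build an OpenVPN client-config-dir (CCD) entry."""
import ipaddress
import re

# Assumption: a username is only used as a CCD filename if it matches this pattern
# (no path separators, no leading dot, bounded length).
_SAFE_USERNAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._@-]{0,63}$")


def parse_framed_route(value):
    """Parse one RFC 2865 Framed-Route string.

    Expected form: "<net>[/<len>] <gateway> [<metric> ...]", e.g. "10.20.11.0/24 0.0.0.0 1".
    Returns (IPv4Network, IPv4Address, [metrics]) or None if the value is malformed
    or the prefix has host bits set (strict=True rejects e.g. 10.20.12.5/24).
    """
    tokens = value.split()
    if len(tokens) < 2:
        return None
    prefix, gateway, metrics = tokens[0], tokens[1], tokens[2:]
    if "/" not in prefix:
        prefix += "/32"  # assumption: a missing length specifier means a host route
    try:
        network = ipaddress.IPv4Network(prefix, strict=True)
        gw = ipaddress.IPv4Address(gateway)
        metric_values = [int(m) for m in metrics]
    except ValueError:
        return None
    return network, gw, metric_values


def iroute_line(network):
    """Render a network as the 'iroute <net> <mask>' directive OpenVPN expects in a CCD file."""
    return f"iroute {network.network_address} {network.netmask}"


def build_ccd(username, framed_routes):
    """Return (filename, content) for the client's CCD file.

    Returns None when the username is unsafe as a filename or no Framed-Route value
    parses, so the caller writes nothing rather than a half-valid file.
    """
    if not _SAFE_USERNAME.match(username):
        return None
    lines = []
    for value in framed_routes:
        parsed = parse_framed_route(value)
        if parsed is None:
            continue  # skip malformed attributes; a bad route must not become an iroute
        lines.append(iroute_line(parsed[0]))
    if not lines:
        return None
    return username, "\n".join(lines) + "\n"


# Constructed sample: the attribute values a RADIUS Access-Accept might carry.
SAMPLE_FRAMED_ROUTES = [
    "10.20.11.0/24 0.0.0.0 1",   # valid network route
    "10.20.12.5/24 0.0.0.0 1",   # host bits set: rejected
    "10.20.13.7 0.0.0.0 1",      # no length: treated as /32
    "not-a-route",               # malformed: rejected
]

if __name__ == "__main__":
    result = build_ccd("vpnuser", SAMPLE_FRAMED_ROUTES)
    if result:
        name, content = result
        print(f"openvpn-csc/{name}:\n{content}", end="")
```

Running the block prints a CCD file with two iroute lines for the sample user; the host-bits and malformed values are dropped rather than written, and a username such as "../evil" yields no file at all. The gateway and metrics are parsed but unused, since iroute only needs the network and mask; the "0.0.0.0" gateway in the samples is the RFC 2865 convention for "the client's own address".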