FreeRADIUS simultaneous connection not working for OpenVPN
-
Hi again!
I use RADIUS (v3) authentication for one of the OpenVPN servers, and two of the users on that VPN need multiple connections from the same a/c. So, under FreeRADIUS > Users > the User I set Number of Simultaneous Connections to 2, and then for the IP Address I used the following settings:
and that + sign at the end seems to cause the RADIUS service to crash and stop. If I don't provide any IP at all, the user gets the same IP for both of his sessions, which causes a different issue on the client side. What am I doing wrong here?
My main goal is to provide two separate IPs for two simultaneous sessions from the same account. Any idea how I do that?
-San
-
There is no mention of the + here:-
https://freeradius.org/rfc/rfc2865.html#Framed-IP-Address
I'm wondering if it's valid.
I'd be tempted to create an account for each user, if one of them does something you would be able to tie it down to a specific user.
-
I already have individual a/c per user and that's not the problem. One of the users needs to connect to the VPN from two places at the same time and I want him to connect with two different IPs - that's the issue.
-
Give them an account with the same password per machine, just tack on the machine name after the user id.
Not ideal I know but it will work.
-
@NogBadTheBad,
Okay, I understand now what you mean. And yeah, not ideal at all. That also means, for me, managing two certs, two MFA etc. for the same user. I'm doing a bit more reading to see if I'm missing anything. In one of the posts, I see someone has mentioned it needs accounting enabled, which I already have.
Also hard to believe pfSense has had that thing so wrong, for such a long time.
-S
-
I spent a few hours trying to get it to work and couldn't, in the freeradius documentation ippool is mentioned, it might help ?
https://wiki.freeradius.org/modules/Rlm_ippool
https://wiki.freeradius.org/guide/Ippool-and-radius-client
I was just trying to split my /24 into 2 x /25, the first /25 having access to everything and the last /25 access to the internet only.
It's a bit of a PITA having to define a unique ip address for each user.
-
Can anyone from the pfSense team confirm whether the format of the continuous IP address (e.g. 10.0.51.5+), as suggested, is correct or not? It's still hard for me to believe that it's flawed and overlooked for such a long time, version after version. Anyone?
-San
-
You need to take into account how OpenVPN works.
It assigns an IP based on common name.
Maybe the following diagrams can shed some light on this:
https://community.openvpn.net/openvpn/wiki/AvoidRoutingConflicts
https://community.openvpn.net/openvpn/wiki/HowPacketsFlow
Also look at --duplicate-cn in the manual:
https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
-
This has nothing to do with RADIUS and everything to do with OpenVPN not wanting you to connect with the same user+cert multiple times.
In the OpenVPN server settings, check the box to allow duplicate connections.
-
@jimp said in FreeRADIUS simultaneous connection not working for OpenVPN:
This has nothing to do with RADIUS and everything to do with OpenVPN not wanting you to connect with the same user+cert multiple times.
In the OpenVPN server settings, check the box to allow duplicate connections.
If you mean this:
then it's already there. And you probably missed in my 1st post that OVPN connection-wise it's absolutely fine if I keep the IP address field empty. But both of the sessions get the same IP, which is a problem on the client-side network.
As I also said, if I follow what is suggested in-line for the simultaneous connection settings, FreeRADIUS fails to start. I don't think it's fair to say it has nothing to do with [the pfSense implementation of] RADIUS, IMO.
-San
-
@Pippin said in FreeRADIUS simultaneous connection not working for OpenVPN:
Also look at --duplicate-cn in the manual:
https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
I think --duplicate-cn is the same thing that @jimp suggested above? I already have that checked, and hence I can make two connections, I believe??
-San
-
@jimp said in FreeRADIUS simultaneous connection not working for OpenVPN:
This has nothing to do with RADIUS and everything to do with OpenVPN not wanting you to connect with the same user+cert multiple times.
In the OpenVPN server settings, check the box to allow duplicate connections.
How about IPsec?
-
Hmm, almost impossible to find any reference to that notation in Radius. The only thing I can see is from the GNU Radius manual:
If this attribute is present in the RHS and has the value of Yes, then the value of NAS-Port-Id attribute from the authentication request will be added to the value of Framed-IP-Address attribute from the RHS, and resulting value will be returned in Framed-IP-Address attribute to the NAS. This provides the simplest form of organizing IP address pools. This attribute is implicitly added to the RHS when the value of a Framed-IP-Address attribute ends with '+' sign. For example the following: Framed-IP-Address = 10.10.0.1+ is equivalent to Framed-IP-Address = 10.10.0.1, Add-Port-To-IP-Address = Yes
I'm guessing that is no longer supported. Hard to see how it would ever have been in the context of that comment.
It might also not be relevant to the OpenVPN plugin; PPPoE may work with that, for example. I have not tried. And by the looks of it hardly anyone has since, as you say, that comment has been there for a long while.
Steve
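An added example, not from this thread or from any RADIUS server's code, that implements the Add-Port-To-IP-Address semantics quoted above from the GNU Radius manual and separately flags the trailing-'+' literal that the thread reports FreeRADIUS on pfSense fails to start with. It assumes NAS-Port-Id is added to the address as a plain integer offset and that the result must stay inside a configured pool, neither of which the quoted manual text spells out.

```python
import ipaddress
from typing import Tuple


def parse_framed_ip(rhs_value: str) -> Tuple[ipaddress.IPv4Address, bool]:
    """Parse a Framed-IP-Address RHS literal such as '10.10.0.1+'.

    A trailing '+' is the GNU Radius shorthand for Add-Port-To-IP-Address = Yes.
    Returns (base_address, add_port).  Raises ValueError on a malformed address.
    """
    value = rhs_value.strip()
    add_port = value.endswith("+")
    if add_port:
        value = value[:-1]
    return ipaddress.IPv4Address(value), add_port


def resolve_framed_ip(rhs_value: str, nas_port_id: int, pool: str) -> str:
    """Compute the Framed-IP-Address that would be returned to the NAS.

    nas_port_id is the integer NAS-Port-Id from the Access-Request.
    Assumption: the port is added as an integer offset to the base address,
    and the result must fall inside `pool` (a CIDR string) or we refuse it.
    """
    base, add_port = parse_framed_ip(rhs_value)
    if not add_port:
        return str(base)  # fixed address, same for every session
    if nas_port_id < 0:
        raise ValueError("NAS-Port-Id must be non-negative")
    candidate = base + nas_port_id  # IPv4Address supports int addition
    if candidate not in ipaddress.IPv4Network(pool):
        raise ValueError(f"{candidate} is outside pool {pool}")
    return str(candidate)


def is_plain_freeradius_literal(rhs_value: str) -> bool:
    """True only for a bare dotted-quad; the '+' form is a GNU Radius extension."""
    try:
        ipaddress.IPv4Address(rhs_value.strip())
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: one user, two simultaneous sessions on different NAS ports.
    for port in (1, 2):
        print(f"NAS-Port-Id {port} -> {resolve_framed_ip('10.10.0.1+', port, '10.10.0.0/24')}")
    print("pfSense-safe literal?", is_plain_freeradius_literal("10.0.51.5+"))
```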
-
@stephenw10
I think I also tried the same thing a yr. or so ago and filed, but that time I carried on with some other important things. Now, this time I really need to do something about it. Anything else you can think of to supply two different IPs (dedicated or otherwise) for two simultaneous sessions from the same user, other than creating two a/c for the same user, as @NogBadTheBad suggested?
Can anyone think of any other trick(s)?
-San
-
Set up another server instance for those two users, check duplicate-cn and do not use CSO for that server.
-
@Pippin said in FreeRADIUS simultaneous connection not working for OpenVPN:
Set up another server instance for those two users, check duplicate-cn and do not use CSO for that server.
You can't have two instances of an IPsec VPN, can you?
-
You can't have two mobile IPSec servers, no. But this is OpenVPN, you can have as many instances as you have ports/resources.