RADIUS + iroute (Client Specific Overrides)



  • Is it possible to set an iroute attribute for a client using RADIUS?



  • I tried the following RADIUS attribute for the VPN user, but it did not seem to work … any ideas?

    cisco-avpair += "ip:route=10.20.11.0 255.255.255.0",

    I believe V2.1 supports Cisco-AVPair for OpenVPN settings.

    Andrew



  • Hello World!

    Ok, got it working with a few lines of code - can someone verify it will not break things?
    We need to look for Framed-Route attribute.

    /etc/inc/radius.inc

    under

    
    case RADIUS_FRAMED_ROUTING:
        $this->attributes['framed_routing'] = radius_cvt_int($data);
        break;
    
    

    add

    
    case RADIUS_FRAMED_ROUTE:
        $this->attributes['framed_route'] = radius_cvt_string($data);
        break;
    
    

    If the system receives the Framed-Route attribute we can generate a CCD file based on the code below.

    /etc/inc/openvpn.auth-user.php
    under

    
    syslog(LOG_NOTICE, "user '{$username}' authenticated\n");
    
    

    add

    
    if (isset($attributes['framed_route'])) {
        file_put_contents("{$g['varetc_path']}/openvpn-csc/{$username}", "iroute {$attributes['framed_route']}\n");
        syslog(LOG_NOTICE, "'{$username}' iroute '{$attributes['framed_route']}' created\n");
    }
    
    


  • I made some additional code changes to check the Framed-Route format to ensure it complies with the RFC.

    /etc/inc/openvpn.auth-user.php

    
    /**
     *  Convert Framed-Route format to iroute for the CCD file.
     *  Returns '' when the address or the prefix length is not valid.
     */
    function FramedRoute($cidr) {
        $baseip = substr($cidr, 0, strpos($cidr, '/'));
        // (int) keeps only the leading number, so a trailing "gateway metric" (RFC 2865) is dropped
        $prefix = (int) substr($cidr, strpos($cidr, '/') + 1);
        $ipLong = ip2long($baseip);

        // only proceed for a valid dotted-quad address and a prefix length of 0..32
        if ($ipLong !== false && $prefix >= 0 && $prefix <= 32) {
            // build the dotted netmask from a 32-bit string of $prefix ones followed by zeros
            $netmask = str_split(str_pad(str_repeat('1', $prefix), 32, '0'), 8);
            foreach ($netmask as &$element) $element = bindec($element);
            unset($element);   // drop the reference left behind by foreach
            return $baseip.' '.join('.', $netmask);
        }
        return '';
    }

    if (isset($attributes['framed_route'])) {
        $iroute = FramedRoute($attributes['framed_route']);
        if (!empty($iroute)) {
            file_put_contents("{$g['varetc_path']}/openvpn-csc/{$username}", "iroute {$iroute}\n");
            syslog(LOG_NOTICE, "user '{$username}' iroute '{$iroute}' created\n");
        }
    }
    
    

    I'm creating a static openvpn-csc file that could cause issues in the future.

    Should I be looking at:

    • deleting the created openvpn-csc on client disconnect

    • using the openvpn_resync_csc function
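A fuller version of the Framed-Route to iroute conversion, added here as an example and not code from the thread or from pfSense: it parses the complete RFC 2865 Framed-Route text (prefix/len with optional gateway and metric), rejects a prefix whose host bits are set so only true network addresses become iroutes, accepts several Framed-Route values at once, and returns the CCD text. The function names and sample values are constructed, and it assumes 64-bit PHP.

```php
<?php
// Added example, not from the thread or from pfSense.
// RFC 2865 Framed-Route text is "prefix/len [gateway [metric]]"; iroute only needs the prefix.

function framed_route_to_iroute($route) {
    $fields = preg_split('/\s+/', trim($route));
    // first field must be a dotted quad followed by /len; gateway and metric are ignored
    if (!preg_match('#^(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,2})$#', $fields[0], $m)) {
        return null;
    }
    $ip  = ip2long($m[1]);          // false for octets above 255
    $len = (int) $m[2];
    if ($ip === false || $len > 32) {
        return null;
    }
    // 32-bit netmask; a /0 prefix is handled separately so no shift by 32 happens
    $mask = ($len === 0) ? 0 : (0xFFFFFFFF << (32 - $len)) & 0xFFFFFFFF;
    // reject host addresses such as 10.20.11.5/24: iroute expects the network address
    if (($ip & ~$mask & 0xFFFFFFFF) !== 0) {
        return null;
    }
    return sprintf("iroute %s %s", long2ip($ip), long2ip($mask));
}

// Build the CCD content for one user from every Framed-Route value RADIUS returned.
function build_csc($routes) {
    $lines = array();
    foreach ((array) $routes as $r) {
        $line = framed_route_to_iroute($r);
        if ($line !== null) {
            $lines[] = $line;
        }
    }
    return $lines ? implode("\n", $lines) . "\n" : '';
}

// Constructed sample values: a route with gateway and metric, a plain one,
// one with host bits set (dropped) and one malformed value (dropped).
$sample = array("10.20.11.0/24 0.0.0.0 1", "172.16.0.0/12", "10.20.11.5/24", "garbage");
echo build_csc($sample);
```

In the auth script the returned string would be what gets written to the openvpn-csc file for the user, and an empty result means no CCD file should be created.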