  1. #1 jcoehoorn (Untangle Ninja)

    RADIUS sending 127.0.0.1 NAS-IP-Address for IPSec connections

    I have a freeradius server doing authentication for our WiFi. I'd like to use that same server for Untangle to authenticate IPSec VPN connections.

    I have the basic setup done in Untangle and freeradius so that I'm able to connect from home, but I need to limit which Active Directory groups are able to use the VPN. If you're familiar with freeradius post-auth configs, I have something like this:
    Code:
        update request {
            # These should evaluate to a noop. I'm using them in radius debug mode
            # to get log entries showing actual values on the wire.
            Nas-Port-Type := "%{Nas-Port-Type}"
            #Calling-Station-Id := "%{Calling-Station-Id}"
            Nas-Identifier := "%{Nas-Identifier}"
            #Framed-IP-Address := "%{Framed-IP-Address}"
            Nas-IP-Address := "%{Nas-IP-Address}"
            Service-Type := "%{Service-Type}"
        }

        # GROUP CHECKS FOR DOMAIN MEMBERS.

        # Check that users making vpn connections are in the VPNUSERS group:
        # NOT SURE WHAT TO PUT FOR THE "if()" CONDITION YET
        # Some ideas:
        #if (Calling-Station-Id == L2TP) { if (Framed-Protocol == PPP) { if (Nas-IP-Address == "x.x.x.x") {
        if (NAS-IP-Address == <withheld>) {
            if (!(Group == "vpnusers@york.edu")) {
                update reply {
                    Reply-Message = "User not allowed to connect to the VPN"
                }
                reject
            }
        }
    If you can't understand that, the first section is just debug info so I can see the actual values used. The second section checks the group membership. Part of this is I only want to make the check for VPN requests. If you're a wifi user, any authenticated account should be permitted (at least at this point).

    So far I haven't been able to find anything that narrows this down to just untangle VPNs. Some of my internal WiFi packets use L2TP for some reason, so that's out. I tried looking at the Untangle server's IP, and this works if and only if I use the Radius Test button on the config screen. Using that button, I see my Untangle server's IP. If I actually go home and start a VPN connection, I see 127.0.0.1 instead.

    Is it possible to fix this so that Untangle will send its internal IP to the radius server for both the test button and actual connections?
    Last edited by jcoehoorn; 04-07-2017 at 10:09 AM.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 14.2.2 to protect 500Mbits for ~450 residential college students and associated staff and faculty

  2. #2 dmorris (Untangle Junkie)

    Forgive me, my understanding of this stuff is pretty poor so my questions may make no sense.

    Where are you seeing 127.0.0.1? When you say "Seeing my Untangle server's IP"
    Is it included in the radius request or something?

    We use a different library for the UI test than the IPsec RADIUS which is done by the daemon itself.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3 jcoehoorn (Untangle Ninja)

    Quote Originally Posted by dmorris:
    Forgive me, my understanding of this stuff is pretty poor
    Don't feel too bad. I didn't know a thing about any of this last week, either.
    Quote Originally Posted by dmorris:
    Where are you seeing 127.0.0.1? When you say "Seeing my Untangle server's IP"
    Is it included in the radius request or something?
    Yes, it's included in the Nas-IP-Address field of the request. The UI test sends the actual IP, but the daemon only sends 127.0.0.1.

    I'm checking this as part of the post-authentication step. At this point, I've already validated the user's credentials. Now I need to know if this user is authorized to use the VPN, but I only want to make that check for VPN authentication requests sent from Untangle. The same script processes normal wifi logins.
    Last edited by jcoehoorn; 04-07-2017 at 11:11 AM.

  4. #4 jcoehoorn (Untangle Ninja)

    Hmm... maybe I could do this by having a completely separate "listen" directive in freeradius, and set Untangle to connect to freeradius on a different (non-standard) port than 1812. I'd like to avoid that, though.

  5. #5 dmorris (Untangle Junkie)

    We use the eap radius plugin for strongswan to do the radius with IPsec.

    According to this:
    https://wiki.strongswan.org/issues/1551
    "And the NAS-IP-ADDRESS sent by the eap-radius plugin is simply the address the daemon uses to communicate with a particular client. "

    Which does not seem to be the case...

  6. #6 jcoehoorn (Untangle Ninja)

    That could make sense if there were two separate services involved within UT's operating system. In that case, they would communicate over 127.0.0.1. But my understanding is strongswan here is the daemon you referred to earlier.

    With that in mind, what I'm hearing from you is that it's likely a bug in strongswan, which is upstream from Untangle. It probably will be fixed eventually in strongswan, and that fix will then find its way to Untangle, but not on a timeline that helps me for this project :/

    Of course, even that much is conjecture. In the meantime, I'm still looking at work-arounds. I may be able to twist this whole thing around and run the check for when the Nas-Port-Type != Wireless-802.11.
    Last edited by jcoehoorn; 04-07-2017 at 12:26 PM.
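The following is an added example, not code from the thread, from Untangle or from strongSwan. It models the post-auth gate from post #1 and the NAS-Port-Type workaround from post #6 in Python rather than unlang, so the three candidate ways of telling a VPN request from a WiFi one can be run side by side against constructed Access-Requests. The Untangle server address (192.0.2.10), the access point address (192.0.2.20), the NAS-Port-Type value "Virtual" for the IPsec daemon, and the packet-source check are all assumptions introduced here; the thread only states that the daemon sends 127.0.0.1 in NAS-IP-Address and that WiFi requests carry Wireless-802.11.

```python
"""Model of the FreeRADIUS post-auth gate discussed in this thread.

Added example (not the thread's unlang and not Untangle/strongSwan code).
It evaluates three candidate discriminators against constructed
Access-Requests so the loopback NAS-IP-Address failure mode from the
thread shows up as a concrete accept/reject table.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional, Tuple

VPN_GROUP = "vpnusers@york.edu"   # group name used in the thread's unlang
UNTANGLE_IP = "192.0.2.10"        # assumed placeholder; the real address is withheld in the thread
WIRELESS = "Wireless-802.11"      # NAS-Port-Type value named in post #6


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: FrozenSet[str]   # groups resolved earlier during authorization
    src_ip: str              # UDP source of the packet (Packet-Src-IP-Address in FreeRADIUS)
    attrs: Dict[str, str]    # RADIUS attributes as they appear on the wire


def is_vpn_by_nas_ip(req: AccessRequest) -> bool:
    """Original idea from post #1: match on the NAS-IP-Address attribute."""
    return req.attrs.get("NAS-IP-Address") == UNTANGLE_IP


def is_vpn_by_port_type(req: AccessRequest) -> bool:
    """Workaround from post #6: anything that is not a Wireless-802.11 port.

    A missing NAS-Port-Type also counts as non-wireless, so an unexpected
    client is gated rather than waved through.
    """
    return req.attrs.get("NAS-Port-Type") != WIRELESS


def is_vpn_by_packet_source(req: AccessRequest) -> bool:
    """Alternative not in the thread: key on the packet's real source address.

    FreeRADIUS already matched that address to a client entry and shared
    secret; the IPsec daemon writing 127.0.0.1 into an attribute does not change it.
    """
    return req.src_ip == UNTANGLE_IP


def post_auth(req: AccessRequest,
              is_vpn: Callable[[AccessRequest], bool]) -> Tuple[str, Optional[str]]:
    """Mirror the thread's post-auth block: reject VPN users outside VPN_GROUP."""
    if is_vpn(req) and VPN_GROUP not in req.groups:
        return "reject", "User not allowed to connect to the VPN"
    return "accept", None


# Constructed requests modelled on what the thread reports seeing.
REQUESTS = {
    "wifi": AccessRequest("alice", frozenset(), "192.0.2.20",            # assumed AP address
                          {"NAS-IP-Address": "192.0.2.20", "NAS-Port-Type": WIRELESS}),
    "ui_test": AccessRequest("alice", frozenset(), UNTANGLE_IP,
                             {"NAS-IP-Address": UNTANGLE_IP}),            # port type unknown, omitted
    "ipsec": AccessRequest("alice", frozenset(), UNTANGLE_IP,
                           {"NAS-IP-Address": "127.0.0.1",                # what the daemon sends
                            "NAS-Port-Type": "Virtual"}),                 # assumed value
    "ipsec_member": AccessRequest("bob", frozenset({VPN_GROUP}), UNTANGLE_IP,
                                  {"NAS-IP-Address": "127.0.0.1", "NAS-Port-Type": "Virtual"}),
}

DISCRIMINATORS = {
    "nas_ip": is_vpn_by_nas_ip,
    "port_type": is_vpn_by_port_type,
    "packet_source": is_vpn_by_packet_source,
}


def decision_table() -> Dict[str, Dict[str, str]]:
    """Outcome of every discriminator against every constructed request."""
    return {name: {label: post_auth(req, fn)[0] for label, req in REQUESTS.items()}
            for name, fn in DISCRIMINATORS.items()}


def fails_open(name: str) -> bool:
    """True when a non-member on a real IPsec connection is accepted."""
    return decision_table()[name]["ipsec"] == "accept"


if __name__ == "__main__":
    for name, row in decision_table().items():
        print(f"{name:14s} " + "  ".join(f"{k}={v}" for k, v in row.items()))
```

Run as a script it prints one row per discriminator. The `nas_ip` row shows the problem from the thread: the UI test (real address in NAS-IP-Address) is gated, but the real IPsec request carries 127.0.0.1, so a non-member is accepted and the check fails open. The `port_type` row is the post #6 workaround and gates both. The `packet_source` row gates both as well without depending on what the daemon writes into the attribute; in FreeRADIUS 3 unlang that value is the internal `Packet-Src-IP-Address` attribute, which is worth checking in the same debug output the first post collects.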
