[Swan] xauth with radius framed-ip-address

Paul Wouters paul at nohats.ca
Tue Mar 24 15:45:38 UTC 2020


Not currently, but maybe it is possible to incorporate this. It seems you have done half the work?
We would need to get the variable content back into pluto, and we could use it after storing it in the struct state.


> On Mar 24, 2020, at 06:25, António Silva <asilva at wirelessmundi.com> wrote:
> 
> Hi Paul,
> 
> I’m trying to make it possible to use the frame_ip_address from pam_radius_auth; right now I set the framed_ip_address as an environment variable.
> Do you think that libreswan could use this variable and set this IP address for the authenticated user?
> 
> This is my log:
> Mar 24 03:46:38 commsmundi pluto[2803]: "tunnel1"[12] 192.168.10.188 #25: XAUTH: Sending Username/Password request (MAIN_R3->XAUTH_R0)
> Mar 24 03:46:38 commsmundi pluto[2803]: "tunnel1"[12] 192.168.10.188 #25: XAUTH: PAM authentication method requested to authenticate user 'user'
> Mar 24 03:46:38 commsmundi pluto[13754]: pam_radius_auth: Got user name user
> Mar 24 03:46:38 commsmundi pluto[13754]: pam_radius_auth: ignore last_pass, force_prompt set
> Mar 24 03:46:38 commsmundi pluto[13754]: pam_radius_auth: Sending RADIUS request code 1
> Mar 24 03:46:38 commsmundi pluto[13754]: pam_radius_auth: DEBUG: get_ipaddr(127.0.0.1) returned 0.
> Mar 24 03:46:38 commsmundi radiusd[3081]: (14) Login OK: [user/1234] (from client nas01 port 13754 cli 192.168.10.188)
> Mar 24 03:46:38 commsmundi pluto[13754]: pam_radius_auth: Got RADIUS response code 2
> Mar 24 03:46:38 commsmundi pluto[13754]: pam_radius_auth: Set PAM environment variable : Framed-IP-Address=192.168.20.2
> Mar 24 03:46:38 commsmundi pluto[13754]: pam_radius_auth: authentication succeeded
> Mar 24 03:46:38 commsmundi pluto[2803]: "tunnel1"[12] 192.168.10.188 #25: PAM: #25: completed for user 'user' with status SUCCESSS
> Mar 24 03:46:38 commsmundi pluto[2803]: "tunnel1"[12] 192.168.10.188 #25: XAUTH: User user: Authentication Successful
> Mar 24 03:46:38 commsmundi pluto[2803]: "tunnel1"[12] 192.168.10.188 #25: XAUTH: xauth_inR1(STF_OK)
> Mar 24 03:46:38 commsmundi pluto[2803]: "tunnel1"[12] 192.168.10.188 #25: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
> Mar 24 03:46:38 commsmundi pluto[2803]: "tunnel1"[12] 192.168.10.188 #25: modecfg_inR0(STF_OK)
> 
> 
> Thanks,
> António
> 
> 
>> On 15 Nov 2015, at 10:49, Paul Wouters <paul at nohats.ca> wrote:
>> 
>>> On Fri, 13 Nov 2015, François wrote:
>>> 
>>> Do you think it is possible with a tweak in current PAM authentication (not sure if PAM can send back parameters received by RADIUS), or would it require Libreswan to support RADIUS?
>>> 
>>> Not sure how all this works, but I'm willing to try to make a patch for that if it's not too complex!
>> 
>> I guess it might be possible with pam_radius support? If you can figure
>> out those parts, we can help with getting the IP address from the pam
>> module back into the connection instance.
>> 
>> Paul
>> _______________________________________________
>> Swan mailing list
>> Swan at lists.libreswan.org
>> https://lists.libreswan.org/mailman/listinfo/swan
> 
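
Added example, not part of the original thread and not libreswan code: one way the value that pam_radius_auth exports could be validated before it is stored for the connection. The function name, the result enum and the pool parameters are hypothetical; the input is a NULL-terminated "NAME=value" list in the layout pam_getenvlist(3) returns, and the two sentinel values are the ones RFC 2865 section 5.8 defines for Framed-IP-Address.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <string.h>

#define FRAMED_KEY "Framed-IP-Address="

/* RFC 2865 5.8 sentinels: not real addresses, the NAS negotiates or picks one */
#define FRAMED_USER_SELECTS 0xFFFFFFFFu
#define FRAMED_NAS_SELECTS  0xFFFFFFFEu

enum framed_result { FRAMED_OK = 0, FRAMED_ABSENT, FRAMED_USE_POOL, FRAMED_INVALID };

/*
 * envlist: NULL-terminated "NAME=value" strings (pam_getenvlist(3) layout).
 * pool_net/pool_mask (host byte order): range the gateway may lease from.
 * All names here are hypothetical; *out is written only on FRAMED_OK.
 */
enum framed_result framed_ip_from_env(char *const *envlist, uint32_t pool_net,
                                      uint32_t pool_mask, struct in_addr *out)
{
    const size_t klen = strlen(FRAMED_KEY);
    const char *val = NULL;

    for (; envlist != NULL && *envlist != NULL; envlist++) {
        if (strncmp(*envlist, FRAMED_KEY, klen) == 0) {
            if (val != NULL)
                return FRAMED_INVALID;   /* duplicate attribute: ambiguous */
            val = *envlist + klen;
        }
    }
    if (val == NULL)
        return FRAMED_ABSENT;            /* RADIUS sent no address */

    struct in_addr a;
    if (inet_pton(AF_INET, val, &a) != 1)
        return FRAMED_INVALID;           /* not a strict dotted quad */

    uint32_t h = ntohl(a.s_addr);
    if (h == FRAMED_USER_SELECTS || h == FRAMED_NAS_SELECTS)
        return FRAMED_USE_POOL;          /* fall back to the local address pool */
    if ((h & pool_mask) != (pool_net & pool_mask))
        return FRAMED_INVALID;           /* outside the range we lease from */
    if (h == (pool_net & pool_mask) || h == ((pool_net & pool_mask) | ~pool_mask))
        return FRAMED_INVALID;           /* network or broadcast address */

    *out = a;
    return FRAMED_OK;
}
```

In the log above the PAM conversation runs in a separate pluto process (pid 13754, not 2803), so a check like this would sit at the point where the result is handed back to the main daemon.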