NAS-IP-Address Is Always The DUO Proxy IP

sd_dbray
Level 1

I’ve seen similar issues posted, but no solutions provided. Seems that the primary RADIUS server (CentOS 7 with freeradius-3.0.13-10.el7_6.x86_64) always sees the NAS-IP-Address attribute as the IP of the DUO Proxy server, not the actual client, even with pass-through configured properly:

[main]
debug=true

[radius_client]
host=192.168.10.1
pass_through_all=true

[radius_server_auto]
radius_ip_1=192.168.10.0/24
radius_secret_1=freeradiussecret
failmode=safe
client=radius_client
port=1812
pass_through_all=true
delimiter=;

IP of the DUO proxy server: 192.168.10.5
IP of the server/app I’m authenticating to: 192.168.10.6

Authentication works just fine, but when I look at the Freeradius debug logs, I see this:

Thu Aug  1 15:38:30 2019
    Packet-Type = Access-Request
    NAS-Identifier = "DUO Testing Profile"
    User-Name = "admin"
    NAS-IP-Address = 192.168.10.5
    Event-Timestamp = "Aug  1 2019 15:38:30 UTC"
    Timestamp = 1564673910

I was expecting to see NAS-IP-Address = 192.168.0.6

Am I missing something simple?

4 Replies

DuoKristina
Cisco Employee

The Duo proxy won’t pass through the value for NAS-IP-Address. The proxy will either use its own IP or one that you can specify. Take a look at the description of the nas_ip config option for radius_client.

Duo, not DUO.

Thank you for your response. I’m confused though, because I thought the option of pass_through_all would be “all RADIUS attributes”. Without the target device IP being passed through, then how can we limit (via RADIUS) who can login to what device? Typically, within the RADIUS configs we have rules like:

if ( (Ldap-Group == "CN=SpecialGroup,OU=Groups,DC=domain,DC=local") && \
        ( (NAS-IP-Address == "192.168.10.11") || \
          (NAS-IP-Address == "192.168.10.123") || \
          (NAS-IP-Address == "192.168.10.25") ) ) {
    update reply {
        &Reply-Message = "Hello Team Member, you have access to this device"
    }
}

So, without the NAS-IP-Address of the target, this won’t work.

It’s not exactly ALL, which is why the nas_ip option is there with that extra bit of explanation.

That is true, which is why I mentioned the feature request for supporting passing through that attribute.

Do your clients send Calling-Station-Id? That attribute would get passed through by the proxy (and is what gets reported to Duo as the client IP in the authentication logs).

Duo, not DUO.

Unfortunately, it does not. Here’s from a Cisco 6504 SUP 2T:

    Access-Request (1), id: 0x31, Authenticator: b1a0c0zasdasdasdasc027
      User-Name Attribute (1), length: 9, Value: admin
        0x0000:  7277 6164 6d69 6e
      User-Password Attribute (2), length: 66, Value:
      NAS-Port Attribute (5), length: 6, Value: 2
        0x0000:  0000 0002
      NAS-Port-Id Attribute (87), length: 6, Value: tty2
        0x0000:  7474 7932
      NAS-Port-Type Attribute (61), length: 6, Value: Virtual
        0x0000:  0000 0005
      NAS-IP-Address Attribute (4), length: 6, Value: 192.168.10.1
        0x0000:  ac1e 3601

I’ve checked a few other commonly used switches and routers, and all do the same. I even checked a Palo Alto firewall, and it sends the same thing, only NAS-IP-Address. Seems that is the default attribute.
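The behaviour discussed across this thread (the proxy overwriting NAS-IP-Address with its own address or the configured nas_ip, the poster's device-scoped unlang rule no longer matching, and Calling-Station-Id passing through when a client sends it) is modelled below as an added example. It is not code from the thread, from Duo or from FreeRADIUS: it serialises and parses RFC 2865 attribute TLVs, applies a model of the proxy rewrite as Kristina describes it, and evaluates a Python rendering of the poster's rule against the packet FreeRADIUS actually receives. The IPs, group DN and the nas_ip parameter come from the thread; the device at 192.168.10.11, the Calling-Station-Id value and the function names are constructed for the example.

```python
"""Model of the NAS-IP-Address rewrite discussed in this thread (added example)."""
import struct
import ipaddress

# RFC 2865 attribute types used below
USER_NAME = 1
NAS_IP_ADDRESS = 4
CALLING_STATION_ID = 31

def encode_attrs(attrs):
    """Serialise [(type, bytes)] to RFC 2865 TLVs: type(1) length(1) value."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def decode_attrs(blob):
    """Parse TLVs back into [(type, bytes)], rejecting malformed lengths."""
    attrs, i = [], 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        t, ln = blob[i], blob[i + 1]
        if ln < 2 or i + ln > len(blob):
            raise ValueError("bad attribute length")
        attrs.append((t, blob[i + 2:i + ln]))
        i += ln
    return attrs

def ip_attr(ip):
    """Dotted-quad string -> 4-byte NAS-IP-Address value."""
    return ipaddress.IPv4Address(ip).packed

def attr_ip(v):
    """4-byte attribute value -> dotted-quad string."""
    return str(ipaddress.IPv4Address(v))

def duo_proxy_forward(attrs, proxy_ip, nas_ip=None):
    """Model (not Duo's code) of the proxy behaviour described in the thread:
    NAS-IP-Address is replaced by nas_ip when configured, otherwise by the
    proxy's own address; every other attribute, Calling-Station-Id included,
    is passed through unchanged."""
    rewritten = [(t, v) for t, v in attrs if t != NAS_IP_ADDRESS]
    rewritten.append((NAS_IP_ADDRESS, ip_attr(nas_ip or proxy_ip)))
    return rewritten

# Device list and group from the poster's unlang rule
ALLOWED_DEVICES = {"192.168.10.11", "192.168.10.123", "192.168.10.25"}
SPECIAL_GROUP = "CN=SpecialGroup,OU=Groups,DC=domain,DC=local"

def device_rule(attrs, ldap_groups):
    """Python rendering of the poster's rule: member of SpecialGroup AND the
    request's NAS-IP-Address is one of the listed devices."""
    nas = dict(attrs).get(NAS_IP_ADDRESS)
    if nas is None:
        return False
    return SPECIAL_GROUP in ldap_groups and attr_ip(nas) in ALLOWED_DEVICES

def demo(device_ip, proxy_ip="192.168.10.5", nas_ip=None, calling_station=None):
    """Build a constructed Access-Request from device_ip, run it directly and
    through the proxy model, and return
    (rule_matches_direct, rule_matches_proxied, nas_ip_seen_by_freeradius,
     calling_station_seen_by_freeradius)."""
    attrs = [(USER_NAME, b"admin"), (NAS_IP_ADDRESS, ip_attr(device_ip))]
    if calling_station:  # constructed; the poster's switches do not send this
        attrs.append((CALLING_STATION_ID, calling_station.encode()))
    groups = {SPECIAL_GROUP}
    direct = device_rule(decode_attrs(encode_attrs(attrs)), groups)
    proxied = decode_attrs(encode_attrs(duo_proxy_forward(attrs, proxy_ip, nas_ip)))
    by_type = dict(proxied)
    cs = by_type.get(CALLING_STATION_ID)
    return (direct, device_rule(proxied, groups),
            attr_ip(by_type[NAS_IP_ADDRESS]), cs.decode() if cs else None)

if __name__ == "__main__":
    # Allowed device, default proxy config: rule matched directly, fails via proxy
    print(demo("192.168.10.11"))
    # Non-listed device, but nas_ip pinned to a listed address: rule now matches
    print(demo("192.168.10.6", nas_ip="192.168.10.11"))
    # Client that does send Calling-Station-Id: that value survives the proxy
    print(demo("192.168.10.11", calling_station="10.0.0.42"))
```

The second case is the one worth noticing before setting nas_ip: because the proxy presents a single fixed NAS-IP-Address for every device behind it, any per-device rule keyed on that attribute either never matches (default) or matches for all of them (nas_ip set to a listed address); the proxy collapses the device identity that the rule depends on, and only a passed-through attribute such as Calling-Station-Id can carry anything client-specific.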
