08-01-2019 08:42 AM
I’ve seen similar issues posted, but no solutions provided. Seems that primary RADIUS server (CentOS 7 with freeradius-3.0.13-10.el7_6.x86_64) always sees the NAS-IP-Address attribute as the IP of the DUO Proxy server IP, not the actual client, even with pass through configured properly:
[main]
debug=true
[radius_client]
host=192.168.10.1
pass_through_all=true
[radius_server_auto]
radius_ip_1=192.168.10.0/24
radius_secret_1=freeradiussecret
failmode=safe
client=radius_client
port=1812
pass_through_all=true
delimiter=;
IP of the DUO proxy server: 192.168.10.5
IP of the server/app I’m authenticating to: 192.168.10.6
Authentication works just fine, but when I look at the Freeradius debug logs, I see this:
Thu Aug 1 15:38:30 2019
Packet-Type = Access-Request
NAS-Identifier = "DUO Testing Profile"
User-Name = "admin"
NAS-IP-Address = 192.168.10.5
Event-Timestamp = "Aug 1 2019 15:38:30 UTC"
Timestamp = 1564673910
I was expecting to see NAS-IP-Address = 192.168.0.6
Am I missing something simple?
08-02-2019 07:18 AM
The Duo proxy won’t pass through the value for NAS-IP-Address. The proxy will either use its own IP or one that you can specify. Take a look at the description of the nas_ip config option for radius_client.
08-02-2019 07:50 AM
Thank you for your response. I’m confused though, because I thought the option of pass_through_all would be “all RADIUS attributes”. Without the target device IP being passed through, then how can we limit (via RADIUS) who can login to what device? Typically, within the RADIUS configs we have rules like:
if ( (Ldap-Group == "CN=SpecialGroup,OU=Groups,DC=domain,DC=local") && \
     ( (NAS-IP-Address == "192.168.10.11") || \
       (NAS-IP-Address == "192.168.10.123") || \
       (NAS-IP-Address == "192.168.10.25") ) ) {
    update reply {
        &Reply-Message = "Hello Team Member, you have access to this device"
    }
}
So, without the NAS-IP-Address of the target, this won’t work.
08-02-2019 08:15 AM
It’s not exactly ALL, which is why the nas_ip option is there with that extra bit of explanation.
That is true, which is why I mentioned the feature request for supporting passing through that attribute.
Do your clients send Calling-Station-Id? That attribute would get passed through by the proxy (and is what gets reported to Duo as the client IP in the authentication logs).
08-02-2019 11:37 AM
Unfortunately, it does not. Here’s from a Cisco 6504 SUP 2T:
Access-Request (1), id: 0x31, Authenticator: b1a0c0zasdasdasdasc027
User-Name Attribute (1), length: 9, Value: admin 0x0000: 7277 6164 6d69 6e
User-Password Attribute (2), length: 66, Value:
NAS-Port Attribute (5), length: 6, Value: 2
0x0000: 0000 0002
NAS-Port-Id Attribute (87), length: 6, Value: tty2
0x0000: 7474 7932
NAS-Port-Type Attribute (61), length: 6, Value: Virtual
0x0000: 0000 0005
NAS-IP-Address Attribute (4), length: 6, Value: 192.168.10.1
0x0000: ac1e 3601
I’ve checked a few other commonly used switches and routers; all do the same. I even checked a Palo Alto firewall, and it sends the same thing, only NAS-IP-Address. It seems that is the default attribute.