Solved: Auth Proxy on Ubuntu not passing nas_ip to external RADIUS server


#1

All,

I have a new install on Ubuntu 18.04, version 2.10.1. Authentication works with primary auth to RADIUS server, including passing A/V pairs back to NAS. RADIUS server sees NAS IP of Ubuntu server, even with conf file using nas_ip=x.x.x.x. I built the conf file without this value originally for testing and then added it to test NAS identification on the RADIUS Server. Service and server have been restarted.

Snip from conf file:

[radius_client]
host=10.0.0.100
secret=**********
pass_through_all=true
nas_ip=192.168.2.4
retry_wait=4

Snip from log file when service starts, which appears to show it parsing correctly:

2018-10-02T23:42:11+0000 [-] RADIUS Client Module Configuration:
2018-10-02T23:42:11+0000 [-] {'debug': 'True',
         'host': '10.0.0.100',
         'nas_ip': '192.168.2.4',
         'pass_through_all': 'true',
         'retry_wait': '9',
         'secret': '*****'}

From my AAA server (Cisco ISE) authentication log:

NAS IPv4 Address 10.0.0.206

Any thoughts? Am I missing something?

Thanks,
Mark


#2

Are you trying to preserve the NAS IP passed in from the RADIUS client request to the Duo Authentication Proxy? If so, be sure to set the pass through option in your [radius_server_auto] section as well.


#3

Thank you. That helped. I had pass_through_all on the RADIUS Client side for AV pairs being sent back in response, so those all worked. I did not have it in the RADIUS Automatic portion of the config for the request. Enabling this option and setting “true” started passing through attributes.

Unfortunately, based on a packet capture, my RADIUS server does not appear to be parsing attribute 4 (NAS-IP-ADDRESS) properly and is falling back to identify the NAS as the IP of the Duo Proxy. That means some digging on my side.

Thanks for the time.

Mark
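
The check described in the last post, comparing attribute 4 in the forwarded Access-Request with the address the packet arrived from, can be done on captured bytes with a small parser. This is an added example, not part of the thread and not Duo or Cisco code; the function names are hypothetical and the packets are constructed samples that reuse the addresses quoted above.

```python
import ipaddress
import struct

NAS_IP_ADDRESS = 4  # RADIUS attribute type 4 (RFC 2865)

def build_access_request(attrs, identifier=1):
    """Build a constructed Access-Request (code 1) used only as sample input."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", 1, identifier, 20 + len(body))
    return header + bytes(16) + body  # zeroed authenticator: sample, not valid auth

def parse_attributes(packet):
    """Return [(type, value)] after validating the header and every TLV length."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the datagram")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def nas_ip(packet):
    """Return NAS-IP-Address as a dotted string, or None if the attribute is absent."""
    for atype, value in parse_attributes(packet):
        if atype == NAS_IP_ADDRESS:
            if len(value) != 4:
                raise ValueError("NAS-IP-Address must carry exactly 4 bytes")
            return str(ipaddress.IPv4Address(value))
    return None

def compare(packet, source_ip):
    """Report what the request carries next to the address it arrived from."""
    attr = nas_ip(packet)
    return {"source_ip": source_ip, "nas_ip_attr": attr,
            "differs": attr is not None and attr != source_ip}

# Constructed samples: the addresses are the ones quoted in the thread.
USER = (1, b"mark")
WITH_ATTR = build_access_request([USER, (NAS_IP_ADDRESS, ipaddress.IPv4Address("192.168.2.4").packed)])
WITHOUT_ATTR = build_access_request([USER])
```

Calling `compare(WITH_ATTR, "10.0.0.206")` shows the attribute present and different from the proxy's source address, which is the case where the RADIUS server's own NAS identification decides which value is logged.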