mfischer
just joined
Topic Author
Posts: 7
Joined: Fri May 10, 2019 3:39 pm

Include Framed-IP-Address in Radius Accounting Packages

Mon Apr 25, 2022 5:38 pm

Hi!

Our current setup is the following:
UniFi WiFi AP does EAP-PEAP against a freeradius (user source is LDAP). Freeradius delivers VLAN and Class information to the UniFi System which then sends a radius accounting request including, besides others, User-Name, Classes and Framed-IP-Address to the freeradius server. The freeradius server forwards the accounting package to our Fortigate firewall and thus the Fortigate authorizes the user/IP-address and assigns a usergroup according to the Class attribute.

I want to replace UniFi by CAPsMAN. My test setup works well (VLANS assigned correctly, etc.), except that no Framed-IP-Address is included in the accounting package that CAPsMAN generates. Thus the Fortigate firewall cannot authorize the User/IP-Address combination.

Is this solvable?

Thanks, Mike
 
floaty
Member
Posts: 321
Joined: Sat Oct 20, 2018 1:24 am
Location: 52°08'32.34"N 14°39'05.0"E

Re: Include Framed-IP-Address in Radius Accounting Packages

Fri Aug 18, 2023 6:08 pm

same problem ...
tried to setup radius-sso for wireless-users in my firewall ... but without radius-attribute <Framed-IP-Address>, the user-status is not established.
since my dhcp-server is a mikrotik-device too, I used the radius-accounting function of the mikrotik-dhcp for a workaround.
now I see the mac-address of the endpoint as RSSO-username in my firewall ... problem solved ... but is this cozy ? ... not so much, it's radius-sso for a dhcp-pool ¯\_(ツ)_/¯
.
guess in your case should be possible to log-the dhcp-service and add the <Framed-IP-Address> with a freeradius-module to the accounting-packet ... should be a large wireless network to be worth the effort.
and since the ubnt-guys already answered to the problem ... first you wanted to change ... and then ... not : )
 
floaty
Member
Posts: 321
Joined: Sat Oct 20, 2018 1:24 am
Location: 52°08'32.34"N 14°39'05.0"E

Re: Include Framed-IP-Address in Radius Accounting Packages

Fri Aug 18, 2023 9:05 pm

: \
.
static-leases with static acc-proxy-rule, that's even more ugly ( just to show what a freerad-module should do )
.
... thought about syslog-sso ... but same predicament ... there's no log-message from the mt-device which contains username and IP
.
acc-proxy-rule.png
 
floaty
Member
Posts: 321
Joined: Sat Oct 20, 2018 1:24 am
Location: 52°08'32.34"N 14°39'05.0"E

Re: Include Framed-IP-Address in Radius Accounting Packages

Fri Aug 18, 2023 10:40 pm

https://datatracker.ietf.org/doc/html/rfc2866#page-18

4.1. Accounting-Request

If the Accounting-Request packet includes a Framed-IP-Address,
that attribute MUST contain the IP address of the user. If the
Access-Accept used the special values for Framed-IP-Address
telling the NAS to assign or negotiate an IP address for the user,
the Framed-IP-Address (if any) in the Accounting-Request MUST
contain the actual IP address assigned or negotiated.

when "If" then "MUST"
.
but no "If" in MikroTik
.
... but it seems to be pretty standard in the industry ... Aruba, FortiAPs, Cisco ... even Watchguard-Wireless and the UBNT-men ... have this little parser implemented
.
RADIUS SSO Requirements
You can use RADIUS Single Sign-On with wireless access point or other RADIUS clients that include the required information in the RADIUS accounting messages. For RADIUS SSO to operate, the RADIUS accounting Start, Stop, and Interim-Update accounting messages sent by the RADIUS client must include these attributes:

User-Name — The name of the authenticated user
Framed-IP-Address — The client IP address of the authenticated user
WatchGuard AP devices that use the latest version of AP firmware meet these requirements. Other wireless access points that support these requirements should also operate correctly for RADIUS SSO.
.
guess this could swell to a feature request : ) ... do I hear a 'yay ... +1' ?
.
acc-framed-ip.png
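The RFC 2866 text quoted above fixes both the attribute layout and the Request Authenticator (MD5 over Code, Identifier, Length, sixteen zero octets, the attributes and the shared secret). The following is an added example, not code from this thread or from MikroTik or FreeRADIUS: it builds an Accounting-Request carrying User-Name and Framed-IP-Address, verifies the authenticator on receipt, parses the attributes back out, and checks the RSSO requirement quoted from the WatchGuard documentation (both User-Name and Framed-IP-Address present). Attribute numbers are the standard RADIUS ones; the shared secret, session id and addresses in the test are constructed values.

```python
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST = 4                      # RADIUS Code for Accounting-Request (RFC 2866)
ATTR = {"User-Name": 1, "Framed-IP-Address": 8, "Class": 25,
        "Calling-Station-Id": 31, "Acct-Status-Type": 40, "Acct-Session-Id": 44}
ATTR_NAME = {v: k for k, v in ATTR.items()}
ACCT_START, ACCT_STOP, ACCT_INTERIM = 1, 2, 3   # Acct-Status-Type values


def encode_attr(name, value):
    """Encode one attribute as Type(1) Length(1) Value."""
    code = ATTR[name]
    if name == "Framed-IP-Address":
        data = ipaddress.IPv4Address(value).packed        # 4 octets, network order
    elif name == "Acct-Status-Type":
        data = struct.pack("!I", value)                   # 32-bit integer
    else:
        data = value if isinstance(value, bytes) else value.encode()
    if len(data) > 253:
        raise ValueError("attribute value too long for RADIUS")
    return struct.pack("!BB", code, len(data) + 2) + data


def build_accounting_request(secret, identifier, attrs):
    """Return a complete Accounting-Request with a valid Request Authenticator."""
    body = b"".join(encode_attr(n, v) for n, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    # RFC 2866 section 3: MD5(Code + ID + Length + 16 zero octets + attributes + secret)
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_accounting_request(packet, secret):
    """Recompute the Request Authenticator; reject length mismatches and wrong codes."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attrs(packet):
    """Walk the TLV list after the 20-byte header; raise on malformed lengths."""
    out, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        code, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute length")
        data = packet[pos + 2:pos + alen]
        name = ATTR_NAME.get(code, code)
        if name == "Framed-IP-Address":
            out[name] = str(ipaddress.IPv4Address(data))
        elif name == "Acct-Status-Type":
            out[name] = struct.unpack("!I", data)[0]
        elif name == "Class":
            out[name] = data                              # opaque octets, echoed as received
        else:
            out[name] = data.decode(errors="replace")
        pos += alen
    return out


def has_sso_attributes(attrs):
    """The RSSO requirement quoted in the thread: User-Name and Framed-IP-Address present."""
    return "User-Name" in attrs and "Framed-IP-Address" in attrs


if __name__ == "__main__":
    # Constructed values: shared secret, session id and client address are not real.
    secret = b"constructed-shared-secret"
    pkt = build_accounting_request(secret, 7, [
        ("User-Name", "alice"),
        ("Framed-IP-Address", "10.20.30.40"),
        ("Acct-Status-Type", ACCT_START),
        ("Acct-Session-Id", "8100000a"),
    ])
    print(verify_accounting_request(pkt, secret), parse_attrs(pkt))
```

The verifier rejects a packet whose declared Length disagrees with the datagram size before touching the authenticator, and the parser refuses an attribute length under 2 (which would otherwise loop forever) or one that runs past the packet end.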
 
floaty
Member
Posts: 321
Joined: Sat Oct 20, 2018 1:24 am
Location: 52°08'32.34"N 14°39'05.0"E

Re: Include Framed-IP-Address in Radius Accounting Packages

Fri Aug 18, 2023 10:53 pm

.
while this result is made the ugly way ... it is still a very very nice to have ... and ... to use .. result !!
.
so I'm starting with a big fat "yay" +1
.
acc-proxy-result.png
 
mfischer
just joined
Topic Author
Posts: 7
Joined: Fri May 10, 2019 3:39 pm

Re: Include Framed-IP-Address in Radius Accounting Packages

Tue Oct 17, 2023 5:21 pm

I don't exactly understand what you are doing.

But I think I tried to achieve the goal in a similar way. I logged all leases on my ISC-DHCP-Server to a database - and tried to find an entry via the freeradius exec module when it received an accounting request - and updated it with the IP address found in the database. But that slowed freeradius down so much that it was not usable anymore...
 
mfischer
just joined
Topic Author
Posts: 7
Joined: Fri May 10, 2019 3:39 pm

Re: Include Framed-IP-Address in Radius Accounting Packages

Tue Oct 17, 2023 5:24 pm

Also - where are your screenshots from? Is that a Fortinet firewall?
 
floaty
Member
Posts: 321
Joined: Sat Oct 20, 2018 1:24 am
Location: 52°08'32.34"N 14°39'05.0"E

Re: Include Framed-IP-Address in Radius Accounting Packages

Wed Oct 18, 2023 2:28 pm

yes ... it's a fortigate ...
... eventually ... instead of radius-sso, some kind of syslog-sso can do the job
... logging the radius-auth and the dhcp-request with swatch or similar; then a script which merges the username from the rad-request and the ip from the dhcp-request and sending it back to an syslog-sso-connector ?!
... still ruminating about
.
https://help.mikrotik.com/docs/display/ ... properties
.
maybe we wake up one day ... and a "4" and a "6" joined "a" and "A" ...
... and after initial authentication, we find a v4 or a v6 IP-Address in the interim-updates ... seems this is what rfc2866 suggests
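The merge step sketched in the post above (username from the RADIUS auth log, IP from the DHCP log, joined on the client MAC) is shown here as an added example that is not code from this thread or from any of the products named in it. The log lines are constructed and only approximate the FreeRADIUS "Login OK" line and RouterOS dhcp-server "assigned"/"deassigned" messages; the regexes are assumptions to be adjusted to the real formats. Note that the two sources write MAC addresses with different separators and cases, and that a released lease must drop the mapping so a stale IP is never reported for a user.

```python
import re

# Constructed sample log, approximating a FreeRADIUS auth line and RouterOS dhcp-server lines.
SAMPLE_LOG = """\
Aug 18 21:01:03 radius radiusd[1234]: Auth: (17) Login OK: [alice] (from client capsman port 0 cli 00-11-22-33-44-55)
Aug 18 21:01:04 router dhcp,info dhcp1 assigned 192.168.10.23 to 00:11:22:33:44:55
Aug 18 21:02:10 router dhcp,info dhcp1 assigned 192.168.10.40 to AA:BB:CC:DD:EE:FF
Aug 18 21:02:11 radius radiusd[1234]: Auth: (18) Login OK: [bob] (from client capsman port 0 cli aa-bb-cc-dd-ee-ff)
Aug 18 21:03:00 radius radiusd[1234]: Auth: (19) Login incorrect (mschap: wrong password): [eve] (from client capsman port 0 cli 01-02-03-04-05-06)
Aug 18 21:30:00 router dhcp,info dhcp1 deassigned 192.168.10.40 from AA:BB:CC:DD:EE:FF
"""

# Assumed line formats; only successful logins are accepted as a username source.
AUTH_OK = re.compile(
    r"Login OK: \[(?P<user>[^\]]+)\] \(from client \S+ port \d+ cli (?P<mac>[0-9A-Fa-f:-]{17})\)")
DHCP_ASSIGN = re.compile(r"dhcp\S* assigned (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>[0-9A-Fa-f:]{17})")
DHCP_RELEASE = re.compile(r"dhcp\S* deassigned (?P<ip>\d+\.\d+\.\d+\.\d+) from (?P<mac>[0-9A-Fa-f:]{17})")


def normalize_mac(mac):
    """Canonical form so 'AA-BB-...' from RADIUS and 'aa:bb:...' from DHCP compare equal."""
    return mac.replace("-", ":").lower()


def merge_sessions(log_text):
    """Return {user: ip} for every user with a successful auth and a lease that is still live.

    Order of events is not assumed: the DHCP lease may be logged before or after the auth.
    """
    user_by_mac = {}
    ip_by_mac = {}
    for line in log_text.splitlines():
        m = AUTH_OK.search(line)
        if m:
            user_by_mac[normalize_mac(m["mac"])] = m["user"]
            continue
        m = DHCP_ASSIGN.search(line)
        if m:
            ip_by_mac[normalize_mac(m["mac"])] = m["ip"]
            continue
        m = DHCP_RELEASE.search(line)
        if m:
            # Lease gone: forget the IP so the user is not reported at a stale address.
            ip_by_mac.pop(normalize_mac(m["mac"]), None)
    return {user: ip_by_mac[mac] for mac, user in user_by_mac.items() if mac in ip_by_mac}


if __name__ == "__main__":
    print(merge_sessions(SAMPLE_LOG))
```

Whatever consumes the result (a syslog-SSO connector in the post's scenario) should be fed only the joined pairs; a username without a live lease, or a lease whose MAC never authenticated, carries no authorization and is deliberately left out.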
