Radius - Not setting nas-ip as source IP

Hi,

We configured radius authentication and set packets to originate from the router’s loopback IP with the following command:
set system login radius source-address 192.0.2.55

RADIUS logs, however, detail the submitted nas-ip as being the loopback IP (127.0.0.1):
Tue Jan 28 12:04:18 2020 : Auth: Login OK: [davidh] (from client isp_core port 11982 cli 10.10.10.80) nas-ip:127.0.1.1 nas-id:sshd

Makes it difficult to find authentication sessions from VyOS in central logs.

Could someone point me in the right direction with regards to possibly changing this to use the configured source IP?

Regards
David Herselman

Which version? RADIUS auth is currently broken in 1.3, see T1948.

Notice:
pam_radius gets the value for the NAS-IP-Address attribute from /etc/hosts.
NAS-IP-Address will be correct if we add the following to /etc/hosts:

<ip address>       <system_hostname>

Many thanks, we’re running VyOS 1.3 rolling from the 20th of January 2020 and RADIUS authentication is working but very slow due to there being additional lines in the config file.

I see /etc/hosts gets generated by /usr/libexec/vyos/services/vyos-hostsd, which hard codes a loopback IP of 127.0.1.1. Is there anything that relies on this mapping, or could the script be updated to store the loopback IP in its place (possibly even simply referencing the radius source-address)?

The additional lines in /etc/pam_radius_auth.conf I’m referring to are:

192.0.2.224:1812       ****************        2       192.0.2.55
priv-lvl 15
mapped_priv_user radius_priv_user

Results in log entries:

Jan 28 15:35:49 testing sshd[12553]: Accepted password for davidh from 10.10.10.80 port 43512 ssh2
Jan 28 15:35:51 testing sshd[12553]: pam_radius_auth: RADIUS server 192.0.2.224 failed to respond
Jan 28 15:35:51 testing sshd[12553]: pam_radius_auth: Failed looking up IP address for RADIUS server priv-lvl (errcode=9)
Jan 28 15:35:51 testing sshd[12553]: pam_radius_auth: Failed looking up IP address for RADIUS server mapped_priv_user (errcode=9)
Jan 28 15:35:54 testing sshd[12553]: pam_radius_auth: All RADIUS servers failed to respond.
Jan 28 15:35:54 testing sshd[12553]: pam_unix(sshd:session): session opened for user davidh by (uid=0)

Regards
David Herselman
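
The log entries in the post above show pam_radius_auth treating priv-lvl and mapped_priv_user as RADIUS server names and timing out on them. An offline check for that, added here as an example and not part of the thread or of VyOS: it assumes every non-comment line is `server[:port] secret [timeout] [source address]`, as in the quoted line, and `lint`, `known_hosts` and the placeholder secret are hypothetical names and values.

```python
import ipaddress

# Constructed sample mirroring the lines quoted in the post; the secret is a placeholder.
SAMPLE_CONF = """\
192.0.2.224:1812       PLACEHOLDER_SECRET        2       192.0.2.55
priv-lvl 15
mapped_priv_user radius_priv_user
"""

def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def split_server(field):
    """Return the host part of 'host', 'host:port' or '[v6]:port'."""
    if field.startswith("["):
        return field[1:].split("]", 1)[0]
    if field.count(":") == 1:
        return field.split(":", 1)[0]
    return field

def lint(conf_text, known_hosts=()):
    """Return (line_no, server, problem) for entries that cannot work as servers.

    known_hosts: names the operator knows will resolve (assumption: no DNS is
    queried here, so any other non-IP server field is reported).
    """
    findings = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or comment
        host = split_server(fields[0])
        if len(fields) < 2:
            findings.append((no, host, "no shared secret"))
        elif not is_ip(host) and host not in known_hosts:
            findings.append((no, host, "read as a server name that must resolve"))
        elif len(fields) > 2 and not fields[2].isdigit():
            findings.append((no, host, "timeout is not a number"))
        elif len(fields) > 3 and not is_ip(fields[3]):
            findings.append((no, host, "source address is not an IP"))
    return findings

if __name__ == "__main__":
    for no, host, problem in lint(SAMPLE_CONF):
        print(f"line {no}: {host!r}: {problem}")
```

On the sample it reports lines 2 and 3, the same two names that appear in the "Failed looking up IP address for RADIUS server" log entries.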


Hello @bbs2web, I have an update. I think we can improve this as you suggested:
https://phabricator.vyos.net/T2478