VyOS1.4 openconnect: can not set source address for radius authentication

Bugs
1

Hi,

it seems that source-address parameter does not work in openconnect configuration, despite that source address is set explicitly, system use it own address according to routing table.

accounting {
radius {
server 10.40.0.224 {
key xxxxxxxxxxxxxxxx
port 1813
}
}
}
authentication {
group RemoteAccess
mode {
radius
}
radius {
server 10.40.0.224 {
key xxxxxxxxxxxxxxxx
port 1812
}
source-address 10.40.73.50
timeout 15
}
}
listen-ports {
tcp 443
}
network-settings {
client-ip-settings {
subnet 10.172.1.0/24
}
name-server 10.40.28.20
split-dns anywhere.com
}
ssl {
ca-certificate ca2019
certificate zip50.2019
}

and this is tcpdump for authentication request:

zotov@zip70# sudo tcpdump -i any port 1812 -np
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]… for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
11:32:27.032621 tun002 Out IP 10.40.85.255.44654 > 10.40.0.224.1812: RADIUS, Access-Request (1), id: 0x03 length: 119
11:32:42.033767 tun002 Out IP 10.40.85.255.44654 > 10.40.0.224.1812: RADIUS, Access-Request (1), id: 0x03 length: 119

and this is generated configuration file /run/ocserv/radiusclient.conf:

generated by vpn_openconnect.py

nas-identifier VyOS

Accounting

Authentication

authserver 10.40.0.224:1812
radius_timeout 15
bindaddr *

servers /run/ocserv/radius_servers
dictionary /etc/radcli/dictionary
default_realm
radius_retries 3

vyos 1.4 built from git 20231130

2

Same problem in latest rolling release. Still not fixed. If I manually edit /run/ocserv/radiusclient.conf and change “bindaddr *” to “bindaddr x.x.x.x” (with address that I need) and then restart ocserv, then it works as expected.

3

Can you share config and version?

1 Like
4 
# run show version
Version:          VyOS 1.5-rolling-202409250007
Release train:    current
Release flavor:   generic

Built by:         [email protected]
Built on:         Wed 25 Sep 2024 00:07 UTC
Build UUID:       9b8b01ce-f96f-4af7-8116-68c8cd296cb7
Build commit ID:  fa50a5073b6d3f

Architecture:     x86_64
Boot via:         installed image
System type:      KVM guest
Secure Boot:      n/a (BIOS)

[edit vpn openconnect]
set authentication mode radius
set authentication radius groupconfig 'PPP'
set authentication radius server 192.168.0.58 key '**************'
set authentication radius source-address '10.150.1.16'
set authentication radius timeout '5'
set network-settings client-ip-settings subnet '192.168.89.0/25'
set network-settings name-server '192.168.0.7'
set network-settings name-server '192.168.0.10'
set network-settings name-server '192.168.0.169'
set network-settings push-route '192.168.0.0/16'
set ssl ca-certificate 'R11'
set ssl certificate 'ocvpn'

I have configured two GRE tunnels with load balancing. And requests to RADIUS server are sent with corresponding source addresses of tunX interfaces instead of 10.150.1.16 which is set in “authentication radius source-address” option.

10.150.1.16/32 is configured on loopback interface.

5

Can you test changing this line: vyos-1x/data/templates/ocserv/radius_conf.j2 at current · vyos/vyos-1x · GitHub
From:

{%     if source_address %}

To

{%     if authentication.radius.source_address is vyos_defined %}

File: /usr/share/vyos/templates/ocserv/radius_conf.j2

Then reboot, and test:
1- Config:

cat /run/ocserv/radiusclient.conf

2- tcpdump to double check.

6

It helped, thanks a lot! Source adress is correct now.

7

Thanks for confirming that the patch is working as expected.
I’ve created a bug report: ⚓ T6757 Openconnect - source address for Radius auth not working to apply a permanent solution soon.

8

And the fix was already merged.
You can upgrade to latest nightly-build, and this problem should not be there any more