
Add OpenConnect RADIUS Accounting support
Closed, Resolved / Public / Feature Request

Description

OpenConnect supports sending accounting packets to a RADIUS server by adding the following line to ocserv.conf:

acctserver {radius server ip}

I've tested this by manually editing VyOS templates / ocserv config files and can confirm that it works, e.g. when querying the RADIUS accounting database on the RADIUS server I get the following:

mysql> SELECT username, nasipaddress, acctstarttime, acctupdatetime, acctstoptime, acctinputoctets, acctoutputoctets, callingstationid, framedipaddress, connectinfo_start FROM radacct;
+----------+---------------+---------------------+---------------------+---------------------+-----------------+------------------+------------------+-----------------+-----------------------------------+
| username | nasipaddress  | acctstarttime       | acctupdatetime      | acctstoptime        | acctinputoctets | acctoutputoctets | callingstationid | framedipaddress | connectinfo_start                 |
+----------+---------------+---------------------+---------------------+---------------------+-----------------+------------------+------------------+-----------------+-----------------------------------+
| tester   | xxx.xx.xx.xxx | 2023-01-13 00:59:15 | 2023-01-13 00:59:21 | 2023-01-13 00:59:21 |           10606 |              152 | xxx.xxx.xxx.xx   | xx.x.xx.xx      | Open AnyConnect VPN Agent v8.05-1 |
+----------+---------------+---------------------+---------------------+---------------------+-----------------+------------------+------------------+-----------------+-----------------------------------+

I am currently working on a contribution, which is a work in progress at the moment, to make this configurable via the VyOS CLI. I'm planning to submit a PR in the next few days.

My planned implementation will add a new config node for "accounting" as a child node of openconnect adjacent to "authentication". This way the feature will be compatible with both RADIUS and local authentication, and with a separate RADIUS server for authentication and accounting should someone need that level of flexibility.

Details

Difficulty level
Unknown (require assessment)
Version
1.4.x
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible
Issue type
Feature (new functionality)

Event Timeline

PeppyH created this object in space S1 VyOS Public.
Viacheslav changed the task status from Open to In progress. (Jan 26 2023, 10:31 AM)
Viacheslav added a project: VyOS 1.4 Sagitta.
Viacheslav changed the subtype of this task from "Task" to "Feature Request".
PeppyH updated the task description.

In testing this I found that ocserv validates its config on startup, and using radius accounting without radius authentication fails to validate and the service will not start. As a result I'm not treating OpenConnect accounting as dependent on the radius as the authentication mode.

PeppyH updated the task description.

Going to close this task as the PR has been merged into vyos-1x, and documentation has been merged also - https://docs.vyos.io/en/latest/configuration/vpn/openconnect.html#configuring-radius-accounting