Page MenuHomeVyOS Platform
Create Task
Maniphest T828

Specify RADIUS source ip for PPP and L2TP connections
Closed, ResolvedPublicFEATURE REQUEST
Actions

Description

RADIUS servers could be hardened by only allowing certain IP addresses to connect. As of now the radius client used e.g. for L2TP VPN auth will bind to address *. Incoming connections to the freeradius server will use the nearest interface IP address pointing to the radius server - making it error prone on OSPF networks when a link fails.

Instead of allowing all IPs from a router to connect to the RADIUS server, we should implement support for a source-ip node.

Freeradius-client used in VyOS 1.2 supports binding to an IP address:

# local address from which radius packets have to be sent
bindaddr *

Cisco uses something similar in IOS:

BR1.xxx(config)#ip radius ?
  source-interface  Specify interface for source address in RADIUS packets

BR1.xxx(config)# ip radius source-interface loopback0

https://github.com/FreeRADIUS/freeradius-client/blob/master/etc/radiusclient.conf.in#L83-L84

Details

Difficulty level
Easy (less than an hour)
Version
-
Why the issue appeared?
Will be filled on close

Related Objects

Event Timeline

c-po created this task.Sep 4 2018, 5:49 AM
syncer triaged this task as Normal priority.Sep 25 2018, 2:07 PM
pasik added a subscriber: pasik.Oct 1 2018, 9:50 AM
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc4); removed VyOS 1.2 Crux.Oct 13 2018, 10:09 AM
syncer moved this task from Needs Triage to Backlog on the VyOS 1.2 Crux (VyOS 1.2.0-rc4) board.Oct 13 2018, 5:47 PM
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc5); removed VyOS 1.2 Crux (VyOS 1.2.0-rc4).Oct 24 2018, 4:40 PM
syncer moved this task from Needs Triage to Backlog on the VyOS 1.2 Crux (VyOS 1.2.0-rc5) board.
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc6); removed VyOS 1.2 Crux (VyOS 1.2.0-rc5).Oct 29 2018, 6:16 PM
syncer moved this task from Needs Triage to Backlog on the VyOS 1.2 Crux (VyOS 1.2.0-rc6) board.
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc7); removed VyOS 1.2 Crux (VyOS 1.2.0-rc6).Nov 6 2018, 12:58 AM
syncer moved this task from Needs Triage to Backlog on the VyOS 1.2 Crux (VyOS 1.2.0-rc7) board.
c-po closed this task as Resolved.Nov 9 2018, 3:09 PM
c-po claimed this task.
c-po changed Difficulty level from Unknown (require assessment) to Easy (less than an hour).
c-po mentioned this in T987: Unclutter L2TP/IPSec RADIUS configuration nodes.Nov 9 2018, 3:51 PM
syncer moved this task from Backlog to Finished on the VyOS 1.2 Crux (VyOS 1.2.0-rc7) board.Nov 13 2018, 3:49 AM
syncer added a project: VyOS-1.2.0-GA.Jan 25 2019, 2:38 PM
c-po renamed this task from Specify RADIUS source ip to Specify RADIUS source ip for PPP and L2TP connections.Apr 18 2019, 3:17 PM
c-po mentioned this in T1344: Unclutter "system login radius" configuration nodes.
c-po mentioned this in T1345: Specify RADIUS source IP for system login command.Apr 18 2019, 3:19 PM
c-po mentioned this in T1546: accel-ppp/L2TP radius-source address is not honored.Jul 26 2019, 5:44 PM
c-po mentioned this in T1547: accel-ppp/L2TP restructure CLI.Jul 26 2019, 6:05 PM