
Feature #383

Is it possible to get UNITY_SPLIT_INCLUDE and UNITY_LOCAL_LAN from RADIUS Access-Accept attributes?

Added by Maxim Izergin almost 7 years ago. Updated almost 7 years ago.

Status: Closed
Priority: Normal
Category: libcharon
Target version:
Start date: 14.08.2013
Due date:
Estimated time:
Resolution: Fixed

Description

I would like to move from attr-SQL to RADIUS.
It's possible to obtain the IP and UNITY_BANNER from RADIUS Access-Accept attributes. The only things I'm missing for the migration are the UNITY_SPLIT_INCLUDE and UNITY_LOCAL_LAN attributes. They should be unique for each Class, so the "attr" plug-in cannot be used in my case.
Is it possible to get UNITY_SPLIT_INCLUDE and UNITY_LOCAL_LAN from RADIUS Access-Accept attributes?

Thank you in advance!

Associated revisions

Revision af22622a
Added by Tobias Brunner almost 7 years ago

Merge branch 'radius-unity'

Adds support for Cisco Unity specific RADIUS attributes.

References #383.

History

#1 Updated by Tobias Brunner almost 7 years ago

  • Tracker changed from Issue to Feature
  • Status changed from New to Feedback

As far as I can tell from the code, forwarding other kinds of RADIUS attributes should be possible quite easily.

The question is, though, what kind of attributes those would be. For UNITY_BANNER we currently forward CVPN3000-IPSec-Banner1(15) and CVPN3000-IPSec-Banner2(36), both defined within the ALTIGA PEN (0x000c04/3076), Cisco provides a list of the defined attributes.

For UNITY_DEF_DOMAIN we could use CVPN3000-IPSec-Default-Domain(28), for UNITY_SPLITDNS_NAME there is CVPN3000-IPSec-Split-DNS-Names(29), but for UNITY_SPLIT_INCLUDE and UNITY_LOCAL_LAN there doesn't seem to be a ready to use attribute.

Well, there is CVPN3000-IPSec-Split-Tunnel-List(27) and CVPN3000-IPSec-Split-Tunneling-Policy(55) but those don't exactly correspond to the UNITY attributes. Apparently, split-tunnel-policy can take the values tunnelall(0), tunnelspecified(1), excludespecified(2). And from the Cisco docs it looks like split-tunnel-network-list takes the name of an ACL and not a list of subnets. Which seems to limit the flexibility quite a bit, that is, defining UNITY_SPLIT_INCLUDE and UNITY_LOCAL_LAN seems not possible, all addresses in the ACL are sent in either one of those ModeConfig attributes, depending on the defined policy.

I suppose we could redefine the meaning of the contents of a CVPN3000-IPSec-Split-Tunnel-List attribute to our liking (e.g. as a list of subnets, optionally with a ! before or after a subnet to send it in UNITY_LOCAL_LAN instead of UNITY_SPLIT_INCLUDE) but that wouldn't be compatible with a Cisco setup. Alternatively, we could actually implement something like ACLs (but with more flexibility), for instance:

charon {
    plugins {
        eap-radius {
            unity-acls {
                acl1 {
                    include = <subnets>
                    exclude = <subnets>
                }
                acl2 {
                    include = <subnets>
                }
            }
        }
    }    
}

But that's very IKEv1/Cisco specific and might be overkill.

Of course, we could also define our own attributes in the ITA PEN (0x00902a/36906) namespace, but I don't know if that's preferable.

#2 Updated by Maxim Izergin almost 7 years ago

Hi Tobias,
Thank you very much for the detailed answer.
Simultaneous usage of UNITY_SPLIT_INCLUDE and UNITY_LOCAL_LAN is not supported by Cisco clients, that is correct. The server should send either UNITY_SPLIT_INCLUDE or UNITY_LOCAL_LAN.
As for the solution, I would prefer a combination of the CVPN3000-IPSec-Split-Tunnel-List attribute as a list of subnets, and CVPN3000-IPSec-Split-Tunneling-Policy as a "direction" option: 1 sends UNITY_LOCAL_LAN to the client and 2 sends UNITY_SPLIT_INCLUDE to the client.
The RADIUS Access-Accept may look like this:

Sending Access-Accept of id 110 to 172.17.18.2 port 42221
        Class = 0x31306d626974
        CVPN3000-IPSec-Banner1 = "" 
        CVPN3000-IPSec-Split-Tunnel-List = "172.20.10.0/255.255.255.240" 
        CVPN3000-IPSec-Split-Tunneling-Policy = 1
        Framed-IP-Address = 10.175.63.254
Thu Aug 15 11:11:32 2013 : Info: Finished request 0.

This should be transformed into

UNITY_LOCAL_LAN = 172.20.10.0/255.255.255.240

and sent to the device.

Response

Sending Access-Accept of id 96 to 172.17.18.2 port 51848
        Class = 0x31306d626974
        CVPN3000-IPSec-Banner1 = "" 
        CVPN3000-IPSec-Split-Tunnel-List = "172.20.10.0/255.255.255.240" 
        CVPN3000-IPSec-Split-Tunneling-Policy = 2
        Framed-IP-Address = 10.175.63.254
Thu Aug 15 11:18:17 2013 : Info: Finished request 6.

should be transformed into
UNITY_SPLIT_INCLUDE = 172.20.10.0/255.255.255.240

and sent to the device.

#3 Updated by Tobias Brunner almost 7 years ago

  • Category set to libcharon
  • Assignee set to Tobias Brunner

As for the solution, I would prefer a combination of the CVPN3000-IPSec-Split-Tunnel-List attribute as a list of subnets, and CVPN3000-IPSec-Split-Tunneling-Policy as a "direction" option: 1 sends UNITY_LOCAL_LAN to the client and 2 sends UNITY_SPLIT_INCLUDE to the client.

That would be a possibility. I implemented this in the radius-unity branch of our repository. But I reversed the interpretation of the policy value, that is, tunnelspecified(1) sends UNITY_SPLIT_INCLUDE and excludespecified(2) sends UNITY_LOCAL_LAN. It is still a bit less flexible than e.g. the sql-attr plugin, which allows assigning both kinds of attributes to clients.

Multiple subnets can be separated with a comma (not sure if a space would be better), and are currently sent in a single configuration payload (perhaps I'll change that, as it is not compatible with releases before 5.1.0).
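The mapping described above, as an added Python example that is not code from strongSwan or from this ticket: it decodes the two Altiga vendor-specific attributes (RFC 2865 Vendor-Specific framing, vendor id 3076) from a constructed Access-Accept attribute blob and returns the Unity attribute to send with its parsed network/netmask pairs, using the radius-unity branch interpretation (tunnelspecified(1) gives UNITY_SPLIT_INCLUDE, excludespecified(2) gives UNITY_LOCAL_LAN, comma-separated subnets). The helper names and the sample blob are constructed for this example; an entry with host bits set under its mask is rejected rather than sent to the client.

```python
import ipaddress
import struct

ALTIGA_PEN = 3076               # PEN used by the CVPN3000-* attributes
RADIUS_VENDOR_SPECIFIC = 26     # RFC 2865 Vendor-Specific attribute type
ATTR_SPLIT_TUNNEL_LIST = 27     # CVPN3000-IPSec-Split-Tunnel-List (string)
ATTR_SPLIT_TUNNEL_POLICY = 55   # CVPN3000-IPSec-Split-Tunneling-Policy (integer)
UNITY_BY_POLICY = {1: "UNITY_SPLIT_INCLUDE", 2: "UNITY_LOCAL_LAN"}  # tunnelall(0): nothing

def vsa(vendor_type, data):
    """Encode one Vendor-Specific attribute carrying a single Altiga sub-attribute."""
    body = struct.pack("!IBB", ALTIGA_PEN, vendor_type, 2 + len(data)) + data
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body

def parse_altiga(attrs):
    """Yield (vendor_type, data) for every Altiga VSA in a raw RADIUS attribute blob."""
    pos = 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed RADIUS attribute at offset %d" % pos)
        if atype == RADIUS_VENDOR_SPECIFIC and alen >= 8:
            vendor, vtype, vlen = struct.unpack("!IBB", attrs[pos + 2:pos + 8])
            # the sub-attribute must fill the VSA exactly: 2 (type/len) + 4 (vendor id) + vlen
            if vendor == ALTIGA_PEN and vlen == alen - 6:
                yield vtype, attrs[pos + 8:pos + alen]
        pos += alen

def unity_attribute(attrs):
    """Return (unity_name, [(network, netmask), ...]) or None if nothing is to be sent."""
    subnets, policy = None, None
    for vtype, data in parse_altiga(attrs):
        if vtype == ATTR_SPLIT_TUNNEL_LIST:
            subnets = data.decode("ascii")
        elif vtype == ATTR_SPLIT_TUNNEL_POLICY and len(data) == 4:
            policy = struct.unpack("!I", data)[0]
    name = UNITY_BY_POLICY.get(policy)
    if name is None or not subnets:
        return None
    nets = []
    for item in subnets.split(","):           # comma-separated, as in the radius-unity branch
        addr, _, mask = item.strip().partition("/")
        # strict=True rejects a list entry whose address has host bits set under its mask
        net = ipaddress.IPv4Network((addr, mask), strict=True)
        nets.append((str(net.network_address), str(net.netmask)))
    return name, nets

# Constructed attribute blob modelled on the Access-Accept shown earlier in this ticket
SAMPLE_ACCEPT = (vsa(ATTR_SPLIT_TUNNEL_LIST, b"172.20.10.0/255.255.255.240,10.0.0.0/255.0.0.0")
                 + vsa(ATTR_SPLIT_TUNNEL_POLICY, b"\x00\x00\x00\x01"))
```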

#4 Updated by Maxim Izergin almost 7 years ago

Thank you very much, Tobias!
The patch was tested successfully:

# cd strongswan-5.1.0/
# wget http://wiki.strongswan.org/projects/strongswan/repository/revisions/99b6363f01496b971670c52ffb17c7af3bec36e8/diff/src/libcharon/plugins/eap_radius/eap_radius.c?format=diff
# mv eap_radius.c\?format\=diff eap_radius.patch
# patch -p1 < eap_radius.patch
# make
# ipsec stop
# make install
# ipsec start
# rm eap_radius.patch

Here is the device log:

Aug 16 18:00:24 iPhone-Maximus configd[47] <Notice>: IPSec Network Configuration started.
Aug 16 18:00:24 iPhone-Maximus configd[47] <Notice>: IPSec Network Configuration: INTERNAL-IP4-ADDRESS = 10.175.48.2.
Aug 16 18:00:24 iPhone-Maximus configd[47] <Notice>: IPSec Network Configuration: INTERNAL-IP4-DNS = 8.8.8.8.
Aug 16 18:00:24 iPhone-Maximus configd[47] <Notice>: IPSec Network Configuration: LOCAL-LAN[0] = destination 10.175.48.2/8 -> gateway 10.175.48.2/32.
Aug 16 18:00:24 iPhone-Maximus configd[47] <Notice>: IPSec Network Configuration: LOCAL-LAN[0] = destination 10.175.48.2/16 -> gateway 10.175.48.2/32.
Aug 16 18:00:24 iPhone-Maximus configd[47] <Notice>: IPSec NetworkConfiguration: DEFAULT-ROUTE = local-address 10.175.48.2/32.
Aug 16 18:00:24 iPhone-Maximus configd[47] <Notice>: IPSec Phase2 starting.
Aug 16 18:00:24 iPhone-Maximus configd[47] <Notice>: IPSec Network Configuration established.
Aug 16 18:00:24 iPhone-Maximus configd[47] <Notice>: IPSec Phase1 established

I'm ready for migration from sql-attr to radius. :-)

Thank you!

#5 Updated by Maxim Izergin almost 7 years ago

Hi Tobias,

I found that INTERNAL_IP4_NETMASK is also important for me. It should be set to 255.255.255.255 in my setup, while the default value is not 255.255.255.255.
Could you please support "Framed-IP-Netmask" (9) parameter from RADIUS?

#6 Updated by Tobias Brunner almost 7 years ago

  • Target version set to 5.1.1

Could you please support "Framed-IP-Netmask" (9) parameter from RADIUS?

I pushed another commit to that branch that adds support for this.

#7 Updated by Maxim Izergin almost 7 years ago

Thank you, Tobias!

#8 Updated by Tobias Brunner almost 7 years ago

  • Status changed from Feedback to Closed
  • Resolution set to Fixed
