Pass radius attributes to connect-script
curiousemeric at rotacioskapa.com
Thu Oct 6 08:37:21 PDT 2016
Hi,
We at the university (which cannot be named) would like to deploy a new
vpn solution next to our existing one.
I know this sounds crazy, but all of our users have real, globally
routable IPv4 VPN addresses.
This is for historical and licensing reasons.
The current l2tp/ipsec vpn uses /32 routes and addresses which it
receives from a radius server.
Now, as far as I know, the tun/tap device can at minimum use /30 routes
(for Windows compatibility).
What I would like to ask: is there a way for the "up" and "down" scripts
to get the Framed-IP-Address sent by RADIUS?
My plan is to add the /32 route to the loopback interface so the running
dynamic routing daemon can pick it up:
ip route add $FRAMEDIP/255.255.255.255 dev lo
Then do something like this:
iptables -t nat -I POSTROUTING -s $IP_REMOTE -j SNAT --to $FRAMEDIP
regards,
Emeric
PS:
I remember in the golden days pppd with radiusclient stored attribute
files for logged-in users in /var/run/ppp<num>.attr files,
but radcli doesn't.
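As an added example (not from the post, nor from the openconnect or ocserv projects), here is the connect-script the post sketches, in a form that validates the addresses before they reach ip/iptables and undoes both changes on disconnect. It assumes REASON and IP_REMOTE as ocserv passes them to its connect-script, and a hypothetical FRAMED_IP variable carrying the RADIUS Framed-IP-Address, which is exactly what the question asks for.

```shell
#!/bin/sh
# Hypothetical ocserv connect-script. FRAMED_IP is an assumed variable (whether
# the hook can receive it is the open question); REASON and IP_REMOTE are the
# variables ocserv passes. Set DRY_RUN=1 to print the commands instead of running them.

# is_ipv4 ADDR: accept only a dotted quad with octets 0-255, so a malformed or
# hostile RADIUS attribute cannot smuggle extra arguments into ip/iptables.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    return 0
}

# run CMD...: echo the command in dry-run mode, otherwise execute it.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# handle_session REASON IP_REMOTE FRAMED_IP: on connect, host-route the /32 on lo
# (so the routing daemon redistributes it) and SNAT the tunnel address to it;
# on disconnect, remove both. Returns 1 on bad input without touching the system.
handle_session() {
    reason=$1; tun_ip=$2; framed=$3
    is_ipv4 "$tun_ip" && is_ipv4 "$framed" || return 1
    case "$reason" in
        connect)
            run ip route replace "$framed/32" dev lo
            run iptables -t nat -I POSTROUTING -s "$tun_ip" -j SNAT --to-source "$framed" ;;
        disconnect)
            run iptables -t nat -D POSTROUTING -s "$tun_ip" -j SNAT --to-source "$framed"
            run ip route del "$framed/32" dev lo ;;
        *) return 1 ;;
    esac
}

# When invoked by ocserv, act on its environment; otherwise only define the functions.
if [ -n "${REASON:-}" ]; then
    handle_session "$REASON" "$IP_REMOTE" "$FRAMED_IP"
fi
```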
More information about the openconnect-devel mailing list