I'm using the latest version of OPNsense, which is 19.7, and I have configured OpenVPN with RADIUS to authenticate users, but the Framed-IP-Address attribute doesn't work at all. I'm using Windows RADIUS, and System -> Access -> Tester shows that the RADIUS server can pass the attribute to OPNsense.
Does anyone know what's wrong?
Framed-Netmask missing?
In Windows there is an option Framed-IP-Netmask, which I have in my RADIUS server attributes. Unfortunately the result was the same.
OpenVPN needs Framed-IP-Address and Framed-IP-Netmask ... what do you have in openvpn.log?
I have configured both. This is what the OPNsense tester shows.
User: user authenticated successfully.
This user is a member of these groups:
Attributes received from server:
Framed-IP-Netmask => 255.255.255.0
Framed-IP-Address => 192.168.248.101
and the openvpn.log is as follows:
Jul 23 22:14:45 FW01 openvpn[83584]: 1.1.1.1:13724 peer info: IV_VER=2.4.7
Jul 23 22:14:45 FW01 openvpn[83584]: 1.1.1.1:13724 peer info: IV_PLAT=win
Jul 23 22:14:45 FW01 openvpn[83584]: 1.1.1.1:13724 peer info: IV_PROTO=2
Jul 23 22:14:45 FW01 openvpn[83584]: 1.1.1.1:13724 peer info: IV_NCP=2
Jul 23 22:14:45 FW01 openvpn[83584]: 1.1.1.1:13724 peer info: IV_LZ4=1
Jul 23 22:14:45 FW01 openvpn[83584]: 1.1.1.1:13724 peer info: IV_LZ4v2=1
Jul 23 22:14:45 FW01 openvpn[83584]: 1.1.1.1:13724 peer info: IV_LZO=1
Jul 23 22:14:45 FW01 openvpn[83584]: 1.1.1.1:13724 peer info: IV_COMP_STUB=1
Jul 23 22:14:45 FW01 openvpn[83584]: 1.1.1.1:13724 peer info: IV_COMP_STUBv2=1
Jul 23 22:14:45 FW01 openvpn[83584]: 1.1.1.1:13724 peer info: IV_TCPNL=1
Jul 23 22:14:45 FW01 openvpn[83584]: 1.1.1.1:13724 peer info: IV_GUI_VER=Viscosity_1.7.16_1616
Jul 23 22:14:45 FW01 openvpn: user 'user' authenticated using 'RADIUS'
Jul 23 22:14:45 FW01 openvpn[83584]: 1.1.1.1:13724 [user] Peer Connection Initiated with [AF_INET]1.1.1.1:13724
Jul 23 22:14:45 FW01 openvpn[83584]: user/1.1.1.1:13724 MULTI_sva: pool returned IPv4=10.10.9.6, IPv6=(Not enabled)
and this is the captured packet from RADIUS (the forum editor automatically converts attribute number 8 to a cool emoji!!!)

Packet capture on igb0:

09:23:04.200739 00:10:f3:48:8b:48 > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 129: (tos 0x0, ttl 64, id 47302, offset 0, flags [none], proto UDP (17), length 115)
    x.x.x.x.36079 > y.y.y.y.1812: [udp sum ok] RADIUS, length: 87
    y.y.y.y.1812 > x.x.x.x.36079: [udp sum ok] RADIUS, length: 144
    y.y.y.y.1812 > x.x.x.x.36079: [udp sum ok] RADIUS, length: 144
    Access-Request (1), id: 0x44, Authenticator: b418e7ddf712179455496510bbbbbbbb
      User-Name Attribute (1), length: 10, Value: user
        0x0000: 6d2e 6173 6761 7269
      Service-Type Attribute (6), length: 6, Value: Login
        0x0000: 0000 0001
      Framed-Protocol Attribute (7), length: 6, Value: #15
        0x0000: 0000 000f
      NAS-Identifier Attribute (32), length: 15, Value: 5d2d4bc3201dc
        0x0000: 3564 3264 3462 6333 3230 3164 63
      NAS-Port Attribute (5), length: 6, Value: 0
        0x0000: 0000 0000
      NAS-Port-Type Attribute (61), length: 6, Value: Ethernet
        0x0000: 0000 000f
      User-Password Attribute (2), length: 18, Value:
        0x0000: e791 dd59 4e8c eece 482f bc7b 00ca 1536

09:23:04.213550 00:50:56:9b:28:d6 > 00:10:f3:48:8b:48, ethertype IPv4 (0x0800), length 186: (tos 0x0, ttl 126, id 38837, offset 0, flags [none], proto UDP (17), length 172)
    Access-Accept (2), id: 0x44, Authenticator: 43e59d3b995895826d512439ccccccc
      Framed-IP-Netmask Attribute (9), length: 6, Value: 255.255.255.0
        0x0000: ffff ff00
      Framed-Protocol Attribute (7), length: 6, Value: PPP
        0x0000: 0000 0001
      Idle-Timeout Attribute (28), length: 6, Value: 30:00 min
        0x0000: 0000 0708
      Service-Type Attribute (6), length: 6, Value: Framed
        0x0000: 0000 0002
      Framed-IP-Address Attribute (8), length: 6, Value: 192.168.248.101
        0x0000: c0a8 f865
      Class Attribute (25), length: 46, Value: I...
        0x0000: 4986 0492 0000 0137 0001 0200 ac10 0a0a
        0x0010: 0000 0000 0000 0000 0000 0000 01d5 409b
        0x0020: 2104 9ec8 0000 0000 0000 004a
      Vendor-Specific Attribute (26), length: 12, Value: Vendor: Microsoft (311)
        Vendor Attribute: 14, Length: 4, Value: ...2
        0x0000: 0000 0137 0e06 0000 0032
      Vendor-Specific Attribute (26), length: 12, Value: Vendor: Microsoft (311)
        Vendor Attribute: 15, Length: 4, Value: ...x
        0x0000: 0000 0137 0f06 0000 0078
      Vendor-Specific Attribute (26), length: 12, Value: Vendor: Microsoft (311)
        Vendor Attribute: 7, Length: 4, Value: ....
        0x0000: 0000 0137 0706 0000 0002
      Vendor-Specific Attribute (26), length: 12, Value: Vendor: Microsoft (311)
        Vendor Attribute: 8, Length: 4, Value: ....
        0x0000: 0000 0137 0806 0000 000e

09:23:04.213580 00:50:56:9b:28:d6 > 00:10:f3:48:8b:48, ethertype IPv4 (0x0800), length 186: (tos 0x0, ttl 126, id 50014, offset 0, flags [none], proto UDP (17), length 172)
    Access-Accept (2), id: 0x44, Authenticator: 43e59d3b995895826d512439eeeeeeee
      Framed-IP-Netmask Attribute (9), length: 6, Value: 255.255.255.0
        0x0000: ffff ff00
      Framed-Protocol Attribute (7), length: 6, Value: PPP
        0x0000: 0000 0001
      Idle-Timeout Attribute (28), length: 6, Value: 30:00 min
        0x0000: 0000 0708
      Service-Type Attribute (6), length: 6, Value: Framed
        0x0000: 0000 0002
      Framed-IP-Address Attribute (8), length: 6, Value: 192.168.248.101
        0x0000: c0a8 f865
      Class Attribute (25), length: 46, Value: I...
        0x0000: 4986 0492 0000 0137 0001 0200 ac10 0a0a
        0x0010: 0000 0000 0000 0000 0000 0000 01d5 409b
        0x0020: 2104 9ec8 0000 0000 0000 004a
      Vendor-Specific Attribute (26), length: 12, Value: Vendor: Microsoft (311)
        Vendor Attribute: 14, Length: 4, Value: ...2
        0x0000: 0000 0137 0e06 0000 0032
      Vendor-Specific Attribute (26), length: 12, Value: Vendor: Microsoft (311)
        Vendor Attribute: 15, Length: 4, Value: ...x
        0x0000: 0000 0137 0f06 0000 0078
      Vendor-Specific Attribute (26), length: 12, Value: Vendor: Microsoft (311)
        Vendor Attribute: 7, Length: 4, Value: ....
        0x0000: 0000 0137 0706 0000 0002
      Vendor-Specific Attribute (26), length: 12, Value: Vendor: Microsoft (311)
        Vendor Attribute: 8, Length: 4, Value: ....
        0x0000: 0000 0137 0806 0000 000e
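The capture above already contains everything a NAS needs to hand the client a static address, so it is worth seeing the Access-Accept decoded byte by byte. The script below is an added example written for this thread, not OPNsense or OpenVPN code: it rebuilds the Access-Accept (id 0x44) from the attribute hex dumps in the capture, verifies the RFC 2865 Response Authenticator (the check a NAS must pass before trusting any attribute), walks the attribute TLVs with length checks, and prints the `ifconfig-push` line a client-connect script would emit from Framed-IP-Address and Framed-IP-Netmask. The shared secret and the Access-Request authenticator are constructed, since the real ones are not on the page (the capture's authenticators are redacted); the `ifconfig-push` form assumes `topology subnet`, where the second argument is the netmask.

```python
"""Decode a RADIUS Access-Accept and derive the OpenVPN ifconfig-push it implies.

Added example, not OPNsense or OpenVPN code. Attribute bytes are reconstructed
from the hex dumps in the capture; the secret and request authenticator are
constructed because the page does not show them.
"""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

ACCESS_ACCEPT = 2
# RFC 2865 attribute types that appear in the capture
SERVICE_TYPE, FRAMED_PROTOCOL, FRAMED_IP_ADDRESS, FRAMED_IP_NETMASK = 6, 7, 8, 9
CLASS, VENDOR_SPECIFIC, IDLE_TIMEOUT = 25, 26, 28
IPV4_ATTRS = {FRAMED_IP_ADDRESS, FRAMED_IP_NETMASK}
INTEGER_ATTRS = {SERVICE_TYPE, FRAMED_PROTOCOL, IDLE_TIMEOUT}
MICROSOFT = 311


def attr(atype, value):
    """Encode one attribute as Type, Length (header included), Value."""
    return bytes([atype, 2 + len(value)]) + value


def vsa(vendor_id, vtype, value):
    """Vendor-Specific attribute: Vendor-Id, then a vendor Type/Length/Value."""
    return attr(VENDOR_SPECIFIC, struct.pack(">I", vendor_id) + attr(vtype, value))


# Attribute payload of the captured Access-Accept (id 0x44), in capture order.
CAPTURED_ATTRIBUTES = (
    attr(FRAMED_IP_NETMASK, bytes.fromhex("ffffff00"))
    + attr(FRAMED_PROTOCOL, bytes.fromhex("00000001"))  # PPP
    + attr(IDLE_TIMEOUT, bytes.fromhex("00000708"))      # 1800 s = 30 min
    + attr(SERVICE_TYPE, bytes.fromhex("00000002"))      # Framed
    + attr(FRAMED_IP_ADDRESS, bytes.fromhex("c0a8f865"))
    + attr(CLASS, bytes.fromhex("498604920000013700010200ac100a0a"
                                "00000000000000000000000001d5409b"
                                "21049ec8000000000000004a"))
    + vsa(MICROSOFT, 14, bytes.fromhex("00000032"))
    + vsa(MICROSOFT, 15, bytes.fromhex("00000078"))
    + vsa(MICROSOFT, 7, bytes.fromhex("00000002"))
    + vsa(MICROSOFT, 8, bytes.fromhex("0000000e"))
)
SECRET = b"constructed-shared-secret"   # constructed: not on the page
REQUEST_AUTHENTICATOR = bytes(range(16))  # constructed: capture value is redacted


def build_access_accept(identifier, attributes, request_authenticator, secret):
    """RFC 2865 s3: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack(">BBH", ACCESS_ACCEPT, identifier, 20 + len(attributes))
    digest = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + digest + attributes


def verify_response_authenticator(packet, request_authenticator, secret):
    """A NAS must recompute the Response Authenticator before trusting any attribute."""
    if len(packet) < 20 or struct.unpack(">H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(data):
    """Walk the TLVs; refuse malformed lengths rather than silently mis-parsing."""
    result, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError(f"bad length {length} for attribute {atype}")
        value = data[pos + 2:pos + length]
        if atype in IPV4_ATTRS and len(value) == 4:
            decoded = str(IPv4Address(value))
        elif atype in INTEGER_ATTRS and len(value) == 4:
            decoded = struct.unpack(">I", value)[0]
        elif atype == VENDOR_SPECIFIC and len(value) >= 6:
            decoded = (struct.unpack(">I", value[:4])[0], value[4], value[6:4 + value[5]])
        else:
            decoded = value  # Class and anything unknown stay opaque bytes
        result.append((atype, decoded))
        pos += length
    return result


def decode_access_accept(packet, request_authenticator, secret):
    """Verify the authenticator and the code, then return the decoded attribute list."""
    if not verify_response_authenticator(packet, request_authenticator, secret):
        raise ValueError("Response Authenticator mismatch: wrong secret or forged reply")
    if packet[0] != ACCESS_ACCEPT:
        raise ValueError(f"not an Access-Accept (code {packet[0]})")
    return parse_attributes(packet[20:])


def first(attributes, atype):
    return next((v for t, v in attributes if t == atype), None)


def framed_ifconfig_push(attributes):
    """ifconfig-push a client-connect script would emit (assumes topology subnet)."""
    ip, mask = first(attributes, FRAMED_IP_ADDRESS), first(attributes, FRAMED_IP_NETMASK)
    if ip is None or mask is None:
        return None  # no static address from RADIUS: OpenVPN falls back to its pool
    return f"ifconfig-push {ip} {mask}"


ACCESS_ACCEPT_PACKET = build_access_accept(0x44, CAPTURED_ATTRIBUTES, REQUEST_AUTHENTICATOR, SECRET)

if __name__ == "__main__":
    attrs = decode_access_accept(ACCESS_ACCEPT_PACKET, REQUEST_AUTHENTICATOR, SECRET)
    for atype, value in attrs:
        print(atype, value)
    print(framed_ifconfig_push(attrs))
```

The rebuilt packet is 144 bytes, matching the `RADIUS, length: 144` in the capture, and decodes to exactly the values the tester shows (Framed-IP-Address 192.168.248.101, Framed-IP-Netmask 255.255.255.0, Idle-Timeout 1800 s). If a NAS is given this reply and still pulls 10.10.9.6 from the pool, the attributes are arriving intact; the gap is between the authentication step and the address assignment step on the OpenVPN side, not in what the RADIUS server sends.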
Why are the tunnel network and the RADIUS IP in different networks? Can you test when both are the same?
That was just for demonstrating the issue. I tested with the same tunnel address in the first place, with the same result.
Any suggestions?