[x] I have searched the existing issues and I'm convinced that mine is new.
tl;dr
I'd like OpenVPN to support RADIUS accounting.
Use case
I want to do authentication/authorization for OpenVPN in the following manner:
1. User starts VPN
2. OPNsense sends auth request to RADIUS
3. RADIUS responds with an IP from an IP pool (one pool per authorization group)
4. With the IP the firewall can determine the access rights of the authenticated user
This approach works fine so far; the only problem is that the IP pool must operate blindly. Without support for accounting, RADIUS will never know when an IP gets released, which can then lead to IP collisions.
I'm happy to contribute myself, but would need some advice on how it would best fit into the current architecture.
A good starting point could be to check how the other connector you found (https://github.com/brainly/openvpn-auth-radius) handles accounting; their workflow is probably different from ours, but maybe we can collect some ideas from it.
Since there are more authentication options possible per server, there might be a small challenge in finding out where to send the messages, but maybe you should start simple and try to send accounting messages to all supported authentication servers using data received from OpenVPN.
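The accounting messages discussed in this thread, as an added example (not code from OPNsense or from the linked connector): it builds RFC 2866 Accounting-Request Start/Stop packets carrying Framed-IP-Address, and a hypothetical pool-side handler releases the address only after verifying the Request Authenticator. The function names and the lease dictionary are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import struct

# RFC 2866 code and attribute numbers used here
ACCOUNTING_REQUEST = 4
USER_NAME, FRAMED_IP_ADDRESS, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 8, 40, 44
START, STOP = 1, 2


def _attr(attr_type, value):
    # type (1 octet), length (1 octet, counts the 2-octet header), value
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_accounting_request(ident, secret, status, user, framed_ip, session_id):
    attrs = (_attr(ACCT_STATUS_TYPE, struct.pack("!I", status))
             + _attr(USER_NAME, user.encode())
             + _attr(FRAMED_IP_ADDRESS, socket.inet_aton(framed_ip))
             + _attr(ACCT_SESSION_ID, session_id.encode()))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident & 0xFF, 20 + len(attrs))
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + attrs + secret)
    return header + hashlib.md5(header + bytes(16) + attrs + secret).digest() + attrs


def apply_to_pool(leases, packet, secret):
    """Hypothetical server side: verify the packet, then record or release the IP."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if packet[0] != ACCOUNTING_REQUEST or not hmac.compare_digest(expected, packet[4:20]):
        return False  # wrong shared secret or modified packet: pool stays untouched
    attrs, pos = {}, 20
    while pos < len(packet):
        length = packet[pos + 1] if pos + 1 < len(packet) else 0
        if length < 2 or pos + length > len(packet):
            return False  # malformed attribute
        attrs[packet[pos]] = packet[pos + 2:pos + length]
        pos += length
    ip, status = attrs.get(FRAMED_IP_ADDRESS, b""), attrs.get(ACCT_STATUS_TYPE, b"")
    if len(ip) != 4 or len(status) != 4 or ACCT_SESSION_ID not in attrs:
        return False
    ip, status = socket.inet_ntoa(ip), struct.unpack("!I", status)[0]
    if status == START:
        leases[ip] = attrs[ACCT_SESSION_ID]
    elif status == STOP and leases.get(ip) == attrs[ACCT_SESSION_ID]:
        del leases[ip]  # address returns to the pool
    return True
```

A Stop is matched against the session ID recorded at Start, so a late Stop from an earlier session cannot free an address that has since been handed to another client.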