
How to Set Up Framed IP Using Active Directory and the msRADIUSFramedIPAddress Attribute

Overview

PhenixID Authentication Service (PAS) supports integration with all major user stores, including Microsoft Active Directory (AD). This guide focuses on retrieving the msRADIUSFramedIPAddress attribute from AD and converting it into a format suitable for use as the Framed-IP-Address (RADIUS attribute 8) in RADIUS responses.

This configuration is commonly used for assigning static IP addresses to RADIUS clients.


Configuration Steps

This guide uses a RADIUS username and password scenario, but the setup can be adapted for other scenarios.

Retrieve the msRADIUSFramedIPAddress Attribute

To collect the msRADIUSFramedIPAddress attribute from AD, update the LDAPSearchValve in your scenario's "Execution Flow." Add the following configuration:

{
  "name": "LDAPSearchValve",
  "config": { 
    "connection_ref": "<Your connection ref>",
    "base_dn": "dc=example,dc=com",
    "scope": "SUB",
    "size_limit": "0",
    "filter": "sAMAccountName={{request.User-name}}",
    "attributes": "msRADIUSFramedIPAddress" 
  }
}

  • connection_ref: Reference to your AD connection.
  • base_dn: The base distinguished name of your AD tree (e.g., dc=example,dc=com).
  • filter: Filters the search to match the provided username (sAMAccountName).
  • attributes: Specifies the msRADIUSFramedIPAddress attribute to retrieve.

Convert msRADIUSFramedIPAddress to a Usable Format

The msRADIUSFramedIPAddress attribute in AD is stored as an integer. To convert it to a human-readable IP address format, use a ScriptEvalValve.

Add the following ScriptEvalValve to your scenario:

{
  "name": "ScriptEvalValve",
  "enabled": "true",
  "config": {
    "mime_type": "application/javascript",
    "script": "var IP = parseInt(flow.items().get(0).getPropertyValue('msRADIUSFramedIPAddress')); var part1 = IP & 255; var part2 = ((IP >> 8) & 255); var part3 = ((IP >> 16) & 255); var part4 = ((IP >> 24) & 255); var realIP = part4 + '.' + part3 + '.' + part2 + '.' + part1; flow.items().get(0).addProperty('myip', realIP);"
  }
}

How It Works:

  1. Retrieve the msRADIUSFramedIPAddress value:
    • The script accesses the first item in the flow and retrieves the msRADIUSFramedIPAddress attribute.
  2. Convert the integer to IP format:
    • Each part of the IP address is calculated by bit-shifting and masking the integer.
  3. Store the converted IP:
    • The script creates a new property, myip, containing the human-readable IP address (e.g., 192.168.1.10).

Return the IP Address in the RADIUS Response

After the IP address is converted and stored in the myip property, return it as RADIUS Attribute 8 (Framed-IP-Address).

  1. Navigate to the Advanced tab in your scenario.
  2. Add a response attribute to map the myip property to the Framed-IP-Address attribute.

Example Script for IP Conversion

Below is a more readable, formatted view of the script used in the ScriptEvalValve:

// Retrieve the msRADIUSFramedIPAddress attribute
var IP = parseInt(flow.items().get(0).getPropertyValue('msRADIUSFramedIPAddress'));

// Convert the integer into its IP address components
var part1 = IP & 255;
var part2 = (IP >> 8) & 255;
var part3 = (IP >> 16) & 255;
var part4 = (IP >> 24) & 255;

// Construct the readable IP address
var realIP = part4 + "." + part3 + "." + part2 + "." + part1;

// Add the converted IP address to the flow as 'myip'
flow.items().get(0).addProperty('myip', realIP);
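
The script above produces "0.0.0.0" whenever parseInt returns NaN (a missing or non-numeric value), because NaN becomes 0 in bitwise operations. The following is an added example, not PhenixID's own code, of a validating variant that sets myip only when the value decodes cleanly, including the negative values AD's signed 32-bit integer yields for addresses at or above 128.0.0.0. The helper names framedIpFromAd and applyFramedIp are hypothetical, and it assumes a missing attribute comes back as null or an empty string and that a stored 0 means "no address assigned".

```javascript
// Added example: validating variant of the page's conversion (ES5 syntax, like the original).
// framedIpFromAd and applyFramedIp are hypothetical helper names, not part of PAS.
function framedIpFromAd(raw) {
  // Assumption: a missing attribute is returned as null/undefined or an empty string.
  if (raw === null || raw === undefined) return null;
  var text = String(raw).trim();
  // Accept only an optionally signed decimal integer. parseInt alone would
  // accept "10abc" and would turn other garbage into NaN, i.e. 0.0.0.0.
  if (!/^-?\d{1,10}$/.test(text)) return null;
  var n = Number(text);
  // AD holds the value as a signed 32-bit integer; the unsigned form is tolerated too.
  if (n < -2147483648 || n > 4294967295) return null;
  // >>> 0 reinterprets the number as unsigned 32-bit, so negatives decode correctly.
  var u = n >>> 0;
  // Assumption: 0 means "no static address"; never hand out 0.0.0.0.
  if (u === 0) return null;
  return [u >>> 24, (u >>> 16) & 255, (u >>> 8) & 255, u & 255].join('.');
}

// item is one element of flow.items(); only the two methods used by the
// page's script (getPropertyValue, addProperty) are called on it.
function applyFramedIp(item) {
  var ip = framedIpFromAd(item.getPropertyValue('msRADIUSFramedIPAddress'));
  // Leave 'myip' unset on failure so no bogus address is mapped to attribute 8.
  if (ip !== null) item.addProperty('myip', ip);
  return ip;
}

// In the ScriptEvalValve this would be called as: applyFramedIp(flow.items().get(0));
```

When applyFramedIp returns null, myip is not set, so how the scenario treats a response without attribute 8 should be checked for users who have no address in AD.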

Visual Guide

To return the myip property as attribute 8, add 8=myip to resp_attributes in the Advanced tab. The resulting scenario configuration looks like this:

{
  "name": "UsernamePasswordAndOTPAuthenticator",
  "config": {
    "uid_pwd_pipe": "7c4a7e32-8a63-44c8-b771-9950609146e2",
    "validate_otp_pipe": "542a1385-1474-4fc7-a2dc-1d21932a90df",
    "clientIP": "192.168.0.23,192.168.0.39",
    "client_character_encoding": "Windows-1252",
    "ar_attributes": "",
    "resp_attributes": "8=myip",
    "ac_attributes": "",
    "secret": "{enc}qG6skItdiLREr3/OfjTRI0YbACXeRTvPI2aLRAa9S/8=",
    "radius_config": "ecc7e094-236e-4568-9b99-d6e3bb0c9d97",
    "remove_ad_domain": "false",
    "session_ttl": "4",
    "alias_ttl": "3",
    "impersonation_check": "true",
    "safe_mode": "false",
    "challenge_message": "",
    "retry_challenge_message": ""
  },
  "created": "2021-10-25T09:15:26.806Z",
  "id": "0da1ccf3-f574-4a33-b40e-88b50f8ef3f4"
}

Summary

By following this guide, you can:

  1. Retrieve the msRADIUSFramedIPAddress attribute from Active Directory.
  2. Convert the stored integer into a usable IP address format.
  3. Return the converted IP as RADIUS Attribute 8 (Framed-IP-Address) in the response.

This setup ensures proper integration with AD for scenarios requiring static IP assignments to RADIUS clients.