Koozali.org: home of the SME Server

Radius Authentication

si_blakely
Radius Authentication
« on: July 02, 2014, 03:56:13 AM »
I'm working on getting SoftEther VPN (SSL, L2TP and OpenVPN compatible opensource VPN) working on SME9. It works well, although there is no Linux-side configuration (the Windows server manager is pretty good).

The next thing is to get Radius Authentication working for local users on SME. Can anyone give me some pointers on the sorts of settings I need to make the SME Radius service respond to requests (which will be coming from the self IP).

Simon

Stefano

CharlieBrady
Re: Radius Authentication
« Reply #2 on: July 02, 2014, 07:01:25 PM »
Quote
I'm working on getting SoftEther VPN (SSL, L2TP and OpenVPN compatible opensource VPN) working on SME9.

Are you planning to share your work with others?

Quote
The next thing is to get Radius Authentication working for local users on SME. Can anyone give me some pointers on the sorts of settings I need to make the SME Radius service respond to requests (which will be coming from the self IP).

I think the 'devinfo' mailing list is likely a better place to seek guidance on how to develop contribs.

si_blakely
Re: Radius Authentication
« Reply #3 on: July 02, 2014, 11:13:25 PM »
Stefano,

I had read that thread - it isn't very clear, and didn't actually provide any clarity to me. I'd prefer to use LDAP, but SoftEther only does ActiveDirectory and not LDAP directly.

CharlieBrady,

I do hope to share this, once I get my head around creating some RPMs that don't seem to already exist in a recognised repository (OpenVSwitch, SoftEtherVPN) and the SME wrapping needed. However, I do need to run my own 9.0 upgrade.

Simon

Stefano
Re: Radius Authentication
« Reply #4 on: July 02, 2014, 11:54:32 PM »
Quote
Stefano,

I had read that thread - it isn't very clear, and didn't actually provide any clarity to me. I'd prefer to use LDAP, but SoftEther only does ActiveDirectory and not LDAP directly.

mmmhhh...

on SME side:
Code:
db hosts set radius.yourdomain.tld host RadiusKey ULTRASECRETPASSWORD
signal-event remoteaccess-update

on SoftEtherVPN side:
Quote
There are software based and hardware based RADIUS servers (authentication server that supports RADIUS protocol), both of which are widely used. Thus companies and Internet service providers that have RADIUS based authentication service can conduct user authentication by RADIUS server.

If users set to use RADIUS authentication conduct user authentication, the authentication data sent by the user (encrypted by SSL) is sent from the SoftEther VPN Server to the RADIUS server set in advance. Users that pass user authentication by the RADIUS server are permitted by the SoftEther VPN Server to connect. In any other case, permission will be denied (if user authentication fails or if RADIUS server cannot be accessed).

If using RADIUS authentication, the IP address of the SoftEther VPN Server is registered on the RADIUS server side, and after a password called "shared secret" is decided, Virtual Hub settings are changed. The RADIUS server to be used can be set for each Virtual Hub, and security settings of Virtual Hubs are independent of each other. The following 3 items are required to set RADIUS server settings for a Virtual Hub.

    Host name and IP address of RADIUS server to be used
    UDP port number of RADIUS server to be used
    Shared secret decided in advance

This information can be obtained from the RADIUS server administrator. The RADIUS server to be used must be set to enable use of Password Authentication Protocol (PAP).

radius listens on 1812 udp
Code:
[root@fileserver ~]$ netstat -nap| grep 1812
udp        0      0 0.0.0.0:1812                0.0.0.0:*                               28046/radiusd

what else do you need? what did you try? did you get any error?

CharlieBrady
Re: Radius Authentication
« Reply #5 on: July 03, 2014, 12:56:22 AM »
Quote
I do hope to share this, once I get my head around creating some RPMs that don't seem to already exist in a recognised repository (OpenVSwitch, SoftEtherVPN) and the SME wrapping needed.

You'll get more help if you post what you are doing, and what is working for you and what not working.

And I think you'll get more help on devinfo than you will get posting here.

si_blakely
Re: Radius Authentication
« Reply #6 on: July 28, 2014, 07:14:53 AM »
Had far too many delays in getting back to this ...

My expectation is that I should be able to initially verify Radius Authentication locally by using ...

Code:
radtest <username> <password> localhost 10 <radius_secret>
as the default configuration from /etc/radiusd/client.conf contains ...

Code:
client localhost {
secret = <radius_secret>
shortname = localhost
nastype = other
}

I get the response ...
Code:
Sending Access-Request of id 96 to 127.0.0.1 port 1812
        User-Name = "<username>"
        User-Password = "<password>"
        NAS-IP-Address = 192.168.1.102
        NAS-Port = 10
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=96, length=20

So I tried adding ...
Code:
db hosts set home.<domain> host RadiusKey <radius_secret> HostType Local InternalIP 192.168.1.102
signal-event remoteaccess-update

Which gives
Code:
client localhost {
secret = <radius_secret>
shortname = localhost
nastype = other
}
client 192.168.1.102 {
secret = <radius_secret>
shortname = home
nastype = other
}

but still no joy...
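The two posts above describe the RADIUS pieces that have to line up for this to work: the shared secret from the SME `db hosts ... RadiusKey` entry that ends up in `clients.conf`, the server accepting PAP, UDP port 1812, and the `radtest` Access-Request with its User-Password, NAS-IP-Address, NAS-Port and Message-Authenticator attributes followed by a 20-byte Access-Reject. The block below is an added example, not code from SME Server, FreeRADIUS or SoftEther, that builds exactly that Access-Request on the wire (RFC 2865 PAP password hiding, RFC 2869 Message-Authenticator), then plays the server side: decoding the password, checking the Message-Authenticator, and issuing an Access-Accept or Access-Reject whose Response Authenticator the client verifies. The username, password, shared secret and NAS address are constructed test values.

```python
"""RADIUS (RFC 2865/2869) PAP Access-Request builder and response checker.
Added example; not from the SME Server, FreeRADIUS or SoftEther projects.
All credentials and addresses here are constructed test values."""
import hashlib
import hmac
import os
import socket
import struct

# Packet codes and the attribute types radtest prints.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # code(1) id(1) length(2) authenticator(16)


def encode_pap_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator.
    This is obfuscation keyed by the shared secret, not encryption: PAP must be
    allowed on the server, and the secret must match on both sides."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def decode_pap_password(encoded: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: inverse of encode_pap_password, trailing padding stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(encoded), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(encoded[i:i + 16], block))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; Length includes the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(packet: bytes) -> list:
    """Return [(type, value), ...]; refuses malformed attribute lengths."""
    attrs, pos = [], HEADER_LEN
    while pos < len(packet):
        if len(packet) - pos < 2:
            raise ValueError("truncated attribute header")
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("bad attribute length")
        attrs.append((t, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def build_access_request(ident, username, password, secret, nas_ip, nas_port, request_auth=None):
    """Client side: the packet radtest sends. Returns (packet, request_auth)."""
    request_auth = request_auth or os.urandom(16)  # must be unpredictable and never reused
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, encode_pap_password(password.encode(), secret, request_auth))
             + attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attribute(NAS_PORT, struct.pack("!I", nas_port))
             + attribute(MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs)) + request_auth
    # RFC 2869 3.2: HMAC-MD5 over the whole packet with the attribute value zeroed (the form
    # radtest prints); it is the last attribute here, so overwrite its final 16 bytes.
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac, request_auth


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server side: recompute the HMAC-MD5 with the attribute value zeroed."""
    pos = HEADER_LEN
    for t, value in parse_attributes(packet):
        if t == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
        pos += 2 + len(value)
    return False


def build_response(code, ident, request_auth, secret, attrs=b""):
    """Server side. Response Authenticator = MD5(code+id+length+RequestAuth+attrs+secret).
    A bare Access-Reject is exactly HEADER_LEN (20) bytes, as in the radtest output."""
    head = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def check_response(packet, request_auth, secret, expected_ident):
    """Client side: return the code only if the id matches and the Response
    Authenticator verifies under our shared secret; otherwise None (treat as no reply)."""
    if len(packet) < HEADER_LEN:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or ident != expected_ident:
        return None
    expected = hashlib.md5(packet[:4] + request_auth + packet[HEADER_LEN:] + secret).digest()
    return code if hmac.compare_digest(packet[4:HEADER_LEN], expected) else None
```

To try it against a real server, send the packet from `build_access_request` over UDP to port 1812 and pass the reply to `check_response`; a `None` result should be handled like a timeout, since a reply that does not verify under the configured secret is worthless. A bare 20-byte Access-Reject carries no Reply-Message, so the reason for the rejection only shows in the server's own log or debug output. FreeRADIUS silently ignores requests from source addresses with no `clients.conf` entry, so getting a Reject at all shows the client entry and shared secret were accepted and the failure is on the user lookup side.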

idp_qbn
Re: Radius Authentication
« Reply #7 on: July 29, 2014, 11:23:39 AM »
Moderator,
Should this be moved to General Discussion?

si_blakely
Please do what Charlie says -  Take it to the devinfo mailing list.  :)

Good luck with what you are trying.
Ian
___________________
Sydney, NSW, Australia

Stefano
Re: Radius Authentication
« Reply #8 on: July 29, 2014, 11:58:05 AM »
Moving to General Discussion as requested

si_blakely
Re: Radius Authentication
« Reply #9 on: July 29, 2014, 11:06:36 PM »
Not wanting to start any battles here but ...

Radiusd is a core SME9 delivered service, and wanting to know how it can/should be used is (I thought) pretty straightforward. This is why it was posted where it was (SME9)

I guess I hoped someone else may have tested this for some other purpose, and could give me pointers.

Looks like I'm the bleeding edge ...

Si

CharlieBrady
Re: Radius Authentication
« Reply #10 on: July 30, 2014, 04:10:26 AM »
Quote
Radiusd is a core SME9 delivered service...

Not really.  It's something that's there to allow PPTP password authentication to work.

As I said before (and Ian also suggested), if you want to talk to people who can help you, the devinfo mailing list is likely to be more productive than here.

si_blakely
Re: Radius Authentication
« Reply #11 on: July 30, 2014, 04:51:05 AM »
Ok, your call. I have subscribed to the devinfo mailing list, so I will raise further issues there.

I have now made it work to some degree (enough to get SoftEther VPN authenticating, which was a win for me) ...

But I had to do some serious massaging of /etc/raddb/users to make it work in any way.

I'll raise bug reports if I think there are fundamental problems with radiusd.

Si

Stefano
Re: Radius Authentication
« Reply #12 on: July 30, 2014, 11:19:17 AM »
Quote
Radiusd is a core SME9 delivered service

radiusd is part of SME8 too (see Charlie's answer) and I got it running on SME7 too..
since your question is about using Radius and it is not strictly bound to SME9, this is the right place to post.. a better one is bugzilla :-)

guest22