Hi all, Thank you in advance for your help. i have users on a LDAP server and i want to make a vpn connection with one of my users using a vpn router. i can make a connection from a radius server to my LDAP server. But i don't now how i can do make a vpn connection with one of my users who is located on an LDAP server. Will you help me please Sorry for my english uness
Post radiusd -X output from the users request. Ivan Kalik Kalik Informatika ISP Dana 5/6/2008, "youness hsina" <youness.hsina@gmail.com> piše:
Hi all, Thank you in advance for your help. i have users on a LDAP server and i want to make a vpn connection with one of my users using a vpn router. i can make a connection from a radius server to my LDAP server. But i don't now how i can do make a vpn connection with one of my users who is located on an LDAP server. Will you help me please Sorry for my english uness
thank you for your response . radius# radiusd -X -A & Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /usr/local/etc/raddb/proxy.conf Config: including file: /usr/local/etc/raddb/clients.conf Config: including file: /usr/local/etc/raddb/snmp.conf Config: including file: /usr/local/etc/raddb/eap.conf Config: including file: /usr/local/etc/raddb/sql.conf main: prefix = "/usr/local" main: localstatedir = "/var" main: logdir = "/var/log" main: libdir = "/usr/local/lib" main: radacctdir = "/var/log/radacct" main: hostname_lookups = no main: snmp = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/radiusd/radiusd.pid" main: user = "(null)" main: group = "(null)" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/local/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = yes proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" pap: auto_header = yes Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "(null)" unix: group = "(null)" unix: radwtmp = "/var/log/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded LDAP ldap: server = "10.0.0.3" ldap: port = 389 ldap: net_timeout = 1 ldap: timeout = 4 ldap: timelimit = 3 ldap: identity = "cn=Manager,dc=iut-velizy,dc=uvsq,dc=fr" ldap: tls_mode = no ldap: start_tls = no ldap: tls_cacertfile = "(null)" ldap: tls_cacertdir = "(null)" ldap: tls_certfile = "(null)" ldap: tls_keyfile = "(null)" ldap: tls_randfile = "(null)" ldap: tls_require_cert = "allow" ldap: password = "secret" ldap: basedn = "dc=iut-velizy,dc=uvsq,dc=fr" ldap: filter = "(uid=%u)" ldap: base_filter = "(objectclass=radiusprofile)" ldap: default_profile = "(null)" ldap: profile_attribute = "radiusProfileDn" ldap: password_header = "(null)" ldap: password_attribute = "userPassword" ldap: access_attr = "(null)" ldap: groupname_attribute = "cn" ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" ldap: groupmembership_attribute = "(null)" ldap: dictionary_mapping = "/usr/local/etc/raddb/ldap.attrmap" ldap: ldap_debug = 0 ldap: ldap_connections_number = 5 ldap: compare_check_items = no ldap: access_attr_used_for_allow = yes ldap: do_xlat = yes ldap: set_auth_type = yes rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap<->radius mappings from file /usr/local/etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message conns: 0x2840f290 Module: Instantiated ldap (ldap) Module: Loaded eap eap: default_eap_type = "tls" eap: timer_expire = 60 eap: ignore_unknown_eap_types = yes eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/usr/local/etc/raddb/certs/serveur.pem" tls: certificate_file = "/usr/local/etc/raddb/certs/serveur.pem" tls: CA_file = "/usr/local/etc/raddb/certs/root.pem" tls: private_key_password = "whatever" tls: dh_file = "/usr/local/etc/raddb/certs/dh" tls: random_file = "/usr/local/etc/raddb/certs/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "%{User-Name}" tls: cipher_list = "(null)" tls: check_cert_issuer = "(null)" rlm_eap_tls: Loading the certificate file as a chain WARNING: rlm_eap_tls: Unable to set DH parameters. DH cipher suites may not work! WARNING: Fix this by running the OpenSSL command listed in eap.conf rlm_eap: Loaded and initialized type tls mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) radiusd.conf Auth-Type eap already configured - skipping Module: Loaded preprocess preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups" preprocess: hints = "/usr/local/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no preprocess: with_alvarion_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/usr/local/etc/raddb/users" files: acctusersfile = "/usr/local/etc/raddb/acct_users" files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/var/log/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1:51289, id=177, length=58 User-Name = "yhsina" User-Password = "yhsina" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "yhsina", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 modcall[authorize]: module "files" returns notfound for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for yhsina radius_xlat: '(uid=yhsina)' radius_xlat: 'dc=iut-velizy,dc=uvsq,dc=fr' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 10.0.0.3:389, authentication 0 rlm_ldap: bind as cn=Manager,dc=iut-velizy,dc=uvsq,dc=fr/secret to 10.0.0.3:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=iut-velizy,dc=uvsq,dc=fr, with filter (uid=yhsina) rlm_ldap: Added password {MD5}QB7nzyDzMgbAjyOoeKTjAg== in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user yhsina authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 modcall[authorize]: module "pap" returns updated for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type pap auth: type "PAP" Processing the authenticate section of radiusd.conf modcall: entering group PAP for request 0 rlm_pap: login attempt with password yhsina rlm_pap: Using MD5 encryption. rlm_pap: Normalizing MD5-Password from base64 encoding rlm_pap: User authenticated successfully modcall[authenticate]: module "pap" returns ok for request 0 modcall: leaving group PAP (returns ok) for request 0 Sending Access-Accept of id 177 to 127.0.0.1 port 51289 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... uness
Sending Access-Accept of id 177 to 127.0.0.1 <http://127.0.0.1> port 51289
Finished request 0
Going to the next request
Great, then you've been authenticated by the LDAP server and the RAdius server is sending an Access-Accept message to you VPN server. As far as FreeRadius is concerned everything is ok. it seems that your VPN server may be expecting more from the Radius server in order to establish the VPN connection, please check the documentation of this NAS. For instance, it may be expecting the Radius server to send the IP address of the client in a Framed-IP-Address attribute (if your NAS is setup to serve an IP pool). Hope this helps, Thibault PS: by the way your LDAP encrypted password has been sent to the mailinglist as an MD5 hash. If this is not a test paswword you should consider changing it. SAme for the password used to search entries in your LDAP direcotry (ldap: identity = "cn=Manager,dc=iut-velizy,dc=uvsq,dc=fr"), but I guess this one is really a test password.
rad_recv: Access-Request packet from host 127.0.0.1:51289, id=177, length=58
User-Name = "yhsina"
User-Password = "yhsina"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
..
rlm_ldap: Added password {MD5}QB7nzyDzMgbAjyOoeKTjAg== in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user yhsina authorized to use remote access
..
Sending Access-Accept of id 177 to 127.0.0.1 port 51289
So, it works fine. But that looks like a radtest, not VPN request to me. Ivan Kalik Kalik Informatika ISP
For Thibault : thank you for your reponse. For Ivan : not a vpn request ! it's a radtest request that i have made. i can make a vpn connection using a name of groupe and password which are configured in my router vpn not in my ldap server. the problem is : i don't know how to configure my router vpn or the radius server in order to use login/password which is located in my ldap server. thank you very much for your help ! 2008/6/5 Ivan Kalik <tnt@kalik.net>:
rad_recv: Access-Request packet from host 127.0.0.1:51289, id=177, length=58
User-Name = "yhsina"
User-Password = "yhsina"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
..
rlm_ldap: Added password {MD5}QB7nzyDzMgbAjyOoeKTjAg== in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user yhsina authorized to use remote access
..
Sending Access-Accept of id 177 to 127.0.0.1 port 51289
So, it works fine. But that looks like a radtest, not VPN request to me.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- HSINA Youness Etudiant R&T - IUT--Velizy 78140 Tél : 06.28.73.76.75
There is nothing to configure ie. it's already configured. You need to add the router to clients.conf and configure the vpn router to send requests to radius server. Ivan Kalik Kalik Informatika ISP Dana 5/6/2008, "youness hsina" <youness.hsina@gmail.com> piše:
For Thibault : thank you for your reponse.
For Ivan : not a vpn request ! it's a radtest request that i have made. i can make a vpn connection using a name of groupe and password which are configured in my router vpn not in my ldap server. the problem is : i don't know how to configure my router vpn or the radius server in order to use login/password which is located in my ldap server. thank you very much for your help !
2008/6/5 Ivan Kalik <tnt@kalik.net>:
rad_recv: Access-Request packet from host 127.0.0.1:51289, id=177, length=58
User-Name = "yhsina"
User-Password = "yhsina"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
..
rlm_ldap: Added password {MD5}QB7nzyDzMgbAjyOoeKTjAg== in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user yhsina authorized to use remote access
..
Sending Access-Accept of id 177 to 127.0.0.1 port 51289
So, it works fine. But that looks like a radtest, not VPN request to me.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- HSINA Youness Etudiant R&T - IUT--Velizy 78140 Tél : 06.28.73.76.75
i have already add my vpn router to my client.conf file like this : [...] client 10.0.0.0/8 { secret = root shortname = cisco vpn nastype = cisco } [...] the router also is already configured. here it is the configuration : Building configuration... Current configuration : 1809 bytes ! version 12.3 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname vpn ! boot-start-marker boot-end-marker ! ! memory-size iomem 10 aaa new-model ! ! aaa authentication login default local line aaa authentication login userauthen group radius aaa authentication ppp default group radius aaa authorization console aaa authorization exec default local aaa authorization network VPN-REMOTE-ACCESS local aaa accounting delay-start aaa accounting update periodic 180 aaa accounting network default start-stop group radius aaa session-id common ip subnet-zero ! ! ip cef ! ! ! ! ! ! ! ! ! ! ! ! ! username root password 0 root ! ! ! ! crypto isakmp policy 1 encr 3des authentication pre-share group 2 crypto isakmp keepalive 20 10 ! crypto isakmp client configuration group VPN-REMOTE-ACCESS key test123 dns 192.168.33.240 192.168.33.239 pool REMOTE-POOL ! ! crypto ipsec transform-set VPNTRANSFORM esp-3des esp-sha-hmac no crypto ipsec nat-transparency udp-encaps ! crypto dynamic-map DYNMAP 1 set transform-set VPNTRANSFORM reverse-route ! ! crypto map CLIENTMAP client authentication list userauthen crypto map CLIENTMAP isakmp authorization list VPN-REMOTE-ACCESS crypto map CLIENTMAP client configuration address respond crypto map CLIENTMAP 65535 ipsec-isakmp dynamic DYNMAP ! ! ! ! interface Ethernet0/0 ip address 10.0.0.1 255.255.255.0 full-duplex ! interface Ethernet1/0 ip address 192.168.33.31 255.255.255.0 full-duplex crypto map CLIENTMAP ! ip local pool REMOTE-POOL 10.0.0.10 10.0.0.15 ip http server no ip http secure-server ip classless ! ! ! ! radius-server configure-nas radius-server host 10.0.0.2 auth-port 1812 acct-port 1813 radius-server key root ! ! ! ! ! ! ! line con 0 line aux 0 line vty 0 4 ! ! end i have made a test on my router to request the radius server : routerVPN# test aaa group login password radius new-code and it works correctly ! to make a vpn connection with a client i'm usinf the "UGent Vpn" software. i saw in documentation on the site of cisco that i'm must configure "cisco-av-pair" in the radius server but i don't know and i don't have a graphic mode here it is the cisco web site : http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_examp... thank you very much for your reponses ;-) uness
i saw in documentation on the site of cisco that i'm must configure "cisco-av-pair" in the radius server but i don't know and i don't have a graphic mode
I have no idea what would graphic mode have to do with this. You might need to add Cisco-AVPair to ldap.attrmap and just add those attributes into the user ldap configuration. Since there are multiple attributes you will need to use += as the operator in order to get them all into the reply. Ivan Kalik Kalik Informatika ISP
thank you very much for your help . i'll do this. Best regards uness 2008/6/5 Ivan Kalik <tnt@kalik.net>:
i saw in documentation on the site of cisco that i'm must configure "cisco-av-pair" in the radius server but i don't know and i don't have a graphic mode
I have no idea what would graphic mode have to do with this. You might need to add Cisco-AVPair to ldap.attrmap and just add those attributes into the user ldap configuration. Since there are multiple attributes you will need to use += as the operator in order to get them all into the reply.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- HSINA Youness Etudiant R&T - IUT--Velizy 78140 Tél : 06.28.73.76.75
participants (3)
-
Ivan Kalik -
Thibault Le Meur -
youness hsina