SoftEtherVPN integration with FreeRadius and FreeIPA

techdanger
Posts: 2
Joined: Fri Oct 14, 2016 8:30 am

SoftEtherVPN integration with FreeRadius and FreeIPA

Post by techdanger » Fri Oct 14, 2016 10:26 am

Dear all,

Currently I am having trouble integrating SoftEther VPN to authenticate with FreeRadius with users from FreeIPA (LDAP). Below are several tests that I have done:

1. Test from the radius server itself (IP addr 192.168.10.61)

root@radcorp ~]# radtest infra1 infra1pwd 192.168.10.61 0 secret1
Sending Access-Request Id 59 from 0.0.0.0:51322 to 192.168.10.61:1812
User-Name = 'infra1'
User-Password = 'infra1pwd'
NAS-IP-Address = 192.168.10.61
NAS-Port = 0
Message-Authenticator = 0x00
Received Access-Accept Id 59 from 192.168.10.61:1812 to 192.168.10.61:51322 length 20

The above user and password are from the account of FreeIPA users...

Below is the config of the client.conf of FreeRadius:
client softethervpn {
ipaddr = 192.168.10.63/24
secret = secret1
}

FreeRadius -X debug output
--stripped-----
rlm_ldap (ldap): Reserved connection (4)
(0) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(0) ldap : --> (uid=infra1)
(0) ldap : EXPAND cn=users,cn=accounts,dc=company,dc=co,dc=id
(0) ldap : --> cn=users,cn=accounts,dc=company,dc=co,dc=id
(0) ldap : Performing search in 'cn=users,cn=accounts,dc=company,dc=co,dc=id' with filter '(uid=infra1)', scope 'sub'
(0) ldap : Waiting for search result...
(0) ldap : User object found at DN "uid=infra1,cn=users,cn=accounts,dc=company,dc=co,dc=id"
(0) ldap : Processing user attributes
(0) WARNING: ldap : No "known good" password added. Ensure the admin user has permission to read the password attribute
(0) WARNING: ldap : PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (4)
(0) [ldap] = ok
(0) if ((ok || updated ) && User-Password)
(0) if ((ok || updated ) && User-Password) -> TRUE
(0) if ((ok || updated ) && User-Password) {
(0) update {
(0) control:Auth-Type := LDAP
(0) } # update = noop
(0) } # if ((ok || updated ) && User-Password) = noop
(0) [expiration] = noop
(0) [logintime] = noop
(0) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type
(0) WARNING: pap : Authentication will fail unless a "known good" password is available
(0) [pap] = noop
(0) } # authorize = ok
(0) Found Auth-Type = LDAP
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Auth-Type LDAP {
(0) ldap : Login attempt by "infra1"
rlm_ldap (ldap): Reserved connection (4)
(0) ldap : Using user DN from request "uid=infra1,cn=users,cn=accounts,dc=company,dc=co,dc=id"
(0) ldap : Waiting for bind result...
(0) ldap : Bind successful
(0) ldap : Bind as user "uid=infra1,cn=users,cn=accounts,dc=company,dc=co,dc=id" was successful
rlm_ldap (ldap): Released connection (4)
(0) [ldap] = ok
(0) } # Auth-Type LDAP = ok
(0) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(0) post-auth {
(0) [exec] = noop
(0) remove_reply_message_if_eap remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message)




2. Test from SoftEther VPN to the radius server (IP addr 192.168.10.63)

root@softethercorp:~# radtest infra1 infra1pwd 192.168.10.61 0 secret1
Sending Access-Request of id 136 to 192.168.10.61 port 1812
User-Name = "infra1"
User-Password = "infra1pwd"
NAS-IP-Address = 192.168.10.63
NAS-Port = 0
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 192.168.10.61 port 1812, id=136, length=20


In the SoftEtherVPN config I have added user * with Radius authentication to pass all of the authentication to the FreeRadius server. But the SoftEther VPN client is unable to authenticate... Kindly help... Thank you...

moatazelmasry
Posts: 336
Joined: Sat Aug 15, 2015 7:41 pm

Re: SoftEtherVPN integration with FreeRadius and FreeIPA

Post by moatazelmasry » Mon Oct 17, 2016 3:56 pm

which vpn protocol are you using?

techdanger
Posts: 2
Joined: Fri Oct 14, 2016 8:30 am

Re: SoftEtherVPN integration with FreeRadius and FreeIPA

Post by techdanger » Tue Oct 18, 2016 4:36 am

moatazelmasry wrote:
> which vpn protocol are you using?

I'm using VPN over HTTPS...

moatazelmasry
Posts: 336
Joined: Sat Aug 15, 2015 7:41 pm

Re: SoftEtherVPN integration with FreeRadius and FreeIPA

Post by moatazelmasry » Wed Oct 19, 2016 11:46 am

Ok. One more idea:
When doing a radtest with specifying the authentication type "-t" then pap is used by default.
If you are on a Windows machine, the method mschap will be used by default. Now it is possible that mschap is not enabled in radius. If all my assumptions are correct, then please enable mschap on freeradius and try the following:
" radtest -t mschap infra1 infra1pwd 192.168.10.61 0 secret1 "

In all cases, please have a look at the log files of SE and add the server_log file here.

Cheers
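
The -X output in the first post already shows which of the two request types named in the reply above this FreeRADIUS setup can verify. As an added example (not code from the thread or from FreeRADIUS), the Python below reads those debug lines, copied into `SAMPLE_DEBUG`, and reports it; the function names and result keys are assumptions made for the example.

```python
import re

# Lines copied from the "FreeRadius -X debug output" in the first post.
SAMPLE_DEBUG = '''\
(0) WARNING: ldap : No "known good" password added. Ensure the admin user has permission to read the password attribute
(0) control:Auth-Type := LDAP
(0) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type
(0) Found Auth-Type = LDAP
(0) ldap : Bind as user "uid=infra1,cn=users,cn=accounts,dc=company,dc=co,dc=id" was successful
'''

def classify_auth_path(debug_text):
    """Summarise how one request in `radiusd -X` output was authenticated."""
    summary = {"auth_type": None, "missing_known_good": False,
               "ldap_bind_ok": False, "bound_dn": None}
    for line in debug_text.splitlines():
        m = re.search(r'Found Auth-Type = (\S+)', line)
        if m:
            summary["auth_type"] = m.group(1)
        if 'No "known good" password' in line:
            summary["missing_known_good"] = True
        m = re.search(r'Bind as user "([^"]+)" was successful', line)
        if m:
            summary["ldap_bind_ok"] = True
            summary["bound_dn"] = m.group(1)
    return summary

def diagnose(summary):
    """Say which request types the logged configuration can verify."""
    return {
        # An LDAP bind needs the clear-text User-Password from the request,
        # which only a PAP request carries.
        "pap_via_ldap_bind": summary["auth_type"] == "LDAP"
                             and summary["ldap_bind_ok"],
        # mschap is challenge-response: the server needs a Cleartext-Password
        # or NT-Password for the user (or an external helper such as
        # ntlm_auth) to check the response. The warning says it has neither.
        "mschap_needs_password_source": summary["missing_known_good"],
    }

if __name__ == "__main__":
    summary = classify_auth_path(SAMPLE_DEBUG)
    print(summary)
    print(diagnose(summary))
```

A bind-only LDAP setup verifies PAP requests because the clear-text User-Password is there to bind with. An mschap request carries only a challenge response, so the two warning lines start to matter as soon as the client stops sending PAP.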
