Issues authenticating using RADIUS

technoeuan
Posts: 5
Joined: Sun Jan 08, 2017 4:47 pm

Post by technoeuan » Sun Jan 08, 2017 4:51 pm

Software: Freeradius
OS: Ubuntu 14.04

I am attempting to connect via L2TP/IPSec with an Android device, and the RADIUS server successfully authenticates the connection, yet it still fails:

Ready to process requests.
rad_recv: Access-Request packet from host 137.74.***.*** port 50096, id=31, length=123
User-Name = "Admin"
User-Password = "admin"
NAS-Identifier = "SoftEther VPN Server"
Service-Type = Framed-User
NAS-Port-Type = Virtual
Tunnel-Type:0 = PPTP
Tunnel-Medium-Type:0 = IPv4
Calling-Station-Id = "86.153.***.***"
Tunnel-Client-Endpoint:0 = "86.153.***.***"
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "Admin", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[sql] expand: %{User-Name} -> Admin
[sql] sql_set_user escaped user --> 'Admin'
rlm_sql (sql): Reserving sql socket id: 1
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'Admin' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'Admin' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'Admin' ORDER BY priority
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "admin"
[pap] Using clear text password "admin"
[pap] User authenticated successfully
++[pap] returns ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
[sql] expand: %{User-Name} -> Admin
[sql] sql_set_user escaped user --> 'Admin'
[sql] expand: %{User-Password} -> admin
[sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'Admin', 'admin', 'Access-Accept', '2017-01-08 16:45:37')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'Admin', 'admin', 'Access-Accept', '2017-01-08 16:45:37')
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql (sql): Released sql socket id: 0
++[sql] returns ok
++[exec] returns noop
Sending Access-Accept of id 31 to 137.74.xxx.xxx port 50096
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 31 with timestamp +219
Ready to process requests.

I have added the user * with RADIUS authentication on the VPN.

Any ideas?

moatazelmasry
Posts: 336
Joined: Sat Aug 15, 2015 7:41 pm

Re: Issues authenticating using RADIUS

Post by moatazelmasry » Sun Jan 08, 2017 8:27 pm

The radius log looks fine.
Please post the SoftEther log.

btw, are freeradius and SoftEther on the same machine?

Post by technoeuan » Sun Jan 08, 2017 10:27 pm

moatazelmasry wrote:
> The radius log looks fine.
> Please post SoftEther log
>
> btw, are freeradius and SoftEther on the same machine?

It's okay, I figured it out... I had to disable the NAT of SecureNAT.

Thanks anyway

Post by technoeuan » Sun Jan 08, 2017 10:30 pm

Okay, now I've disabled NAT... there is no network connection!?

Post by moatazelmasry » Mon Jan 09, 2017 11:33 am

Because you need to create a bridge.

I respectfully suggest not jumping from one solution to the other like that. If you are using SecureNAT, then just keep using it for the moment and try to solve your problems one after the other.

Now please post your SE logfile

Post by technoeuan » Tue Jan 10, 2017 11:01 pm

--
Last edited by technoeuan on Sat Jan 14, 2017 3:24 pm, edited 1 time in total.

Post by moatazelmasry » Wed Jan 11, 2017 11:02 am

Is freeradius showing any errors?

Best if you start free radius using:
$ radiusd -X

Post by technoeuan » Wed Jan 11, 2017 1:32 pm

Sorry, I should've said, I tried that and the iOS device doesn't seem to be even reaching the RADIUS server. I've only tested quickly but the issue seems to occur on Windows as well...

Post by moatazelmasry » Thu Jan 12, 2017 5:37 pm

The clients (Windows, iOS, etc.) do not attempt to reach RADIUS. SoftEther connects to RADIUS.

How come you say that nothing is reaching Radius, while in a previous email you showed a radius log and an attempt to access it?

Please stick to one setup and one device, otherwise it is impossible to help.

So ground rules:
- Radius Server is working, and you can test it remotely using a tool like radtest
- You are testing from one client (let us say, L2TP on iOS)
- SE is using SecureNAT
- SE is working fine, when not using freeradius. Test that by creating a user on SE and see whether you can connect to it from iOS

Can you please test that