
FreeRadius Setup

Posted: Mon May 19, 2014 8:57 pm
by gavstah
Hi there -

I have a working free radius server that works fine except for when I try to hook my softether server into it.

I have the server correctly configured in softether admin, but when I attempt to log into the softether server it appears to not connect to the radius server at all. (Using radius -X to debug).

This does not appear to be a firewall issue, as I temporarily disabled firewall on both radius and softether boxes to test.

Does anyone have a working freeradius setup?

Re: FreeRadius Setup

Posted: Tue May 27, 2014 1:41 am
by theodisbutler
You only need to make one change to your clients.conf file and it should work.

Re: FreeRadius Setup

Posted: Mon Jun 02, 2014 8:41 am
by n-retep
Hello,

I have the same problem as gavstah. I set up freeradius (in a VM) with LDAP (in another VM), and they communicate fine, and I installed softether vpn server (in a VM) and vpn client (in another VM), so that I have four VMs now. As the logs of vpn server and vpn client show, the communication is established, the authentication type is external and it fails with code 9. But it seems that the radius server receives no request from the vpn server. By RadiusServerGet I see that the radius server is set up correctly. The clients.conf is also set up correctly, the IP address and the secret are given. I have used tcpdump and there seems to be no traffic between the vpn server and the radius server.
@gavstah: Did you solve the problem? If so, how did you get it?

Anyone who could help?

Re: FreeRadius Setup

Posted: Mon Jun 02, 2014 6:45 pm
by gavstah
In theory, yes. In practice, no.

I have a working FreeRadius server set up that other clients are having no problem authenticating against. When I point my softether server to the radius server (and yes, the softether server has an entry in clients.conf on the radius server), it's not even hitting it. Authentication just fails with "Authentication error".

The softether logs show:

Connection "CID-14" terminated by the cause "User authentication failed."

The thing is, the failure happens so quickly that it's almost like the softether server isn't even reaching out to the radius server. Which is borne out by the fact that I'm on the free radius box running

radiusd -X

Just crickets there when I try to connect to the softether server.


theodisbutler wrote:
> You only need to make one change to your clients.conf file and it should
> work.

Re: FreeRadius Setup

Posted: Mon Jun 02, 2014 7:10 pm
by gavstah
DOH! Got the softether setup figured out for the most part.

Key is to RTFM first.

When using Radius, you must create the user on the server with the username * - yes, just a single asterisk, and select RADIUS authentication for that user.

This will pass all auth requests to the radius server.

Now the only problem is the FreeRadius server is throwing this error when authenticating (see screenshot)

http://screencast.com/t/ptlUsmutHnS

My password is just a simple string of letters and numbers, so it seems like the softether server is sending the password along with some funky stuff added. Or does free radius need to be set with a particular kind of encryption of the pass? The manual doesn't mention anything.

As suggested, I did check the shared secret for the client/server, so that's all set.

Re: FreeRadius Setup

Posted: Mon Jun 02, 2014 11:01 pm
by gavstah
PEBKAC strikes again . . . DOH!

Everything now resolved and radius auth is working fine!

Best wishes to those who posted suggestions.

Re: FreeRadius Setup

Posted: Tue Jun 03, 2014 1:13 pm
by n-retep
Thank you, gavstah, for your information. The paragraph with the asterisk as user name I have read perhaps three times and was sure that I am right in what I was doing. So RTFM is sometimes not enough. For me that means R and understand TFM and then think about it ;-)
Now everything works fine.

Thank you once again

Re: FreeRadius Setup

Posted: Tue Jun 03, 2014 8:25 pm
by Darkanoid
gavstah wrote:
> DOH! Got the softether setup figured out for the most part.
>
> Key is to RTFM first.
>
> When using Radius, you must create the user on the server with the username
> * - yes, just a single asterisk, and select RADIUS authentication for that
> user.
>
> This will pass all auth requests to the radius server.
>
> Now the only problem is the FreeRadius server is throwing this error when
> authenticating (see screenshot)
>
> http://screencast.com/t/ptlUsmutHnS
>
> My password is just a simple string of letters and numbers, so it seems
> like the softether server is sending the password along with some funky
> stuff added. Or does free radius need to be set with a particular kind of
> encryption of the pass? The manual doesn't mention anything.
>
> As suggested, I did check the shared secret for the client/server, so
> that's all set.


To solve that issue

Edit /etc/raddb/sites-available/default and uncomment the line containing 'sql' in the authorize{} section. The best place to put it is just after the 'files' entry. Indeed, if you'll just be using SQL, and not falling back to text files, you could comment out or delete the 'files' entry altogether.

Re: FreeRadius Setup

Posted: Thu Jun 19, 2014 12:10 pm
by CateFul
Darkanoid, this does not solve that issue. Anyone has a solution? Seems like SoftEther is adding something else along with the password before sending it out.

Re: FreeRadius Setup

Posted: Thu Jun 19, 2014 6:30 pm
by gavstah
Yeah - that had nothing to do with the problems I was having.

Make sure that the pass for this client in /etc/raddb/clients.conf on your radius machine matches the pass you put into the radius auth section of the softether setup. I had mistakenly put the wrong pass in the softether setup - once I corrected that, everything started working as expected.

PM me if you need any help setting it up - I can help troubleshoot it.



CateFul wrote:
> Darkanoid, this does not solve that issue. Anyone has a solution? Seems
> like SoftEther is adding something else along with the password before
> sending it out.

Re: FreeRadius Setup

Posted: Sat Jun 21, 2014 1:58 pm
by Darkanoid
Sorry, it helped me with the same issue since radius was not configured properly in combination with mysql. After that authentication worked well.

Re: FreeRadius Setup

Posted: Tue Jun 24, 2014 9:59 am
by CateFul
I sorted it. In my case though it was because the random pass was too long for the radius server to handle. 16 chars worked fine. Still waiting on radius accounting.

gavstah wrote:
> Yeah - that had nothing to do with the problems I was having.
>
> Make sure that the pass for this client in /etc/raddb/clients.conf on your radius
> machine matches the pass you put into the radius auth section of the softether setup.
> I had mistakenly put the wrong pass in the softether setup - once I corrected that,
> everything started working as expected.
>
> PM me if you need any help setting it up - I can help troubleshoot it.
>
>
>
> CateFul wrote:
> > Darkanoid, this does not solve that issue. Anyone has a solution? Seems
> > like SoftEther is adding something else along with the password before
> > sending it out.

Re: FreeRadius Setup

Posted: Wed Sep 16, 2015 7:36 am
by bbk1674
I have a similar issue, but it is only with softether.

I used Windows NPS Radius Server for many things and it didn't work with softether, and I gave it up for Freeradius 2 (an add-on package on pfsense Firewall).
Unfortunately I have the same issue.
I am trying to set up only authentication, not yet accounting or anything else, but no luck.
I tested that Freeradius2 itself works fine, but again, like the Windows Server Radius, it only doesn't work with SoftEther.
Any suggestions?

Re: FreeRadius Setup

Posted: Mon Nov 14, 2022 12:02 pm
by iamfoolberg
In my case: freeradius 3.0, SE(by git + make, ...)
I do the following, and it works.

# uncomment the following in /etc/freeradius/3.0/sites-enabled/default
# important!!!
vi /etc/freeradius/3.0/sites-enabled/default

Auth-Type LDAP {
    ldap
}

# restart the freeradius
sudo service freeradius restart
# or debug it
sudo service freeradius debug