SoftEtherVPN integration with FreeRadius and FreeIPA
Posted: Fri Oct 14, 2016 10:26 am
Dear all,
Currently I have trouble integrating SoftEther VPN to authenticate against FreeRadius with users from FreeIPA (LDAP). Below are several tests that I have done.
1. Test from the radius server itself (IP addr 192.168.10.61)
root@radcorp ~]# radtest infra1 infra1pwd 192.168.10.61 0 secret1
Sending Access-Request Id 59 from 0.0.0.0:51322 to 192.168.10.61:1812
User-Name = 'infra1'
User-Password = 'infra1pwd'
NAS-IP-Address = 192.168.10.61
NAS-Port = 0
Message-Authenticator = 0x00
Received Access-Accept Id 59 from 192.168.10.61:1812 to 192.168.10.61:51322 length 20
The above user and password are from a FreeIPA user account...
Below is the client.conf config of FreeRadius
client softethervpn {
ipaddr = 192.168.10.63/24
secret = secret1
}
FreeRadius -X debug output
--stripped-----
rlm_ldap (ldap): Reserved connection (4)
(0) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(0) ldap : --> (uid=infra1)
(0) ldap : EXPAND cn=users,cn=accounts,dc=company,dc=co,dc=id
(0) ldap : --> cn=users,cn=accounts,dc=company,dc=co,dc=id
(0) ldap : Performing search in 'cn=users,cn=accounts,dc=company,dc=co,dc=id' with filter '(uid=infra1)', scope 'sub'
(0) ldap : Waiting for search result...
(0) ldap : User object found at DN "uid=infra1,cn=users,cn=accounts,dc=company,dc=co,dc=id"
(0) ldap : Processing user attributes
(0) WARNING: ldap : No "known good" password added. Ensure the admin user has permission to read the password attribute
(0) WARNING: ldap : PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (4)
(0) [ldap] = ok
(0) if ((ok || updated ) && User-Password)
(0) if ((ok || updated ) && User-Password) -> TRUE
(0) if ((ok || updated ) && User-Password) {
(0) update {
(0) control:Auth-Type := LDAP
(0) } # update = noop
(0) } # if ((ok || updated ) && User-Password) = noop
(0) [expiration] = noop
(0) [logintime] = noop
(0) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type
(0) WARNING: pap : Authentication will fail unless a "known good" password is available
(0) [pap] = noop
(0) } # authorize = ok
(0) Found Auth-Type = LDAP
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Auth-Type LDAP {
(0) ldap : Login attempt by "infra1"
rlm_ldap (ldap): Reserved connection (4)
(0) ldap : Using user DN from request "uid=infra1,cn=users,cn=accounts,dc=company,dc=co,dc=id"
(0) ldap : Waiting for bind result...
(0) ldap : Bind successful
(0) ldap : Bind as user "uid=infra1,cn=users,cn=accounts,dc=company,dc=co,dc=id" was successful
rlm_ldap (ldap): Released connection (4)
(0) [ldap] = ok
(0) } # Auth-Type LDAP = ok
(0) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(0) post-auth {
(0) [exec] = noop
(0) remove_reply_message_if_eap remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message)
2. Test from the SoftEther VPN server to the radius server (IP addr 192.168.10.63)
root@softethercorp:~# radtest infra1 infra1pwd 192.168.10.61 0 secret1
Sending Access-Request of id 136 to 192.168.10.61 port 1812
User-Name = "infra1"
User-Password = "infra1pwd"
NAS-IP-Address = 192.168.10.63
NAS-Port = 0
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 192.168.10.61 port 1812, id=136, length=20
From the SoftEtherVPN config I have added user * with Radius authentication to pass all of the authentication to the FreeRadius server. But from the SoftEther VPN client it is unable to authenticate... Kindly help... Thank you...
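A small triage script for the kind of `radiusd -X` transcript quoted above, added here as an example and not part of the original post. It reads the debug lines for one request and reports which authentication path the default site took: the LDAP bind path, which the `if ((ok || updated) && User-Password)` block only selects when the request carries a cleartext User-Password as radtest sends, or a CHAP/MS-CHAP path, which can only succeed if rlm_ldap obtained a "known good" password, which the WARNING lines in the post say it did not. Both sample transcripts are constructed from the log format in the post; the MS-CHAP one is hypothetical.

```python
import re

# Line shapes from a FreeRADIUS 3 "radiusd -X" transcript.
ATTR_RE = re.compile(r'^\(\d+\)\s+([A-Za-z0-9-]+) = (.+)$')
WARN_RE = re.compile(r'^\(\d+\)\s+WARNING: (\w+)\s*: (.*)$')
AUTH_RE = re.compile(r'^\(\d+\)\s+Found Auth-Type = (\S+)')
BIND_RE = re.compile(r'Bind as user .* was successful')

def triage(log_text):
    """Summarise which auth path one request took and whether it can pass."""
    attrs, warnings, auth_type, bind_ok = {}, [], None, False
    for line in log_text.splitlines():
        if (m := ATTR_RE.match(line)):
            attrs[m.group(1)] = m.group(2).strip('"\'')
        elif (m := WARN_RE.match(line)):
            warnings.append((m.group(1), m.group(2)))
        elif (m := AUTH_RE.match(line)):
            auth_type = m.group(1)
        elif BIND_RE.search(line):
            bind_ok = True
    no_known_good = any('known good' in w for _, w in warnings)
    if 'User-Password' in attrs:
        # authorize only sets Auth-Type := LDAP when a cleartext password is
        # present; the user's own LDAP bind then verifies it.
        path, can_pass = 'PAP via LDAP bind', bind_ok
    elif 'CHAP-Password' in attrs or any(a.startswith('MS-CHAP') for a in attrs):
        # Challenge/response cannot be checked by a bind; rlm_ldap must be able
        # to read a cleartext or NT-hash password for the user.
        path, can_pass = 'CHAP/MS-CHAP', not no_known_good
    else:
        path, can_pass = 'unknown', False
    return {'user': attrs.get('User-Name'), 'path': path, 'auth_type': auth_type,
            'known_good_missing': no_known_good, 'can_pass': can_pass}

# Constructed transcript modelled on the post's radtest run (PAP, bind succeeds).
PAP_LOG = """\
(0) Received Access-Request Id 59 from 192.168.10.63:51322 to 192.168.10.61:1812 length 75
(0)   User-Name = "infra1"
(0)   User-Password = "infra1pwd"
(0)   NAS-IP-Address = 192.168.10.63
(0) WARNING: ldap : No "known good" password added. Ensure the admin user has permission to read the password attribute
(0) Found Auth-Type = LDAP
(0)   ldap : Bind as user "uid=infra1,cn=users,cn=accounts,dc=company,dc=co,dc=id" was successful
"""

# Hypothetical transcript for a VPN client that negotiated MS-CHAPv2 instead of PAP.
MSCHAP_LOG = """\
(1) Received Access-Request Id 60 from 192.168.10.63:51323 to 192.168.10.61:1812 length 140
(1)   User-Name = "infra1"
(1)   MS-CHAP-Challenge = 0x4d5343484150
(1)   MS-CHAP2-Response = 0x0100
(1) WARNING: ldap : No "known good" password added. Ensure the admin user has permission to read the password attribute
"""
```

Run it over the full `-X` output of a failing VPN attempt rather than the radtest run; the request attributes at the top of that transcript show what the NAS actually sent.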