running a strongswan server with radius on your VPS
Strongswan install
1. Prepare the environment:
1 |
apt-get install -Y build-essential libssl-dev libpam-dev |
2. Get the package:
1 |
wget http://download.strongswan.org/strongswan-5.2.1.tar.bz2 |
3. Install the package:
1 2 3 |
tar xjvf strongswan-5.2.1.tar.bz2 cd strongswan-5.2.1 ./configure --enable-eap-identity --enable-eap-md5 --enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls --enable-eap-peap --enable-eap-tnc --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap --enable-xauth-pam --enable-dhcp --enable-openssl --enable-addrblock --enable-unity --enable-certexpire --enable-radattr --enable-tools --disable-gmp --disable-static --enable-shared --enable-kernel-libipsec && make && make install |
Note: 1) If you use the OVZ based VPS, you must add –enable-kernel-libipsec, otherwise not.
2) 5.2.1 can be replaced by the other version.
Configuration of Strongswan
The default configuration is under:
1 |
/usr/local/etc/ |
1. ipsec.conf: It is the configuration of every client part. You can config it like the following below:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 |
config setup uniqueids=no conn iOS_cert keyexchange=ikev1 # strongswan version >= 5.0.2, compatible with iOS 6.0,6.0.1 fragmentation=yes left=%defaultroute leftauth=pubkey leftsubnet=0.0.0.0/0 leftcert=server.cert.pem right=%any rightauth=eap-radius rightauth2=xauth rightsourceip=10.0.0.0/24 rightcert=client.cert.pem auto=add dpdaction=clear # also supports iOS PSK and Shrew on Windows conn android_xauth_psk keyexchange=ikev1 left=%defaultroute leftauth=psk leftsubnet=0.0.0.0/0 right=%any rightauth=psk rightauth2=xauth-radius rightsourceip=10.0.0.0/24 dpdaction=clear ikelifetime=500h lifetime=200s auto=add # compatible with "strongSwan VPN Client" for Android 4.0+ # and Windows 7 cert mode. conn networkmanager-strongswan keyexchange=ikev2 left=%defaultroute leftauth=pubkey leftsubnet=0.0.0.0/0 leftcert=server.cert.pem right=%any rightauth=pubkey rightauth=pubkey rightsourceip=10.0.0.0/24 rightcert=client.cert.pem auto=add conn radius keyexchange=ikev2 left=%any leftsubnet=0.0.0.0/0 leftauth=pubkey leftcert=server.cert.pem right=%any rightsourceip=10.0.0.0/24 rightauth=eap-radius rightsendcert=never eap_identity=%any auto=add dpdaction=clear |
2. ipsec.secrects:
1 2 3 |
: RSA server.pem #this should be your ikev1 psk key : PSK "yourPSK" |
3. strongswan.conf:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 |
# strongswan.conf - strongSwan configuration file charon { # duplicheck.enable = no dns1 = 208.67.222.222 dns2 = 208.67.220.220 # for Windows only nbns1 = 208.67.222.222 nbns2 = 208.67.220.220 filelog { /var/log/strongswan.charon.log { time_format = %b %e %T default = 1 append = no flush_line = yes } } plugins { eap-radius { accounting = yes servers { radiusServer { secret = yoursecret address = radius.xxx.com auth_port = 1812 # default acct_port = 1813 # default } } dae { enable = yes # enable DAE extension listen = 0.0.0.0 # listen address, default to all port = 3799 # port to listen for requests, default secret = yoursecret # shared secret to verify/sign DAE messages } } } } |
Note:
1) radius.xxx.com is your radius server address/ip.
2) secret can be custom by yourself.
3) The two secret can be different.
Install the certificates
1 2 3 4 5 6 7 8 9 10 11 12 |
ipsec pki --gen --outform pem > ca.pem ipsec pki --self --in ca.pem --dn "C=CN, O=Alipay, CN=singapo.kiritostudio.com" --ca --outform pem >ca.cert.pem ipsec pki --gen --outform pem > server.pem ipsec pki --pub --in server.pem | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem --dn "C=CN, O=Alipay, CN=singapo.kiritostudio.com" --san="singapo.kiritostudio.com" --flag serverAuth --flag ikeIntermediate --outform pem > server.cert.pem ipsec pki --gen --outform pem > client.pem ipsec pki --pub --in client.pem | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem --dn "C=CN, O=Alipay, CN=singapo.kiritostudio.com" --outform pem > client.cert.pem openssl pkcs12 -export -inkey client.pem -in client.cert.pem -name "client" -certfile ca.cert.pem -caname "singapo.kiritostudio.com" -out client.cert.p12 cp -r ca.cert.pem /usr/local/etc/ipsec.d/cacerts/ cp -r server.cert.pem /usr/local/etc/ipsec.d/certs/ cp -r server.pem /usr/local/etc/ipsec.d/private/ cp -r client.cert.pem /usr/local/etc/ipsec.d/certs/ cp -r client.pem /usr/local/etc/ipsec.d/private/ |
Here is the a simpler command to install the certs, but you should replace yourdomain to your host domain:
1 |
ipsec pki --gen --outform pem > ca.pem && ipsec pki --self --in ca.pem --dn "C=CN, O=Alipay, CN=yourdomain" --ca --outform pem >ca.cert.pem && ipsec pki --gen --outform pem > server.pem && ipsec pki --pub --in server.pem | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem --dn "C=CN, O=Alipay, CN=yourdomain" --san="yourdomain" --flag serverAuth --flag ikeIntermediate --outform pem > server.cert.pem && ipsec pki --gen --outform pem > client.pem && ipsec pki --pub --in client.pem | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem --dn "C=CN, O=Alipay, CN=yourdomain" --outform pem > client.cert.pem && openssl pkcs12 -export -inkey client.pem -in client.cert.pem -name "client" -certfile ca.cert.pem -caname "yourdomain" -out client.cert.p12 && cp -r ca.cert.pem /usr/local/etc/ipsec.d/cacerts/ && cp -r server.cert.pem /usr/local/etc/ipsec.d/certs/ && cp -r server.pem /usr/local/etc/ipsec.d/private/ && cp -r client.cert.pem /usr/local/etc/ipsec.d/certs/ && cp -r client.pem /usr/local/etc/ipsec.d/private/ |
Configuration for the network(router)
1 2 3 4 5 6 |
#not openvz: iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE #openvz: iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o venet0 -j SNAT --to-source ?.?.?.? iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT echo 1 > /proc/sys/net/ipv4/ip_forward |
Note: ?.?.?.? is the Strongswan server ip address.
Now the Strongswan part is finished.
Install the FreeRadius
1 2 3 4 5 6 |
wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-2.2.5.tar.gz tar zxvf freeradius-server-2.2.5.tar.gz cd freeradius-server-2.2.5/ ./configure --with-mysql-dir=/usr/share/mysql/ --with-mysql-lib-dir=/usr/lib/mysql/ make make install |
If you met the heart bleed warning, you should do the following steps:
1 2 3 4 5 6 7 8 9 |
openssl version -a apt-get purge openssl apt-get autoremove && apt-get autoclean tar xzvf openssl-1.0.1g.tar.gz cd opemssl-1.0.1g ./config make make install cp /usr/local/ssl/bin/openssl /usr/bin/ |
After that, change the /usr/local/etc/raddb/radiusd.conf from “allow_vulnerable_openssl = no” to “allow_vulnerable_openssl = yes”
Configuration of FreeRadius
The directory of the freeRadius is under:
1 |
/usr/local/etc/raddb/ |
1) Add the following line to the dictionary file:
1 2 |
ATTRIBUTE Max-Monthly-Traffic 3003 integer ATTRIBUTE Monthly-Traffic-Limit 3004 integer |
2) sites-enabled/default: Comment the line with unix and files, delete the comment flag for the sql
3) radiusd.conf: Delete the comment flag for the “include sql.conf”
4) clients.conf: Change the secret = testing123 under localhost section.
5) sql.conf: Change the following code as your database configuration in the sql section:
1 2 3 4 5 6 7 8 9 |
database = "mysql" driver = "rlm_sql_${database}" server = "localhost" #port = 3306 login = "root" password = "yourpass" # Database table configuration for everything except Oracle radius_db = "radius" |
6) sql/mysql/dialup.conf: Add the following line and comment other sql_user_name line
1 |
sql_user_name = "%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}" |
Uncomment the simul_query_check line.
Create database
1 2 3 4 5 6 7 |
/usr/local/mysql/bin/mysql -uroot -p create database radius; grant all privileges on radius.* to radius@localhost identified by "radiuspassword"; flush privileges; use radius; source /usr/local/etc/raddb/sql/mysql/schema.sql; exit; |
Create the base information in db:
1 2 3 4 5 6 7 |
INSERT INTO radgroupreply (groupname,attribute,op,VALUE) VALUES ('user','Auth-Type',':=','Local'); INSERT INTO radgroupreply (groupname,attribute,op,VALUE) VALUES ('user','Service-Type',':=','Framed-User'); INSERT INTO radgroupreply (groupname,attribute,op,VALUE) VALUES ('user','Framed-IP-Address',':=','255.255.255.255'); INSERT INTO radgroupreply (groupname,attribute,op,VALUE) VALUES ('user','Framed-IP-Netmask',':=','255.255.255.0'); INSERT INTO radgroupreply (groupname,attribute,op,VALUE) VALUES ('user','Acct-Interim-Interval',':=','600'); -- traffic count time INSERT INTO radgroupreply (groupname,attribute,op,VALUE) VALUES ('user','Max-Monthly-Traffic',':=','5368709120'); -- 5G INSERT INTO radgroupcheck (groupname,attribute,op,VALUE) VALUES ('user','Simultaneous-Use',':=','1'); -- online device count |
After finished, it is better to have a local test, Now we add the test user:
1 2 |
INSERT INTO radcheck (username,attribute,op,VALUE) VALUES ('test','Cleartext-Password',':=','test'); INSERT INTO radusergroup (username,groupname) VALUES ('test','user'); |
Test code like the following below:
1 2 3 |
/etc/init.d/freeradius stop radiusd -X & radtest test test localhost 1649 testing123 |
If you receive “Access-Accept”, and your local configuration is ok.
Add NAS clients
NAS is your strongswan client.
You only need to change the clients.conf file only, and just add the section like the following below:
1 2 3 4 5 6 7 8 9 |
client singapo { ipaddr = NAS ip netmask = 32 secret = yoursecret nastype = other shortname = singapo with_ntdomain_hack = yes coa_server = coa1 } |
You can also add a coa_server in proxy.conf and add the following codes:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 |
home_server coa1 { type = coa # # Note that a home server of type "coa" MUST be a real NAS, # with an ipaddr or ipv6addr. It CANNOT point to a virtual # server. # ipaddr = strongswan_client_ip port = 3799 # This secret SHOULD NOT be the same as the shared # secret in a "client" section. secret = kiritoauth # CoA specific parameters. See raddb/proxy.conf for details. coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } #you must need a pre-proxy and a post-proxy server kiritostudio.com { pre-proxy { update proxy-request { NAS-IP-Address = 127.0.0.1 } } # # Handle the responses here. # post-proxy { switch "%{proxy-reply:Packet-Type}" { case CoA-ACK { ok } case CoA-NAK { # the NAS didn't like the CoA request ok } case Disconnect-ACK { ok } case Disconnect-NAK { # the NAS didn't like the Disconnect request ok } # Invalid packet type. This shouldn't happen. case { fail } } # # These methods are run when there is NO response # to the request. # Post-Proxy-Type Fail-CoA { ok } Post-Proxy-Type Fail-Disconnect { ok } } } |
If you set the Coa, and the kik user function is also be enabled. But the traffic have not been set yet, now we should do it with modifying sites-enabled/default:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 |
###################################################################### # # As of 2.0.0, FreeRADIUS supports virtual hosts using the # "server" section, and configuration directives. # # Virtual hosts should be put into the "sites-available" # directory. Soft links should be created in the "sites-enabled" # directory to these files. This is done in a normal installation. # # If you are using 802.1X (EAP) authentication, please see also # the "inner-tunnel" virtual server. You wll likely have to edit # that, too, for authentication to work. # # $Id: 520ccbc90f3a09cd6a80e1e3b16000b7ba94d884 $ # ###################################################################### # # Read "man radiusd" before editing this file. See the section # titled DEBUGGING. It outlines a method where you can quickly # obtain the configuration you want, without running into # trouble. See also "man unlang", which documents the format # of this file. # # This configuration is designed to work in the widest possible # set of circumstances, with the widest possible number of # authentication methods. This means that in general, you should # need to make very few changes to this file. # # The best way to configure the server for your local system # is to CAREFULLY edit this file. Most attempts to make large # edits to this file will BREAK THE SERVER. Any edits should # be small, and tested by running the server with "radiusd -X". # Once the edits have been verified to work, save a copy of these # configuration files somewhere. (e.g. as a "tar" file). Then, # make more edits, and test, as above. # # There are many "commented out" references to modules such # as ldap, sql, etc. These references serve as place-holders. # If you need the functionality of that module, then configure # it in radiusd.conf, and un-comment the references to it in # this file. In most cases, those small changes will result # in the server being able to connect to the DB, and to # authenticate users. # ###################################################################### # # In 1.x, the "authorize", etc. sections were global in # radiusd.conf. As of 2.0, they SHOULD be in a server section. # # The server section with no virtual server name is the "default" # section. It is used when no server name is specified. # # We don't indent the rest of this file, because doing so # would make it harder to read. # # Authorization. First preprocess (hints and huntgroups files), # then realms, and finally look in the "users" file. # # Any changes made here should also be made to the "inner-tunnel" # virtual server. # # The order of the realm modules will determine the order that # we try to find a matching realm. # # Make *sure* that 'preprocess' comes before any realm if you # need to setup hints for the remote radius server authorize { # # Security settings. Take a User-Name, and do some simple # checks on it, for spaces and other invalid characters. If # it looks like the user is trying to play games, reject it. # # This should probably be enabled by default. # # See policy.conf for the definition of the filter_username policy. # # filter_username # # The preprocess module takes care of sanitizing some bizarre # attributes in the request, and turning them into attributes # which are more standard. # # It takes care of processing the 'raddb/hints' and the # 'raddb/huntgroups' files. preprocess # # If you want to have a log of authentication requests, # un-comment the following line, and the 'detail auth_log' # section, above. # auth_log # # The chap module will set 'Auth-Type := CHAP' if we are # handling a CHAP request and Auth-Type has not already been set chap # # If the users are logging in with an MS-CHAP-Challenge # attribute for authentication, the mschap module will find # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP' # to the request, which will cause the server to then use # the mschap module for authentication. mschap # # If you have a Cisco SIP server authenticating against # FreeRADIUS, uncomment the following line, and the 'digest' # line in the 'authenticate' section. digest # # The WiMAX specification says that the Calling-Station-Id # is 6 octets of the MAC. This definition conflicts with # RFC 3580, and all common RADIUS practices. Un-commenting # the "wimax" module here means that it will fix the # Calling-Station-Id attribute to the normal format as # specified in RFC 3580 Section 3.21 # wimax # # Look for IPASS style 'realm/', and if not found, look for # '@realm', and decide whether or not to proxy, based on # that. # IPASS # # If you are using multiple kinds of realms, you probably # want to set "ignore_null = yes" for all of them. # Otherwise, when the first style of realm doesn't match, # the other styles won't be checked. # suffix if (User-Name =~ /^.*\\\\\\\\(.*)/) { update request { Stripped-User-Name := "%{1}" } } # ntdomain # # This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP # authentication. # # It also sets the EAP-Type attribute in the request # attribute list to the EAP type from the packet. # # As of 2.0, the EAP module returns "ok" in the authorize stage # for TTLS and PEAP. In 1.x, it never returned "ok" here, so # this change is compatible with older configurations. # # The example below uses module failover to avoid querying all # of the following modules if the EAP module returns "ok". # Therefore, your LDAP and/or SQL servers will not be queried # for the many packets that go back and forth to set up TTLS # or PEAP. The load on those servers will therefore be reduced. # eap { ok = return } # # Pull crypt'd passwords from /etc/passwd or /etc/shadow, # using the system API's to get the password. If you want # to read /etc/passwd or /etc/shadow directly, see the # passwd module in radiusd.conf. # # unix # # Read the 'users' file #files # # Look in an SQL database. The schema of the database # is meant to mirror the "users" file. # # See "Authorization Queries" in sql.conf sql # # If you are using /etc/smbpasswd, and are also doing # mschap authentication, the un-comment this line, and # configure the 'smbpasswd' module. # smbpasswd # # The ldap module will set Auth-Type to LDAP if it has not # already been set # ldap # # Enforce daily limits on time spent logged in. # daily # # Use the checkval module # checkval expiration logintime # # If no other module has claimed responsibility for # authentication, then try to use PAP. This allows the # other modules listed above to add a "known good" password # to the request, and to do nothing else. The PAP module # will then see that password, and use it to do PAP # authentication. # # This module should be listed last, so that the other modules # get a chance to set Auth-Type for themselves. # pap # # If "status_server = yes", then Status-Server messages are passed # through the following section, and ONLY the following section. # This permits you to do DB queries, for example. If the modules # listed here return "fail", then NO response is sent. # # Autz-Type Status-Server { # # } # monthlytrafficcounter if(Stripped-User-Name != ""){ if("%{sql: SELECT getMothlyUsageJudgement('%{Stripped-User-Name}')}" == "Yes"){ reject } } else{ if("%{sql: SELECT getMothlyUsageJudgement('%{User-Name}')}" == "Yes"){ reject } } } # Authentication. # # # This section lists which modules are available for authentication. # Note that it does NOT mean 'try each module in order'. It means # that a module from the 'authorize' section adds a configuration # attribute 'Auth-Type := FOO'. That authentication type is then # used to pick the apropriate module from the list below. # # In general, you SHOULD NOT set the Auth-Type attribute. The server # will figure it out on its own, and will do the right thing. The # most common side effect of erroneously setting the Auth-Type # attribute is that one authentication method will work, but the # others will not. # # The common reasons to set the Auth-Type attribute by hand # is to either forcibly reject the user (Auth-Type := Reject), # or to or forcibly accept the user (Auth-Type := Accept). # # Note that Auth-Type := Accept will NOT work with EAP. # # Please do not put "unlang" configurations into the "authenticate" # section. Put them in the "post-auth" section instead. That's what # the post-auth section is for. # authenticate { # # PAP authentication, when a back-end database listed # in the 'authorize' section supplies a password. The # password can be clear-text, or encrypted. Auth-Type PAP { pap } # # Most people want CHAP authentication # A back-end database listed in the 'authorize' section # MUST supply a CLEAR TEXT password. Encrypted passwords # won't work. Auth-Type CHAP { chap } # # MSCHAP authentication. Auth-Type MS-CHAP { mschap } # # If you have a Cisco SIP server authenticating against # FreeRADIUS, uncomment the following line, and the 'digest' # line in the 'authorize' section. digest # # Pluggable Authentication Modules. # pam # # See 'man getpwent' for information on how the 'unix' # module checks the users password. Note that packets # containing CHAP-Password attributes CANNOT be authenticated # against /etc/passwd! See the FAQ for details. # # For normal "crypt" authentication, the "pap" module should # be used instead of the "unix" module. The "unix" module should # be used for authentication ONLY for compatibility with legacy # FreeRADIUS configurations. # #unix # Uncomment it if you want to use ldap for authentication # # Note that this means "check plain-text password against # the ldap database", which means that EAP won't work, # as it does not supply a plain-text password. # Auth-Type LDAP { # ldap # } # # Allow EAP authentication. eap # # The older configurations sent a number of attributes in # Access-Challenge packets, which wasn't strictly correct. # If you want to filter out these attributes, uncomment # the following lines. # # Auth-Type eap { # eap { # handled = 1 # } # if (handled && (Response-Packet-Type == Access-Challenge)) { # attr_filter.access_challenge.post-auth # handled # override the "updated" code from attr_filter # } # } } # # Pre-accounting. Decide which accounting type to use. # preacct { preprocess # # Session start times are *implied* in RADIUS. # The NAS never sends a "start time". Instead, it sends # a start packet, *possibly* with an Acct-Delay-Time. # The server is supposed to conclude that the start time # was "Acct-Delay-Time" seconds in the past. # # The code below creates an explicit start time, which can # then be used in other modules. # # The start time is: NOW - delay - session_length # # update request { # FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}" # } # # Ensure that we have a semi-unique identifier for every # request, and many NAS boxes are broken. acct_unique # # Look for IPASS-style 'realm/', and if not found, look for # '@realm', and decide whether or not to proxy, based on # that. # # Accounting requests are generally proxied to the same # home server as authentication requests. # IPASS suffix if (User-Name =~ /^.*\\\\\\\\(.*)/) { update request { Stripped-User-Name := "%{1}" } } # ntdomain # # Read the 'acct_users' file #files } # # Accounting. Log the accounting data. # accounting { # # Create a 'detail'ed log of the packets. # Note that accounting requests which are proxied # are also logged in the detail file. detail # daily # Update the wtmp file # # If you don't use "radlast", you can delete this line. # unix # # For Simultaneous-Use tracking. # # Due to packet losses in the network, the data here # may be incorrect. There is little we can do about it. # radutmp # sradutmp # Return an address to the IP Pool when we see a stop record. # main_pool # # Log traffic to an SQL database. # # See "Accounting queries" in sql.conf sql if (User-Name =~ /^.*\\\\\\\\(.*)/) { update request { Stripped-User-Name := "%{1}" } } # # If you receive stop packets with zero session length, # they will NOT be logged in the database. The SQL module # will print a message (only in debugging mode), and will # return "noop". # # You can ignore these packets by uncommenting the following # three lines. Otherwise, the server will not respond to the # accounting request, and the NAS will retransmit. # # if (noop) { # ok # } # # Instead of sending the query to the SQL server, # write it into a log file. # # sql_log # Cisco VoIP specific bulk accounting # pgsql-voip # For Exec-Program and Exec-Program-Wait exec # Filter attributes from the accounting response. attr_filter.accounting_response # # See "Autz-Type Status-Server" for how this works. # # Acct-Type Status-Server { # # } update disconnect { User-Name = "%{User-Name}" Acct-Session-Id = "%{Acct-Session-Id}" NAS-IP-Address = "%{NAS-IP-Address}" } if(Stripped-User-Name != ""){ update control { Send-CoA-Request = "%{sql: SELECT getMothlyUsageJudgement('%{Stripped-User-Name}')}" } } else{ update control { Send-CoA-Request = "%{sql: SELECT getMothlyUsageJudgement('%{User-Name}')}" } } } # Session database, used for checking Simultaneous-Use. Either the radutmp # or rlm_sql module can handle this. # The rlm_sql module is *much* faster session { # radutmp # # See "Simultaneous Use Checking Queries" in sql.conf sql } # Post-Authentication # Once we KNOW that the user has been authenticated, there are # additional steps we can take. post-auth { # Get an address from the IP Pool. # main_pool # # If you want to have a log of authentication replies, # un-comment the following line, and the 'detail reply_log' # section, above. # reply_log # # After authenticating the user, do another SQL query. # # See "Authentication Logging Queries" in sql.conf sql # # Instead of sending the query to the SQL server, # write it into a log file. # # sql_log # # Un-comment the following if you have set # 'edir_account_policy_check = yes' in the ldap module sub-section of # the 'modules' section. # # ldap # For Exec-Program and Exec-Program-Wait exec # # Calculate the various WiMAX keys. In order for this to work, # you will need to define the WiMAX NAI, usually via # # update request { # WiMAX-MN-NAI = "%{User-Name}" # } # # If you want various keys to be calculated, you will need to # update the reply with "template" values. The module will see # this, and replace the template values with the correct ones # taken from the cryptographic calculations. e.g. # # update reply { # WiMAX-FA-RK-Key = 0x00 # WiMAX-MSK = "%{EAP-MSK}" # } # # You may want to delete the MS-MPPE-*-Keys from the reply, # as some WiMAX clients behave badly when those attributes # are included. See "raddb/modules/wimax", configuration # entry "delete_mppe_keys" for more information. # # wimax # If there is a client certificate (EAP-TLS, sometimes PEAP # and TTLS), then some attributes are filled out after the # certificate verification has been performed. These fields # MAY be available during the authentication, or they may be # available only in the "post-auth" section. # # The first set of attributes contains information about the # issuing certificate which is being used. The second # contains information about the client certificate (if # available). # # update reply { # Reply-Message += "%{TLS-Cert-Serial}" # Reply-Message += "%{TLS-Cert-Expiration}" # Reply-Message += "%{TLS-Cert-Subject}" # Reply-Message += "%{TLS-Cert-Issuer}" # Reply-Message += "%{TLS-Cert-Common-Name}" # Reply-Message += "%{TLS-Cert-Subject-Alt-Name-Email}" # # Reply-Message += "%{TLS-Client-Cert-Serial}" # Reply-Message += "%{TLS-Client-Cert-Expiration}" # Reply-Message += "%{TLS-Client-Cert-Subject}" # Reply-Message += "%{TLS-Client-Cert-Issuer}" # Reply-Message += "%{TLS-Client-Cert-Common-Name}" # Reply-Message += "%{TLS-Client-Cert-Subject-Alt-Name-Email}" # } # MacSEC requires the use of EAP-Key-Name. However, we don't # want to send it for all EAP sessions. Therefore, the EAP # modules put required data into the EAP-Session-Id attribute. # This attribute is never put into a request or reply packet. # # Uncomment the next few lines to copy the required data into # the EAP-Key-Name attribute # if (reply:EAP-Session-Id) { # update reply { # EAP-Key-Name := "%{reply:EAP-Session-Id}" # } # } # If the WiMAX module did it's work, you may want to do more # things here, like delete the MS-MPPE-*-Key attributes. # # if (updated) { # update reply { # MS-MPPE-Recv-Key !* 0x00 # MS-MPPE-Send-Key !* 0x00 # } # } # # Access-Reject packets are sent through the REJECT sub-section of the # post-auth section. # # Add the ldap module name (or instance) if you have set # 'edir_account_policy_check = yes' in the ldap module configuration # Post-Auth-Type REJECT { # log failed authentications in SQL, too. sql attr_filter.access_reject } } # # When the server decides to proxy a request to a home server, # the proxied request is first passed through the pre-proxy # stage. This stage can re-write the request, or decide to # cancel the proxy. # # Only a few modules currently have this method. # pre-proxy { # attr_rewrite # Uncomment the following line if you want to change attributes # as defined in the preproxy_users file. # files # Uncomment the following line if you want to filter requests # sent to remote servers based on the rules defined in the # 'attrs.pre-proxy' file. # attr_filter.pre-proxy # If you want to have a log of packets proxied to a home # server, un-comment the following line, and the # 'detail pre_proxy_log' section, above. # pre_proxy_log } # # When the server receives a reply to a request it proxied # to a home server, the request may be massaged here, in the # post-proxy stage. # post-proxy { # If you want to have a log of replies from a home server, # un-comment the following line, and the 'detail post_proxy_log' # section, above. # post_proxy_log # attr_rewrite # Uncomment the following line if you want to filter replies from # remote proxies based on the rules defined in the 'attrs' file. # attr_filter.post-proxy # # If you are proxying LEAP, you MUST configure the EAP # module, and you MUST list it here, in the post-proxy # stage. # # You MUST also use the 'nostrip' option in the 'realm' # configuration. Otherwise, the User-Name attribute # in the proxied request will not match the user name # hidden inside of the EAP packet, and the end server will # reject the EAP request. # eap # # If the server tries to proxy a request and fails, then the # request is processed through the modules in this section. # # The main use of this section is to permit robust proxying # of accounting packets. The server can be configured to # proxy accounting packets as part of normal processing. # Then, if the home server goes down, accounting packets can # be logged to a local "detail" file, for processing with # radrelay. When the home server comes back up, radrelay # will read the detail file, and send the packets to the # home server. # # With this configuration, the server always responds to # Accounting-Requests from the NAS, but only writes # accounting packets to disk if the home server is down. # # Post-Proxy-Type Fail { # detail # } } |
And you should also listen the coa respond in radius.conf, and add theses lines:
1 2 3 4 |
listen { ipaddr = * type = coa } |
I’m not sure the configutation is right, but it is finished.
kiven
2016年12月18日 - 02:53
I’m not sure the configutation is right, but it is finished.
Why do this statement. I configure through the above tutorial and facing issues.
looking for peer configs matching 138.68.79.62[138.68.79.62]…151.243.102.104[test4]
Dec 17 18:30:00 16[CFG] no matching peer config found
Dec 17 18:30:00 16[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Dec 17 18:30:00 16[IKE] peer supports MOBIKE
Dec 17 18:30:00 16[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Dec 17 18:30:00 16[NET] sending packet: from 138.68.79.62[4500] to 151.243.102.104[4500] (80 bytes)
Varun
2017年7月27日 - 19:00
I tried with it but it doesn’t work.
I’m receiving this logs on the server
RADIUS authentication of ‘varun’ failed
11[IKE] EAP method EAP_MD5 failed for peer varun