Using Radius as auth backend for Cisco VPN
Ref: http://www.ibm.com/developerworks/library/l-radius/
Install freeradius
yum -y install freeradius
Start service and perform basic test
service radiusd start
chkconfig radiusd on
radtest test test localhost 0 testing123
Configure logging for radiusd
radiusd.conf
log_auth = yes
# keep credentials out of the log: successes and failures are recorded without the password
log_auth_badpass = no
log_auth_goodpass = no
Configure client shared secret (clients.conf; the same value goes into the firewall's aaa-server key)
# Make sure this IP is the inside address
client FIREWALL-IP {
	secret = some-shared-secret
	shortname = cisco-vpn
	nastype = other
}
Create a local user and test
groupadd vpn                                # create the group first if it does not exist yet
useradd -g vpn client1
echo "some-pass" | passwd --stdin client1   # RHEL/CentOS passwd reads the new password from stdin
For system auth to work, /etc/shadow needs to be readable by the user radiusd runs as. Grant that as narrowly as you can (hint: chgrp/chmod so the radiusd group gets read access, rather than making the file world-readable).
Test it:
> radtest client1 some-pass localhost 0 testing123
Sending Access-Request of id 79 to 127.0.0.1 port 1812
	User-Name = "client1"
	User-Password = "some-pass"
	NAS-IP-Address = 255.255.255.255
	NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=79, length=20
> tail -1 /var/log/radius/radius.log
Thu Feb 18 23:20:23 2010 : Auth: Login OK: [client1/some-pass] (from client localhost port 0)
Set this up to be used with cisco:
users
client1	Auth-Type = System
	Service-Type = Framed-User,
	cisco-avpair = "shell:priv-lvl=15"
Authentication should succeed and the reply should carry the configured Service-Type and Cisco-AVPair. Note that shell:priv-lvl=15 is the full privilege level, so only hand it to users who need it if this server is ever also used for device administration logins.
> radtest client1 some-pass localhost 0 testing123
Sending Access-Request of id 77 to 127.0.0.1 port 1812
	User-Name = "client1"
	User-Password = "some-pass"
	NAS-IP-Address = 255.255.255.255
	NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=77, length=51
	Service-Type = Framed-User
	Cisco-AVPair = "shell:priv-lvl=15"
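To show what radtest and the Cisco NAS actually exchange with the server above, here is an added Python example (not part of the original page or of FreeRADIUS) that builds the Access-Request with RFC 2865 password hiding, builds the Access-Accept a server answers with, and verifies the Response Authenticator against the shared secret before decoding Service-Type and Cisco-AVPair. It assumes the page's testing123 secret and client1 user; the request authenticator is a constructed constant so the run is reproducible.

```python
import hashlib, struct

# From the page's radtest run; REQ_AUTH is a constructed constant for reproducibility (real clients use os.urandom(16)).
SECRET, REQ_AUTH, CISCO = b"testing123", bytes(range(16)), 9  # 9 = Cisco's IANA enterprise number

def attr(t, v): return struct.pack("!BB", t, 2 + len(v)) + v  # one attribute: Type, Length, Value

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    password = password.ljust(-(-len(password) // 16) * 16, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(password), 16):
        prev = bytes(p ^ k for p, k in zip(password[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def access_request(ident, user, password, secret, req_auth):  # the packet radtest sends
    attrs = (attr(1, user) + attr(2, hide_password(password, secret, req_auth))
             + attr(4, b"\xff\xff\xff\xff") + attr(5, struct.pack("!I", 0)))  # NAS-IP-Address, NAS-Port
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs

def access_accept(ident, req_auth, secret, attrs):
    """Server side: Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    header = struct.pack("!BBH", 2, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def reply_is_authentic(pkt, req_auth, secret):
    """Only a server holding the same shared secret can produce a matching authenticator."""
    attrs = pkt[20:struct.unpack("!H", pkt[2:4])[0]]
    return pkt[4:20] == hashlib.md5(pkt[:4] + req_auth + attrs + secret).digest()

def parse_reply(pkt, req_auth, secret):
    """Verify the reply, then decode Service-Type (6) and the Cisco-AVPair VSA (26, vendor 9, type 1)."""
    if not reply_is_authentic(pkt, req_auth, secret):
        raise ValueError("Response Authenticator mismatch: wrong secret or forged reply")
    result, pos, attrs = {"code": pkt[0], "id": pkt[1]}, 0, pkt[20:struct.unpack("!H", pkt[2:4])[0]]
    while pos < len(attrs):
        t, l = attrs[pos], attrs[pos + 1]
        v = attrs[pos + 2:pos + l]
        if t == 6:
            result["Service-Type"] = struct.unpack("!I", v)[0]  # 2 = Framed-User
        elif t == 26 and struct.unpack("!I", v[:4])[0] == CISCO and v[4] == 1:
            result["Cisco-AVPair"] = v[6:4 + v[5]].decode()
        pos += l
    return result

def demo_reply():
    av = b"shell:priv-lvl=17"[:15] + b"15"  # constructed reply matching the page's test: "shell:priv-lvl=15"
    vsa = struct.pack("!IBB", CISCO, 1, 2 + len(av)) + av
    return access_accept(79, REQ_AUTH, SECRET, attr(6, struct.pack("!I", 2)) + attr(26, vsa))
```

parse_reply(demo_reply(), REQ_AUTH, SECRET) returns the same Service-Type and Cisco-AVPair that radtest printed above, and the reply is 51 bytes long, matching length=51 in the transcript.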
Firewall
I'm not a cisco guy but here's the config:
aaa-server RADIUS protocol radius
aaa-server RADIUS (web) host 1.2.3.4
 key radius-secret-here
 authentication-port 1812
tunnel-group inmarkit_vpn type ipsec-ra
tunnel-group inmarkit_vpn general-attributes
 address-pool mypool
 default-group-policy client_vpn
 authentication-server-group RADIUS
 authentication-server-group (web) RADIUS
tunnel-group client_vpn ipsec-attributes
 pre-shared-key xxx