Formatting code for SecutiryRadiusCiscoVPN


{{parent page="Security"}}

==Using Radius as auth backend for Cisco VPN==
Ref: http://www.ibm.com/developerworks/library/l-radius/

===Install freeradius===
%%
yum -y install freeradius
%%

===Start service and perform basic test===
%%
service radiusd start
chkconfig radiusd on
radtest test test localhost 0 testing123
%%

===Configure logging for radiusd===
%%(text;radiusd.conf)
log_auth = yes
log_auth_badpass = no
log_auth_goodpass = no
%%

===Configure client shared secret===
%%(text;clients.conf)
# Make sure this IP is the inside address of the firewall
client FIREWALL-IP {
    secret = some-shared-secret
    shortname = cisco-vpn
    nastype = other
}
%%

===Create a local user and test===
%%
# the vpn group must exist before a user can be added to it
groupadd vpn
useradd -g vpn client1
# --stdin is specific to the RHEL/CentOS passwd; "passwd client1 < file" would read a file, not the password
echo "some-pass" | passwd --stdin client1
%%

For system auth to work, /etc/shadow needs to be readable by the radiusd user. Adjust the group ownership and permissions (chgrp/chmod) so that only the radiusd group gains read access; do not make the file world-readable.

===Test it===
%%
> radtest client1 some-pass localhost 0 testing123
Sending Access-Request of id 79 to 127.0.0.1 port 1812
User-Name = "client1"
User-Password = "some-pass"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=79, length=20

> tail -1 /var/log/radius/radius.log
Thu Feb 18 23:20:23 2010 : Auth: Login OK: [client1/some-pass] (from client localhost port 0)
%%


===Set this up to be used with Cisco===
This goes in the users file (not clients.conf): the first line holds the check items, the indented lines the reply items.
%%(text;users)
client1 Auth-Type = System
        Service-Type = Framed-User,
        cisco-avpair = "shell:priv-lvl=15"
%%

Auth should succeed, and the Access-Accept should now carry the specified Service-Type and Cisco-AVPair reply items.
%%
> radtest client1 some-pass localhost 0 testing123
Sending Access-Request of id 77 to 127.0.0.1 port 1812
User-Name = "client1"
User-Password = "some-pass"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=77, length=51
Service-Type = Framed-User
Cisco-AVPair = "shell:priv-lvl=15"
%%
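As an added illustration (not part of the original page), here is a small Python model of what radtest and radiusd exchange above: the RFC 2865 User-Password hiding under the shared secret, and the Access-Accept carrying Service-Type plus the Cisco-AVPair vendor-specific attribute, including the Response Authenticator check a NAS must do before trusting a reply. The secret, Request Authenticator and packet bytes are constructed sample values, not a capture.

```python
import hashlib
import struct

CISCO_VENDOR_ID = 9                      # IANA enterprise number for Cisco (carried in VSA type 26)
SERVICE_TYPE_NAMES = {2: "Framed-User", 6: "Administrative-User"}

def user_password_xor(data: bytes, secret: bytes, request_auth: bytes, hide: bool) -> bytes:
    """RFC 2865 5.2 User-Password hiding (hide=True, what radtest does) or its inverse (what
    radiusd does): each 16-byte block is XORed with MD5(secret + previous hidden block), the
    first block with the Request Authenticator. Only the shared secret protects the password."""
    data = data + b"\x00" * (-len(data) % 16) if hide else data
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev, out = (block if hide else data[i:i + 16]), out + block
    return out if hide else out.rstrip(b"\x00")

def build_access_accept(ident: int, request_auth: bytes, secret: bytes, attrs: bytes) -> bytes:
    """Access-Accept (code 2); Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    header = struct.pack("!BBH", 2, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def verify_response_authenticator(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The NAS must check this, or a forged Access-Accept from anyone on the path would be trusted."""
    return packet[4:20] == hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()

def parse_access_accept(packet: bytes, request_auth: bytes, secret: bytes) -> dict:
    """Verify the reply, then decode Service-Type and any Cisco-AVPair VSAs into a dict."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 2 or length != len(packet) or not verify_response_authenticator(packet, request_auth, secret):
        raise ValueError("not an authentic, well-formed Access-Accept")
    attrs, i = {}, 20
    while i + 2 <= length:
        t, l = packet[i], packet[i + 1]
        if l < 2 or i + l > length:
            raise ValueError("bad attribute length")
        v = packet[i + 2:i + l]
        if t == 6:                                   # Service-Type (32-bit integer)
            attrs["Service-Type"] = SERVICE_TYPE_NAMES.get(struct.unpack("!I", v)[0])
        elif t == 26 and struct.unpack("!I", v[:4])[0] == CISCO_VENDOR_ID and v[4] == 1:
            attrs.setdefault("Cisco-AVPair", []).append(v[6:4 + v[5]].decode())  # Cisco VSA type 1
        i += l
    return attrs

# Constructed sample values (not a real capture): the reply the users entry above should produce.
SECRET, REQUEST_AUTH, AVPAIR = b"some-shared-secret", bytes(range(16)), b"shell:priv-lvl=15"
REPLY_ATTRS = (bytes([6, 6]) + struct.pack("!I", 2)                          # Service-Type = Framed-User
               + bytes([26, 8 + len(AVPAIR), 0, 0, 0, CISCO_VENDOR_ID, 1, 2 + len(AVPAIR)]) + AVPAIR)
SAMPLE_ACCEPT = build_access_accept(77, REQUEST_AUTH, SECRET, REPLY_ATTRS)
```

The constructed Access-Accept comes out at 51 bytes, the same length radtest reports above, and parsing it with the wrong secret is rejected rather than decoded.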


===Firewall===
I'm not a Cisco guy, but here's the config:
%%
aaa-server RADIUS protocol radius
aaa-server RADIUS (web) host 1.2.3.4
 key radius-secret-here
 authentication-port 1812

tunnel-group inmarkit_vpn type ipsec-ra
tunnel-group inmarkit_vpn general-attributes
 address-pool mypool
 default-group-policy client_vpn
 authentication-server-group RADIUS
 authentication-server-group (web) RADIUS

tunnel-group client_vpn ipsec-attributes
 pre-shared-key xxx
%%