Overview
This document describes how to set up a FreeRADIUS server. A MySQL server is used as the backend and for user accounting. OpenVPN together with the radiusplugin from Ralf Lübben acts as the NAS (network access server).
I do not guarantee anything in this howto. In my environment this setup is doing a great job, so hopefully it will do the same for you.
[Update on 2008-10-03]:
This setup also works with freeradius version 2.1.0, while this document was originally written for a 1.x version. Much of the structure has changed in the newer release, but you can apply this howto to that version as well.
[Update on 2009-04-25]:
LDAP authentication coming soon. It is still on my personal wish list!
[Update on 2010-08-19]:
Added quick radiusplugin build instructions at the bottom of this document
[Update on 2010-08-31]:
Finally got LDAP included!
[Update on 2010-10-15]:
Enabled trackbacks and pingbacks for this site
Required software
The installation was done on Ubuntu Gutsy Gibbon and is still valid up to the current Lucid Lynx (package versions may differ by now):
- freeradius (1.1.6-2)
- freeradius-mysql (1.1.6-2)
- mysql-server-5.0 (5.0.45-1ubuntu2)
- openvpn (2.0.9-8)
- radiusplugin_v2.1_beta9.tar.gz (please download separately)
- libgcrypt11-dev (1.2.4-2ubuntu2)
I assume that a MySQL server is already up and running.
RADIUS-Server
After having successfully installed freeradius and freeradius-mysql using aptitude (apt-get), change to the directory /etc/freeradius.
radiusd.conf:
Please change the following variable in the section PROXY CONFIGURATION:
proxy_requests = no
Please comment out every files entry and enable the sql statements, as shown. The changes should look similar to this:
authorize {
preprocess
chap
mschap
suffix
eap
sql
}
preacct {
preprocess
acct_unique
suffix
}
accounting {
detail
unix
radutmp
sql
}
For freeradius 2.x, in the file /etc/freeradius/sites-enabled/default:
authorize {
sql
}
authenticate {
}
preacct {
acct_unique
}
accounting {
sql
}
session {
sql
}
post-auth {
}
pre-proxy {
}
post-proxy {
}
As you can see, only the sql statements are required, no others. Please give feedback if you require more information on the freeradius 2.x configuration.
You do not need to change anything else in these configuration files; everything else stays as it is.
clients.conf:
client 127.0.0.1 {
secret = EinsupertollesSecret
shortname = localhost
}
Choose a secret that is as strong as possible. The same value is required again in a later configuration file below (the radiusplugin configuration).
sql.conf:
sql {
driver = "rlm_sql_mysql"
server = "127.0.0.1"
login = "radius"
password = "MySQL-password-see-next-paragraph"
radius_db = "radius"
...
}
MySQL
mysql -u root -h 127.0.0.1 -p
Please insert the following schema into MySQL:
zcat /usr/share/doc/freeradius/examples/mysql.sql.gz | \
mysql -u root -prootpass radius
mysql -u root -prootpass
mysql> GRANT ALL ON radius.* TO radius@'127.0.0.1' IDENTIFIED BY 'Use the same password as in sql.conf';
Next, some example entries:
mysql> select * from radcheck;
+----+-----------+----------------+----+---------------+
| id | UserName  | Attribute      | op | Value         |
+----+-----------+----------------+----+---------------+
|  1 | croessner | Crypt-Password | := | XXXXXXXXXXXXX |
+----+-----------+----------------+----+---------------+
You can use the MySQL ENCRYPT() function to create the passwords.
mysql> select * from radgroupcheck;
+----+-----------+-----------+----+-------------+
| id | GroupName | Attribute | op | Value       |
+----+-----------+-----------+----+-------------+
|  1 | dynamic   | Auth-Type | := | Crypt-Local |
+----+-----------+-----------+----+-------------+
mysql> select * from radgroupreply;
+----+-----------+-----------------------+----+-------+
| id | GroupName | Attribute             | op | Value |
+----+-----------+-----------------------+----+-------+
|  1 | dynamic   | Acct-Interim-Interval | =  | 60    |
+----+-----------+-----------------------+----+-------+
mysql> select * from radreply;
+----+-----------+-------------------+----+-------------------------------+
| id | UserName  | Attribute         | op | Value                         |
+----+-----------+-------------------+----+-------------------------------+
|  1 | croessner | Framed-IP-Address | =  | 10.10.0.153                   |
|  2 | croessner | Framed-Route      | =  | 192.168.3.0/24 10.10.0.2/32 1 |
+----+-----------+-------------------+----+-------------------------------+
Short description:
After the user croessner has logged on, the IP 10.10.0.153 is assigned to his computer as a point-to-point connection with the endpoint IP 10.10.0.154. At the same time, the OpenVPN server updates its internal routing table and adds the network 192.168.3.0/24. If you wish to assign more than one route, you have to use the '+=' operator for every additional row.
mysql> select * from radusergroup;
+-----------+-----------+----------+
| UserName  | GroupName | priority |
+-----------+-----------+----------+
| croessner | dynamic   |        1 |
+-----------+-----------+----------+
I have to mention for the tables shown here that the usage of the operators is not entirely trivial. You can find more information in /usr/share/doc/freeradius/rlm_sql.gz.
I explicitly use "Crypt-Password" entries in these examples. If this is not desired, you can use the attribute "Cleartext-Password", but then you have to choose the value "Local" for Auth-Type in the table "radgroupcheck".
You can find more information in the README at http://wiki.freeradius.org/SQL_HOWTO.
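To make the operator rules concrete, here is an added example (my own code, not from the howto or from FreeRADIUS) that loads the rows shown above into an in-memory SQLite stand-in for the radius database and merges them the way rlm_sql's authorize step does: user check and reply rows first, then the groups in priority order. The second user "bob", the Fall-Through handling and the exact ordering are assumptions of this model, not the module's own code.

```python
import sqlite3

# Constructed rows mirroring the howto's tables, plus a hypothetical user
# "bob" whose two Framed-Route rows both use "=" (to show why "+=" is needed).
SAMPLE_ROWS = {
    "radcheck": [("croessner", "Crypt-Password", ":=", "XXXXXXXXXXXXX")],
    "radreply": [
        ("croessner", "Framed-IP-Address", "=", "10.10.0.153"),
        ("croessner", "Framed-Route", "=", "192.168.3.0/24 10.10.0.2/32 1"),
        ("croessner", "Framed-Route", "+=", "192.168.4.0/24 10.10.0.2/32 1"),
        ("bob", "Framed-Route", "=", "192.168.5.0/24 10.10.0.2/32 1"),
        ("bob", "Framed-Route", "=", "192.168.6.0/24 10.10.0.2/32 1"),
    ],
    "radgroupcheck": [("dynamic", "Auth-Type", ":=", "Crypt-Local")],
    "radgroupreply": [("dynamic", "Acct-Interim-Interval", "=", "60")],
    "radusergroup": [("croessner", "dynamic", 1), ("bob", "dynamic", 1)],
}


def sample_db():
    """In-memory SQLite stand-in for the MySQL 'radius' database (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE radcheck (id INTEGER PRIMARY KEY, UserName TEXT, Attribute TEXT, op TEXT, Value TEXT);
        CREATE TABLE radreply (id INTEGER PRIMARY KEY, UserName TEXT, Attribute TEXT, op TEXT, Value TEXT);
        CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, GroupName TEXT, Attribute TEXT, op TEXT, Value TEXT);
        CREATE TABLE radgroupreply (id INTEGER PRIMARY KEY, GroupName TEXT, Attribute TEXT, op TEXT, Value TEXT);
        CREATE TABLE radusergroup (UserName TEXT, GroupName TEXT, priority INTEGER);
    """)
    for table, rows in SAMPLE_ROWS.items():
        marks = ", ".join("?" * len(rows[0]))
        prefix = "" if table == "radusergroup" else "NULL, "   # let id auto-assign
        conn.executemany(f"INSERT INTO {table} VALUES ({prefix}{marks})", rows)
    return conn


def apply_op(items, attr, op, value):
    """Merge one row into an attribute list using the rlm_sql / users-file
    operator semantics. Request-comparison operators such as == are not
    modelled here (simplification)."""
    if op == "=":          # add only if no attribute of this name exists yet
        if all(a != attr for a, _ in items):
            items.append((attr, value))
    elif op == ":=":       # replace every existing instance of the attribute
        items[:] = [(a, v) for a, v in items if a != attr] + [(attr, value)]
    elif op == "+=":       # always add one more instance
        items.append((attr, value))
    elif op == "-=":       # remove matching instances
        items[:] = [(a, v) for a, v in items if not (a == attr and v == value)]
    else:
        raise ValueError(f"operator {op!r} not modelled here")


def build_lists(conn, username):
    """Walk the tables in the order rlm_sql does: user check items, user reply
    items, then each group by priority (group check, then group reply).
    Assumption: group processing stops after the first group unless its
    reply items carry Fall-Through = Yes."""
    check, reply = [], []
    for row in conn.execute("SELECT Attribute, op, Value FROM radcheck "
                            "WHERE UserName = ? ORDER BY id", (username,)):
        apply_op(check, *row)
    for row in conn.execute("SELECT Attribute, op, Value FROM radreply "
                            "WHERE UserName = ? ORDER BY id", (username,)):
        apply_op(reply, *row)
    groups = conn.execute("SELECT GroupName FROM radusergroup "
                          "WHERE UserName = ? ORDER BY priority", (username,)).fetchall()
    for (group,) in groups:
        for row in conn.execute("SELECT Attribute, op, Value FROM radgroupcheck "
                                "WHERE GroupName = ? ORDER BY id", (group,)):
            apply_op(check, *row)
        for row in conn.execute("SELECT Attribute, op, Value FROM radgroupreply "
                                "WHERE GroupName = ? ORDER BY id", (group,)):
            apply_op(reply, *row)
        if ("Fall-Through", "Yes") not in reply:
            break
    return check, reply


def values(items, attr):
    """All values of one attribute, in reply order."""
    return [v for a, v in items if a == attr]


if __name__ == "__main__":
    db = sample_db()
    for user in ("croessner", "bob"):
        chk, rep = build_lists(db, user)
        print(user, "check:", chk)
        print(user, "reply:", rep)
```

Running it shows croessner with both routes while bob, who used "=" twice, keeps only his first Framed-Route row.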
OpenVPN
At the time of writing, the radiusplugin is not available as an Ubuntu package, therefore you have to download and compile the source code. Please install the GNU compiler g++ and make, i.e. a basic set of tools that lets you compile C++ applications (on Ubuntu the package build-essential).
cd /usr/local/src/
wget http://www.nongnu.org/radiusplugin/radiusplugin_v2.0b_beta2.tar.gz
tar xvzf radiusplugin_v2.0b_beta2.tar.gz
cd /usr/local/src/radiusplugin_v2.0b_beta2
After that run “make”.
The result is called radiusplugin.so.
cp /usr/local/src/radiusplugin_v2.0b_beta2/radiusplugin.so /etc/openvpn/
Please also copy the file radiusplugin.cnf from the directory /usr/local/src/radiusplugin_v2.0b_beta2 to /etc/openvpn.
The configuration should look something like this:
NAS-Identifier=OpenVpn
# The service type which is sent to the RADIUS server
Service-Type=5
# The framed protocol which is sent to the RADIUS server
Framed-Protocol=1
# The NAS port type which is sent to the RADIUS server
NAS-Port-Type=5
# The NAS IP address which is sent to the RADIUS server
NAS-IP-Address=127.0.0.1
# Path to the OpenVPN configfile. The plugin searches there for
# client-config-dir PATH (searches for the path)
# status FILE (searches for the file, version must be 1)
# client-cert-not-required (if the option is used or not)
# username-as-common-name (if the option is used or not)
OpenVPNConfig=/etc/openvpn/radiusvpn.conf
# Support for topology option in OpenVPN 2.1
# If you don't specify anything, option "net30" (default in OpenVPN) is used.
# You can only use one of the options at the same time.
# If you use topology option "subnet", fill in the right netmask, e.g. from
# OpenVPN option "--server NETWORK NETMASK"
#subnet=255.255.255.0
# If you use topology option "p2p", fill in the right network, e.g. from OpenVPN
# option "--server NETWORK NETMASK"
#p2p=10.10.0.1
####################### I use the default option
# Allows the plugin to overwrite the client config in client config file directory,
# default is true
overwriteccfiles=true
# Path to a script for vendor specific attributes.
# Leave it out if you don't use an own script.
# vsascript=/root/workspace/radiusplugin_v2.0.5_beta/vsascript.pl
# Path to the pipe for communication with the vsascript.
# Leave it out if you don't use an own script.
# vsanamedpipe=/tmp/vsapipe
# A radius server definition, there could be more than one.
# The priority of the server depends on the order in this file. The first one
# has the highest priority.
server
{
# The UDP port for radius accounting.
acctport=1813
# The UDP port for radius authentication.
authport=1812
# The name or ip address of the radius server.
name=127.0.0.1
# How many times should the plugin resend the request if there is no response?
retry=1
# How long should the plugin wait for a response?
wait=1
# The shared secret.
sharedsecret=Hier das Secret aus der client.conf des Radius-Servers
}
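The sharedsecret above and the secret in the server's clients.conf are the only thing that authenticates the RADIUS exchange between the plugin and FreeRADIUS. As an added example (my own code, not part of the howto or the plugin), this Python script builds the PAP Access-Request the plugin sends, hides the password with the shared secret as RFC 2865 requires, and verifies the Response Authenticator of the Access-Accept before trusting reply items such as Framed-IP-Address; the secret, user name and reply attributes are constructed sample values.

```python
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
# Attribute numbers and data types (RFC 2865/2869) for the attributes this howto uses
ATTRS = {
    "User-Name": (1, "string"), "User-Password": (2, "octets"),
    "NAS-IP-Address": (4, "ipaddr"), "NAS-Port": (5, "integer"),
    "Framed-IP-Address": (8, "ipaddr"), "Framed-Route": (22, "string"),
    "Acct-Interim-Interval": (85, "integer"),
}
BY_NUMBER = {num: (name, kind) for name, (num, kind) in ATTRS.items()}


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous
    block); the first block is keyed with the Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of the same scheme. With a different secret this yields
    garbage, so a secret mismatch shows up as a failed password check."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """Serialise (name, value) pairs as Type/Length/Value attributes."""
    out = b""
    for name, value in attrs:
        num, kind = ATTRS[name]
        if kind == "integer":
            raw = struct.pack("!I", value)
        elif kind == "ipaddr":
            raw = socket.inet_aton(value)
        elif kind == "string":
            raw = value.encode()
        else:
            raw = value
        out += struct.pack("!BB", num, len(raw) + 2) + raw
    return out


def decode_attrs(data):
    """Parse TLV attributes; unknown types are returned as raw octets."""
    attrs, i = [], 0
    while i < len(data):
        num, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        raw = data[i + 2:i + length]
        name, kind = BY_NUMBER.get(num, (num, "octets"))
        if kind == "integer":
            value = struct.unpack("!I", raw)[0]
        elif kind == "ipaddr":
            value = socket.inet_ntoa(raw)
        elif kind == "string":
            value = raw.decode()
        else:
            value = raw
        attrs.append((name, value))
        i += length
    return attrs


def build_access_request(ident, secret, username, password, nas_ip="127.0.0.1"):
    """What radtest or the OpenVPN plugin sends for a PAP login. Returns the
    packet and the Request Authenticator needed to check the server's reply."""
    authenticator = os.urandom(16)
    body = encode_attrs([
        ("User-Name", username),
        ("User-Password", hide_password(password.encode(), secret, authenticator)),
        ("NAS-IP-Address", nas_ip), ("NAS-Port", 0)])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return header + authenticator + body, authenticator


def build_response(code, ident, secret, request_authenticator, attrs):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + resp_auth + body


def verify_response(packet, secret, request_authenticator):
    """Client side check before trusting any reply attribute. Returns
    (code, attrs) or raises ValueError when the secret does not match."""
    if len(packet) < 20:
        raise ValueError("packet too short")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch: shared secret differs?")
    return code, decode_attrs(packet[20:])
```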
Point-to-Multipoint Server
Please set up a point-to-multipoint configuration. Tip: use the easy-rsa package, which you can install separately with aptitude, e.g.:
cp -a /usr/share/doc/openvpn/examples/easy-rsa /etc
cd /etc/easy-rsa/2.0/
Edit the file vars and change the lines as described in the README.
source vars
./clean-all
./build-ca
./build-key-server server
./build-dh
Now you can create one or more client certificates:
./build-key cl1
cd keys
openvpn --genkey --secret ta.key
Now change to the directory /etc/openvpn and copy the generated keys from the easy-rsa keys directory:
cd /etc/openvpn
mkdir ssl
cp -a /etc/easy-rsa/2.0/keys/{ca.crt,dh1024.pem,ta.key,server.crt,server.key} ssl/
Use an editor and put in the following sample configuration:
radiusvpn.conf:
dev tun
fast-io
user nobody
group nogroup
persist-tun
persist-key
server 10.10.0.0 255.255.255.0
management 127.0.0.1 7505
float
username-as-common-name
client-config-dir ccd
client-to-client
push "redirect-gateway def1"
push "dhcp-option NTP 10.10.0.1"
push "dhcp-option DOMAIN lan"
push "dhcp-option DNS 10.10.0.1"
ping-timer-rem
keepalive 10 60
# Use compression
comp-lzo
# Strong encryption
tls-server
tls-auth ssl/ta.key 0
dh ssl/dh1024.pem
cert ssl/server.crt
key ssl/server.key
ca ssl/ca.crt
plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf
verb 3
mute 10
status /var/log/openvpn/status.log 1
log /var/log/openvpn/radiusvpn.log
mkdir /etc/openvpn/ccd
mkdir /var/log/openvpn
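The status file written by the "status /var/log/openvpn/status.log 1" line in radiusvpn.conf is what the radiusplugin reads to fill in accounting octets, and with username-as-common-name the Common Name column equals the RADIUS User-Name. This added example (my own code, not the plugin's) parses the version 1 status format from a constructed sample and maps one session's counters to Acct-Input-Octets / Acct-Output-Octets; the mapping direction (bytes the server received from the client count as input) is my assumption about how a NAS reports them.

```python
# Constructed sample of an OpenVPN status file written with "status FILE 1"
# (version 1 format). Addresses and counters are made up.
SAMPLE_STATUS = """OpenVPN CLIENT LIST
Updated,Thu Aug 19 10:00:00 2010
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
croessner,203.0.113.7:51234,123456,7891011,Thu Aug 19 09:30:12 2010
cl1,198.51.100.9:60529,4096,8192,Thu Aug 19 09:45:00 2010
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.10.0.153,croessner,203.0.113.7:51234,Thu Aug 19 09:59:58 2010
10.10.0.6,cl1,198.51.100.9:60529,Thu Aug 19 09:59:59 2010
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

SECTION_MARKERS = ("OpenVPN CLIENT LIST", "ROUTING TABLE", "GLOBAL STATS", "END")


def parse_status_v1(text):
    """Parse the version 1 status file into {common_name: session dict}.
    Rows are comma separated with a header line per section; common names
    containing commas are not handled (same limitation as the format)."""
    sessions, section, header = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line in SECTION_MARKERS:
            section, header = line, None
            continue
        fields = line.split(",")
        if section == "OpenVPN CLIENT LIST":
            if fields[0] == "Updated":
                continue
            if header is None:
                header = fields
                continue
            if len(fields) != len(header):
                raise ValueError(f"unexpected client row: {line}")
            row = dict(zip(header, fields))
            sessions[row["Common Name"]] = {
                "real_address": row["Real Address"],
                "bytes_received": int(row["Bytes Received"]),
                "bytes_sent": int(row["Bytes Sent"]),
                "connected_since": row["Connected Since"],
            }
        elif section == "ROUTING TABLE":
            if header is None:
                header = fields
                continue
            row = dict(zip(header, fields))
            entry = sessions.setdefault(row["Common Name"], {})
            entry["virtual_address"] = row["Virtual Address"]
    return sessions


def accounting_octets(sessions, common_name):
    """Counters for an Interim-Update or Stop record of this session, as the
    NAS reports them: bytes received from the client are Acct-Input-Octets,
    bytes sent to the client are Acct-Output-Octets. Returns None when the
    user is not in the file, i.e. there is no accounting data for it."""
    session = sessions.get(common_name)
    if session is None or "bytes_received" not in session:
        return None
    return {"Acct-Input-Octets": session["bytes_received"],
            "Acct-Output-Octets": session["bytes_sent"]}


if __name__ == "__main__":
    parsed = parse_status_v1(SAMPLE_STATUS)
    for name in parsed:
        print(name, parsed[name].get("virtual_address"), accounting_octets(parsed, name))
```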
That's it
The server is ready to go. Now you can start the services freeradius, mysql and openvpn.
Afterwards you can configure the client(s). The following output is just an idea of how it could look. Any further documentation can be found on the project website.
Client example
dev tun
fast-io
persist-key
persist-tun
replay-persist radiusvpn.d/cur-replay-protection.cache
# Our remote peer
nobind
remote <HIER_REMOTE_ADRESSE_DES_OPENVPN_SERVERS> 1194
pull
# Use compression
comp-lzo
# Strong encryption
tls-client
tls-remote server
ns-cert-type server
tls-auth ssl/ta.key 1
cert ssl/common.crt
key ssl/common.key
ca ssl/ca.crt
verb 3
mute 10
auth-user-pass radiusvpn.d/auth-user-pass.conf
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
# log /var/log/openvpn.log
mkdir /etc/openvpn/radiusvpn.d
Change to that directory and create the file auth-user-pass.conf. Please also refer to the openvpn manpage for the parameter --auth-user-pass.
Test it ... be happy
Have fun. You can send me bug reports concerning this howto to Christian Roessner <info@roessner-net.com> or, if you like, just leave a comment.
Extract the plugin archive:
# wget "http://www.nongnu.org/radiusplugin/radiusplugin_v2.1_beta9.tar.gz"
# tar xvzf radiusplugin_v2.1_beta9.tar.gz
Building the radius plugin:
# make
# cp radiusplugin.so /etc/openvpn/plugins/
Update 2010-08-31:
LDAP for authorization and authentication
Instead of using MySQL for authorization and authentication, you can bind FreeRADIUS to an LDAP server. I have not done this with OpenVPN as the NAS yet, but with pppoe-server (rp-pppoe), and the steps should be nearly the same. Here is what I have done.
To use LDAP with freeradius, you need to install freeradius-ldap and slapd.
authorize {
preprocess
files
sql
ldap
expiration
logintime
}
authenticate {
Auth-Type LDAP {
ldap
}
}
preacct {
preprocess
acct_unique
suffix
files
}
accounting {
sql
}
session {
sql
}
post-auth {
ldap
exec
}
pre-proxy {
}
post-proxy {
}
Notice: you also need the files module, otherwise LDAP cannot look up profiles for reply items. At the moment I do not know whether there is another way of looking up the GroupName. Maybe someone else can give a hint here.
Modify the users file like this (example):
        Reply-Message = "Account disabled. Please call the helpdesk.",
        Fall-Through = no
DEFAULT Ldap-Group == flat10000, User-Profile := "uid=flat10000,ou=profiles,ou=radius,ou=wl,dc=example,dc=org"
        Fall-Through = no
DEFAULT Auth-Type := Reject
        Reply-Message = "Please call the helpdesk."
The ldap module configuration for freeradius might look like this:
ldap {
server = "wl00.wl.example.org" # Insert your exact FQDN here, if using TLS
identity = "cn=proxyuser,dc=example,dc=org"
password = YOUR-LDAPY-PROXYUSER-PW-HERE
basedn = "ou=wl,dc=example,dc=org"
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
base_filter = "(objectclass=radiusprofile)"
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
tls {
start_tls = yes
cacertfile = /ca/cacert_org.crt # I use certificates signed by http://www.cacert.org
require_cert = "demand"
}
dictionary_mapping = ${confdir}/ldap.attrmap
password_attribute = userPassword
edir_account_policy_check = no
groupname_attribute = radiusGroupName
groupmembership_filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(objectclass=radiusprofile))"
compare_check_items = no
}
Add the freeradius-schema for LDAP to the slapd.conf (or include it in slapd.d).
A sample init.ldif is shown here:
dn: dc=example,dc=org
objectClass: top
objectClass: dcObject
objectClass: organization
dc: example
o: MyCompany

dn: ou=wl,dc=example,dc=org
objectClass: organizationalUnit
objectClass: top
ou: wl

dn: ou=users,ou=wl,dc=example,dc=org
objectClass: organizationalUnit
objectClass: top
ou: users

dn: ou=radius,ou=wl,dc=example,dc=org
objectClass: organizationalUnit
objectClass: top
ou: radius

dn: ou=profiles,ou=radius,ou=wl,dc=example,dc=org
objectClass: organizationalUnit
objectClass: top
ou: profiles

# This sample is from PPPoE and shows some vendor specific attributes
dn: uid=flat10000,ou=profiles,ou=radius,ou=wl,dc=example,dc=org
objectClass: radiusObjectProfile
objectClass: top
objectClass: radiusprofile
uid: flat10000
cn: flat10000
radiusReplyItem: Acct-Interim-Interval := 360
radiusReplyItem: RP-Downstream-Speed-Limit := 10240
radiusReplyItem: RP-Upstream-Speed-Limit := 10240
radiusIdleTimeout: 3600
radiusSessionTimeout: 86400
radiusSimultaneousUse: 1

dn: cn=proxyuser,dc=example,dc=org
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: proxyuser
userPassword: {SSHA}***************
description: LDAP administrator (read-only)

dn: uid=wl00000000,ou=users,ou=wl,dc=example,dc=org
objectClass: inetOrgPerson
objectClass: radiusprofile
uid: wl00000000
cn: Christian Roessner
sn: Roessner
givenName: Christian
l: Cityname_here
postalCode: Zip_code_here
postalAddress: Foobar street 4711
homePhone: +49 000 00000000
mail: sample@example.org
userPassword: Test123West
description: Testuser
radiusGroupName: flat10000
Notice: you may have noticed that I am using cleartext passwords. This differs from using MySQL as the store for users/passwords. I do not see this as a security problem.
I have configured LDAP with a proxyuser that has read-only access to all data.
Here is my sample slapd.conf:
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/freeradius.schema # You can find it in the doc folder somewhere in freeradius
argsfile /var/run/slapd/slapd.args
pidfile /var/run/slapd/slapd.pid
modulepath /usr/lib/ldap
moduleload back_hdb.la
loglevel 256
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
security ssf=1 update_ssf=112 simple_bind=64
TLSCACertificateFile /ca/cacert_org.crt
TLSCertificateFile /ca/newcert.pem
TLSCertificateKeyFile /ca/newkey.pem
database frontend
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
access to dn.base=""
by * read
access to dn.base="cn=Subschema"
by * read
access to *
by self write
by users read
by anonymous auth
database config
rootdn cn=config
rootpw {SSHA}*****************
database hdb
suffix dc=example,dc=org
rootdn cn=admin,dc=example,dc=org
rootpw {SSHA}*****************
directory /var/lib/ldap
index objectClass eq
# ... More indexes were added with Apache Directory Studio and are not listed here
access to attrs=userPassword,shadowLastChange
by self write
by dn.exact="cn=proxyuser,dc=example,dc=org" read
by anonymous auth
by * none
access to *
by dn.exact="cn=proxyuser,dc=example,dc=org" read
by users read
by * none
After finishing, you can delete everything concerning users from the MySQL server. The only table that will still be used is the radacct table; all other tables remain empty. You can also store users in both servers, but storing the same user in both is a bad idea.
See a final radtest here:
Sending Access-Request of id 215 to 127.0.0.1 port 1812
User-Name = "wl00000000"
User-Password = "PW_for_wl00000000"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=215, length=62
Idle-Timeout = 3600
Session-Timeout = 86400
Acct-Interim-Interval = 360
RP-Downstream-Speed-Limit = 10240
RP-Upstream-Speed-Limit = 10240
And LDAP sample output:
Aug 30 17:01:21 wl00 slapd[5100]: conn=2126 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Aug 30 17:01:21 wl00 slapd[5100]: conn=2126 op=0 STARTTLS
Aug 30 17:01:21 wl00 slapd[5100]: conn=2126 op=0 RESULT oid= err=0 text=
Aug 30 17:01:21 wl00 slapd[5100]: conn=2126 fd=15 TLS established tls_ssf=128 ssf=128
Aug 30 17:01:21 wl00 slapd[5100]: conn=2126 op=1 BIND dn="cn=proxyuser,dc=example,dc=org" method=128
Aug 30 17:01:21 wl00 slapd[5100]: conn=2126 op=1 BIND dn="cn=proxyuser,dc=example,dc=org" mech=SIMPLE ssf=0
Aug 30 17:01:21 wl00 slapd[5100]: conn=2126 op=1 RESULT tag=97 err=0 text=
...
...
Aug 30 19:08:42 wl00 slapd[5100]: conn=2126 op=15 SRCH base="ou=wl,dc=example,dc=org" scope=2 deref=0 filter="(uid=wl100001)"
Aug 30 19:08:42 wl00 slapd[5100]: conn=2126 op=15 SRCH attr=radiusNASIpAddress radiusExpiration acctFlags dBCSPwd sambaNtPassword sambaLmPassword ntPassword lmPassword radiusCallingStationId radiusCalledStationId radiusSimultaneousUse radiusAuthType radiusCheckItem radiusTunnelPrivateGroupId radiusTunnelMediumType radiusTunnelType radiusReplyMessage radiusLoginLATPort radiusPortLimit radiusFramedAppleTalkZone radiusFramedAppleTalkNetwork radiusFramedAppleTalkLink radiusLoginLATGroup radiusLoginLATNode radiusLoginLATService radiusTerminationAction radiusIdleTimeout radiusSessionTimeout radiusClass radiusFramedIPXNetwork radiusCallbackId radiusCallbackNumber radiusLoginTCPPort radiusLoginService radiusLoginIPHost radiusFramedCompression radiusFramedMTU radiusFilterId radiusFramedRouting radiusFramedRoute radiusFramedIPNetmask radiusFramedIPAddress radiusFramedProtocol radiusServiceType radiusReplyItem userPassword sasdefaultloginsequence
Aug 30 19:08:42 wl00 slapd[5100]: conn=2126 op=15 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug 30 19:08:42 wl00 slapd[5100]: conn=2126 op=16 SRCH base="uid=flat10000,ou=profiles,ou=radius,ou=wl,dc=example,dc=org" scope=0 deref=0 filter="(objectClass=radiusprofile)"
Aug 30 19:08:42 wl00 slapd[5100]: conn=2126 op=16 SRCH attr=radiusNASIpAddress radiusExpiration acctFlags dBCSPwd sambaNtPassword sambaLmPassword ntPassword lmPassword radiusCallingStationId radiusCalledStationId radiusSimultaneousUse radiusAuthType radiusCheckItem radiusTunnelPrivateGroupId radiusTunnelMediumType radiusTunnelType radiusReplyMessage radiusLoginLATPort radiusPortLimit radiusFramedAppleTalkZone radiusFramedAppleTalkNetwork radiusFramedAppleTalkLink radiusLoginLATGroup radiusLoginLATNode radiusLoginLATService radiusTerminationAction radiusIdleTimeout radiusSessionTimeout radiusClass radiusFramedIPXNetwork radiusCallbackId radiusCallbackNumber radiusLoginTCPPort radiusLoginService radiusLoginIPHost radiusFramedCompression radiusFramedMTU radiusFilterId radiusFramedRouting radiusFramedRoute radiusFramedIPNetmask radiusFramedIPAddress radiusFramedProtocol radiusServiceType radiusReplyItem userPassword sasdefaultloginsequence
Aug 30 19:08:42 wl00 slapd[5100]: conn=2126 op=16 SEARCH RESULT tag=101 err=0 nentries=1 text=
If you run the LDAP and freeradius server on the same machine, you could also forget about TLS and use a unix socket instead (in /etc/freeradius/modules/ldap: server="ldapi://%2fvar%2frun%2fslapd%2fldapi"). This works with the ssf settings from slapd.conf as well. I use ldapi and TLS, so I can manage LDAP remotely with Apache Directory Studio and still have a working setup even if I forget to renew the server certificate.
I know the part about binding freeradius to LDAP might not be as good as the first part of this howto, but I am short on time.
Hope it works for you.
For Windows users:
The config file should look something like this:
[...]
ca ssl/ca.crt
verb 3
mute 10
auth-user-pass
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
[...]
Have a look at the documentation of the OpenVPN project for more information, why this feature is unavailable.
I have found another bug. Remove the up/down and log options under Windows if you are using the OpenVPN GUI.
hi,
I'm very new to FreeRADIUS.
I have been trying to set up a radius server for about a week now and am still unable to get the mysql authentication to freeradius working. I have set up everything as best I can, but it's not working. When I try from the console, "sudo radtest mysqltest testsecret 127.0.0.1 0 radiussecret", it just keeps replying "Sending Access-Request of id 204 to 127.0.0.1 port 1812" about 10 times, and at the end it gives "radclient: no response from server for ID 204 socket 3".
I am sorry, but I currently have little time. I have to write some tests next week.
Little problem.. Auth – all fine.. But accounting – nothing.. in the log:
RADIUS-PLUGIN: BACKGROUND ACCT: No accounting data was found for …. so in\out octets = 0 in mysql table..
version of software:
openvpn --version
OpenVPN 2.1_rc11 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Sep 18 2008
—
radiusplugin_v2.1_beta
—
wtf? =(
Could you get your problem fixed? I did not have the time to answer, yet, sorry.
yes.. I fixed this problem.. the trouble was in the status file format:
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
but radiusplugin reads it as
Virtual Address,Bytes Received,Bytes Sent,Connected Since
in the source file AcctScheduler.cpp in the function parseStatusFile,
so I replaced the parameter user->getKey() with user->getCommonname() (in my version CommonName is UNIQUE) like this:
this->parseStatusFile(context, &bytesin, &bytesout,user->getCommonname().c_str());
and accounting began to work..
P.S. sorry for my English – I'm Russian..
Hi,
directly after your last answer, I posted this to Ralf. Today he wrote this over the mailing list:
[...]
I uploaded a new beta version. In the old beta version the accounting does not
work properly.
[...]
I've tried your tutorial.... and it works great... thank you...
But I have one problem... openvpn doesn't read the user profile in freeradius...
I set the profile bandwidth max up/down for every user to 128 kbps / 128 kbps...
But users still get more bandwidth than 128/128 kbps...
how to limit the bandwidth of every user?
sorry, my English is not so good,, but I hope you can understand my question...
please.. help me...
Just took a short look at this topic, quite interesting, but since I have never played around with OpenVPN & RADIUS before, I have no clue what it can do for me. I am about to set up OpenVPN to connect our SOHO LAN with our rootserver, but I am not sure what benefits I'd have from combining it with RADIUS.
Christian, how many users do you handle with this setup? And how exactly do you use this setup (meaning, you explained how you have set it up, but not what it exactly does for you / what the benefit is compared to a setup without RADIUS)?
Well, I started doing this setup here when I played around with Linksys WRT54G routers. I had set up a wireless distributed network over four house levels, all of this with openwrt. Because the chipset inside the WRTs was a Broadcom, the driver was proprietary. The nas part which normally handles the WPA2 stuff was broken, so I could only use unencrypted connections. So I decided to set up a RADIUS server with openvpn on my root-server too, like you said, so people could log in with their username and password and surf securely.
At the moment, this setup is only active for my family. I use it if they have problems at home. But I had about 20 users when the routers were active here (I have discontinued the wireless distributed network service here).
The radius server has the advantage that you do not need a hand-made auth script for openvpn. I like the user information to be inside MySQL. And as described, I am thinking about doing authentication over ldap. So this setup actually is some kind of testing platform for me to learn more about all this. Hope you could understand me. I have not had coffee yet this morning *g*
Looks like I really have to do some reading on RADIUS.
@ alexdob
can you paste the whole AcctScheduler.cpp
because I tried to modify it like your modification, but it does not work
How can I configure radius with mysql?
It works, but it can't assign the specific ip (10.10.0.153). Why? Can you tell me?
I want my vpn client that connects to my server to get a static ip address, but I could not realize it (openvpn radiusplugin mysql framed-ip-address). I want to use the 'auth-user-pass' auth type.
can you help me, thank you
At the moment I have little time, so please, maybe you can help yourselves, guys?
Ok, I will try it again and again until I succeed, thanks for your reply.
I want to know how the openvpn server pushes the mask to the client. The client can get the ip address from the server but can't get the mask. Anyway, I set the mask in the radius to push to the client, but the client always gets mask 255.255.255.0. I don't know what the server bases the mask it pushes to the client on.
Hey,
I have enabled DHCP, but for some users I need to provide a static IP address. It is not working with the use of RADIUS: RADIUS is not replying with the IP address listed in Framed-IP-Address, it is still assigning dynamically.
Could you help please
Did you find the problem, yet? Or can you provide more details to your current configuration, so others have a chance to review it?
No, I have not found a solution yet. Which configuration do you want me to post, radius or OpenVPN?
For OpenVPN I have defined a set of IP addresses to allocate to users; the same I have configured for PPTP on the same server. When someone requests an IP through PPTP they get assigned a static IP, but for the VPN connection the system allocates from a pool of dynamic IP addresses.
Hi,
Thanks for a good write-up
BTW, if you are compiling the radiusplugin on Debian lenny as I was, and you get this error message:
RadiusClass/RadiusAttribute.h:24:20: error: gcrypt.h: No such file or directory
and you already have libgcrypt11 installed, you will also need to "apt-get install libgcrypt11-dev"; only then will your platform have the libgcrypt headers available to build the plugin.
This information was sourced from:
http://jan-krueger.net/development/truecrypt-system-drive-on-linux
Solution for ip address assignment via FreeRadius:
1. You will have to use at least OpenVPN 2.1
2. Add option “topology subnet” to openvpn.conf (server)
3. Uncomment the option "subnet=255.255.255.0" in radiusplugin.cnf
4. ???
5. PROFIT !!!
If this doesn’t help, provide some details.
I tried your solution for IP address assignment via FreeRadius and it works. Thanks a lot for posting this useful information. I was able to save a lot of time.
This is the best howto i’ve ever seen, well organized, well explained…
Thanks, BIG TIME …
Thank you very much
Thanks a lot!! I did it in Gentoo with little modifications and works!!
Hi
please, I would like to know how to run "make" for radiusplugin_v2.0b_beta2, because no radiusplugin.so appears after running make
thanks
Hi, I had not updated the requirements for a long time, which I did right after your last comment. There is a newer version of the radiusplugin available, so see above (link included) and follow the instructions at the bottom of the howto. If it still does not build, maybe provide additional information to us.
Hi
ok i went to try it now
and give you the result after
thanks for all
I have to configure the LDAP authentication to my Open VPN server so please help me how can I do this?
Please guide me
Thanks
Harsh Shah
Have you already tried the LDAP additions shown above?
Hi,
I've tried to configure IP address assignment from FreeRadius, but can't do it; OpenVPN still assigns addresses from the local pool.
I did everything I could find here, topology etc. etc.,
but I saw from the FreeRadius logs that the IP was assigned:
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
Sending Access-Accept of id 241 to 10.179.176.90 port 46971
Service-Type = Framed-User
Framed-IP-Netmask = 255.255.255.0
Framed-Routing = Broadcast-Listen
Framed-Compression = Van-Jacobson-TCP-IP
Acct-Interim-Interval = 5
Framed-Protocol = PPP
Framed-MTU = 1500
Framed-IP-Address = 10.8.0.4
but server assigned to client 10.8.0.2.
Can you pls help?
Also accounting didn’t work,
ADIUS-PLUGIN: BACKGROUND ACCT: No accounting data was found for hostame,ip:60529.
a lot of these records, but no accounting inside the DB.
Has anyone got Framed IP to work?
Here's the answer using radtest:
Sending Access-Request of id 133 to x.x.x.x port 1812
User-Name = “randomdude”
User-Password = “abc123″
NAS-IP-Address = x.x.x.x
NAS-Port = 0
rad_recv: Access-Accept packet from host x.x.x.x port 1812, id=133, length=32
Framed-IP-Address = 10.55.0.199
Acct-Interim-Interval = 60
But when I connect, the server doesn't push this Framed-IP.
Thu Nov 4 16:39:39 2010 us=267838 client1/x.x.x.x:3045 SENT CONTROL [client1]: ‘PUSH_REPLY,redirect-gateway,dhcp-option DNS 8.8.8.8,route 10.55.0.1,topology net30,ping 10,ping-restart 30,ifconfig 10.55.0.6 10.55.0.5′ (status=1)
Fredik, you must set up in your OpenVPN config file: client-config-dir (the directory must exist)
sample:
ON linux: mkdir ccd
openvpn config file:
client-config-dir ccd
I have this line in my config but I don't have the directory, and I have a similar problem.
I compared my current config on the server with the one above. Still the old same config and it works. So maybe you have missed some part from the howto?
First of all, I'd like to thank you, Chris, for your work and effort. This is a very nice howto, especially for newbies in this sphere like me.
I've a question, about which I've searched on google but found nothing. When I try to authenticate with my openvpn client, I receive this message: "AUTH: Received AUTH_FAILED control message"
The openvpn/radius server is giving this strange error in the message log:
====
openvpn[11168]: Libgcrypt warning: missing initialization – please fix the application
====
The server is – Centos 5.5 (i386)
OpenVpn: 2.1.1-2
radiusplugin:
===
RadiusPlugin: 2.0b/2.1a (the same problem in both versions)
===
libgcrypt:
===
libgcrypt-devel-1.4.4-5.el5
libgcrypt-1.4.4-5.el5
===
Any suggestions ?
Thx in advance !
To be honest? I have no idea about that. I still use that setup on Ubuntu LTS (Lucid) and I did not yet stumble over this problem. Maybe someone else knows a solution.
Sorry for posting that before I had fully investigated the case.
After some debugging I realized that the problem was in the openvpn authentication to radiusd (i.e. different secrets). I corrected the issue and everything is just fine now. The log entries misled me because of the strange error..
radius plugin version 2.0 won't compile with the latest g++ versions..
but they fixed the problem, and using radius plugin v2.1 fixes it:
http://www.nongnu.org/radiusplugin/radiusplugin_v2.1a_beta1.tar.gz
I have set up openvpn + freeradius and it's working except for Framed-IP-Address.
openvpn is selecting an IP from its IP pool list and ignoring the IP sent by freeradius..
Does anybody have any idea how to fix this problem?
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
modcall[authorize]: module “preprocess” returns ok for request 4
modcall[authorize]: module “chap” returns noop for request 4
modcall[authorize]: module “mschap” returns noop for request 4
rlm_eap: EAP packet type response id 1 length 21
rlm_eap: No EAP Start, assuming it’s an on-going EAP conversation
modcall[authorize]: module “eap” returns updated for request 4
users: Matched entry stacked.35.31241 at line 1
modcall[authorize]: module “files” returns ok for request 4
rlm_pap: Found existing Auth-Type, not changing it.
modcall[authorize]: module “pap” returns noop for request 4
modcall: leaving group authorize (returns updated) for request 4
rad_check_password: Found Auth-Type EAP
auth: type “EAP”
ERROR: Unknown value specified for Auth-Type. Cannot perform requested action.
auth: Failed to validate the user.
I need to know the cause for this error
I have experienced the Framed-IP-Address problem too. And after several hours of debugging I found a solution, at least for my problem.
- I was running openvpn directly from the openvpn folder (/etc/openvpn):
openvpn --daemon vpnserver1 --config vpnserver1.conf
- The radius plugin was writing to the ccd folder (which it read from the vpnserver1.conf file) correctly.
- But openvpn itself was not able to find the "ccd" folder despite the "client-config-dir ccd" configuration line.
- In the end, adding this line to the vpnserver1.conf file did the trick (without using the "topology subnet" option):
cd /etc/openvpn
- Running this from the command line would do the same:
openvpn --daemon vpnserver1 --config vpnserver1.conf --cd /etc/openvpn
So, it is basically a relative path/absolute path problem...
ENVIRONMENT
CentOS 5.6 x86_64
freeradius2-2.1.7-7.el5
radiusplugin_v2.1a_beta1
OpenVPN 2.2.1