
    OpenVpn + Radius

      Koby Peleg Hen
      last edited by Koby Peleg Hen

      Hello Guys ,
      I am trying to implement OpenVPN with security as follows:
      Openvpn Mode : RemoteAccess (Ssl/Tls + user Auth) + radius.

      I did some searching on the net and found out that I need to do some settings for the RADIUS EAP option.
      I did that, and I get the sense that the EAP setting has no effect on the setup.

      I understand that, because if I have user cert + password, that means that if I delete the user cert then the user should NOT have login access, but it does.

      Here is my radius conf :

      /usr/local/etc/raddb/radiusd.conf
      # NOTE(review): radiusd.conf as pasted; the libdir below points at a FreeRADIUS 3.0.21 install.
      prefix = /usr/local
      exec_prefix = ${prefix}
      sysconfdir = ${prefix}/etc
      localstatedir = /var
      sbindir = ${exec_prefix}/sbin
      logdir = ${localstatedir}/log
      raddbdir = ${sysconfdir}/raddb
      radacctdir = ${logdir}/radacct
      name = radiusd
      confdir = ${raddbdir}
      modconfdir = ${confdir}/mods-config
      # certdir and cadir both resolve to ${confdir}/certs; the eap module's tls-common section uses them.
      certdir = ${confdir}/certs
      cadir = ${confdir}/certs
      run_dir = ${localstatedir}/run
      db_dir = ${raddbdir}
      libdir = /usr/local/lib/freeradius-3.0.21
      pidfile = ${run_dir}/${name}.pid
      max_request_time = 30
      cleanup_delay = 5
      max_requests = 1024
      hostname_lookups = no
      regular_expressions = yes
      extended_expressions = yes
      
      log {
      	destination = syslog
      	colourise = yes
      	# NOTE(review): with destination = syslog the 'file' setting below is presumably not
      	# the active sink - confirm where the auth lines actually land before relying on them.
      	file = ${logdir}/radius.log
      	syslog_facility = daemon
      	stripped_names = no
      	auth = yes
      	# Neither good nor bad passwords are written to the log.
      	auth_badpass = no
      	auth_goodpass = no
      	msg_goodpass = ""
      	# NOTE(review): the User-Name is expanded into every failed-auth log line; a user who
      	# types a password into the username field ends up with it in syslog - decide whether
      	# that is acceptable for this log destination.
      	msg_badpass = "%{User-Name}"
      	msg_denied = "You are already logged in - access denied"
      }
      
      checkrad = ${sbindir}/checkrad
      security {
      	allow_core_dumps = no
      	max_attributes = 200
      	reject_delay = 1
      	status_server = no
      	# Disable this check since it may not be accurate due to how FreeBSD patches OpenSSL
      	# NOTE(review): this also switches off radiusd's own refusal to start on a known-vulnerable
      	# OpenSSL, so the base system's OpenSSL patch level has to be tracked separately.
      	allow_vulnerable_openssl = yes
      }
      
      # NOTE(review): clients.conf (not shown) holds the NAS entries and their shared secrets.
      $INCLUDE  clients.conf
      thread pool {
      	start_servers = 5
      	max_servers = 32
      	min_spare_servers = 3
      	max_spare_servers = 10
      	max_queue_size = 65536
      	max_requests_per_server = 0
      	auto_limit_acct = no
      }
      
      modules {
      	$INCLUDE ${confdir}/mods-enabled/
      }
      
      instantiate {
      	exec
      	expr
      	expiration
      	logintime
      	### Dis-/Enable sql instatiate
      	#sql
      	daily
      	weekly
      	monthly
      	forever
      }
      policy {
      	$INCLUDE policy.d/
      }
      # The virtual servers referenced by the eap module (inner-tunnel-ttls, inner-tunnel-peap,
      # soh-server) are expected under sites-enabled/; they are not shown in this post.
      $INCLUDE sites-enabled/
      

      Here is my EAP conf :

      /usr/local/etc/raddb/mods-enabled/eap
      ### EAP
      # NOTE(review): this module is only consulted for EAP requests. An OpenVPN server doing
      # "user auth" against RADIUS commonly sends a plain Access-Request (User-Name/User-Password),
      # in which case nothing in this file runs and the client certificate is validated by
      # OpenVPN itself, not by RADIUS. Deleting a certificate from the server's certificate store
      # does not invalidate the copy the client already holds; only revocation (a CRL that the
      # OpenVPN server checks) does - confirm which authentication method pfSense actually sends.
      eap {
      	default_eap_type = tls
      	timer_expire     = 60
      	ignore_unknown_eap_types = no
      	cisco_accounting_username_bug = no
      	max_sessions = 4096
      
      ### DISABLED WEAK EAP TYPES MD5, GTC, LEAP ###
      
      #	pwd {
      #		group = 19
      #		server_id = theserver@example.com
      #		fragment_size = 1020
      #		virtual_server = "inner-tunnel"
      #	}
      
      	tls-config tls-common {
      		# If a key password is ever set here, keep this file's permissions tight; the sample is commented out.
      		# private_key_password = whatever
      		private_key_file = ${certdir}/server_key.pem
      		certificate_file = ${certdir}/server_cert.pem
      		ca_path = ${confdir}/certs
      		ca_file = ${ca_path}/ca_cert.pem
      	#	auto_chain = yes
      	#	psk_identity = "test"
      	#	psk_hexphrase = "036363823"
      		dh_file = ${certdir}/dh
      		random_file = /dev/urandom
      		fragment_size = 1024
      		include_length = yes
      		# NOTE(review): check_crl = no means a revoked client certificate is still accepted by
      		# EAP-TLS; enabling it presumably requires the CRL to be present under ca_path - confirm.
      		check_crl = no
      		### check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd/emailAddress=test@mycomp.com/CN=myca" ###
      		# Presumably ties the presented client certificate's CN to the RADIUS User-Name (EAP-TLS only).
      		check_cert_cn = %{User-Name}
      		# NOTE(review): "DEFAULT" is OpenSSL's built-in list; an explicit cipher list would be
      		# more predictable across OpenSSL upgrades - confirm what the clients require.
      		cipher_list = "DEFAULT"
      		cipher_server_preference = no
      #		disable_tlsv1_2 = no
      		ecdh_curve = "prime256v1"
      		cache {
      			enable = no
      			lifetime = 24
      			max_entries = 255
      			#name = "EAP module"
      			#persist_dir = "/tlscache"
      		}
      		verify {
      	#		skip_if_ocsp_ok = no
      	#		tmpdir = /tmp/radiusd
      	#		client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
      		}
      		ocsp {
      			# OCSP is off; together with check_crl = no above, no revocation check is made for EAP-TLS.
      			enable = no
      			override_cert_url = no
      			url = "http://127.0.0.1/ocsp/"
      			# use_nonce = yes
      			# timeout = 0
      			# softfail = no
      		}
      	}
      	tls {
      		tls = tls-common
      	#	virtual_server = check-eap-tls
      	}
      	ttls {
      		tls = tls-common
      		default_eap_type = tls
      		copy_request_to_tunnel = no
      		include_length = yes
      	#	require_client_cert = yes
      		# NOTE(review): "inner-tunnel-ttls" must exist under sites-enabled/ (not shown here).
      		virtual_server = "inner-tunnel-ttls"
      		#use_tunneled_reply is deprecated, new method happens in virtual-server
      	}	### end ttls
      	peap {
      		tls = tls-common
      		default_eap_type = mschapv2
      		copy_request_to_tunnel = no
      	#	proxy_tunneled_request_as_eap = yes
      	#	require_client_cert = yes
      
      		# NOTE(review): soh = yes refers to a "soh-server" virtual server that is not shown - confirm it exists.
      		soh = yes
      		soh_virtual_server = "soh-server"
      
      
      		# NOTE(review): "inner-tunnel-peap" must exist under sites-enabled/ (not shown here).
      		virtual_server = "inner-tunnel-peap"
      		#use_tunneled_reply is deprecated, new method happens in virtual-server
      	}
      	mschapv2 {
      #		send_error = no
      #		identity = "FreeRADIUS"
      	}
      # NOTE(review): if EAP-FAST is ever enabled, replace the sample pac_opaque_key below with a fresh random value.
      #	fast {
      #		tls = tls-common
      #		pac_lifetime = 604800
      #		authority_identity = "1234"
      #		pac_opaque_key = "0123456789abcdef0123456789ABCDEF"
      #		virtual_server = inner-tunnel
      #	}
      }
      

      PF Ver 2.5.0 CE

      Please advise,
      where am I going wrong?

      Best Regards ,
      Koby Peleg Hen
