OpenVpn + Radius
-
Hello Guys ,
I am tring to implement openvpn with security as follows :
Openvpn Mode : RemoteAccess (Ssl/Tls + user Auth) + radius.I did some search on the net an found out that I need todo some setting for Radius EAP option.
I did that and I get the sense that the EAP setting has no effect the the setting.I understans that because if I have user cert + pass ==> that mean that if I delete the user cert then the user should NOT have login access , but It does.
Here is my radius conf :
/usr/local/etc/raddb/radiusd.conf prefix = /usr/local exec_prefix = ${prefix} sysconfdir = ${prefix}/etc localstatedir = /var sbindir = ${exec_prefix}/sbin logdir = ${localstatedir}/log raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct name = radiusd confdir = ${raddbdir} modconfdir = ${confdir}/mods-config certdir = ${confdir}/certs cadir = ${confdir}/certs run_dir = ${localstatedir}/run db_dir = ${raddbdir} libdir = /usr/local/lib/freeradius-3.0.21 pidfile = ${run_dir}/${name}.pid max_request_time = 30 cleanup_delay = 5 max_requests = 1024 hostname_lookups = no regular_expressions = yes extended_expressions = yes log { destination = syslog colourise = yes file = ${logdir}/radius.log syslog_facility = daemon stripped_names = no auth = yes auth_badpass = no auth_goodpass = no msg_goodpass = "" msg_badpass = "%{User-Name}" msg_denied = "You are already logged in - access denied" } checkrad = ${sbindir}/checkrad security { allow_core_dumps = no max_attributes = 200 reject_delay = 1 status_server = no # Disable this check since it may not be accurate due to how FreeBSD patches OpenSSL allow_vulnerable_openssl = yes } $INCLUDE clients.conf thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_queue_size = 65536 max_requests_per_server = 0 auto_limit_acct = no } modules { $INCLUDE ${confdir}/mods-enabled/ } instantiate { exec expr expiration logintime ### Dis-/Enable sql instatiate #sql daily weekly monthly forever } policy { $INCLUDE policy.d/ } $INCLUDE sites-enabled/
Here is my EAP conf :
/usr/local/etc/raddb/mods-enabled/eap ### EAP eap { default_eap_type = tls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 ### DISABLED WEAK EAP TYPES MD5, GTC, LEAP ### # pwd { # group = 19 # server_id = theserver@example.com # fragment_size = 1020 # virtual_server = "inner-tunnel" # } tls-config tls-common { # private_key_password = whatever private_key_file = ${certdir}/server_key.pem certificate_file = ${certdir}/server_cert.pem ca_path = ${confdir}/certs ca_file = ${ca_path}/ca_cert.pem # auto_chain = yes # psk_identity = "test" # psk_hexphrase = "036363823" dh_file = ${certdir}/dh random_file = /dev/urandom fragment_size = 1024 include_length = yes check_crl = no ### check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd/emailAddress=test@mycomp.com/CN=myca" ### check_cert_cn = %{User-Name} cipher_list = "DEFAULT" cipher_server_preference = no # disable_tlsv1_2 = no ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 #name = "EAP module" #persist_dir = "/tlscache" } verify { # skip_if_ocsp_ok = no # tmpdir = /tmp/radiusd # client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}" } ocsp { enable = no override_cert_url = no url = "http://127.0.0.1/ocsp/" # use_nonce = yes # timeout = 0 # softfail = no } } tls { tls = tls-common # virtual_server = check-eap-tls } ttls { tls = tls-common default_eap_type = tls copy_request_to_tunnel = no include_length = yes # require_client_cert = yes virtual_server = "inner-tunnel-ttls" #use_tunneled_reply is deprecated, new method happens in virtual-server } ### end ttls peap { tls = tls-common default_eap_type = mschapv2 copy_request_to_tunnel = no # proxy_tunneled_request_as_eap = yes # require_client_cert = yes soh = yes soh_virtual_server = "soh-server" virtual_server = "inner-tunnel-peap" #use_tunneled_reply is deprecated, new method happens in virtual-server } mschapv2 { # send_error = no # identity = "FreeRADIUS" } # fast { # tls = tls-common # pac_lifetime = 604800 # authority_identity = "1234" # pac_opaque_key = "0123456789abcdef0123456789ABCDEF" # virtual_server = inner-tunnel # } }
PF Ver 2.5.0 CE
Please advice ,
Where am I doing wrong.Best Regards ,
Koby Peleg Hen