In the last few posts, we installed L2TP over IPsec and FreeRADIUS. Today we will show you how to use FreeRADIUS to authenticate L2TP login users. Let's go.
Server IP : 192.168.0.253
VPN IP range : 192.168.30.2 – 192.168.30.254
VPN Gateway : 192.168.30.1
Network Interface : enp0s3
Install Radius-Server
apt-get update
apt-get install build-essential libauthen-radius-perl libauthen-simple-radius-perl libgcrypt11-dev openssl
apt-get install freeradius freeradius-mysql
vim /etc/freeradius/sites-enabled/default
Comment out "files" and uncomment "sql" as below.
authorize {
    # files
    sql
}
authenticate {
}
preacct {
    # files
}
accounting {
    sql
}
session {
    sql
}
post-auth {
    sql
    Post-Auth-Type REJECT {
        # log failed authentications in SQL, too.
        sql
        attr_filter.access_reject
    }
}
vim /etc/freeradius/radiusd.conf
Uncomment this line: $INCLUDE sql.conf
For the database connection, we need to create a user and a database with these settings.
vim /etc/freeradius/sql.conf
login = "cannon"
password = "cannon123"
radius_db = "radius"
vim /etc/freeradius/clients.conf
Remember this secret; we need it later.
secret = 123cannon
Install Mysql
apt-get install mysql-server -y
Enter and repeat the password for the MySQL root user.
After that, create the user and database with the settings given above.
mysql -u root -p
mysql> create database radius;
mysql> CREATE USER 'cannon'@'localhost' IDENTIFIED BY 'cannon123';
mysql> GRANT ALL PRIVILEGES ON * . * TO 'cannon'@'localhost';
mysql> flush privileges;
mysql> exit
Import the schema into the database we just created.
mysql -u root -p radius < /etc/freeradius/sql/mysql/schema.sql
mysql -u root -p radius < /etc/freeradius/sql/mysql/nas.sql
mysql -u root -p
mysql> use radius;
mysql> show tables;
+--------------------+
| Tables_in_radius   |
+--------------------+
| nas                |
| radacct            |
| radcheck           |
| radgroupcheck      |
| radgroupreply      |
| radpostauth        |
| radreply           |
| radusergroup       |
+--------------------+
8 rows in set (0.00 sec)
L2TP Install
apt-get update
apt-get install xl2tpd strongswan
Download the freeradius-client from GitHub.
cd /opt/
wget https://github.com/FreeRADIUS/freeradius-client/archive/master.zip
unzip master.zip
mv freeradius-client-master freeradius-client
cd freeradius-client/
./configure --prefix=/
make && make install
Add the following lines to /etc/sysctl.conf to enable forwarding on the Linux machine.
vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
Run the following command to apply changes.
sysctl -p
Remember the secret? It goes into the radiusclient servers file.
vim /etc/radiusclient/servers
localhost 123cannon
vim /etc/radiusclient/radiusclient.conf
auth_order radius,local
login_tries 4
login_timeout 60
nologin /etc/nologin
issue /etc/radiusclient/issue
seqfile /var/run/freeradius/freeradius.pid
authserver localhost
acctserver localhost
servers /etc/radiusclient/servers
dictionary /etc/radiusclient/dictionary
login_radius /sbin/login.radius
mapfile /etc/radiusclient/port-id-map
default_realm
radius_timeout 10
radius_retries 3
bindaddr *
login_local /bin/login
The following IPv6-related lines in /etc/radiusclient/dictionary must be commented out, or the radius client will not run:
#ATTRIBUTE NAS-IPv6-Address 95 string
#ATTRIBUTE Framed-Interface-Id 96 string
#ATTRIBUTE Framed-IPv6-Prefix 97 ipv6prefix
#ATTRIBUTE Login-IPv6-Host 98 string
#ATTRIBUTE Framed-IPv6-Route 99 string
#ATTRIBUTE Framed-IPv6-Pool 100 string
#ATTRIBUTE Framed-IPv6-Address 168 ipv6addr
#ATTRIBUTE DNS-Server-IPv6-Address 169 ipv6addr
#ATTRIBUTE Route-IPv6-Information 170 ipv6prefix
vim /etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = yes
saref refinfo = 30
;debug avp = yes
;debug network = yes
;debug state = yes
;debug tunnel = yes

[lns default]
ip range = 192.168.30.2-192.168.30.254
local ip = 192.168.30.1
refuse pap = yes
require authentication = yes
;ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
vim /etc/ipsec.secrets
192.168.0.253 %any : PSK "private"
vim /etc/ipsec.conf
conn L2TP-PSK-noNAT
    dpdaction=clear
    authby=secret
    auto=add
    keyingtries=3
    ikelifetime=8h
    keylife=1h
    ike=aes256-sha1,aes128-sha1,3des-sha1
    type=transport
    left=192.168.0.253
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
vim /etc/ppp/options.xl2tpd
logfd 2
logfile /var/log/l2tp.log
refuse-mschap-v2
refuse-mschap
ms-dns 208.67.222.222
ms-dns 208.67.220.220
asyncmap 0
auth
crtscts
idle 1800
mtu 1200
mru 1200
lock
hide-password
local
#debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
plugin /usr/lib/pppd/2.4.7/radius.so
plugin /usr/lib/pppd/2.4.7/radattr.so
# vim /etc/radiusclient/dictionary.microsoft
# Microsoft's VSAs, from RFC 2548
#
# $Id: poptop_ads_howto_8.htm,v 1.8 2008/10/02 08:11:48 wskwok Exp $
#
VENDOR Microsoft 311 Microsoft
BEGIN VENDOR Microsoft
ATTRIBUTE MS-CHAP-Response 1 string Microsoft
ATTRIBUTE MS-CHAP-Error 2 string Microsoft
ATTRIBUTE MS-CHAP-CPW-1 3 string Microsoft
ATTRIBUTE MS-CHAP-CPW-2 4 string Microsoft
ATTRIBUTE MS-CHAP-LM-Enc-PW 5 string Microsoft
ATTRIBUTE MS-CHAP-NT-Enc-PW 6 string Microsoft
ATTRIBUTE MS-MPPE-Encryption-Policy 7 string Microsoft
# This is referred to as both singular and plural in the RFC.
# Plural seems to make more sense.
ATTRIBUTE MS-MPPE-Encryption-Type 8 string Microsoft
ATTRIBUTE MS-MPPE-Encryption-Types 8 string Microsoft
ATTRIBUTE MS-RAS-Vendor 9 integer Microsoft
ATTRIBUTE MS-CHAP-Domain 10 string Microsoft
ATTRIBUTE MS-CHAP-Challenge 11 string Microsoft
ATTRIBUTE MS-CHAP-MPPE-Keys 12 string Microsoft encrypt=1
ATTRIBUTE MS-BAP-Usage 13 integer Microsoft
ATTRIBUTE MS-Link-Utilization-Threshold 14 integer Microsoft
ATTRIBUTE MS-Link-Drop-Time-Limit 15 integer Microsoft
ATTRIBUTE MS-MPPE-Send-Key 16 string Microsoft
ATTRIBUTE MS-MPPE-Recv-Key 17 string Microsoft
ATTRIBUTE MS-RAS-Version 18 string Microsoft
ATTRIBUTE MS-Old-ARAP-Password 19 string Microsoft
ATTRIBUTE MS-New-ARAP-Password 20 string Microsoft
ATTRIBUTE MS-ARAP-PW-Change-Reason 21 integer Microsoft
ATTRIBUTE MS-Filter 22 string Microsoft
ATTRIBUTE MS-Acct-Auth-Type 23 integer Microsoft
ATTRIBUTE MS-Acct-EAP-Type 24 integer Microsoft
ATTRIBUTE MS-CHAP2-Response 25 string Microsoft
ATTRIBUTE MS-CHAP2-Success 26 string Microsoft
ATTRIBUTE MS-CHAP2-CPW 27 string Microsoft
ATTRIBUTE MS-Primary-DNS-Server 28 ipaddr
ATTRIBUTE MS-Secondary-DNS-Server 29 ipaddr
ATTRIBUTE MS-Primary-NBNS-Server 30 ipaddr Microsoft
ATTRIBUTE MS-Secondary-NBNS-Server 31 ipaddr Microsoft
#ATTRIBUTE MS-ARAP-Challenge 33 string Microsoft
#
# Integer Translations
#
# MS-BAP-Usage Values
VALUE MS-BAP-Usage Not-Allowed 0
VALUE MS-BAP-Usage Allowed 1
VALUE MS-BAP-Usage Required 2
# MS-ARAP-Password-Change-Reason Values
VALUE MS-ARAP-PW-Change-Reason Just-Change-Password 1
VALUE MS-ARAP-PW-Change-Reason Expired-Password 2
VALUE MS-ARAP-PW-Change-Reason Admin-Requires-Password-Change 3
VALUE MS-ARAP-PW-Change-Reason Password-Too-Short 4
# MS-Acct-Auth-Type Values
VALUE MS-Acct-Auth-Type PAP 1
VALUE MS-Acct-Auth-Type CHAP 2
VALUE MS-Acct-Auth-Type MS-CHAP-1 3
VALUE MS-Acct-Auth-Type MS-CHAP-2 4
VALUE MS-Acct-Auth-Type EAP 5
# MS-Acct-EAP-Type Values
VALUE MS-Acct-EAP-Type MD5 4
VALUE MS-Acct-EAP-Type OTP 5
VALUE MS-Acct-EAP-Type Generic-Token-Card 6
VALUE MS-Acct-EAP-Type TLS 13
END-VENDOR Microsoft
# vim /etc/radiusclient/dictionary
INCLUDE /etc/radiusclient/dictionary.merit
INCLUDE /etc/radiusclient/dictionary.microsoft
service mysql restart
service freeradius restart
service xl2tpd restart
service pptpd restart
ipsec restart
IPTABLES Rules
iptables -I INPUT -p udp --dport 500 -j ACCEPT
iptables -I INPUT -p udp --dport 4500 -j ACCEPT
iptables -I INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT
iptables -t nat -A POSTROUTING -j SNAT --to-source 192.168.0.253 -o enp0s3
Add User
mysql -u root -p
mysql> use radius;
mysql> INSERT INTO radcheck (username, attribute, op, value) VALUES ('testing','User-Password',':=','123123');
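To see what the pieces configured above actually do with that row and with the shared secret, here is an added example that models one authentication offline; it is not code from this tutorial, FreeRADIUS or radiusclient. Because xl2tpd is set to refuse PAP and options.xl2tpd refuses MS-CHAP, pppd ends up doing plain CHAP: the radius.so plugin forwards the CHAP challenge and the client's MD5 answer to FreeRADIUS, which can only verify that answer by recomputing it from the cleartext password in radcheck (hence the cleartext row, and hence why access to the radius database should be tightly limited). The shared secret (123cannon) is not used in the CHAP arithmetic at all; it signs the Access-Accept/Reject so the NAS can tell a real reply from a forged one. The username, password, identifiers and random bytes below are constructed for the demonstration; the RADCHECK dict stands in for the MySQL table.

```python
"""RADIUS CHAP Access-Request/Response between a pppd NAS and FreeRADIUS, modelled offline.

Added example (not the tutorial's or FreeRADIUS's code). It reproduces the arithmetic both
sides perform: RFC 1994 CHAP, the RFC 2865 CHAP-Password / CHAP-Challenge attributes and the
Response Authenticator that the shared secret protects. All values are constructed.
"""
import hashlib
import hmac
import os
import struct

# Shared secret from the tutorial's clients.conf and /etc/radiusclient/servers.
SHARED_SECRET = b"123cannon"

# Stand-in for the radcheck table (username -> cleartext password). Constructed.
RADCHECK = {b"testing": b"123123"}

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_CHAP_PASSWORD, ATTR_CHAP_CHALLENGE = 1, 3, 60


def avp(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: type, length (header included), value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def parse_avps(raw: bytes) -> dict:
    """Split the attribute section into {type: value}; reject malformed lengths."""
    attrs, pos = {}, 0
    while pos < len(raw):
        if len(raw) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = raw[pos], raw[pos + 1]
        if length < 2 or pos + length > len(raw):
            raise ValueError("bad attribute length")
        attrs[attr_type] = raw[pos + 2:pos + length]
        pos += length
    return attrs


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994: MD5(id || password || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def build_access_request(identifier: int, username: bytes, password: bytes,
                         chap_id: int, challenge: bytes, request_auth: bytes) -> bytes:
    """NAS side (pppd radius.so): forward the CHAP answer, never the password itself."""
    attrs = (avp(ATTR_USER_NAME, username)
             + avp(ATTR_CHAP_PASSWORD, bytes([chap_id]) + chap_response(chap_id, password, challenge))
             + avp(ATTR_CHAP_CHALLENGE, challenge))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def server_handle(request: bytes, secret: bytes, radcheck: dict) -> bytes:
    """FreeRADIUS side: recompute the CHAP hash from the stored cleartext, then sign the reply."""
    code, identifier, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    request_auth = request[4:20]
    attrs = parse_avps(request[20:])
    reply = ACCESS_REJECT
    stored = radcheck.get(attrs.get(ATTR_USER_NAME, b""))
    chap = attrs.get(ATTR_CHAP_PASSWORD, b"")
    # RFC 2865: if CHAP-Challenge is absent, the Request Authenticator is the challenge.
    challenge = attrs.get(ATTR_CHAP_CHALLENGE, request_auth)
    if stored is not None and len(chap) == 17:
        if hmac.compare_digest(chap_response(chap[0], stored, challenge), chap[1:]):
            reply = ACCESS_ACCEPT
    header = struct.pack("!BBH", reply, identifier, 20)  # no reply attributes in this model
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + secret).digest()
    return header + response_auth


def client_verify(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS side: only a peer holding the shared secret can produce a matching authenticator."""
    header, response_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, response_auth)


def exchange(username: bytes, password: bytes, client_secret: bytes = SHARED_SECRET,
             server_secret: bytes = SHARED_SECRET) -> tuple:
    """Run one CHAP login; return (reply code, True if the reply's authenticator verified)."""
    request_auth = os.urandom(16)
    challenge = os.urandom(16)
    request = build_access_request(7, username, password, 1, challenge, request_auth)
    response = server_handle(request, server_secret, RADCHECK)
    return response[0], client_verify(response, request_auth, client_secret)


if __name__ == "__main__":
    print("good password:  ", exchange(b"testing", b"123123"))     # (2, True)
    print("bad password:   ", exchange(b"testing", b"wrong"))      # (3, True)
    print("secret mismatch:", exchange(b"testing", b"123123", server_secret=b"other"))  # (2, False)
```

The third case is the one worth noticing: a server with the wrong secret still accepts the CHAP answer, because CHAP only depends on the password, but the NAS rejects its reply since the Response Authenticator does not verify. On the real box the same round trip can be exercised against the running FreeRADIUS with its bundled radtest tool (radtest testing 123123 localhost 0 123cannon), which uses PAP by default rather than CHAP.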
Connect from a device. For example, on an Android phone go to Settings -> Wireless options -> VPN -> Add a new VPN -> VPN type: L2TP/IPSec PSK -> enter your server IP and the PSK -> your account and password -> Connect.