Couple of things:

Has anyone done or started on a chroot config of freeRADIUS on Solaris? 

Also, for the archives' sake, the following are the instructions for authenticating Cisco VPN concentrator users against freeRADIUS.

Thanks,
Jason

On the VPN concentrator (sw version 5.2):

[ RADIUS ]
BindTo                   = "Ethernet 0"
AcctPort                 = 1813
AuthPort                 = 1812
PrimAddress              = x.x.x.x # Address of freeradius
PrimRetries              = 5
Authentication           = TRUE
Accounting               = TRUE
PrimUseSecret            = TRUE
UseChap16                = TRUE
Secret                   = password # This secret corresponds to the key in the freeradius clients file
VPNPassword              = 66 # Attribute number in freeradius
VPNGroupInfo             = 67 # Attribute number in freeradius
ChallengeType            = CHAP

You must also have a VPN group configured. The group in this example
is called "rad_users". Note: There is no RADIUS-specific configuration
necessary in the VPN group configuration.

[ VPN Group "rad_users" ]
BindTo                   = "Ethernet 0"
MaxConnections           = 5
StartIPAddress           = 1.1.1.1
IPNet                    = 0.0.0.0/0
Transform                = ESP(MD5,3DES)

That is all on the VPN concentrator. On the radius server, assuming you
have the stock dictionary file, the Tunnel-Client-Endpoint and
Tunnel-Server-Endpoint attribute numbers should match up to what
has been configured on the VPN concentrator for the VPNPassword and
VPNGroupInfo configuration parameters.

# egrep 'Tunnel-Client|Tunnel-Server' /usr/local/etc/raddb/dictionary
ATTRIBUTE       Tunnel-Server-Endpoint  66      string
ATTRIBUTE       Tunnel-Client-Endpoint  67      string

And, make sure you have an entry for the VPN 5000 in the freeRADIUS clients file and 
that the Key matches up with the VPN 5000 Secret configuration setting.

# cat clients
localhost               foobar
x.x.x.x                 password

When adding users to the users file, you'll just need to include
the VPN attributes along with the user entry. Here's a sample entry
for a user that authenticates off the freeRADIUS server:

jbc   Password = "mypassword"
      User-Service-Type = Login-user,
      Tunnel-Server-Endpoint = "rad_users", # the VPN group
      Tunnel-Client-Endpoint = "rad_users"
At this point, everything is set to authenticate VPN users off the
freeRADIUS server. Some useful VPN commands for debugging:

vpn trace dump all
show sys log buf
show radius statistics
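
The cross-checks described above (VPNPassword/VPNGroupInfo numbers against the dictionary, Secret against the clients key), as an added Python example that is not part of the original post. The function names, the 192.0.2.x addresses and the sample file contents are constructed for illustration; nas_ip is assumed to be the concentrator's address as listed in the clients file.

```python
import re

def parse_section(text, name):
    """Key/value pairs of one '[ name ]' section of the concentrator config."""
    values, inside = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        header = re.fullmatch(r"\[\s*(.+?)\s*\]", line)
        if header:
            inside = header.group(1) == name
        elif inside and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip()] = value.strip().strip('"')
    return values

def parse_dictionary(text):
    """Attribute number -> name, from 'ATTRIBUTE name number type' lines."""
    attrs = {}
    for raw in text.splitlines():
        f = raw.split("#", 1)[0].split()
        if len(f) >= 4 and f[0] == "ATTRIBUTE" and f[2].isdigit():
            attrs[int(f[2])] = f[1]
    return attrs

def parse_clients(text):
    """Client address -> key, from 'address key' lines of the clients file."""
    rows = (raw.split("#", 1)[0].split() for raw in text.splitlines())
    return {f[0]: f[1] for f in rows if len(f) >= 2}

def check(conc_text, dict_text, clients_text, nas_ip):
    """Return a list of mismatches between the concentrator and the server files."""
    radius = parse_section(conc_text, "RADIUS")
    attrs, clients = parse_dictionary(dict_text), parse_clients(clients_text)
    findings = []
    for key in ("VPNPassword", "VPNGroupInfo"):
        number = radius.get(key, "")
        if not number.isdigit() or int(number) not in attrs:
            findings.append(f"{key} = {number or '<unset>'}: no such ATTRIBUTE number in dictionary")
    if nas_ip not in clients:
        findings.append(f"no clients entry for {nas_ip}")
    elif clients[nas_ip] != radius.get("Secret"):   # the secret itself is never echoed
        findings.append(f"clients key for {nas_ip} differs from concentrator Secret")
    return findings

# Constructed sample input; 192.0.2.x are documentation addresses, not from the post.
CONC = '[ RADIUS ]\nPrimAddress = 192.0.2.10 # Address of freeradius\nSecret = password # shared secret\nVPNPassword = 66\nVPNGroupInfo = 67\n[ VPN Group "rad_users" ]\nMaxConnections = 5\n'
DICT = "ATTRIBUTE  Tunnel-Server-Endpoint  66  string\nATTRIBUTE  Tunnel-Client-Endpoint  67  string\n"
CLIENTS = "localhost  foobar\n192.0.2.1  password\n"

if __name__ == "__main__":
    print(check(CONC, DICT, CLIENTS, "192.0.2.1") or "consistent")
```

Because the parser treats "#" as the start of a comment, a shared secret that contains "#" would be reported as a mismatch.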




