[SRX] FreeRADIUS configuration example for Dynamic VPN connections

[KB17337]


Summary:

This article provides tips on configuring FreeRADIUS so that it can authenticate your Dynamic VPN users.


Symptoms:

  • You want to use RADIUS to configure authentication for your Dynamic VPN users.

Solution:

Juniper does not provide support for FreeRADIUS, but it has been known to work for Dynamic VPN authentication.

The FreeRADIUS website is located at http://freeradius.org/.

Below are FreeRADIUS installation and configuration instructions that a customer provided to JTAC. If you encounter problems with these steps, please contact FreeRADIUS for support.


FreeRADIUS INSTALLATION AND CONFIGURATION

In this example Ubuntu Linux is used with FreeRADIUS. The NAS (Network Access Server) is a Juniper SRX210/240.

  • Install FreeRADIUS:

    sudo apt-get install freeradius*

    This fully installs FreeRADIUS and starts the service.


  • Configure your NAS (the SRX) as a RADIUS client.
    For example, in the file /etc/freeradius/clients.conf, add the following:

    client 192.168.2.154 {
        secret    = juniper
        shortname = SRX-NAS-test
    }

  • If you want to assign DNS settings to your VPN clients, add the following vendor-specific attributes to the existing ones in the file /usr/share/freeradius/dictionary.juniper:

    ATTRIBUTE Juniper-Primary-Dns 31 ipaddr
    ATTRIBUTE Juniper-Secondary-Dns 33 ipaddr

    This step is not needed if no DNS settings are required.

  • Configure users.
    For example, in the file /etc/freeradius/users add the following:

    # user1: the check item (password) on the first line, then the reply items.
    # Reply items are comma-separated; the last one must not end with a comma.
    user1   Cleartext-Password := "user1"
            Service-Type = Framed-User,
            Framed-Protocol = PPP,
            Framed-IP-Address = 172.16.3.33,
            Framed-IP-Netmask = 255.255.255.0,
            Juniper-Primary-Dns = 1.1.1.1,
            Juniper-Secondary-Dns = 2.2.2.2

    The entry above defines user user1 with password user1 and assigns a fixed IP address. The DNS attributes are optional.

    NOTE: The user defined in the users file must match the user specified in the security dynamic-vpn section of the SRX configuration (also documented in the Dynamic VPN application note). For example:

        ipsec-vpn dynamic-vpn-user1;
        user {
            user1           <--------- This must match the user name in RADIUS
        }
    
  • Restart the FreeRADIUS service to load the new configuration files:

    sudo /etc/init.d/freeradius restart

  • For configuring the SRX device for Dynamic VPN, please refer to Dynamic VPN application note.

TROUBLESHOOTING
  • If the FreeRADIUS service does not start for some reason, run "sudo freeradius -X" to see the log messages during startup.

  • The RADIUS server can be tested with the radtest tool, as in this example:

    $ radtest user1 user1 localhost 1812 testing123
    Sending Access-Request of id 134 to 127.0.0.1 port 1812
        User-Name = "user1"
        User-Password = "user1"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1812
    rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=134, length=68
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Address = 172.16.3.33
        Framed-IP-Netmask = 255.255.255.0
        Juniper-Primary-Dns = 1.1.1.1
        Juniper-Secondary-Dns = 2.2.2.2

    The local host should already be configured as a NAS with the secret testing123 by default in /etc/freeradius/clients.conf.


  • RADIUS packets can be seen using tcpdump. For example:

    $ sudo tcpdump -vvv -i eth0 -s0 -n
    tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    15:41:12.307859 IP (tos 0x0, ttl 64, id 5705, offset 0, flags [none], proto UDP (17), length 87) 192.168.2.154.62976 > 192.168.2.51.1812: [udp sum ok] RADIUS, length: 59
    Access Request (1), id: 0x95, Authenticator: 9794118f1faa7d3c399742bb6ffe12df
    Username Attribute (1), length: 9, Value: juniper
    0x0000: 6a75 6e69 7065 72
    Password Attribute (2), length: 18, Value:
    0x0000: 879c 848c f903 493a c671 bc0f 296a 1ee8
    NAS ID Attribute (32), length: 6, Value: luna
    0x0000: 6c75 6e61
    NAS Port Type Attribute (61), length: 6, Value: Virtual
    0x0000: 0000 0005
    15:41:12.311950 arp who-has 192.168.2.154 tell 192.168.2.51
    15:41:12.313197 arp reply 192.168.2.154 is-at 00:24:dc:16:78:41
    15:41:12.313204 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 96) 192.168.2.51.1812 > 192.168.2.154.62976: [bad udp cksum 49c4!] RADIUS, length: 68
    Access Accept (2), id: 0x95, Authenticator: c37edfdffbf79ed523743d3df1d042c6
    Service Type Attribute (6), length: 6, Value: Framed
    0x0000: 0000 0002
    Framed Protocol Attribute (7), length: 6, Value: PPP
    0x0000: 0000 0001
    Framed IP Address Attribute (8), length: 6, Value: 172.16.3.33
    0x0000: ac10 0321
    Framed IP Network Attribute (9), length: 6, Value: 255.255.255.0
    0x0000: ffff ff00
    Vendor Specific Attribute (26), length: 12, Value: Vendor: Juniper Networks (2636)
    Vendor Attribute: 31, Length: 4, Value: ....
    0x0000: 0000 0a4c 1f06 0101 0101
    Vendor Specific Attribute (26), length: 12, Value: Vendor: Juniper Networks (2636)
    Vendor Attribute: 33, Length: 4, Value: ....
    0x0000: 0000 0a4c 2106 0202 0202
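Added example, not from this KB article or from FreeRADIUS: the Python below decodes the Access-Accept attributes from the capture above, including the Juniper vendor-specific DNS attributes (vendor 2636, attributes 31 and 33), and checks a reply's Response Authenticator against the NAS shared secret as RFC 2865 specifies. The attribute bytes are re-typed from the capture's hex dumps; any secret used with the check is an assumption, since the captured exchange does not show it.

```python
import hashlib
import hmac
import ipaddress
import struct

JUNIPER_VENDOR_ID = 2636  # "Juniper Networks (2636)" in the capture
STD_ATTRS = {6: "Service-Type", 7: "Framed-Protocol", 8: "Framed-IP-Address", 9: "Framed-IP-Netmask"}
JUNIPER_ATTRS = {31: "Juniper-Primary-Dns", 33: "Juniper-Secondary-Dns"}  # as in dictionary.juniper
ENUMS = {"Service-Type": {2: "Framed-User"}, "Framed-Protocol": {1: "PPP"}}
IPADDR_ATTRS = {"Framed-IP-Address", "Framed-IP-Netmask", *JUNIPER_ATTRS.values()}
ACCEPT_ATTRS = bytes.fromhex(  # Access-Accept attribute bytes, re-typed from the tcpdump hex dumps
    "0606 00000002" "0706 00000001" "0806 ac100321" "0906 ffffff00"
    "1a0c 00000a4c 1f06 01010101" "1a0c 00000a4c 2106 02020202")

def decode(name, raw):
    """Render a value the way radtest prints it: dotted quad for ipaddr, enum name for integers."""
    if name in IPADDR_ATTRS and len(raw) == 4:
        return str(ipaddress.IPv4Address(raw))
    if name in ENUMS and len(raw) == 4:
        return ENUMS[name].get(struct.unpack("!I", raw)[0], raw.hex())
    return raw.hex()

def parse_attributes(data):
    """Walk the Type/Length/Value list; type 26 wraps a vendor id plus a vendor TLV (RFC 2865 s.5.26)."""
    out, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        atype, alen = data[pos], data[pos + 1]
        value = data[pos + 2:pos + alen]
        if atype == 26 and len(value) >= 6 and value[5] == len(value) - 4:
            vendor, vtype = struct.unpack("!I", value[:4])[0], value[4]
            name = JUNIPER_ATTRS.get(vtype) if vendor == JUNIPER_VENDOR_ID else None
            out.append((name or "Vendor-%d-Attr-%d" % (vendor, vtype), decode(name, value[6:])))
        else:
            name = STD_ATTRS.get(atype, "Attr-%d" % atype)
            out.append((name, decode(name, value)))
        pos += alen
    return out

def response_authenticator(code_id_len, request_auth, attrs, secret):
    """RFC 2865 s.3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(code_id_len + request_auth + attrs + secret).digest()

def reply_is_authentic(reply, request_auth, secret):
    """True only if the reply's authenticator matches what the shared secret predicts."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = response_authenticator(reply[:4], request_auth, reply[20:], secret)
    return hmac.compare_digest(expected, reply[4:20])
```

A NAS that skips the authenticator check would accept a forged Access-Accept, which is why the check matters on the SRX side as much as the shared secret does.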

The configurations in this document were performed with FreeRADIUS Version 1.1.7.
