Radius Setup

mariocg89
Posts: 2
Joined: Fri Jan 16, 2015 8:57 am

Radius Setup

Post by mariocg89 » Fri Jan 16, 2015 9:29 am

Hi,

I'm trying to set up a SoftEther VPN server on Ubuntu Server using Radius authentication on another Ubuntu server.

I think everything should be fine, but the communication between SoftEther and Radius is not correct. My first attempt was to log in with username and password, but the password was never in the correct format, so finally I decided to log in with a username, which will be controlled in Radius. So finally, the user in Radius is "test" with "test" password and I provide access to him through the group he is in. The group has the attribute Auth-Type = Accept. At the same time, I created the user "test" in my Virtual Hub with Radius authentication, and I configured the Radius IP + secret. On the Radius side, I added my SoftEther VPN Server as a client for external usage, and everything should work.

When I try to log into my SoftEther VPN server, the authentication goes to Radius, and I get this in the log:
VPN LOG:
###########################
2015-01-16 03:53:22.097 IPsec Client 11 (85.x.y.z:500 -> 199.x.y.z:500): A new IPsec client is created.
2015-01-16 03:53:22.097 IPsec IKE Session (IKE SA) 8 (Client: 11) (85.x.y.z:500 -> 199.x.y.z:500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0xFF87382FEF26D048, Responder Cookie: 0xD5A87832BB8485D7, DH Group: MODP 1024 (Group 2), Hash Algorithm: SHA-1, Cipher Algorithm: 3DES-CBC, Cipher Key Size: 192 bits, Lifetime: 4294967295 Kbytes or 28800 seconds
2015-01-16 03:53:22.399 IPsec Client 11 (85.x.y.z:4500 -> 199.x.y.z:4500): The port number information of this client is updated.
2015-01-16 03:53:22.399 IPsec Client 11 (85.x.y.z:4500 -> 199.x.y.z:4500):
2015-01-16 03:53:22.399 IPsec IKE Session (IKE SA) 8 (Client: 11) (85.x.y.z:4500 -> 199.x.y.z:4500): This IKE SA is established between the server and the client.
2015-01-16 03:53:22.550 IPsec IKE Session (IKE SA) 8 (Client: 11) (85.x.y.z:4500 -> 199.x.y.z:4500): The client initiates a QuickMode negotiation.
2015-01-16 03:53:22.550 IPsec ESP Session (IPsec SA) 10 (Client: 11) (85.x.y.z:4500 -> 199.x.y.z:4500): A new IPsec SA (Direction: Client -> Server) is created. SPI: 0xFB901CEA, DH Group: (null), Hash Algorithm: SHA-1, Cipher Algorithm: AES-CBC, Cipher Key Size: 128 bits, Lifetime: 250000 Kbytes or 3600 seconds
2015-01-16 03:53:22.550 IPsec ESP Session (IPsec SA) 10 (Client: 11) (85.x.y.z:4500 -> 199.x.y.z:4500): A new IPsec SA (Direction: Server -> Client) is created. SPI: 0x4825AE09, DH Group: (null), Hash Algorithm: SHA-1, Cipher Algorithm: AES-CBC, Cipher Key Size: 128 bits, Lifetime: 250000 Kbytes or 3600 seconds
2015-01-16 03:53:22.691 IPsec ESP Session (IPsec SA) 10 (Client: 11) (85.x.y.z:4500 -> 199.x.y.z:4500): This IPsec SA is established between the server and the client.
2015-01-16 03:53:22.691 IPsec Client 11 (85.x.y.z:4500 -> 199.x.y.z:4500): The L2TP Server Module is started.
2015-01-16 03:53:23.003 L2TP PPP Session [85.x.y.z:1701]: A new PPP session (Upper protocol: L2TP) is started. IP Address of PPP Client: 85.x.y.z (Hostname: "mcastillo-ubook.sapphire-int.gi"), Port Number of PPP Client: 1701, IP Address of PPP Server: 199.x.y.z, Port Number of PPP Server: 1701, Client Software Name: "L2TP VPN Client - Microsoft", IPv4 TCP MSS (Max Segment Size): 1314 bytes
2015-01-16 03:53:23.707 On the TCP Listener (Port 0), a Client (IP address 85.x.y.z, Host name "85.x.y.z", Port number 1701) has connected.
2015-01-16 03:53:23.707 For the client (IP address: 85.x.y.z, host name: "85.x.y.z", port number: 1701), connection "CID-13" has been created.
2015-01-16 03:53:23.707 SSL communication for connection "CID-13" has been started. The encryption algorithm name is "(null)".
2015-01-16 03:53:23.707 [HUB "TestHub"] The connection "CID-13" (IP address: 85.x.y.z, Host name: 85.x.y.z, Port number: 1701, Client name: "L2TP VPN Client - Microsoft", Version: 4.12, Build: 9514) is attempting to connect to the Virtual Hub. The auth type provided is "External server authentication" and the user name is "test".
2015-01-16 03:53:23.707 [HUB "TestHub"] Connection "CID-13": User authentication failed. The user name that has been provided was "test".
2015-01-16 03:53:23.737 Connection "CID-13" terminated by the cause "User authentication failed." (code 9).
2015-01-16 03:53:23.737 Connection "CID-13" has been terminated.
2015-01-16 03:53:23.737 The connection with the client (IP address 85.x.y.z, Port number 1701) has been disconnected.
2015-01-16 03:53:24.009 L2TP PPP Session [85.x.y.z:1701]: A PPP protocol error occurred, or the PPP session has been disconnected.
2015-01-16 03:53:24.180 IPsec ESP Session (IPsec SA) 10 (Client: 11) (85.x.y.z:4500 -> 199.x.y.z:4500): This IPsec SA is deleted.
2015-01-16 03:53:24.180 IPsec IKE Session (IKE SA) 8 (Client: 11) (85.x.y.z:4500 -> 199.x.y.z:4500): This IKE SA is deleted.
2015-01-16 03:53:24.180 IPsec ESP Session (IPsec SA) 10 (Client: 11) (85.x.y.z:4500 -> 199.x.y.z:4500): This IPsec SA is deleted.
2015-01-16 03:53:34.438 IPsec Client 11 (85.x.y.z:4500 -> 199.x.y.z:4500): This IPsec Client is deleted.
###########################

RADIUS LOG:
###########################
Ready to process requests.
rad_recv: Access-Request packet from host 199.x.y.z port 38366, id=6, length=266
User-Name = "test"
Acct-Session-Id = "\000\006"
NAS-IP-Address = 199.x.y.z
Service-Type = Framed-User
MS-RAS-Vendor = 311
MS-RAS-Version = "MSRASV5.20"
NAS-Port-Type = Virtual
Tunnel-Type:0 = PPTP
Tunnel-Medium-Type:0 = IPv4
Calling-Station-Id = "85.x.y.z"
Tunnel-Client-Endpoint:0 = "85.x.y.z"
MS-RAS-Client-Version = "MSRASV5.20"
MS-RAS-Client-Name = "85.x.y.z"
MS-CHAP-Challenge = 0x4a7ce5d4f9102b8943fd310d7263c15f
MS-CHAP2-Response = 0x00007085012043ad055d1976f4e956b4224c00000000000000007fa763d0926a94f117560a7d0b4753848304cfc0d85fa70c
NAS-Identifier = "SoftEther VPN Server"
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[sql] expand: %{User-Name} -> test
[sql] sql_set_user escaped user --> 'test'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'test' ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'softetherEnabled' ORDER BY id
[sql] User found in group softetherEnabled
[sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'softetherEnabled' ORDER BY id
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
Login OK: [test/<via Auth-Type = Accept>] (from client SoftEther port 0 cli 85.x.y.z)
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
[sql] expand: %{User-Name} -> test
[sql] sql_set_user escaped user --> 'test'
[sql] expand: %{User-Password} ->
[sql] ... expanding second conditional
[sql] expand: %{Chap-Password} ->
[sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'test', '', 'Access-Accept', '2015-01-16 04:19:24')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'test', '', 'Access-Accept', '2015-01-16 04:19:24')
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[exec] returns noop
Sending Access-Accept of id 6 to 199.x.y.z port 38366
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 6 with timestamp +10
Ready to process requests.
###########################

I also captured the packets which are transferred FROM and TO my SoftEther VPN server with tcpdump, and the packet with "Radius Protocol" was like this:
23 19.236235 199.x.x.x 199.x.x.y RADIUS 64 Access-Accept(2) (id=4, l=20)

So I think the response is sent from Radius to SoftEther and the server is receiving it, but the server, for some reason, is not accepting it.

If you need more information just let me know.

Thanks for your time, best regards
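Not part of the thread: an added Python example (my own, using a constructed shared secret and Request Authenticator) that parses a RADIUS Access-Accept, checks its Response Authenticator (RFC 2865), and looks for the MS-CHAP2-Success vendor-specific attribute (RFC 2548) that a PPP peer authenticating with MS-CHAPv2 needs back from the NAS. A 20-byte Access-Accept like the "l=20" one in the capture above is the bare header and carries no attributes at all.

```python
import hashlib
import struct

MS_VENDOR_ID, MS_CHAP2_SUCCESS, VSA = 311, 26, 26  # Microsoft vendor id, MS-CHAP2-Success vendor-type (RFC 2548), Vendor-Specific attr

def parse_radius(packet):
    """Split one RADIUS packet into (code, ident, authenticator, [(type, value), ...])."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, packet[4:20], attrs

def response_authenticator_ok(packet, request_auth, secret):
    """RFC 2865: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = struct.unpack("!H", packet[2:4])[0]
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:length] + secret).digest()
    return packet[4:20] == expected

def has_mschap2_success(attrs):
    """True if a Microsoft VSA whose vendor-type is MS-CHAP2-Success is present."""
    for atype, value in attrs:
        if atype == VSA and len(value) >= 6:
            vendor, vtype = struct.unpack("!IB", value[:5])
            if vendor == MS_VENDOR_ID and vtype == MS_CHAP2_SUCCESS:
                return True
    return False

def build_access_accept(ident, request_auth, secret, attrs):
    """Assemble an Access-Accept (code 2) with a correct Response Authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", 2, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def accept_usable_for_mschapv2(packet, request_auth, secret):
    """A PPP NAS doing MS-CHAPv2 needs a valid Access-Accept that also carries MS-CHAP2-Success."""
    code, _, _, attrs = parse_radius(packet)
    return code == 2 and response_authenticator_ok(packet, request_auth, secret) and has_mschap2_success(attrs)

SECRET, REQ_AUTH = b"constructed-secret", bytes(range(16))  # constructed sample values, not from the thread
BARE_ACCEPT = build_access_accept(6, REQ_AUTH, SECRET, [])  # 20 bytes: header only, like "l=20" in the capture
# MS-CHAP2-Success VSA payload: vendor-id(4), vendor-type(1), vendor-len(1)=45, Ident(1), "S=" + 40 hex digits (placeholder)
_SUCCESS = struct.pack("!IBBB", MS_VENDOR_ID, MS_CHAP2_SUCCESS, 45, 0) + b"S=" + b"0" * 40
FULL_ACCEPT = build_access_accept(6, REQ_AUTH, SECRET, [(VSA, _SUCCESS)])
```

In FreeRADIUS, a forced Auth-Type = Accept bypasses the mschap module's verification of the MS-CHAP2-Response, so no MS-CHAP2-Success is generated and the password is never actually checked; letting rlm_mschap authenticate the user is what produces that attribute.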

dajhorn
Posts: 137
Joined: Mon Mar 24, 2014 3:59 am

Re: Radius Setup

Post by dajhorn » Sat Jan 17, 2015 2:09 am

Get RADIUS authentication working with the native SoftEther client before trying anything involving IPSec.

mariocg89
Posts: 2
Joined: Fri Jan 16, 2015 8:57 am

Re: Radius Setup

Post by mariocg89 » Mon Jan 19, 2015 9:41 am

Thanks for your response.

I've tried with the SoftEther VPN client as you said, and it worked perfectly. I started reviewing the log, and then I understood that the VPN authentication wasn't right.

I've changed the type of VPN to Automatic, added the preshared key, and enabled PAP and CHAP (even MS-CHAP v2).

After that, the authentication through Windows over IPSec worked perfectly with Radius authentication.

Thanks again, best regards.
