[Openswan Users] RES: RES: Openswan using Radius server forauthentication

Arnel B. Espanola aespanola at arts.ucla.edu
Mon Jun 2 16:45:51 EDT 2008


Here are the radiusclient configs in my vpn server. My VPN (10.0.1.23) 
and Radius (10.0.1.101) are on different servers. I don't have 
/etc/radiusclient/clients.conf in my VPN server but I have clients.conf 
in my Radius server. Do I need that file in my vpn server as well? Also, 
please note that the login.radius file doesn't exist in my vpn server, 
which is configured in radiusclient.conf.

Please note that I'm running Fedora 6. I installed the 'radiusclient-ng' 
package because Fedora doesn't have a 'radiusclient' package. And then I 
created the radiusclient directory and copied there all the files from 
the 'radiusclient-ng' directory. File permissions stay the same.

Appreciate your help on this!

Arnel

1.) radiusclient.conf

# General settings

# specify which authentication comes first respectively which
# authentication is used. possible values are: "radius" and "local".
# if you specify "radius,local" then the RADIUS server is asked
# first then the local one. if only one keyword is specified only
# this server is asked.
auth_order      radius,local

# maximum login tries a user has
login_tries     4

# timeout for all login tries
# if this time is exceeded the user is kicked out
login_timeout   60

# name of the nologin file which when it exists disables logins.
# it may be extended by the ttyname which will result in
# a terminal specific lock (e.g. /etc/nologin.ttyS2 will disable
# logins on /dev/ttyS2)
nologin /etc/nologin

# name of the issue file. it's only display when no username is passed
# on the radlogin command line
# issue /etc/radiusclient-ng/issue
issue   /etc/radiusclient/issue

# RADIUS settings

# RADIUS server to use for authentication requests. this config
# item can appear more than one time. if multiple servers are
# defined they are tried in a round robin fashion if one
# server is not answering.
# optionally you can specify the port number on which the remote
# RADIUS server listens, separated by a colon from the hostname. if
# no port is specified /etc/services is consulted for the radius
# service. if this fails too, a compiled-in default is used.
#authserver     auth.ucla.edu:1812
authserver      10.0.1.101:1812

# RADIUS server to use for accounting requests. All that I
# said for authserver applies, too.
#
#acctserver     localhost
#acctserver     auth.ucla.edu
acctserver      10.0.1.101:1813

# file holding shared secrets used for the communication
# between the RADIUS client and server
#servers                /etc/radiusclient-ng/servers
servers         /etc/radiusclient/servers

# dictionary of allowed attributes and values
# just like in the normal RADIUS distributions
#dictionary     @pkgdatadir@/dictionary
dictionary      /etc/radiusclient/dictionary

# program to call for a RADIUS authenticated login
login_radius   /usr/sbin/login.radius
Note: this login.radius file doesn't exist in my vpn server

# file which holds sequence number for communication with the
# RADIUS server
seqfile         /var/run/radius.seq

# file which specifies mapping between ttyname and NAS-Port attribute
#mapfile                /etc/radiusclient-ng/port-id-map
mapfile         /etc/radiusclient/port-id-map

# default authentication realm to append to all usernames if no
# realm was explicitly specified by the user
# the radiusd directly from Livingston doesn't use any realms, so leave
# it blank then
default_realm

# time to wait for a reply from the RADIUS server
radius_timeout  10

# resend request this many times before trying the next server
radius_retries  3

# local address from which radius packets have to be sent
# bindaddr *

# LOCAL settings

# program to execute for local login
# it must support the -f flag for preauthenticated login
login_local     /bin/login

2.) servers

#Server Name or Client/Server pair              Key
#----------------                               ---------------
10.0.1.23 (vpn server)                          [removed]
10.0.1.101 (radius server)                      [removed]


Giovani Moda wrote:
>> Here are my configs. Take note that I'm actually using public IPs but I
>> just changed them into private IPs. Thanks. 
> 
> Is the radius server on the same machine as your VPN server? If not,
> please post your /etc/radiusclient/radiusclient.conf,
> /etc/radiusclient/servers and /etc/radiusclient/clients.conf. Feel free
> to mask any relevant information, but make sure we can distinguish your
> private from your public IPs when doing so.
> 
> Giovani Moda


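As an added example (not part of the original post or of the radiusclient-ng package), here is a small Python checker for the two files posted above: it parses radiusclient.conf, reports any authserver/acctserver host that has no shared-secret line in the servers file, and lists referenced files that are absent on the VPN host, such as the missing login.radius. It assumes the servers file is plain two-column host/secret lines; the sample inputs are constructed and the secrets are placeholders.

```python
import os

# Keys whose values are paths that must already exist on the client host.
# seqfile is left out: radiusclient creates /var/run/radius.seq itself.
PATH_KEYS = ("nologin", "issue", "servers", "dictionary",
             "login_radius", "mapfile", "login_local")

# Constructed sample input mirroring the posted layout (placeholder secrets).
SAMPLE_CONF = """\
authserver      10.0.1.101:1812
acctserver      10.0.1.101:1813
servers         /etc/radiusclient/servers
login_radius    /usr/sbin/login.radius
default_realm
"""
SAMPLE_SERVERS = "10.0.1.23   PLACEHOLDER1\n10.0.1.101  PLACEHOLDER2\n"

def _strip(line):
    """Drop a trailing '#' comment and surrounding whitespace."""
    return line.split("#", 1)[0].strip()

def parse_conf(text):
    """Return {keyword: [values]}; a bare keyword like default_realm maps to ''."""
    conf = {}
    for line in map(_strip, text.splitlines()):
        if line:
            parts = line.split(None, 1)
            conf.setdefault(parts[0], []).append(parts[1] if len(parts) > 1 else "")
    return conf

def radius_hosts(conf):
    """Hosts named by authserver/acctserver, without any ':port' suffix."""
    return {v.split(":", 1)[0] for k in ("authserver", "acctserver")
            for v in conf.get(k, [])}

def servers_file_hosts(text):
    """First column of each non-comment line of the 'servers' file."""
    return {line.split()[0] for line in map(_strip, text.splitlines()) if line}

def missing_secrets(conf, servers_text):
    """RADIUS hosts from the conf that have no shared-secret entry."""
    return sorted(radius_hosts(conf) - servers_file_hosts(servers_text))

def missing_paths(conf, exists=os.path.exists):
    """Referenced files absent from disk; 'exists' is injectable for tests."""
    return sorted(v for k in PATH_KEYS for v in conf.get(k, []) if v and not exists(v))

if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    print("hosts without a shared secret:", missing_secrets(conf, SAMPLE_SERVERS))
    print("referenced files missing:", missing_paths(conf))
```

Run it against the real /etc/radiusclient files by reading them into parse_conf and missing_secrets; any host it prints is one the client cannot sign requests for.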