I am trying to set up a proxy Freeradius server that forwards all requests to another Freeradius server.
For reference see the following picture:
The reason for this setup is that I want users to be able to connect to the local LAN via VPN, but the local site is not accessible due to NAT implemented at the ISP.
I am however able to make a site2site VPN connection from local LAN to the VPN server, so I want users to be able to make a VPN connection to the local network via the public VPN server, provided they are a valid user on the local net.
I have a Freeradius server running on local LAN that validates users against a database - and that part is working fine.
Configuration VPN server side
As far as I understand, the only thing I need to modify on the server is the file proxy.conf.
Assuming usernames logging onto the VPN are of the form [email protected], then I would only need to add the following entry to proxy.conf:
# Realm definition in the FreeRADIUS 2 style: proxy every request for @example.com
# to the local RADIUS server over the site-to-site VPN.
realm example.com {
	type = radius
	secret = VeryS3cretPassw0rd
	authhost = local-radius.example.com:1812
	accthost = local-radius.example.com:1813
	# Keep the full User-Name (including @example.com) in the proxied request.
	nostrip
}
The nostrip entry makes sure that the proxied request does not have the @-suffix removed from the username.
I would also need to add the following to /etc/hosts:
# VPN Address of local-radius.example.com
192.168.100.2 local-radius.example.com
Configuration local radius server side
On the local radius server I need to update clients.conf so that any queries to the local RADIUS server originating from the VPN IP address are permitted, for instance with this entry:
client vpn-net {
	# Allow requests originating from the VPN subnet.
	ipaddr = 192.168.100.0/24
	secret = VeryS3cretPassw0rd
}
Running the following command on the VPN server works as expected:
radtest -t mschap [email protected] SecretPassword local-radius.example.com:1812 0 VeryS3cretPassw0rd
I get the following response back:
Sent Access-Request Id 108 from 0.0.0.0:47466 to 192.168.100.2:1812 length 148
	User-Name = "[email protected]"
	MS-CHAP-Password = "SecretPassword"
	NAS-IP-Address = 127.0.1.1
	NAS-Port = 0
	Message-Authenticator = 0x00
	Cleartext-Password = "SecretPassword"
	MS-CHAP-Challenge = ....
	MS-CHAP-Response = ...
Received Access-Accept Id 108 from 192.168.100.2:1812 to 192.168.100.1:47466 length 84
	MS-CHAP-MPPE-Keys = ...
	MS-MPPE-Encryption-Policy = Encryption-Required
	MS-MPPE-Encryption-Types = 4
However, running the following command on the VPN server fails:
radtest -t mschap [email protected] SecretPassword localhost:18120 0 testing123
The output from the command is:
Sent Access-Request Id 104 from 0.0.0.0:39558 to 127.0.0.1:18120 length 148
	User-Name = "[email protected]"
	MS-CHAP-Password = "SecretPassword"
	NAS-IP-Address = 127.0.1.1
	NAS-Port = 0
	Message-Authenticator = 0x00
	Cleartext-Password = "SecretPassword"
	MS-CHAP-Challenge = ...
	MS-CHAP-Response = ...
Received Access-Reject Id 104 from 127.0.0.1:18120 to 127.0.0.1:39558 length 20
(0) -: Expected Access-Accept got Access-Reject
Running the command freeradius -X on the VPN server gives, among others, this output:
(0) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
(0) [mschap] = ok
(0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "example.com" for User-Name = "[email protected]"
(0) suffix: Found realm "example.com"
(0) suffix: Adding Realm = "example.com"
(0) suffix: Proxying request from user [email protected] to realm example.com
(0) suffix: Preparing to proxy authentication request to realm "example.com"
(0) [suffix] = updated
(0) ntdomain: Request already has destination realm set. Ignoring
(0) [ntdomain] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) [files] = noop
(0) [expiration] = noop
(0) [logintime] = noop
(0) [pap] = noop
(0) } # authorize = updated
(0) There was no response configured: rejecting request
Monitoring freeradius on the local net indicates that the server was never called from the VPN server, so what am I missing?
I am not quite sure what happened, but after doing a complete reinstall of Freeradius on the server there was no problem with proxying the request.
For simplicity you can just point the proxy server towards the VPN IP address of the local radius server, and that is basically it.
Assuming you have a clean install of Freeradius, then you would only need to modify proxy.conf with the following setup:

Also, when testing user login with radtest: do not test against localhost:18120, as you are then only testing against local users on the VPN server, because that port is mapped to the inner-tunnel virtual server. You should instead test against localhost:1812, as it is mapped to the default virtual server. Testing against the proxy server gave me, among others, the following output from freeradius -x
Important closing remarks
It appears that the way proxying works is changing with each major revision of Freeradius.
The syntax I used is compatible with version 2 of Freeradius, but is considered obsolete in version 3. There the recommended way is to point the realms at home_server_pools, which in turn point towards a pool of one or more home_servers. Though obsolete, it still works with version 3. :-)
However: in Freeradius version 4 everything has changed again when setting up a proxy server, and as such we need to learn a new way of configuring the server.
For more information, please go to this link:
https://wiki.freeradius.org/upgrading/version4/proxy
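The following is an added example, not configuration from the original post or answer: it rewrites the realm setup from the question (local RADIUS server at 192.168.100.2 over the site-to-site VPN, realm example.com, nostrip) in the FreeRADIUS 3 home_server / home_server_pool / realm layout that the closing remarks recommend. It assumes that the shared secret matches the client entry on the local RADIUS server and that radiusd.conf keeps the default proxy_requests = yes; the home_server and pool names are illustrative.

```conf
# Added example (not from the original post): FreeRADIUS 3 proxy.conf layout.
# Assumed: local RADIUS server reachable at 192.168.100.2 via the site-to-site
# VPN, shared secret matching its clients.conf, proxy_requests = yes (default).

home_server local-radius-auth {
	type = auth
	ipaddr = 192.168.100.2
	port = 1812
	secret = VeryS3cretPassw0rd

	# Treat the server as zombie/dead when it stops answering, and probe it
	# with Status-Server so that a broken VPN tunnel is noticed quickly
	# instead of every login waiting for the full response window.
	response_window = 20
	zombie_period = 40
	status_check = status-server
	check_interval = 30
	num_answers_to_alive = 3
}

home_server local-radius-acct {
	type = acct
	ipaddr = 192.168.100.2
	port = 1813
	secret = VeryS3cretPassw0rd
	status_check = status-server
}

# A pool lists one or more home servers. With a single server there is nothing
# to fail over to, but a realm must still reference a pool, not a server.
home_server_pool local-radius-auth-pool {
	type = fail-over
	home_server = local-radius-auth
}

home_server_pool local-radius-acct-pool {
	type = fail-over
	home_server = local-radius-acct
}

# Requests for a User-Name ending in @example.com are proxied to the pools
# above. nostrip keeps the full User-Name (with @example.com) in the proxied
# request, which is what the local server's user database expects.
realm example.com {
	auth_pool = local-radius-auth-pool
	acct_pool = local-radius-acct-pool
	nostrip
}
```

Status-Server probes are only answered if the local RADIUS server allows them (status_server = yes in the security section of its radiusd.conf, which is the default in version 3) and the probing host is listed as a client there, which the clients.conf entry for the VPN subnet in the question already covers. As the answer notes, test the proxy with radtest against localhost:1812 (the default virtual server), not 18120 (inner-tunnel), otherwise the suffix module will proxy the request but the reply comes from the wrong virtual server.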