Perhaps I should explain what I want to achieve.

I use strongswan with IKEv2 as vpn solution.

The idea is that strongswan uses packetfence (and more specifically active
directory) to authenticate IKEv2 users.

 

According to the documentation of strongswan, the eap-radius plugin allows
to authenticate users by using radius.

Basically, the plugin seems to unpack the IKEv2 with respect to the MSCHAPv2
authentication process and generates the required radius messages.

 

My thought was to use my packetfence install (with active directory
integration already working) as a radius server for strongswan.

A user should be granted vpn access if:

- username password matches

- the user is:

* member of the vpn group or

* the user has the msNPAllowDialin attribute set in AD.
 
My questions are:
- can that be done with packetfence (and if so, a few directions would be
appreciated)
- should I deploy a new radius server and keep things separated from
packetfence.
 
Thanks,
 
-- Jaap

Van: Louis Munro [mailto:[email protected]] 
Verzonden: woensdag 12 april 2017 15:34
Aan: [email protected]
Onderwerp: Re: [PacketFence-users] radtest fails on a working system

 

 

On Apr 12, 2017, at 9:23 AM, Forum <[email protected] <mailto:[email protected]>
> wrote:

 

Wed Apr 12 15:19:21 2017 : ERROR: (0) rest: ERROR: {"Reply-Message":"CLI
Access is not allowed by PacketFence on this
switch","reply:PacketFence-Authorization-Status":"allow"}

 

You are testing from the localhost.

That (virtual) switch is not configured in PacketFence for this type of
requests.

 

The problem is with your test.

radtest is not a working replacement for a real request.

The request has to contain additional radius attributes.

 

Furthermore you are sending requests to a port that will not necessarily
replicate your real AAA workflow.

 

Use either radclient or eapol_test (if doing any kind of eap).

I suggest you capture a real request and then replicate the traffic by
sending the same attributes to the same port.

You will need attributes such as NAS-Ip-Address to be defined.

Look in /usr/local/pf/conf/local_secret for the shared secret of the local
server.

You will need it.

 

Regards,
--

Louis Munro
[email protected] <mailto:[email protected]>   ::  www.inverse.ca
<http://www.inverse.ca>  
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu <http://www.sogo.nu> ) and
PacketFence (www.packetfence.org <http://www.packetfence.org> )

 

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Reply via email to