Re: [PacketFence-users] radtest fails on a working system

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Perhaps I should explain what I want to achieve.

I use strongswan with IKEv2 as vpn solution.

The idea is that strongswan uses packetfence (and more specifically active
directory) to authenticate IKEv2 users.

According to the documentation of strongswan, the eap-radius plugin allows
to authenticate users by using radius.

Basically, the plugin seems to unpack the IKEv2 with respect to the MSCHAPv2
authentication process and generates the required radius messages.

My thought was to use my packetfence install (with active directory
integration already working) as a radius server for strongswan.

A user should be granted vpn access if:

- username password matches

- the user is:

* member of the vpn group or

* the user has the msNPAllowDialin attribute set in AD.

My questions are:
- can that be done with packetfence (and if so, a few directions would be
appreciated)
- should I deploy a new radius server and keep things separated from
packetfence.

Thanks,

-- Jaap

Van: Louis Munro [mailto:lm...@in...] 
Verzonden: woensdag 12 april 2017 15:34
Aan: pac...@li...
Onderwerp: Re: [PacketFence-users] radtest fails on a working system

On Apr 12, 2017, at 9:23 AM, Forum <fr...@go... <mailto:fr...@go...>
> wrote:

Wed Apr 12 15:19:21 2017 : ERROR: (0) rest: ERROR: {"Reply-Message":"CLI
Access is not allowed by PacketFence on this
switch","reply:PacketFence-Authorization-Status":"allow"}

You are testing from the localhost.

That (virtual) switch is not configured in PacketFence for this type of
requests.

The problem is with your test.

radtest is not a working replacement for a real request.

The request has to contain additional radius attributes.

Furthermore you are sending requests to a port that will not necessarily
replicate your real AAA workflow.

Use either radclient or eapol_test (if doing any kind of eap).

I suggest you capture a real request and then replicate the traffic by
sending the same attributes to the same port.

You will need attributes such as NAS-Ip-Address to be defined.

Look in /usr/local/pf/conf/local_secret for the shared secret of the local
server.

You will need it.

Regards,
--

Louis Munro
lm...@in... <mailto:lm...@in...>   ::  www.inverse.ca
<http://www.inverse.ca>  
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu <http://www.sogo.nu> ) and
PacketFence (www.packetfence.org <http://www.packetfence.org> )