From: Forum <fr...@go...> - 2017-04-22 02:07:54
|
Perhaps I should explain what I want to achieve. I use strongswan with IKEv2 as vpn solution. The idea is that strongswan uses packetfence (and more specifically active directory) to authenticate IKEv2 users. According to the documentation of strongswan, the eap-radius plugin allows to authenticate users by using radius. Basically, the plugin seems to unpack the IKEv2 with respect to the MSCHAPv2 authentication process and generates the required radius messages. My thought was to use my packetfence install (with active directory integration already working) as a radius server for strongswan. A user should be granted vpn access if: - username password matches - the user is: * member of the vpn group or * the user has the msNPAllowDialin attribute set in AD. My questions are: - can that be done with packetfence (and if so, a few directions would be appreciated) - should I deploy a new radius server and keep things separated from packetfence. Thanks, -- Jaap Van: Louis Munro [mailto:lm...@in...] Verzonden: woensdag 12 april 2017 15:34 Aan: pac...@li... Onderwerp: Re: [PacketFence-users] radtest fails on a working system On Apr 12, 2017, at 9:23 AM, Forum <fr...@go... <mailto:fr...@go...> > wrote: Wed Apr 12 15:19:21 2017 : ERROR: (0) rest: ERROR: {"Reply-Message":"CLI Access is not allowed by PacketFence on this switch","reply:PacketFence-Authorization-Status":"allow"} You are testing from the localhost. That (virtual) switch is not configured in PacketFence for this type of requests. The problem is with your test. radtest is not a working replacement for a real request. The request has to contain additional radius attributes. Furthermore you are sending requests to a port that will not necessarily replicate your real AAA workflow. Use either radclient or eapol_test (if doing any kind of eap). I suggest you capture a real request and then replicate the traffic by sending the same attributes to the same port. You will need attributes such as NAS-Ip-Address to be defined. Look in /usr/local/pf/conf/local_secret for the shared secret of the local server. You will need it. Regards, -- Louis Munro lm...@in... <mailto:lm...@in...> :: www.inverse.ca <http://www.inverse.ca> +1.514.447.4918 x125 :: +1 (866) 353-6153 x125 Inverse inc. :: Leaders behind SOGo (www.sogo.nu <http://www.sogo.nu> ) and PacketFence (www.packetfence.org <http://www.packetfence.org> ) |