[Dynamic VPN] Configuration example using FreeRADIUS
[KB17337]
SUMMARY:
In Junos 10.3 and below, local authentication for launching the Dynamic VPN and connecting to the SRX is not supported. In other words, local users are not supported in the security dynamic-vpn configuration portion on the SRX (Step 4 of the Dynamic VPN application note for Junos 10.3 and below); local authentication is supported in Junos 10.4 and above. This article provides some tips on configuring FreeRADIUS, so you can use it to authenticate your Dynamic VPN users. Note that local authentication is supported for the access configuration portion on the SRX, i.e. downloading the Access Manager client.

Unless otherwise noted, these steps apply to all versions of Dynamic VPN. Any step that applies to a specific version notes which versions it applies to.

PROBLEM OR GOAL:
Symptoms:
Junos 10.3 and below: You don't have a RADIUS server set up yet, and because local authentication is not supported for the security dynamic-vpn configuration on the SRX, you need to configure a RADIUS server. (Local authentication is supported in Junos 10.4 and above.)
Junos 10.4 and above: You want to use RADIUS to authenticate your Dynamic VPN users.

SOLUTION:
Juniper does not provide support for FreeRADIUS, but it has been known to work for Dynamic VPN authentication. The FreeRADIUS website is located at http://freeradius.org/. Below are FreeRADIUS installation and configuration instructions that a customer provided to JTAC. If you encounter problems with these steps, please contact FreeRADIUS for support.

FreeRADIUS INSTALLATION AND CONFIGURATION
In this example Ubuntu Linux is used with FreeRADIUS. The NAS (Network Access Server) is a Juniper SRX210/240.

1. Install FreeRADIUS:

    sudo apt-get install freeradius*

   This fully installs FreeRADIUS and starts the service.

2. Configure your NAS.
   For example, in the file /etc/freeradius/clients.conf, add the following:

    client 192.168.2.154 {
        secret = juniper
        shortname = SRX-NAS-test
    }

   If you want to assign DNS settings to your VPN clients, add these lines to the existing attributes in the file /usr/share/freeradius/dictionary.juniper:

    ATTRIBUTE Juniper-Primary-Dns 31 ipaddr
    ATTRIBUTE Juniper-Secondary-Dns 33 ipaddr

   This step is not needed if no DNS settings are required.

3. Configure users. For example, in the file /etc/freeradius/users add the following:

    user1 Cleartext-Password := "user1"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 172.16.3.33,
        Framed-IP-Netmask = 255.255.255.0,
        Juniper-Primary-Dns = 1.1.1.1,
        Juniper-Secondary-Dns = 2.2.2.2

   This defines username user1 with password user1 and a specified IP address. The DNS attributes are optional. Note that the last reply item carries no trailing comma: in the users file a comma means the reply list continues on the next line.

   NOTE: The user defined in the users file corresponds to the user specified in the security dynamic-vpn portion of the configuration on the SRX (also documented in the Dynamic VPN application note). For example:

    ipsec-vpn dynamic-vpn-user1;
    user {
        user1     <--------- This must match the user name in RADIUS
    }

4. Restart the FreeRADIUS service to load the new configuration files:

    sudo /etc/init.d/freeradius restart

For configuring the SRX device for Dynamic VPN, please refer to the Dynamic VPN application note.

TROUBLESHOOTING
If the FreeRADIUS service does not start for some reason, you can use the command "sudo freeradius -X" to see the log messages during service start.
The RADIUS server can be tested with the radtest tool, as in this example:

    $ radtest user1 user1 localhost 1812 testing123
    Sending Access-Request of id 134 to 127.0.0.1 port 1812
        User-Name = "user1"
        User-Password = "user1"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1812
    rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=134, length=68
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Address = 172.16.3.33
        Framed-IP-Netmask = 255.255.255.0
        Juniper-Primary-Dns = 1.1.1.1
        Juniper-Secondary-Dns = 2.2.2.2

The local host should already be configured as a NAS with secret testing123 by default in /etc/freeradius/clients.conf.

RADIUS packets can be seen using tcpdump. For example:

    $ sudo tcpdump -vvv -i eth0 -s0 -n
    tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    15:41:12.307859 IP (tos 0x0, ttl 64, id 5705, offset 0, flags [none], proto UDP (17), length 87)
        192.168.2.154.62976 > 192.168.2.51.1812: [udp sum ok] RADIUS, length: 59
        Access Request (1), id: 0x95, Authenticator: 9794118f1faa7d3c399742bb6ffe12df
          Username Attribute (1), length: 9, Value: juniper
            0x0000:  6a75 6e69 7065 72
          Password Attribute (2), length: 18, Value:
            0x0000:  879c 848c f903 493a c671 bc0f 296a 1ee8
          NAS ID Attribute (32), length: 6, Value: luna
            0x0000:  6c75 6e61
          NAS Port Type Attribute (61), length: 6, Value: Virtual
            0x0000:  0000 0005
    15:41:12.311950 arp who-has 192.168.2.154 tell 192.168.2.51
    15:41:12.313197 arp reply 192.168.2.154 is-at 00:24:dc:16:78:41
    15:41:12.313204 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 96)
        192.168.2.51.1812 > 192.168.2.154.62976: [bad udp cksum 49c4!] RADIUS, length: 68
        Access Accept (2), id: 0x95, Authenticator: c37edfdffbf79ed523743d3df1d042c6
          Service Type Attribute (6), length: 6, Value: Framed
            0x0000:  0000 0002
          Framed Protocol Attribute (7), length: 6, Value: PPP
            0x0000:  0000 0001
          Framed IP Address Attribute (8), length: 6, Value: 172.16.3.33
            0x0000:  ac10 0321
          Framed IP Network Attribute (9), length: 6, Value: 255.255.255.0
            0x0000:  ffff ff00
          Vendor Specific Attribute (26), length: 12, Value: Vendor: Juniper Networks (2636)
            Vendor Attribute: 31, Length: 4, Value: ....
            0x0000:  0000 0a4c 1f06 0101 0101
          Vendor Specific Attribute (26), length: 12, Value: Vendor: Juniper Networks (2636)
            Vendor Attribute: 33, Length: 4, Value: ....
            0x0000:  0000 0a4c 2106 0202 0202

The configurations in this document were performed with FreeRADIUS Version 1.1.7.

PURPOSE: Implementation

Juniper Networks - [Dynamic VPN] Configuration example using FreeRADIUS, http://kb.juniper.net/InfoCenter/index?page=content&id=KB17337, retrieved 4/16/2014 6:32 PM
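The following Python script is an added example; it is not part of the Juniper KB article and is not FreeRADIUS code. It rebuilds the 68-byte Access-Accept seen in the tcpdump capture above from the reply items configured for user1 in the users file (Service-Type, Framed-Protocol, Framed-IP-Address, Framed-IP-Netmask, and the two Juniper VSAs with vendor id 2636 and vendor types 31 and 33 from the dictionary.juniper lines), parses the packet back so the hex dumps in the capture can be read, verifies the Response Authenticator the way a NAS must before trusting a reply, and shows the RFC 2865 User-Password hiding that makes the captured Password attribute a 16-byte value. The shared secret "juniper" and the Request Authenticator 9794118f... are taken from the article; the attribute layout follows RFC 2865. The script does not compare against the captured response authenticator c37edfdf..., because the exact request bytes that produced it are not on the page.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

# Constants taken from the article: the NAS shared secret in clients.conf, Juniper's
# vendor id (2636) and the two VSA types added to dictionary.juniper.
SECRET = b"juniper"
JUNIPER_VENDOR_ID = 2636
JUNIPER_VSA_NAMES = {31: "Juniper-Primary-Dns", 33: "Juniper-Secondary-Dns"}
# Standard attribute numbers (RFC 2865) that appear in the capture
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 6: "Service-Type", 7: "Framed-Protocol",
              8: "Framed-IP-Address", 9: "Framed-IP-Netmask", 26: "Vendor-Specific",
              32: "NAS-Identifier", 61: "NAS-Port-Type"}
IPADDR_ATTRS = {8, 9}
ACCESS_ACCEPT = 2
# Request Authenticator of the captured Access-Request (id 0x95), from the tcpdump output
REQUEST_AUTH = bytes.fromhex("9794118f1faa7d3c399742bb6ffe12df")


def tlv(attr_type, value):
    """Encode one attribute as Type, Length, Value (the length counts its 2 header bytes)."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def juniper_vsa(vendor_type, ip):
    """Vendor-Specific (26): 4-byte vendor id, then one vendor sub-TLV; here an ipaddr."""
    sub = struct.pack("!BB", vendor_type, 6) + IPv4Address(ip).packed
    return tlv(26, struct.pack("!I", JUNIPER_VENDOR_ID) + sub)


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_accept(ident, request_auth, secret):
    """Rebuild the Access-Accept from the capture out of user1's reply items."""
    attrs = (tlv(6, struct.pack("!I", 2))                    # Service-Type = Framed-User
             + tlv(7, struct.pack("!I", 1))                  # Framed-Protocol = PPP
             + tlv(8, IPv4Address("172.16.3.33").packed)     # Framed-IP-Address
             + tlv(9, IPv4Address("255.255.255.0").packed)   # Framed-IP-Netmask
             + juniper_vsa(31, "1.1.1.1")                    # Juniper-Primary-Dns
             + juniper_vsa(33, "2.2.2.2"))                   # Juniper-Secondary-Dns
    auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + auth + attrs


def parse_packet(pkt):
    """Walk the attribute list; reject bad lengths instead of reading past the buffer."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("RADIUS length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        val = pkt[pos + 2:pos + alen]
        if atype == 26 and len(val) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", val[:6])
            vval = val[6:4 + vlen]
            if vendor == JUNIPER_VENDOR_ID and vtype in JUNIPER_VSA_NAMES:
                attrs[JUNIPER_VSA_NAMES[vtype]] = str(IPv4Address(vval))
            else:
                attrs["Vendor-%d-%d" % (vendor, vtype)] = vval.hex()
        elif atype in IPADDR_ATTRS:
            attrs[ATTR_NAMES[atype]] = str(IPv4Address(val))
        else:
            attrs[ATTR_NAMES.get(atype, "Attr-%d" % atype)] = val
        pos += alen
    return {"code": code, "id": ident, "length": length, "authenticator": pkt[4:20], "attrs": attrs}


def verify_response(pkt, request_auth, secret):
    """What the NAS must do before trusting a reply: recompute and compare the authenticator."""
    code, ident, _ = struct.unpack("!BBH", pkt[:4])
    expected = response_authenticator(code, ident, pkt[20:], request_auth, secret)
    return hmac.compare_digest(expected, pkt[4:20])


def hide_password(password, request_auth, secret):
    """RFC 2865 section 5.2 User-Password hiding: pad to 16-byte blocks and XOR each block
    with MD5(secret + previous block), seeded with the Request Authenticator. This is why
    the captured Password attribute carries 16 bytes (length 18 with its header)."""
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


if __name__ == "__main__":
    reply = build_access_accept(0x95, REQUEST_AUTH, SECRET)
    print(len(reply), parse_packet(reply)["attrs"])
    print("authenticator ok:", verify_response(reply, REQUEST_AUTH, SECRET))
    print("hidden User-Password:", hide_password(b"user1", REQUEST_AUTH, SECRET).hex())
```

Run it with python3; the rebuilt packet is 68 bytes, its Framed-IP-Address attribute encodes as 0806ac100321 and the first VSA as 1a0c00000a4c1f0601010101, exactly the hex shown in the capture. The design point for an operator is that both the Response Authenticator and the password hiding are keyed only by the clients.conf shared secret over MD5: a captured exchange combined with a weak or guessable secret exposes user passwords and lets forged replies pass verification, so the secret in clients.conf should be long and random and the path between the SRX and the RADIUS server should be restricted to the hosts that need it.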