[Dynamic VPN] Configuration Example Using FreeRADIUS
[KB17337]
SUMMARY:
In Junos 10.3 and below, local authentication for launching the Dynamic VPN and connecting to the SRX is not
supported. In other words, local users are not supported in the security dynamic-vpn configuration portion on the
SRX (Step 4 of the Dynamic VPN application note for Junos 10.3 and below); local authentication is supported
in Junos 10.4 and above. This article provides tips on configuring FreeRADIUS so that it can authenticate your
Dynamic VPN users.
Note that local authentication is supported for the access configuration portion on the SRX, i.e. downloading the Access
Manager client.
Unless otherwise noted, these steps apply to all versions of Dynamic VPN. Steps that apply only to a specific version
say which versions they apply to.
PROBLEM OR GOAL:
Symptoms:
Junos 10.3 and below:
You don't have a RADIUS server set up yet, and because local authentication is not supported for the
security dynamic-vpn configuration on the SRX, you need to configure a RADIUS server. (Local
authentication is supported in Junos 10.4 and above)
Junos 10.4 and above:
You want to use RADIUS to configure authentication for your Dynamic VPN users.
SOLUTION:
Juniper does not provide support for FreeRADIUS, but it has been known to work for Dynamic VPN authentication.
The FreeRADIUS website is located at http://freeradius.org/.
Below are FreeRADIUS installation and configuration instructions that a customer provided to JTAC. If you encounter
problems with these steps, please contact FreeRADIUS for support.
FreeRADIUS INSTALLATION AND CONFIGURATION
In this example Ubuntu Linux is used with FreeRADIUS. The NAS (Network Access Server) is a Juniper SRX210/240.
Install FreeRADIUS:
sudo apt-get install freeradius*
This will fully install freeradius and start the service.
Configure your NAS.
For example, in the file /etc/freeradius/clients.conf, add the following:
client 192.168.2.154 {
        secret = juniper
        shortname = SRX-NAS-test
}
If you want to assign DNS settings to your VPN clients, then do this. In the file
/usr/share/freeradius/dictionary.juniper, add these lines to the existing attributes:
ATTRIBUTE Juniper-Primary-Dns 31 ipaddr
ATTRIBUTE Juniper-Secondary-Dns 33 ipaddr
This step is not needed if no DNS settings are required.
Configure users.
For example, in file /etc/freeradius/users add the following:
user1 Cleartext-Password := "user1"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 172.16.3.33,
        Framed-IP-Netmask = 255.255.255.0,
        Juniper-Primary-Dns = 1.1.1.1,
        Juniper-Secondary-Dns = 2.2.2.2
The above defines username user1 with password user1 and a specified IP address. The reply attributes are
comma-separated, and the last one carries no trailing comma. The DNS attributes are optional.
NOTE: The user defined in the users file corresponds with the user specified in the security dynamic-vpn
portion of the config on the SRX (also documented in the Dynamic VPN application note). For example:
ipsec-vpn dynamic-vpn-user1;
user {
user1 <---------This must match user name in RADIUS
}
Restart the FreeRADIUS service to load the new configuration files:
sudo /etc/init.d/freeradius restart
For configuring the SRX device for Dynamic VPN, please refer to Dynamic VPN application note.
TROUBLESHOOTING
If the FreeRADIUS service does not start for some reason, you can use the command "sudo freeradius -X" to
see the log messages during service start.
The RADIUS server can be tested with the radtest tool like in this example:
$ radtest user1 user1 localhost 1812 testing123
Sending Access-Request of id 134 to 127.0.0.1 port 1812
User-Name = "user1"
User-Password = "user1"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=134, length=68
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 172.16.3.33
Framed-IP-Netmask = 255.255.255.0
Juniper-Primary-Dns = 1.1.1.1
Juniper-Secondary-Dns = 2.2.2.2
The local host should already be configured as a NAS with secret testing123 by default in
/etc/freeradius/clients.conf.
RADIUS packets can be seen using tcpdump. For example:
$ sudo tcpdump -vvv -i eth0 -s0 -n
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:41:12.307859 IP (tos 0x0, ttl 64, id 5705, offset 0, flags [none], proto UDP (17),
length 87) 192.168.2.154.62976 > 192.168.2.51.1812: [udp sum ok] RADIUS, length: 59
Access Request (1), id: 0x95, Authenticator: 9794118f1faa7d3c399742bb6ffe12df
Username Attribute (1), length: 9, Value: juniper
0x0000: 6a75 6e69 7065 72
Password Attribute (2), length: 18, Value:
0x0000: 879c 848c f903 493a c671 bc0f 296a 1ee8
NAS ID Attribute (32), length: 6, Value: luna
0x0000: 6c75 6e61
NAS Port Type Attribute (61), length: 6, Value: Virtual
0x0000: 0000 0005
15:41:12.311950 arp who-has 192.168.2.154 tell 192.168.2.51
15:41:12.313197 arp reply 192.168.2.154 is-at 00:24:dc:16:78:41
15:41:12.313204 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17),
length 96) 192.168.2.51.1812 > 192.168.2.154.62976: [bad udp cksum 49c4!] RADIUS,
length: 68
Access Accept (2), id: 0x95, Authenticator: c37edfdffbf79ed523743d3df1d042c6
Service Type Attribute (6), length: 6, Value: Framed
0x0000: 0000 0002
Framed Protocol Attribute (7), length: 6, Value: PPP
0x0000: 0000 0001
Framed IP Address Attribute (8), length: 6, Value: 172.16.3.33
0x0000: ac10 0321
Framed IP Network Attribute (9), length: 6, Value: 255.255.255.0
0x0000: ffff ff00
Vendor Specific Attribute (26), length: 12, Value: Vendor: Juniper Networks (2636)
Vendor Attribute: 31, Length: 4, Value: ....
0x0000: 0000 0a4c 1f06 0101 0101
Vendor Specific Attribute (26), length: 12, Value: Vendor: Juniper Networks (2636)
Vendor Attribute: 33, Length: 4, Value: ....
0x0000: 0000 0a4c 2106 0202 0202
The configurations in this document were performed with FreeRADIUS version 1.1.7.
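The Access-Accept in the tcpdump output above carries the two Juniper vendor-specific attributes (vendor 2636, vendor types 31 and 33) that the dictionary.juniper lines earlier in this article define, and the SRX only accepts that reply after checking its Response Authenticator against the shared secret from clients.conf. The following Python is an added example, not code from the KB article or from FreeRADIUS: it decodes the attribute bytes taken from that dump and shows the Response Authenticator computation and check from RFC 2865; it assumes the secret for that NAS is "juniper" as in the clients.conf entry above, and it computes the authenticator over a header it rebuilds itself rather than comparing against the value in the capture.

```python
import hashlib
import hmac
import ipaddress
import struct

JUNIPER_VENDOR_ID = 2636  # vendor id shown in the tcpdump output above
JUNIPER_VSA_NAMES = {31: "Juniper-Primary-Dns", 33: "Juniper-Secondary-Dns"}
STD_NAMES = {6: "Service-Type", 7: "Framed-Protocol", 8: "Framed-IP-Address", 9: "Framed-IP-Netmask"}

# Access-Accept attribute bytes re-assembled from the hex in the tcpdump output
# above (constructed sample; the 20-byte RADIUS header is rebuilt below).
ACCEPT_ATTRS = bytes.fromhex(
    "0606 00000002" "0706 00000001" "0806 ac100321" "0906 ffffff00"
    "1a0c 00000a4c 1f06 01010101" "1a0c 00000a4c 2106 02020202")
REQUEST_AUTH = bytes.fromhex("9794118f1faa7d3c399742bb6ffe12df")  # from the Access-Request above


def parse_attrs(data):
    """Walk the RADIUS attribute TLVs; decode Juniper VSAs by their vendor type."""
    out, pos = {}, 0
    while pos < len(data):
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        val = data[pos + 2:pos + alen]
        if atype == 26 and struct.unpack("!I", val[:4])[0] == JUNIPER_VENDOR_ID:
            vtype, vlen = val[4], val[5]      # inner type/length of the VSA
            name = JUNIPER_VSA_NAMES.get(vtype, "Juniper-%d" % vtype)
            out[name] = str(ipaddress.IPv4Address(val[6:4 + vlen]))
        elif atype in (8, 9):                 # ipaddr attributes
            out[STD_NAMES[atype]] = str(ipaddress.IPv4Address(val))
        elif atype in (6, 7):                 # integer attributes
            out[STD_NAMES[atype]] = struct.unpack("!I", val)[0]
        else:
            out[atype] = val                  # anything else kept raw
        pos += alen
    return out


def build_reply(code, ident, attrs, request_auth, secret):
    """Assemble a reply; Response Authenticator = MD5(header | RequestAuth | attrs | secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + auth + attrs


def reply_is_authentic(pkt, request_auth, secret):
    """The check the NAS must make before trusting an Access-Accept."""
    length = struct.unpack("!H", pkt[2:4])[0]
    if length < 20 or length != len(pkt):
        return False
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])
```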
PURPOSE:
Implementation
Juniper Networks - [Dynamic VPN] Configuration example using FreeRADIUS, http://kb.juniper.net/InfoCenter/index?page=content&id=KB17337 (2 of 2, 4/16/2014 6:32 PM)