[IKEv2: Remote Access VPN] RADIUS Authentication (EAP)


- Version: 0.2.b1-022 or later


Currently, RADIUS authentication is supported only for IKEv2.

Enable and configure RADIUS service on gateway/NAS node (gateway1.example.com)


You can enable and set up the RADIUS client (NAS) on the Global Configuration tab of the Web console.

- Global Configuration[Tab] > RADIUS[Tab] > Authentication[Tab]

  1. Check Enable RADIUS authentication.

  2. Set up the RADIUS Server's Address.

    RADIUS Server's Address: IPv4 and 192.168.0.20.

  3. If needed, specify Source IP Address to send and receive RADIUS packets.

    Source IP Address: IPv4 and 192.168.0.10.

  4. Set up the Shared Secret.

    Shared Secret: testing123.

  5. Save the global configuration.

If you want to configure a secondary RADIUS server, check Configure a Secondary RADIUS server and enter values similarly.



Configure the gateway/NAS node (gateway1.example.com) to use RADIUS authentication (EAP).


  1. Open Rockhopper Web Console and login.

  2. Load a VPN realm's configuration.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree]

  3. Set up Service.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name[Left-Tree] > Service[Left-Tree]: Click this tree node to show the Service pane.

    - IKEv2 EAP Server: Select RADIUS Authentication.

  4. Save this realm's configuration.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, Remove or Load)[Left-Tree]:
    Click this tree node to show the Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Save Configuration button.





Configure standard attribute types received from RADIUS server


By enabling standard attribute types to be received from the RADIUS server, you let Rockhopper's Remote Configuration Server use their values to configure remote VPN clients.

- Web Console:Global Configuration[Tab] > RADIUS[Tab] > Authentication[Tab]

  1. Push the Enable standard attribute type button to open the Enable a New RADIUS Attribute Type (Authentication) dialog.

  2. Select Attribute Type and then push OK.

  3. Save the global configuration.

Standard attribute types supported by Rockhopper:

| Attribute Type | Description |
| --- | --- |
| Framed-IP-Address | Used as an internal IPv4 address assigned for a remote user. Framed-IP-Netmask is also enabled. [RFC2865] |
| Framed-IPv6-Address | Used as an internal IPv6 address assigned for a remote user. [RFC6911] |
| MS-Primary-DNS-Server | Used as an internal DNS server's address (IPv4) for a remote user. [RFC2548] |
| DNS-Server-IPv6-Address | Used as an internal DNS server's address (IPv6) for a remote user. [RFC6911] |
| MS-Primary-NBNS-Server | Used as an internal WINS server's address (IPv4) for a remote user. [RFC2548] |
| Tunnel-Private-Group-ID | Used as a VPN Realm's role string to identify a remote user's membership. [RFC2868] |
| Tunnel-Client-Auth-ID | When a remote user's ID or name is encrypted in an EAP message (e.g. EAP-TTLS), there are cases where Rockhopper can't parse it and use it to track the VPN connection state. By receiving an opaque index value from the RADIUS server, Rockhopper can distinguish the connection state without knowing who actually uses the connection. The index value should therefore look like a random string. For example, the gateway uses this value to clear the user's zombie VPN connection. [RFC2868] |
| Session-Timeout | When it expires, the remote user's VPN is disconnected by the gateway. [RFC2865] |
| Framed-MTU | Used as the tunnel MTU. [RFC2865] |



Configure private attribute types received from RADIUS server


In addition, by defining private attribute types received from RADIUS server, Rockhopper's Remote Configuration Server can use the values to configure remote VPN clients.

The RADIUS server must also be configured to send these attributes (e.g. in FreeRADIUS's dictionary file; see the examples below).

RFC2865 defines types 224-249 for implementation-specific use.

- Web Console:Global Configuration[Tab] > RADIUS[Tab] > Authentication[Tab]

  1. Check Define a different private attribute type for each remote client's setting.

  2. Specify a number for each attribute type.

  3. Save the global configuration.

Private attribute types implemented by Rockhopper:

| Attribute Type Name | Type | Description | Value's Example |
| --- | --- | --- | --- |
| VPN Realm ID | String | Used as the VPN Realm ID assigned for a remote user. Based on the value, Rockhopper authorizes and configures the user's VPN connection. | 10 |
| VPN Realm's role string | String | Used as the role string assigned for a remote user. Based on the value, Rockhopper authorizes and configures the user's VPN connection. | sales_dep |
| Remote user's unique and opaque index | String | When a remote user's ID or name is encrypted in an EAP message (e.g. EAP-TTLS), there are cases where Rockhopper can't parse it and use it to track the VPN connection state. By receiving an opaque index value from the RADIUS server, Rockhopper can distinguish the connection state without knowing who actually uses the connection. The index value should therefore look like a random string. For example, the gateway uses this value to clear the user's zombie VPN connection. | zLsTYuJT6K8ku9mz |
| Internal IPv4 Address | String | Used as an internal IPv4 address assigned for a remote user. If a prefix length (e.g. '/24') is specified, it is used as a hint by Rockhopper (NAS). | 192.168.100.17 or 192.168.100.17/24 |
| Internal IPv6 Address | String | Used as an internal IPv6 address assigned for a remote user. If a prefix length (e.g. '/64') is specified, it is used as a hint by Rockhopper (NAS). | 2001:db8:100::17 or 2001:db8:100::17/64 |
| Internal DNS Server's IPv4 Address | String | Used as an internal DNS server's address (IPv4) for a remote user. | 192.168.100.100 |
| Internal DNS Server's IPv6 Address | String | Used as an internal DNS server's address (IPv6) for a remote user. | 2001:db8:100::100 |
| Internal Domain Name | String | Used as an internal Domain Name for a remote user. | .example.com |
| Internal IPv4 Destination Network | String | Used as an internal Route Map (an internal destination network address) for a remote user (IPv4). Multiple values can be specified. | 192.168.100.0/24 |
| Internal IPv6 Destination Network | String | Used as an internal Route Map (an internal destination network address) for a remote user (IPv6). Multiple values can be specified. | 2001:db8:100::/64 |
| Internal Gateway's IPv4 Address (Bridge mode) | String | Used as an internal gateway address for a remote user (IPv4). | 192.168.100.1 |
| Internal Gateway's IPv6 Address (Bridge mode) | String | Used as an internal gateway address for a remote user (IPv6). | 2001:db8:100::100 |


Alternatively, you can define a single private attribute type that carries all attribute values, each tagged with its setting name.

- Global Configuration[Tab] > RADIUS[Tab] > Authentication[Tab]

  1. Check Define a single private attribute type used for all remote client's settings.

  2. Specify a number for Private attribute type (String).

  3. Save the global configuration.

| Attribute Type Name | Syntax ('tag name':'attribute value') | String Value's Example |
| --- | --- | --- |
| VPN Realm ID | REALM_ID:vpn_realm_id | REALM_ID:10 |
| VPN Realm's role string | REALM_ROLE:role_string | REALM_ROLE:sales_dep |
| Remote user's unique and opaque index | USER_INDEX:index_string | USER_INDEX:zLsTYuJT6K8ku9mz |
| Internal IPv4 Address | IN_IP4:ipv4_address or IN_IP4:ipv4_address/prefix_length. A prefix length (e.g. '/24') is used as a hint by Rockhopper (NAS). | IN_IP4:192.168.100.17 or IN_IP4:192.168.100.17/24 |
| Internal IPv6 Address | IN_IP6:ipv6_address or IN_IP6:ipv6_address/prefix_length. A prefix length (e.g. '/64') is used as a hint by Rockhopper (NAS). | IN_IP6:2001:db8:100::17 or IN_IP6:2001:db8:100::17/64 |
| Internal DNS Server's IPv4 Address | IN_DNS_IP4:ipv4_address | IN_DNS_IP4:192.168.100.100 |
| Internal DNS Server's IPv6 Address | IN_DNS_IP6:ipv6_address | IN_DNS_IP6:2001:db8:100::100 |
| Internal Domain Name | IN_DOMAIN:domain_name_suffix | IN_DOMAIN:.example.com |
| Internal IPv4 Destination Network | IN_DEST_IP4:ipv4_subnet_address/prefix_length | IN_DEST_IP4:192.168.101.0/24 |
| Internal IPv6 Destination Network | IN_DEST_IP6:ipv6_subnet_address/prefix_length | IN_DEST_IP6:2001:db8:101::/64 |
| Internal Gateway's IPv4 Address (Bridge mode) | IN_GW_IP4:ipv4_gateway_address | IN_GW_IP4:192.168.100.10 |
| Internal Gateway's IPv6 Address (Bridge mode) | IN_GW_IP6:ipv6_gateway_address | IN_GW_IP6:2001:db8:100::10 |
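The 'tag name':'attribute value' syntax above packs every per-user setting into one opaque RADIUS string attribute, so whatever consumes it on the NAS side has to split each value once at the first colon (IPv6 values contain further colons), check the tag, and validate the address or prefix before applying it. The following is an added example written for this page, not Rockhopper's own code: a small Python parser that turns a list of such strings into a settings dictionary, accepts repeated IN_DEST_* tags, keeps the optional '/len' hint on IN_IP4 and IN_IP6, and rejects unknown tags, duplicated single-value tags and malformed values such as a doubled prefix ('/24/24'). The tag names are the ones in the table; the sample reply is constructed from the page's example values.

```python
import ipaddress

# Tag names from the 'tag name':'attribute value' syntax table. Tags that may occur
# once per reply, and tags that may be repeated (one destination network per instance).
SINGLE_TAGS = {"REALM_ID", "REALM_ROLE", "USER_INDEX", "IN_IP4", "IN_IP6",
               "IN_DNS_IP4", "IN_DNS_IP6", "IN_DOMAIN", "IN_GW_IP4", "IN_GW_IP6"}
MULTI_TAGS = {"IN_DEST_IP4", "IN_DEST_IP6"}


def _host_addr(value, version, allow_prefix):
    """Validate a host address, optionally followed by a '/len' prefix hint.
    Returns (address, prefix_or_None). A second '/' (e.g. '/24/24') is rejected."""
    addr, sep, plen = value.partition("/")
    if sep and not allow_prefix:
        raise ValueError(f"{value!r}: a prefix length is not allowed here")
    if sep and not plen.isdigit():
        raise ValueError(f"{value!r}: malformed prefix length")
    ip = ipaddress.ip_address(addr)  # raises ValueError on anything that is not an address
    if ip.version != version:
        raise ValueError(f"{value!r}: expected an IPv{version} address")
    if sep and int(plen) > ip.max_prefixlen:
        raise ValueError(f"{value!r}: prefix length out of range")
    return str(ip), (int(plen) if sep else None)


def _network(value, version):
    """Validate 'subnet/len' for IN_DEST_* tags; host bits must be zero."""
    if "/" not in value:
        raise ValueError(f"{value!r}: a destination network needs a prefix length")
    net = ipaddress.ip_network(value, strict=True)  # strict: rejects host bits set
    if net.version != version:
        raise ValueError(f"{value!r}: expected an IPv{version} network")
    return str(net)


def parse_rhp_attrs(values):
    """Parse the 'tag:value' strings carried by the single private attribute
    (RHP-ATTR in the FreeRADIUS example below) into a per-user settings dict."""
    cfg = {tag: [] for tag in MULTI_TAGS}
    for raw in values:
        tag, sep, value = raw.partition(":")  # split once: IPv6 values contain ':' too
        if not sep or not value:
            raise ValueError(f"{raw!r}: expected 'tag:value'")
        version = 4 if tag.endswith("4") else 6
        if tag in MULTI_TAGS:
            cfg[tag].append(_network(value, version))
            continue
        if tag not in SINGLE_TAGS:
            raise ValueError(f"{raw!r}: unknown tag")
        if tag in cfg:
            raise ValueError(f"{raw!r}: {tag} given more than once")
        if tag == "REALM_ID":
            if not value.isdigit():
                raise ValueError(f"{raw!r}: realm ID must be a number")
            cfg[tag] = int(value)
        elif tag in ("REALM_ROLE", "USER_INDEX", "IN_DOMAIN"):
            cfg[tag] = value
        elif tag in ("IN_IP4", "IN_IP6"):
            cfg[tag] = _host_addr(value, version, allow_prefix=True)
        else:  # IN_DNS_IP* and IN_GW_IP*: plain addresses, no prefix hint
            cfg[tag] = _host_addr(value, version, allow_prefix=False)[0]
    return cfg


def reject(values):
    """Return the error text if parsing fails, else None (for the negative cases)."""
    try:
        parse_rhp_attrs(values)
    except ValueError as e:
        return str(e)
    return None


# Constructed sample: the RHP-ATTR values from the FreeRADIUS 'users' example below.
SAMPLE_REPLY = [
    "REALM_ID:10",
    "REALM_ROLE:sales_dep",
    "USER_INDEX:zLsTYuJT6K8ku9mz",
    "IN_IP4:192.168.100.17/24",
    "IN_IP6:2001:db8:100::17/64",
    "IN_DNS_IP4:192.168.100.100",
    "IN_DNS_IP6:2001:db8:100::100",
    "IN_DOMAIN:.example.com",
    "IN_DEST_IP4:192.168.101.0/24",
    "IN_DEST_IP4:192.168.102.0/24",
    "IN_DEST_IP6:2001:db8:101::/64",
    "IN_GW_IP4:192.168.100.10",
    "IN_GW_IP6:2001:db8:100::10",
]

if __name__ == "__main__":
    for key, val in sorted(parse_rhp_attrs(SAMPLE_REPLY).items()):
        print(f"{key:12} {val}")
    print(reject(["IN_DEST_IP4:192.168.101.0/24/24"]))  # doubled prefix is refused
    print(reject(["IN_FOO:bar"]))                        # unknown tag is refused
```

Rejecting rather than guessing on a malformed value matters here because the reply is what authorizes and shapes the user's tunnel: a silently truncated destination network or a prefix hint applied to the wrong field would change the routes pushed to the client.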


The following examples are for FreeRADIUS's config files on Ubuntu.

(e.g.) /etc/freeradius/dictionary

#
# This is the master dictionary file, which references the
# pre-defined dictionary files included with the server.
#
# Any new/changed attributes MUST be placed in this file, as
# the pre-defined dictionaries SHOULD NOT be edited.
#
...

ATTRIBUTE RHP-VPN-REALM-ID 224 string
ATTRIBUTE RHP-VPN-REALM-ROLE 225 string
ATTRIBUTE RHP-USER-INDEX 226 string
ATTRIBUTE RHP-INTERNAL-IPV4-ADDRESS 227 string
ATTRIBUTE RHP-INTERNAL-IPV6-ADDRESS 228 string
ATTRIBUTE RHP-INTERNAL-DNS-IPV4 229 string
ATTRIBUTE RHP-INTERNAL-DNS-IPV6 230 string
ATTRIBUTE RHP-INTERNAL-DOMAIN-NAME 231 string
ATTRIBUTE RHP-INTERNAL-ROUTE-MAP-IPV4 232 string
ATTRIBUTE RHP-INTERNAL-ROUTE-MAP-IPV6 233 string
ATTRIBUTE RHP-INTERNAL-GATEWAY-IPV4 234 string
ATTRIBUTE RHP-INTERNAL-GATEWAY-IPV6 235 string

(e.g.) /etc/freeradius/users

...

alice Cleartext-Password := "abcd"
  Reply-Message := "Hello, %{User-Name}",
  RHP-VPN-REALM-ID = 10,
  RHP-VPN-REALM-ROLE = sales_dep,
  RHP-USER-INDEX = zLsTYuJT6K8ku9mz,
  RHP-INTERNAL-IPV4-ADDRESS = 192.168.100.17/24,
  RHP-INTERNAL-IPV6-ADDRESS = 2001:db8:100::17/64,
  RHP-INTERNAL-DNS-IPV4 = 192.168.100.100,
  RHP-INTERNAL-DNS-IPV6 = 2001:db8:100::100,
  RHP-INTERNAL-DOMAIN-NAME = .example.com,
  RHP-INTERNAL-ROUTE-MAP-IPV4 = 192.168.101.0/24,
  RHP-INTERNAL-ROUTE-MAP-IPV4 = 192.168.102.0/24,
  RHP-INTERNAL-ROUTE-MAP-IPV6 = 2001:db8:101::/64,
  RHP-INTERNAL-ROUTE-MAP-IPV6 = 2001:db8:102::/64,
  RHP-INTERNAL-GATEWAY-IPV4 = 192.168.100.10,
  RHP-INTERNAL-GATEWAY-IPV6 = 2001:db8:100::10,
  Framed-MTU = 1390

...
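Two things go wrong most often with per-attribute private types: a dictionary entry lands outside the implementation-specific range 224-249 (or reuses a number), and a users-file reply item names an attribute that the dictionary never defined, which FreeRADIUS rejects when it loads the file. The following is an added example written for this page, not FreeRADIUS's or Rockhopper's code: a Python check that reads ATTRIBUTE lines from a dictionary snippet and reply items from a users entry and reports both kinds of problem. The standard attribute names it knows are only the ones used in this page's examples, and the two snippets are constructed inputs that deliberately contain a bad number, a duplicate number and a misspelled attribute name.

```python
import re

# RFC 2865 reserves attribute types 224-249 for implementation-specific use.
PRIVATE_RANGE = range(224, 250)

# Standard reply attributes used in this page's examples (a constructed subset,
# not FreeRADIUS's full set of dictionaries).
STANDARD_ATTRS = {
    "Reply-Message", "Framed-MTU", "Framed-IP-Address", "Framed-IP-Netmask",
    "Framed-IPv6-Address", "MS-Primary-DNS-Server", "DNS-Server-IPv6-Address",
    "MS-Primary-NBNS-Server", "Tunnel-Client-Auth-Id", "Session-Timeout",
}

ATTR_LINE = re.compile(r"^\s*ATTRIBUTE\s+(\S+)\s+(\d+)\s+(\S+)")
# Reply items are indented and use '=' or ':=' as the operator.
REPLY_LINE = re.compile(r"^\s+([A-Za-z0-9_-]+)\s*:?=")


def check_dictionary(text):
    """Return (attrs, problems): attrs maps attribute name -> number,
    problems lists range, duplicate and type violations."""
    attrs, by_number, problems = {}, {}, []
    for line in text.splitlines():
        m = ATTR_LINE.match(line)
        if not m:
            continue
        name, number, atype = m.group(1), int(m.group(2)), m.group(3)
        if number not in PRIVATE_RANGE:
            problems.append(f"{name}: type {number} is outside the private range 224-249")
        if number in by_number:
            problems.append(f"{name}: type {number} already used by {by_number[number]}")
        if name in attrs:
            problems.append(f"{name}: defined twice")
        if atype != "string":
            problems.append(f"{name}: Rockhopper's private attributes are strings, got {atype}")
        attrs[name] = number
        by_number.setdefault(number, name)
    return attrs, problems


def check_users_entry(text, attrs):
    """Every reply item in a users entry must name a known standard attribute
    or one defined in the dictionary. Returns the list of problems."""
    problems = []
    for line in text.splitlines():
        m = REPLY_LINE.match(line)
        if not m:
            continue
        name = m.group(1)
        if name not in STANDARD_ATTRS and name not in attrs:
            problems.append(f"{name}: not defined in the dictionary")
    return problems


# Constructed samples: two faults in the dictionary, one misspelling in the users entry.
SAMPLE_DICTIONARY = """\
ATTRIBUTE RHP-VPN-REALM-ID 224 string
ATTRIBUTE RHP-VPN-REALM-ROLE 225 string
ATTRIBUTE RHP-INTERNAL-ROUTE-MAP-IPV4 232 string
ATTRIBUTE RHP-INTERNAL-ROUTE-MAP-IPV6 233 string
ATTRIBUTE RHP-BAD-NUMBER 250 string
ATTRIBUTE RHP-BAD-DUP 224 string
"""

SAMPLE_USERS = """\
alice Cleartext-Password := "abcd"
  Reply-Message := "Hello, %{User-Name}",
  RHP-VPN-REALM-ID = 10,
  RHP-INTERNAL-ROUTE-MAP-IPV4 = 192.168.101.0/24,
  RHP-INTERNAL-ROUTE-MAP_IPV4 = 192.168.102.0/24,
  Framed-MTU = 1390
"""

if __name__ == "__main__":
    attrs, dict_problems = check_dictionary(SAMPLE_DICTIONARY)
    for p in dict_problems + check_users_entry(SAMPLE_USERS, attrs):
        print(p)
```

Running the check before restarting the server is cheaper than reading the failure out of FreeRADIUS's debug output, and it catches the underscore-for-hyphen slip that a quick visual scan of a long users entry tends to miss.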



(e.g.) /etc/freeradius/dictionary

#
# This is the master dictionary file, which references the
# pre-defined dictionary files included with the server.
#
# Any new/changed attributes MUST be placed in this file, as
# the pre-defined dictionaries SHOULD NOT be edited.
#
...

ATTRIBUTE RHP-ATTR 236 string

(e.g.) /etc/freeradius/users

...

alice Cleartext-Password := "abcd"
  Reply-Message := "Hello, %{User-Name}",
  RHP-ATTR = REALM_ROLE:sales_dep,
  RHP-ATTR = USER_INDEX:zLsTYuJT6K8ku9mz,
  RHP-ATTR = IN_IP4:192.168.100.17/24,
  RHP-ATTR = IN_IP6:2001:db8:100::17/64,
  RHP-ATTR = IN_DNS_IP4:192.168.100.100,
  RHP-ATTR = IN_DNS_IP6:2001:db8:100::100,
  RHP-ATTR = IN_DOMAIN:.example.com,
  RHP-ATTR = IN_DEST_IP4:192.168.101.0/24,
  RHP-ATTR = IN_DEST_IP4:192.168.102.0/24,
  RHP-ATTR = IN_DEST_IP6:2001:db8:101::/64,
  RHP-ATTR = IN_DEST_IP6:2001:db8:102::/64,
  RHP-ATTR = IN_GW_IP4:192.168.100.10,
  RHP-ATTR = IN_GW_IP6:2001:db8:100::10,
  Framed-MTU = 1390

...



(e.g.) /etc/freeradius/dictionary

#
# This is the master dictionary file, which references the
# pre-defined dictionary files included with the server.
#
# Any new/changed attributes MUST be placed in this file, as
# the pre-defined dictionaries SHOULD NOT be edited.
#
...

ATTRIBUTE RHP-ATTR 236 string

(e.g.) /etc/freeradius/users

...

alice Cleartext-Password := "abcd"
  Reply-Message := "Hello, %{User-Name}",
  Framed-IP-Address = 192.168.100.17,
  Framed-IP-Netmask = 255.255.255.0,
  Framed-IPv6-Address = 2001:db8:100::17,
  MS-Primary-DNS-Server = 192.168.100.100,
  DNS-Server-IPv6-Address = 2001:db8:100::100,
  MS-Primary-NBNS-Server = 192.168.100.100,
  RHP-ATTR = REALM_ROLE:sales_dep,
  RHP-ATTR = IN_DOMAIN:.example.com,
  RHP-ATTR = IN_DEST_IP4:192.168.101.0/24,
  RHP-ATTR = IN_DEST_IP4:192.168.102.0/24,
  RHP-ATTR = IN_DEST_IP6:2001:db8:101::/64,
  RHP-ATTR = IN_DEST_IP6:2001:db8:102::/64,
  RHP-ATTR = IN_GW_IP4:192.168.100.10,
  RHP-ATTR = IN_GW_IP6:2001:db8:100::10,
  Framed-MTU = 1390,
  Tunnel-Client-Auth-Id = zLsTYuJT6K8ku9mz

...




Configure standard attribute types sent to RADIUS server


By enabling standard attribute types to be sent to the RADIUS server, you make Rockhopper include additional attributes in each RADIUS Access-Request message.

- Web Console:Global Configuration[Tab] > RADIUS[Tab] > Authentication[Tab]

  1. Push the Enable standard attribute type button to open the Enable a New RADIUS Attribute Type (Authentication) dialog.

  2. Select Attribute Type and then push OK.

  3. Save the global configuration.

Standard attribute types supported by Rockhopper:

| Attribute Type | Value | Description |
| --- | --- | --- |
| NAS-Identifier | Any string | Send the specified string as a NAS-Identifier attribute. [RFC2865] |
| NAS-Identifier-IKEv2-ID | enable or disable | Send the gateway (NAS)'s IKEv2 ID as a NAS-Identifier attribute (e.g. gateway1.example.com). [RFC2865] |
| Connect-Info | Any string | Send a Connect-Info attribute. [RFC2869] |
| Framed-MTU | Bytes of the VPN tunnel's MTU | Send a fixed tunnel MTU as a Framed-MTU attribute. [RFC2865] |
| Calling-Station-Id | enable or disable | Send the remote user's IP address and port as a Calling-Station-Id attribute. [RFC2865] |
| NAS-Port-Type | enable or disable | Send a NAS-Port-Type attribute with the value Virtual(5). [RFC2865] |



Configure additional settings.


- Web Console:Global Configuration[Tab] > RADIUS[Tab] > Authentication[Tab]

  1. Push the Add Setting button to open the Add a New RADIUS Setting (Authentication) dialog.

  2. Select Setting Name, enter Setting Value and then push OK.

  3. Save the global configuration.

| Setting Name | Setting Value | Default Value | Description |
| --- | --- | --- | --- |
| max_sessions | Number of RADIUS sessions | 256 (sessions) | The maximum number of RADIUS sessions initiated by Rockhopper. |
| retransmit_interval | Number of seconds | 3 (seconds) | The interval in seconds between retransmissions of a RADIUS message by Rockhopper. |
| retransmit_times | Retransmission count | 3 (times) | The number of times Rockhopper retransmits a RADIUS message. |



Configuration examples



