The idea is to use ezVPN for remote sites dialling into a central hub. Rather than having the users configured locally on the hub router, I want to authenticate them against RADIUS, and since I don't want to pay for Cisco ACS or Windows Server, FreeRADIUS is the obvious open-source option.
Hub Router Configuration
The configuration on the router is fairly simple and well-documented. You will need an IOS image with the appropriate crypto feature set. In my case, I am using a Cisco CSR1000V in the cloud to test this. Below are the relevant parts of my configuration:

aaa group server radius VPN-RADIUS
 ! the ports and the shared secret belong on the one server-private line for the server
 server-private <RADIUS Server IP> auth-port 1812 acct-port 1813 key <RADIUS Shared Secret>
 ip vrf forwarding Mgmt-intf
 ip radius source-interface GigabitEthernet0
!
aaa authentication login VPN-Users group VPN-RADIUS
aaa authorization network VPN-Users group VPN-RADIUS
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp client configuration group RemoteUsers
 key <pre-shared-key>
 acl 110
 save-password
!
crypto isakmp profile VPN
 match identity group RemoteUsers
 client authentication list VPN-Users
 isakmp authorization list VPN-Users
 client configuration address respond
 virtual-template 2
!
crypto ipsec transform-set ezVPN-Transform esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile ezVPN
 set transform-set ezVPN-Transform
 set isakmp-profile VPN
!
crypto dynamic-map Remote-Map 10
 set transform-set ezVPN-Transform
 set isakmp-profile VPN
 reverse-route
!
crypto map VPN 65535 ipsec-isakmp dynamic Remote-Map
!
interface Virtual-Template2 type tunnel
 ip unnumbered GigabitEthernet2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ezVPN
!
access-list 110 permit ip 172.16.0.0 0.15.255.255 any
!
interface GigabitEthernet1
 ip address <WAN Address> <Netmask>
 crypto map VPN
This is a lot of configuration, and some of it may not be necessary; I need to go back and clean it out. In particular, the ISAKMP client configuration group will actually be provided by RADIUS, so that part can likely be removed. Note also that the 3DES transform and DH group 2 in the policies above are legacy choices; prefer AES and a stronger DH group wherever the remote routers support them.
The majority of the above configuration is easily found with some Google searches and is well documented. However, the next part, the RADIUS part, is not.
FreeRADIUS Configuration
First of all you need to get a server set up and FreeRADIUS installed. I won't elaborate further, since this is also well documented elsewhere. For reference, in my setup I used Ubuntu Server 12.04 LTS.
clients.conf
The clients.conf file is simply used to identify the expected RADIUS clients that may talk to us, and to set the shared secret for each of them. Below is a sample file:

client <Cisco device RADIUS source IP> {
	secret = <Shared Secret>
	nastype = cisco
	shortname = ezVPN-Server
}
This now enables our Cisco router to talk to the RADIUS server. Check that you know which source address the Cisco uses; it can be defined within the server group config (the ip radius source-interface line above) and it must match the client entry here, or FreeRADIUS will silently drop the requests as coming from an unknown client.
users
The users file defines the different users available. This can also be done with an SQL database. However, the SQL part is well documented so I will not cover it here. First we have to set up the VPN Group user definition - this is the main part that I struggled with. Here is my example config:
RemoteUsers Cleartext-Password := "cisco"
	Tunnel-Type = "ESP",
	Tunnel-Password = "<pre-shared-key>",
	Cisco-AVPair := "ipsec:tunnel-type=ESP",
	Cisco-AVPair += "ipsec:key-exchange=IKE",
	Cisco-AVPair += "ipsec:save-password=1",
	Cisco-AVPair += "ipsec:inacl=110"
So, to explain some of the fields:
- "RemoteUsers" - this will be whatever your VPN group is
- Cleartext-Password := "cisco" - This is required - the router sends an Access-Request with the group name as the username and the fixed password "cisco".
- Tunnel-Type - This is another required item.
- Tunnel-Password - This should be your actual VPN group key.
Now we move on to the "Cisco-AVPair" entries. These are Cisco Attribute-Value pairs. So basically this is information that gets passed back to the router as parameters for the connection.
- ipsec:tunnel-type=ESP - Required - stating we will use ESP
- ipsec:key-exchange=IKE - Required - stating we will use IKE
- ipsec:save-password=1 - Optional - Since my setup is for branch-offices, I want to have the password pre-configured in the router without people needing to keep entering it. Therefore I have to permit the password to be saved locally.
- ipsec:inacl=110 - Optional - This is for split-tunnel VPNs. It specifies which ACL on my hub router should be used to define the split networking list.
For comparison, this is how those reply items map onto the local ISAKMP client configuration group from the hub router config (the RADIUS attribute each line corresponds to is shown after the !):

crypto isakmp client configuration group RemoteUsers
 key <pre-shared-key>    ! Tunnel-Password = "<pre-shared-key>"
 acl 110                 ! Cisco-AVPair += "ipsec:inacl=110"
 save-password           ! Cisco-AVPair += "ipsec:save-password=1"
For further reading about Cisco Attribute-Value pairs, have a look at this page: https://supportforums.cisco.com/document/58091/exploring-remote-access-vpn-easy-vpn-cisco-router-cisco-secure-access-control-server
For our actual VPN users, the entries are much simpler. We just need to add user/password pairs to the users file:
User1 Cleartext-Password := "<password>"
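As an added check, not part of the original post: a small Python lint for the users file entries above. It parses the flat users format (a line in column 0 opens an entry with its check items; the indented lines that follow are its reply items) and verifies that a group entry carries the items marked as required above; the sample entries and key values are constructed placeholders. It also catches the FreeRADIUS pitfall behind the := / += pattern: a reply item written with a plain = is only added when that attribute is not already in the reply, so repeated Cisco-AVPair lines written that way are silently dropped.

```python
import re
# Constructed sample in the shape of the post's entries (key values are placeholders).
SAMPLE_USERS = '''
RemoteUsers Cleartext-Password := "cisco"
\tTunnel-Type = "ESP",
\tTunnel-Password = "group-key-placeholder",
\tCisco-AVPair := "ipsec:tunnel-type=ESP",
\tCisco-AVPair += "ipsec:key-exchange=IKE",
\tCisco-AVPair += "ipsec:save-password=1",
\tCisco-AVPair += "ipsec:inacl=110"
User1 Cleartext-Password := "user-password-placeholder"
'''
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(:=|\+=|==|=)\s*"?([^",]*)"?\s*,?')  # "Attr op value" items
# Reply items the post marks as required for a VPN group entry.
REQUIRED_GROUP_REPLY = {("Tunnel-Type", "ESP"), ("Cisco-AVPair", "ipsec:tunnel-type=ESP"),
                        ("Cisco-AVPair", "ipsec:key-exchange=IKE")}

def parse_users(text):
    """Map entry name -> {"check": [(attr, op, value)], "reply": [...]}."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] not in " \t":  # column 0: a new entry, name plus its check items
            name, rest = (line.split(None, 1) + [""])[:2]
            current = entries.setdefault(name, {"check": [], "reply": []})
            current["check"] += [m.groups() for m in ITEM_RE.finditer(rest)]
        elif current is not None:  # indented: reply items of the open entry
            current["reply"] += [m.groups() for m in ITEM_RE.finditer(line)]
    return entries

def avpairs(entry):
    return [v for a, _op, v in entry["reply"] if a == "Cisco-AVPair"]

def lint_group(entry):
    """Problems with a VPN group entry; an empty list means it follows the post's rules."""
    problems = []
    if ("Cleartext-Password", ":=", "cisco") not in entry["check"]:
        problems.append('group check item must be Cleartext-Password := "cisco"')
    reply_pairs = {(a, v) for a, _op, v in entry["reply"]}
    for attr, value in sorted(REQUIRED_GROUP_REPLY - reply_pairs):
        problems.append(f"missing required reply item {attr} = {value}")
    if not any(a == "Tunnel-Password" for a, _op, _v in entry["reply"]):
        problems.append("missing Tunnel-Password (the group pre-shared key)")
    # Plain '=' only adds a reply attribute when absent: repeated lines need ':=' then '+='.
    ops = [op for a, op, _v in entry["reply"] if a == "Cisco-AVPair"]
    if any(op != "+=" for op in ops[1:]):
        problems.append("Cisco-AVPair lines after the first must use +=")
    return problems
```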
Once this is done, you should have a working ezVPN setup authenticating against a FreeRADIUS server.